Java on Linux

Keeper Automator sample implementation using standalone Java service
This guide provides step-by-step instructions to publish Keeper Automator on any Linux instance that can run Docker.
Make sure you already have your SSL Certificate! If not, please follow the steps in the Create SSL Certificate page.

Standalone Java Service

(1) Install Java

In preparation for the service, ensure that at least Java 17 is installed. On a standard Amazon AWS Linux 2 instance, the Java 17 SDK can be installed using the command below:
[ec2-user@xxx ~]$ sudo amazon-linux-extras install java-openjdk17
To check which version is running, type:
[ec2-user@xxx ~]$ java --version

(2) Install the Service

From the Automator instance, download and unzip the Keeper Automator service:
[ec2-user@xxx ~]$ mkdir automator
[ec2-user@xxx ~]$ cd automator/
[ec2-user@xxx ~]$ wget https://keepersecurity.com/automator/keeper-automator.zip
[ec2-user@xxx ~]$ unzip keeper-automator.zip

(3) Create the config folder

If the folder does not exist, create a "config" folder in the extracted location.
[ec2-user@xxx ~]$ mkdir keeper-automator/config

(4) Copy the .pfx and password file

Upload the .pfx file created in the Create Certificate page to the Automator's config/ folder and make sure the file is named ssl-certificate.pfx.
For example, using scp:
$ scp -i xxx.pem ssl-certificate.pfx \
ec2-user@xxx:/home/ec2-user/automator/keeper-automator/config/
If your ssl-certificate.pfx file is protected by a passphrase, you also need to create a file called ssl-certificate-password.txt and place it into the docker container:
For example:
echo "my_pfx_password..." > ssl-certificate-password.txt
scp -i xxx.pem ssl-certificate-password.txt \
ec2-user@xxx:/home/ec2-user/automator/keeper-automator/config/
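The .pfx and its password file together are the service's TLS private key material, and files created with echo and scp normally inherit the default umask (often world-readable). The following is an added example, not part of Keeper's documentation: a POSIX shell script that audits the config/ folder from step 4 and tightens its permissions. It assumes the service runs as the user that owns the files; the script name audit-config.sh is hypothetical.

```shell
#!/bin/sh
# Added example: audit and tighten permissions on the Automator config/ folder.
# Assumption: the service runs as the user that owns these files.

# Succeeds only if FILE grants nothing to group or other (e.g. -rw-------).
mode_is_owner_only() {
    perms=$(ls -ld "$1" | cut -c5-10)   # characters 5-10 = group/other bits
    [ "$perms" = "------" ]
}

# Prints one finding per problem; return status = number of problems found.
audit_config_dir() {
    dir=$1
    problems=0
    if [ ! -f "$dir/ssl-certificate.pfx" ]; then
        echo "MISSING: $dir/ssl-certificate.pfx"
        problems=$((problems + 1))
    fi
    # The password file is optional (only needed for a passphrase-protected .pfx).
    for f in "$dir" "$dir/ssl-certificate.pfx" "$dir/ssl-certificate-password.txt"; do
        [ -e "$f" ] || continue
        if ! mode_is_owner_only "$f"; then
            echo "LOOSE PERMS: $f"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Restricts the folder to 0700 and the key material to 0600.
harden_config_dir() {
    dir=$1
    chmod 700 "$dir"
    for f in "$dir/ssl-certificate.pfx" "$dir/ssl-certificate-password.txt"; do
        if [ -e "$f" ]; then chmod 600 "$f"; fi
    done
}

# Usage (hypothetical script name):
#   sh audit-config.sh /home/ec2-user/automator/keeper-automator/config
if [ "$#" -ge 1 ]; then
    audit_config_dir "$1" || { harden_config_dir "$1"; audit_config_dir "$1"; }
fi
```

Run it on the Automator instance after uploading the files; a clean second audit pass prints nothing and exits 0.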

(5) Start the Service

From the Automator instance, start the service using java -jar. In the example below, it is run in the background using nohup.
[ec2-user@xxx automator]$ cd automator/
[ec2-user@xxx automator]$ nohup java -jar keeper-automator.jar &
On the Windows command line or PowerShell, the command must be executed exactly as shown below:
start "" /B javaw -jar "keeper-automator.jar"

(6) Check Service Status

Confirm the service is running through a web browser (note that port 443 must be opened from whatever device you are testing). In this case, the URL is: https://automator.lurey.com/api/rest/status
For automated health checks, you can also use the below URL:
https://<server>/health
Example:
$ curl https://automator.lurey.com/health
OK
Now that the service is running, you need to integrate the Automator into your environment using Keeper Commander.

Final Configuration with Commander

Keeper Commander is required to perform the final step of Automator configuration. This can be run from anywhere; it does not need to be installed on the server.
On your workstation or server, install Keeper Commander CLI. The installation instructions, including binary installers, are here: https://docs.keeper.io/secrets-manager/commander-cli/commander-installation-setup. After Commander is installed, you can type keeper shell to open the session, then log in using the login command. In order to set up Automator, you must log in as a Keeper Administrator, or an Admin with the ability to manage the SSO node.
$ keeper shell
My Vault> login [email protected]
_ __
| |/ /___ ___ _ __ ___ _ _
| ' </ -_) -_) '_ \/ -_) '_|
|_|\_\___\___| .__/\___|_|
v16.1.10 |_|
password manager & digital vault
Logging in to Keeper Commander
SSO user detected. Attempting to authenticate with a master password.
(Note: SSO users can create a Master Password in Web Vault > Settings)
Enter password for [email protected]
Password:
Successfully authenticated with Master Password
Syncing...
Decrypted [58] record(s)
My Vault>
Log in to Keeper Commander and activate the Automator using a series of commands, starting with automator create:
My Vault> automator create --name="My Automator" --node="Azure Cloud"
The Node Name (in this case "Azure Cloud") comes from the Admin Console UI.
[Screenshot: Automator Create]
The output of the command will display the Automator settings, including metadata from the identity provider.
Automator ID: 1477468749950
Name: My Automator
URL:
Enabled: No
Initialized: No
Skills: Device Approval
Note that the "URL" is not populated yet. So let's do that next.
My Vault> automator edit --url=https://automator.lurey.com "My Automator"
Next, we exchange keys. The enterprise private key, encrypted with the Automator public key, is provided to the Automator:
My Vault> automator setup "My Automator"
Next, send other IdP metadata to the Automator:
My Vault> automator init "My Automator"
Enable the Automator service:
My Vault> automator enable "My Automator"
At this point, the configuration is complete.

For environments using AD FS ...

When activating Keeper Automator with AD FS as the identity provider, users will not be able to log in until you update the Keeper certificate using the instructions below:
  • Log in to the Keeper Admin Console
  • Go to Admin > SSO Node > Provisioning and then view the SSO Cloud configuration.
  • Click on "Export SP Cert".
  • In the AD FS Management Console select the Keeper Cloud SSO Relying Party Trust properties.
  • On the "Encryption" tab, replace the old certificate with this new cert.
  • On the "Signature" tab, Add/Replace the new SP certificate with this new cert.

Securing the Service

We recommend restricting network access to the service. Please see the Network Config section for a list of IP addresses to allow.

Testing the User Experience

Now that Keeper Automator is deployed, you can test the end-user experience. No prompts for approval will be required after the user authenticates with the SSO identity provider.
The easiest way to test is to open an incognito mode window to the Keeper Web Vault and log in with SSO Cloud. You will not be prompted for device approval.

Service Restart

When you stop/start the Keeper Automator service, or if you restart the server, you may need to use Keeper Commander to re-initialize the service endpoint.
My Vault> automator setup "My Automator"
My Vault> automator init "My Automator"
My Vault> automator enable "My Automator"
As of version 2.1 of Keeper Automator, the keeper.properties file contains a new setting:
persist_state=true
This will ensure that the state of the Automator persists between service and computer restarts.

Troubleshooting

Service not starting

Please check the Keeper Automator logs. These usually describe the issue. On Linux, the logs are located in the install directory.

Users always getting prompted for approval

When you reconfigure the Keeper Automator service, you may need to use Keeper Commander to re-initialize the service endpoint. (Keeper Commander documentation is linked here).
The commands required on Keeper Commander to re-initialize your Automator instance are below:
$ keeper shell
My Vault> automator list
288797895952179 My Automator True https://something.company.com
(find the Name corresponding to your Automator)
My Vault> automator setup "My Automator"
My Vault> automator init "My Automator"
My Vault> automator enable "My Automator"

Check the persist_state setting

As of version 2.1 of Keeper Automator, the keeper.properties file contains a new setting:
persist_state=true
This will ensure that the state of the Automator persists between service and computer restarts.

Users randomly getting prompted for approval

There may be latency or communication errors between the Keeper backend and your Automator instance. Please contact our support team for assistance in troubleshooting further.