AI Setup with OpenAI

Section: AI Assistant | Article 28
Audience: System Administrators
Last Updated: 2026-04-07


Overview

This article walks through configuring OpenAI as the AI provider for RP-PAM. OpenAI supports both embedding and completion models, making it a complete single-provider solution.


Prerequisites

| Requirement | Detail |
| --- | --- |
| RP-PAM licence | Enterprise or MSP tier |
| OpenAI account | An account at platform.openai.com |
| API key | A valid OpenAI API key with access to the models you plan to use |
| Network access | The RP-PAM server must be able to reach api.openai.com on port 443 |
| Budget | OpenAI charges per token; estimate costs based on your expected usage |

Step 1: Get an OpenAI API Key

  1. Sign in to platform.openai.com.
  2. Navigate to API keys (left sidebar).
  3. Click + Create new secret key.
  4. Name it: RP-PAM
  5. Copy the key immediately -- it is only displayed once.

The key looks like: sk-proj-...


Step 2: Encrypt the API Key

Store the API key in RP-PAM's encrypted vault. Never put the raw key in a configuration file.

Windows PowerShell:

& "C:\Program Files\Ravenphyre\RP-PAM\tools\rppam-migrate.exe" vault-store `
  --key "ai-api-key" `
  --value "sk-proj-YOUR_OPENAI_API_KEY"

Linux:

sudo /opt/rppam/tools/rppam-migrate vault-store \
  --key "ai-api-key" \
  --value "sk-proj-YOUR_OPENAI_API_KEY"

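The tool encrypts the key with AES-256-GCM and stores it in the vault; it does not save the plaintext key to disk. The commands above pass the key as a command-line argument, so it can still be recorded in your shell history.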


Step 3: Configure rppam.config

Edit the AI section in rppam.config.

Windows path: C:\ProgramData\Ravenphyre\RP-PAM\rppam.config
Linux path: /etc/rppam/rppam.config

{
  "ai": {
    "enabled": true,
    "provider": "openai",
    "apiKeyVaultKey": "ai-api-key",
    "embeddingModel": "text-embedding-3-small",
    "completionModel": "gpt-4o",
    "embeddingDimension": 1536,
    "maxTokens": 4096,
    "temperature": 0.3,
    "riskScoring": {
      "enabled": true,
      "threshold": 60
    },
    "anomalyDetection": {
      "enabled": true,
      "lookbackDays": 90
    }
  }
}

Configuration Fields

| Field | Description | Default |
| --- | --- | --- |
| enabled | Enable the AI module | false |
| provider | AI provider: openai, anthropic, xai, or ollama | (required) |
| apiKeyVaultKey | Vault key name where the encrypted API key is stored | (required) |
| embeddingModel | Model for generating text embeddings | text-embedding-3-small |
| completionModel | Model for generating natural-language responses | gpt-4o |
| embeddingDimension | Dimension of the embedding vectors (must match the model) | 1536 |
| maxTokens | Maximum tokens in a completion response | 4096 |
| temperature | Creativity of responses (0.0 = deterministic, 1.0 = creative) | 0.3 |
| riskScoring.enabled | Enable AI-based risk scoring on access requests | true |
| riskScoring.threshold | Risk score threshold for alerting (0-100) | 60 |
| anomalyDetection.enabled | Enable anomaly detection | true |
| anomalyDetection.lookbackDays | Number of days of historical data to analyse | 90 |

| Use Case | Model | Cost Tier | Notes |
| --- | --- | --- | --- |
| Embeddings (standard) | text-embedding-3-small | Low | 1536 dimensions, good quality-to-cost ratio |
| Embeddings (high quality) | text-embedding-3-large | Medium | 3072 dimensions, better for large deployments |
| Completions (standard) | gpt-4o-mini | Low | Fast, cost-effective for most PAM queries |
| Completions (advanced) | gpt-4o | Medium | Higher quality responses, better reasoning |
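
Added example (not RP-PAM code or tooling): a check to run on rppam.config before restarting, which flags a raw key pasted into the file and an embeddingDimension that does not match the embedding model. The function names, the "sk-" prefix heuristic and the sample config are assumptions made for this illustration; the providers, defaults and dimensions are the ones listed in this article.

```python
import json

# Dimensions, providers and defaults below are the ones listed in this article.
MODEL_DIMS = {"text-embedding-3-small": 1536, "text-embedding-3-large": 3072}
PROVIDERS = {"openai", "anthropic", "xai", "ollama"}


def find_raw_keys(node, path="$"):
    """Yield JSON paths of strings starting with "sk-" (assumed raw-key heuristic)."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from find_raw_keys(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_raw_keys(value, f"{path}[{i}]")
    elif isinstance(node, str) and node.startswith("sk-"):
        yield path


def lint_ai_config(text):
    """Return a list of findings for the "ai" section of rppam.config."""
    cfg = json.loads(text)
    ai = cfg.get("ai", {})
    findings = [f"raw API key in config at {p}" for p in find_raw_keys(cfg)]
    if ai.get("provider") not in PROVIDERS:
        findings.append("provider must be one of " + ", ".join(sorted(PROVIDERS)))
    if not ai.get("apiKeyVaultKey"):
        findings.append("apiKeyVaultKey is required")
    model = ai.get("embeddingModel", "text-embedding-3-small")
    dim = ai.get("embeddingDimension", 1536)
    if model in MODEL_DIMS and dim != MODEL_DIMS[model]:
        findings.append(f"embeddingDimension {dim} does not match {model} ({MODEL_DIMS[model]})")
    threshold = ai.get("riskScoring", {}).get("threshold", 60)
    if not 0 <= threshold <= 100:
        findings.append(f"riskScoring.threshold {threshold} is outside 0-100")
    return findings


# Constructed sample: a placeholder key pasted into the config, and the large
# embedding model left with the small model's dimension.
BAD = """{ "ai": { "enabled": true, "provider": "openai",
  "apiKeyVaultKey": "sk-proj-CONSTRUCTED-PLACEHOLDER",
  "embeddingModel": "text-embedding-3-large", "embeddingDimension": 1536 } }"""

if __name__ == "__main__":
    for finding in lint_ai_config(BAD):
        print("FINDING:", finding)
```

An empty list means none of these checks fired; it does not confirm that the vault entry exists or that the key is valid, which Step 5 verifies.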

Step 4: Restart RP-PAM

Windows PowerShell:

Restart-Service RpPam

Linux:

sudo systemctl restart rppam


Step 5: Verify AI Is Working

Check Module Health

Linux:

curl -s http://localhost:7101/api/v1/modules \
  -H "Authorization: Bearer $ADMIN_JWT" | jq '.items[] | select(.moduleName == "ai")'

PowerShell:

$modules = Invoke-RestMethod -Uri "http://localhost:7101/api/v1/modules" `
  -Headers @{ Authorization = "Bearer $adminJwt" }
$modules.items | Where-Object { $_.moduleName -eq "ai" } | ConvertTo-Json

Expected:

{
  "moduleName": "ai",
  "status": "healthy",
  "provider": "openai",
  "embeddingModel": "text-embedding-3-small",
  "completionModel": "gpt-4o"
}

Test a Query

Linux:

curl -s -X POST http://localhost:7101/api/v1/ai/query \
  -H "Authorization: Bearer $ADMIN_JWT" \
  -H "Content-Type: application/json" \
  -d '{ "query": "What access requests were submitted today?" }' | jq .

PowerShell:

$response = Invoke-RestMethod -Uri "http://localhost:7101/api/v1/ai/query" `
  -Method Post `
  -Headers @{ Authorization = "Bearer $adminJwt" } `
  -ContentType "application/json" `
  -Body '{ "query": "What access requests were submitted today?" }'
$response | ConvertTo-Json

If the AI module is working, you receive a natural-language response summarising today's requests.


Cost Management

OpenAI charges per token. To manage costs:

| Strategy | How |
| --- | --- |
| Use smaller models | gpt-4o-mini for completions, text-embedding-3-small for embeddings |
| Limit maxTokens | Reduce from 4096 to 2048 if responses do not need to be long |
| Disable features you do not need | Set riskScoring.enabled or anomalyDetection.enabled to false |
| Monitor usage | Check your OpenAI usage dashboard |

Proxy Configuration

If your RP-PAM server reaches the internet through a proxy:

{
  "ai": {
    "proxy": {
      "enabled": true,
      "url": "http://proxy.corp.local:8080",
      "noProxy": ["localhost", "127.0.0.1"]
    }
  }
}

Troubleshooting

| Problem | Cause | Solution |
| --- | --- | --- |
| "status": "unhealthy" for AI module | API key invalid or expired | Regenerate the key in OpenAI; re-store it with vault-store |
| 401 Unauthorized from OpenAI | Wrong API key | Verify the vault key name matches apiKeyVaultKey |
| 429 Too Many Requests | Rate limit exceeded | Reduce request frequency or upgrade your OpenAI plan |
| Connection refused | Server cannot reach api.openai.com | Check firewall rules; configure a proxy if needed |
| Slow responses | Model too large or high latency to OpenAI | Switch to gpt-4o-mini or check network latency |
| "embeddingDimension mismatch" | Model dimension does not match config | Set embeddingDimension to 1536 for text-embedding-3-small or 3072 for text-embedding-3-large |


RP-PAM v1.0.0 -- Copyright 2026 Ravenphyre. All rights reserved.