Upgrade the Central Credential Provider (CCP)

This topic describes how to upgrade the CCP.

To identify which of your CCPs require upgrading, see View Credential Provider versions prior to upgrade.

Step 1: Before the upgrade

One of the files overwritten during the CCP upgrade is the web.config file. If this file has customizations, back up the file before you start the upgrade. This file is located in C:\inetpub\wwwroot\.

Step 2: Upgrade the CCP

If you have CCPs installed behind a load balancer, the upgrade requires upgrading each CCP, one at a time.

To upgrade a CCP behind a load balancer:

  1. Remove the CCP from behind the load balancer and confirm that it was removed and is inactive.

    To confirm that the CCP was removed, check in the CP and IIS logs located in \inetpub\logs\LogFiles\W3SVC1 that no traffic is being sent to the CCP.

  2. Upgrade the CCP:

    1. Upgrade the Credential Provider on Windows.

    2. Uninstall the CCP web service:

      From the list of programs in Windows, uninstall the CCP web service, CyberArk AIMWebService.

      If you defined multiple security configurations and authentication methods for the CCP web service, you must delete the respective virtual applications from the IIS Manager. See Multiple security configurations and authentication methods for the Central Credential Provider web service.

    3. Reinstall the CCP web service:

      The CCP web service must be installed using the same installation packages as the Credential Provider.

      1. Copy the content from the installation package's \Central Credential Provider\Central Credential Provider Web Service folder into the local \Central Credential Provider\Central Credential Provider Web Service folder that you created above.

      2. Run the CCP installation:

        1. In the installation package's \Central Credential Provider\Central Credential Provider Web Service folder, double-click AIMWebService.msi.

        2. In the AIMWebService Setup window that opens, click Next to start the installation procedure.

        3. In the Select Installation Address page, accept the default location (C:\inetpub\wwwroot\AIMWebService) or provide the details for a different destination.

          Click Next.

        4. In the Confirm Installation window, click Next to start the installation.

        5. When the installation is finished, click Close to complete the Secrets Manager middle tier web service installation.

        On the CCP machine, open CMD as Administrator and run the following command:

          
         msiexec.exe  /i "<CCP Install Path>\AIMWebService.msi" /qn

      If you installed CCP on a hardened PVWA, in the web.config file (C:\inetpub\wwwroot\AIMWebService\web.config), change the httpRedirect parameter from enabled="true" to enabled="false".

      The HTTP Redirect setting must be disabled when installing CCP on a hardened PVWA, so that the CCP can be called without redirecting to PVWA.

    4. If the user running the upgrade uses hash authentication, regenerate the hash for the AIMWebService service. For details, see Define the Central Credential Provider web service.

    5. Test the upgraded CCP with a local CCP query on the server.

  3. Add the inactive CCP machine back into the load balancer pool and confirm that it is receiving new requests.

Repeat for each CCP behind the load balancer.

To upgrade a CCP, you first have to upgrade the CCP's dedicated Credential Provider (CP), then uninstall and reinstall the CCP web service.

If you have CCPs installed behind a load balancer, see Upgrade the Central Credential Provider (CCP).

  1. Upgrade the Credential Provider on Windows.

  2. Uninstall the CCP web service:

    From the list of programs in Windows, uninstall the CCP web service, CyberArk AIMWebService.

    If you defined multiple security configurations and authentication methods for the CCP web service, you must delete the respective virtual applications from the IIS Manager. See Multiple security configurations and authentication methods for the Central Credential Provider web service.

  3. Reinstall the CCP web service:

    The CCP web service must be installed using the same installation packages as the Credential Provider.

    1. Copy the content from the installation package's \Central Credential Provider\Central Credential Provider Web Service folder into the local \Central Credential Provider\Central Credential Provider Web Service folder that you created above.

    2. Run the CCP installation:

      1. In the installation package's \Central Credential Provider\Central Credential Provider Web Service folder, double-click AIMWebService.msi.

      2. In the AIMWebService Setup window that opens, click Next to start the installation procedure.

      3. In the Select Installation Address page, accept the default location (C:\inetpub\wwwroot\AIMWebService) or provide the details for a different destination.

        Click Next.

      4. In the Confirm Installation window, click Next to start the installation.

      5. When the installation is finished, click Close to complete the Secrets Manager middle tier web service installation.

      On the CCP machine, open CMD as Administrator and run the following command:

        
       msiexec.exe  /i "<CCP Install Path>\AIMWebService.msi" /qn

    If you installed CCP on a hardened PVWA, in the web.config file (C:\inetpub\wwwroot\AIMWebService\web.config), change the httpRedirect parameter from enabled="true" to enabled="false".

    The HTTP Redirect setting must be disabled when installing CCP on a hardened PVWA, so that the CCP can be called without redirecting to PVWA.

  4. If the user running the upgrade uses hash authentication, regenerate the hash for the AIMWebService service. For details, see Define the Central Credential Provider web service.

  5. Test the upgraded CCP with a local CCP query on the server.

Step 3: After the upgrade

If you backed up a customized web.config file, copy the back-up file back into C:\inetpub\wwwroot\.