Upgrade multiple CPs using software distribution tool

This topic describes guidelines for upgrading multiple standalone CPs using any third-party software distribution tool (SDT) used by your organization, while complying with corporate software distribution procedures.

These guidelines support upgrading standalone CPs only. It is not relevant for Central Credential Provider (CCP) and Application Server Credential Provider upgrades.

For information about upgrading multiple CCPs behind a firewall, see Upgrade the Central Credential Provider (CCP).
When upgrading from version 12.0 or lower, you may need to upgrade your hardware, if it is not operating at its highest level of efficiency or effectiveness, to meet your organization’s CPU SLA thresholds. This is due to changes made in version 12.1, such as security enhancements to Credential Provider caching and Credential Provider-SDK communication, which may increase the CPU consumption and IO operations of servers.

Overview

Many organizations work with hundreds, even thousands, of standalone CPs that are deployed on different operating systems, and often span multiple CP versions.

You can use an SDT to help upgrade multiple CPs at the same time. Because the SDT needs a CyberArk Vault user credential to upgrade each CP, we recommend setting up a CCP to securely provide the Vault user credentials to the SDT, as follows:

The bulk of the work required for upgrading CPs at such scale needs to be done only once:

Make a list of the CPs in you organization that you want to upgrade.

You'll need to gather a list of all the standalone CPs that you want to upgrade. You'll need their versions, and the IP addresses and operating systems of the machines they are installed on.
Set up a privileged Vault user that will be used for upgrading the CPs.
Set up a Central Credential Provider (CCP) to securely provide the SDT with the Vault user credentials. Using a CCP reduces the risk of exposing the credentials of the privileged Vault user.
Prepare CP upgrade scripts per operating system.
Set up the SDT to upgrade the CPs.

All this needs to be done only once; future upgrades will require only keeping the CP list up-to-date.

Before the upgrade

To upgrade multiple CPs simultaneously using an SDT, you need to set up a few things.

Step 1: Make a list of your CPs

Collect information about the CPs in your organization so that you can prepare a list (or lists) of CPs for the SDT to work with.

Get a list of standalone CPs (IP addresses and versions) in your organization. You can do this using any of the following:
- CyberArk PAS System Health Report, which can be downloaded from the CyberArk Marketplace.
- PAM - Self-Hosted/Privilege Cloud System Health REST API. For details, see:
  - PAM - Self-Hosted: PAM - Self-Hosted documentation
  - Privilege Cloud: Privilege Cloud documentation.
  - PVWA/Privilege Cloud Portal > System Health > Secret Manager Credential Portal
Run your SDT to determine the operating system of each standalone CP machine.
Prepare a list (or lists) of CPs to upgrade, grouped according to their current versions and operating systems. You might even choose to group the CPs according to business applications.

Coordinate this with the relevant stakeholders.

To help keep track of the upgrade status of the CPs, we recommend no more than 50 CPs per group.

Step 2: Set up a privileged Vault user for the upgrade

Set up a Vault user in PAM - Self-Hosted/Privilege Cloud. with the required privileges as described in Before you install Credential Provider (CP) for Windows.

Step 3: Set up a remote Central Credential Provider (CCP)

When you upgrade CPs using a SDT, we strongly recommend using a remote CCP to securely provide the SDT with the privileged Vault user's credentials.

To set up the CCP to provide the Vault user credentials:

Install the CCP on a remote machine. For details, see Install the Central Credential Provider (CCP).
In PAM - Self-Hosted/Privilege Cloud:
1. Create an account that contains the Vault user credentials.
2. Add an application that can access the new account. This application should contain authentications for all of the CPs that you are upgrading. We recommend adding OS User and Allowed Machine authentication.
  
  When you add Allowed Machines, list the IP addresses of all the CPs that you are going to upgrade.
For details, see the PAM - Self-Hosted/Privilege Clouds documentation.

During runtime, the CCP securely provides the credentials to the SDT to create a credential file on each CP.

Step 4: Prepare the silent upgrade files

Prepare the files for the silent upgrade for each relevant operating system:

From the CyberArk Marketplace, download the relevant CP upgrade packages to the remote machine where your CCP is installed.

Prepare the silent upgrade file as described in the relevant Before upgrade sections:

Operating system	Docs
Windows	Silent upgrade We recommend using Record mode. If you are upgrading both v12.0 and earlier, and v12.1 and later, you need to generate two separate silent upgrade files because the upgrade is different for each.
Linux/AIX	Before upgrading

Run the upgrade using your SDT

Set up the SDT to upgrade the CPs using the artifacts gathered in Before the upgrade.

Provide your SDT with:

The list of IPs to upgrade
CCP and Vault connection details
The CP upgrade files

After the upgrade

During the upgrade a credential file is created on each CP machine. After the upgrade, we strongly recommend deleting this file from each CP machine.

Example

Check out our blog post, Upgrading Your Linux Secrets Manager Credential Providers with Ansible at Enterprise Scale, for a great use case example!