Upgrade Vault Synchronizer

This topic describes upgrading CyberArk Vault Synchronizer.

 
  • Upgrade is supported from Vault Synchronizer v10.4.

  • Before upgrading, we recommend backing up the Vault Synchronizer folder.

  • After the upgrade, expect the first startup of the Vault Synchronizer to take as long as it took when Vault Synchronizer was first installed.

    In addition, during the first startup, the Vault Synchronizer log may include error code VCSS024E. You can ignore this because the LOB metadata files are regenerated.

  1. Prerequisite

    1. Before you upgrade the Vault Synchronizer to version 12.3, .NET Framework version 4.8 must be installed on the Vault Synchronizer machine.

       

      If this exact version of .NET Framework is missing, the Vault Synchronizer will fail.

    2. If you are upgrading from a Vault Synchronizer version earlier than v11.2:

      Verify that the Synchronizer Vault user has PVWAConfig Safe ownership.

      To do this, in the PVWAConfig Safe, under Owners, select the Synchronizer Vault user, and click Advanced to check that the following permissions are assigned:

      Role

      Permissons

      Access

      • List Files
      • Retrieve Files

      Workflow

      Access Safe without confirmation

  2. Log in to the Vault Synchronizer machine as an Administrator.

  3. Unzip VaultConjurSynchronizer.zip to a directory of your choice. We will refer to this directory as the <Sync-package directory>.

  4. Stop the CyberArk Vault-Conjur Synchronizer service.

  5. From <Sync-package directory>, copy the all the files EXCEPT FOR the Vault folder and VaultConjurSynchronizer.exe.conf. Paste the files into <Sync-installation directory>, replacing the existing files in the directory.

     

    The previous location of the <Sync-installation directory> folder remains the same (by default C:\Program Files\CyberArk\Synchronizer).

  6. Update the .NET Framework version to 4.8 in the VaultConjurSynchronizer.exe.config file.

     
    supportedRuntime version="4.0" sku=".NETFramework,Version=v4.8
  7. We recommend enabling cleanup to delete the unwanted data from Conjur, which is no longer available in the Vault. For more information, see Enable cleanup.

  8. When upgrading from versions earlier than Vault Synchronizer v12.1.2: We recommend generating a new credentials file and replace the existing one.

     

    We strongly recommend that you perform this step. It only needs to be performed once.

    1. On the Vault Synchronizer machine, find out the name of the Vault Synchronizer user for the Vault (Sync_<hostname>) by running $env:computername in PowerShell.

    2. Log in to PAM - Self-Hosted / Privilege Cloud as administrator.

    3. Set a new password for the Synchronizer user using one of the following methods:

      Tool

      Description

      PrivateArk Client (PAS users only)

      Update the password of the Sync_<hostname> user.

      PVWA REST API

      1. Get the ID of the Sync_<hostname> user that needs to be updated.

      2. Reset the user's password.

      For details see:

    4. Generate a new credentials file using the new password: On the Vault Synchronizer machine, in PowerShell, change to the <Sync-package directory>\CreateCredFile directory and run:

       
      .\CreateCredFile.exe VaultConjurSynchronizerUser.cred Password /Username Sync_<hostname> /Password <Synchronizer's Vault User password> /ExePath "<Sync-installation directory>\VaultConjurSynchronizer.exe" /AppType AppPrv /DPAPIMachineProtection /Hostname /IPAddress /EntropyFile
    5. Move the generated credentials files, VaultConjurSynchronizerUser.cred and VaultConjurSynchronizerUser.cred.entropy, to <Sync-installation directory>\Vault.

  9. Start the CyberArk Vault-Conjur Synchronizer service.

     

    The password is rotated every time the service is restarted.