Upgrading the PSM
Before you begin the upgrade, make sure the components you will upgrade are compatible. The compatible versions of the PAM - Self-Hosted components are listed in CyberArk component compatibility.
If you already have the license, you do not need to obtain it again.
If you are upgrading from versions 10.7 through 11.2, you must update the SQL Express 2016 service pack.
- Download SQLEXPR_UPGRADE.zip from the CyberArk Marketplace and extract the zip file.
- Verify that SQL Express is installed on your PSM:
  Go to Add\Remove programs and check whether Microsoft SQL Server 2016 Setup (English) version 13.1.4001.0 is installed.
  - If version 13.2.5026.0 (SP 2) is installed, you do not need to run the script.
  - If you run the script on a machine with MS SQL Express not installed, you will receive the following message: "The SQL Server is not installed on this machine, so the upgrade to SP2 will not be performed".
- Open a PowerShell console and run:
  >CD <SQLEXPR_UPGRADE path>
  >.\SQLExpressSP2Upgrade.ps1
- Verify that the script successfully updated the SQL Express 2016 service pack or returned the "SQLExpress is not installed on your Machine" message.
- If the script failed, run the update manually.
  - Go to <SQLEXPR_UPGRADE path> and run SQLEXPR_x64_ENU.
  - On the License Terms screen, accept the license terms and click Next.
  - On the Select Features screen, click Select All and click Next.
  - On the Check Files in Use screen, stop the detected applications and services and click Next.
  - The update completes successfully.
Use the following procedure to upgrade your stand-alone PSM server.
1. In the Vault, make sure the user who will upgrade the PSM is not an owner in the PSMUnmanagedSessionAccounts Safe.
2. On the PSM machine, stop the PSM service. For more information, refer to
3. In the Privileged Session Manager installation package, run the Privileged Session Manager installation to begin the upgrade procedure:
   - Double-click Setup.exe
   or,
   - On systems that are UAC-enabled, right-click Setup.exe, then select Run as Administrator.
   The PSM installation wizard appears and displays a list of required features that it will install on your computer before it can install the PSM.
4. Click Install to begin the upgrade procedure; the installation wizard detects the existing version of the PSM on your computer, then displays the Setup
5. Click Next to begin the upgrade procedure.
6. During the procedure, accept the default values to upgrade the existing environment,
   or,
   Specify different values to modify the existing environment.
7. When the PSM environment is installed, the following window appears to enable you to complete the upgrade procedure.
8. Click Finish. The upgrade process is complete, and the PSM has now been upgraded.
9. Restart the PSM server. You can also restart the PSM server at a later stage. In any event, you must restart the PSM server before using the PSM.
10. On the PVWA machine, run iisreset,
    or,
    Wait for the PVWA refresh configuration interval to pass.
Use the following procedure to upgrade your PSM server in a Distributed Vaults environment.
- If you configure Session Management in Distributed Vaults for the first time when upgrading the Vaults, follow the instructions in PSM.
- If you previously configured Session Management in Distributed Vaults, review the instructions in PSM to determine whether your environment is properly configured.
Use one of the following procedures to upgrade your PSM HTML5 gateway.
To upgrade the PSM HTML5 Gateway from 10.1 to 10.x, do the following:
- Delete the existing gateway by running the following command:
  rpm -e CARKpsmgw
- Run the upgrade with the following command:
  rpm -ivh CARKpsmgw-*
- Restart the webserver.
To upgrade from 10.2 and higher versions, do the following:
To upgrade from 11.2 and lower versions to 11.6 or higher versions, perform the following before running the upgrade:
- Run the upgrade with the following command:
  rpm -Uvh CARKpsmgw-*
- Restart the webserver.
Check your Tomcat version:
- On the HTML5 Gateway machine, go to CATALINA_HOME.
  cd /opt/tomcat
- Run the following command:
  java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo
- Check Server version: Apache Tomcat.
- If the Tomcat version is prior to 8.5.72 or prior to 9.0.54, you must update Tomcat to the latest 8.5 or 9.0 version.
  If you upgrade from version 8.x to 9.x, you must update the Java version to 8 or higher.
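The version check above can be scripted so that it does not depend on reading the output by eye. The following is an added example, not part of the CyberArk documentation; the function names are hypothetical and the sample output is constructed. It parses the ServerInfo output and applies the 8.5.72 and 9.0.54 thresholds with a numeric, per-field comparison.

```shell
# Added example, not CyberArk code. Thresholds are the ones stated above.

# Read ServerInfo output on stdin, print the version from the "Server version" line.
tomcat_version() {
    sed -n 's|^Server version:[[:space:]]*Apache Tomcat/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Succeed when version $1 is lower than $2, comparing fields numerically
# (so 8.5.100 is not treated as older than 8.5.72).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# Print update-required, ok, unsupported (not an 8.5 or 9.0 line) or unknown.
tomcat_update_status() {
    case $1 in
        8.5.*) if version_lt "$1" 8.5.72; then echo update-required; else echo ok; fi ;;
        9.0.*) if version_lt "$1" 9.0.54; then echo update-required; else echo ok; fi ;;
        '')    echo unknown ;;
        *)     echo unsupported ;;
    esac
}

# Constructed sample output; on the gateway, pipe the real command instead:
#   java -cp "$CATALINA_HOME/lib/catalina.jar" org.apache.catalina.util.ServerInfo
sample='Server version: Apache Tomcat/8.5.57
Server number:  8.5.57.0'
v=$(printf '%s\n' "$sample" | tomcat_version)
echo "Tomcat ${v:-?}: $(tomcat_update_status "$v")"
```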
- Download a new version of Tomcat to the /opt directory.
  - We recommend deploying Tomcat manually.
  - The yum repository does not always contain the latest Tomcat version.
  - The PSM HTML5 Gateway supports Tomcat v.8.5 or v.9.
- Stop the Tomcat and PSMGW services.
  service tomcat stop
  /etc/init.d/guacd stop
- Set CATALINA_HOME to be the root folder for Tomcat.
  In the examples below, we use /opt/tomcat as the root folder.
  export CATALINA_HOME=/opt/tomcat
  All scripts assume that /opt/tomcat is the root folder. If you use a different root folder, you must change these scripts.
- Rename the old Tomcat home directory and extract the Tomcat archive.
  cd /opt
  mv tomcat tomcat_<old_version>
  tar -xvf apache-tomcat-<version>.tar.gz
  mv apache-tomcat-<version> tomcat
- Run the following commands to configure Tomcat to run as a low privileged user/group.
  - Set tomcat permissions
    chmod 755 /opt/tomcat
  - Set up ownership
    chown -R tomcat:tomcat $CATALINA_HOME
  - Set permissions for the Tomcat server configuration file
    chmod 600 $CATALINA_HOME/conf/server.xml
- Secure the connection between the end user and Tomcat.
  - Find the Keystore that was generated in the installation procedure
    grep "keystoreFile=" /opt/tomcat_<old_version>/conf/server.xml
    If the output includes a folder under tomcat home, it is now under the backed-up folder.
    For example, if the output is keystoreFile="/opt/tomcat/keystore", the Keystore is actually under /opt/tomcat_<old_version>/keystore.
    In this case, you must copy the following items to the new location. For example:
    - mv /opt/tomcat_<old_version>/keystore /opt/tomcat/keystore
    - mv /opt/tomcat_<old_version>/cert.crt /opt/tomcat/cert.crt
    - mv /opt/tomcat_<old_version>/key.pem /opt/tomcat/key.pem
  - Configure Tomcat to work with SSL and the Keystore you found in the previous step
    - Copy the connector section from the server.xml under the old tomcat home to $CATALINA_HOME/conf/server.xml
      <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
      maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
      clientAuth="false" sslProtocol="TLS" keystoreFile="<generated keystore path>" keystorePass="<generated keystore password>"
      />
    - Delete any additional connector sections in $CATALINA_HOME/conf/server.xml.
- Move the guac.war file to the new Tomcat
  mv /opt/tomcat_<old_version>/webapps/guac.war /opt/tomcat/webapps/
- Start the Tomcat and PSMGW services.
  service tomcat start
  /etc/init.d/guacd start
- Secure the Tomcat server, as described in Upgrading the PSM.
- Secure the connection between the end user and Tomcat, as described in Upgrading the PSM.
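After the Tomcat home has been swapped, the settings this procedure relies on can be checked in one pass: mode 600 on server.xml, a single active connector, and a keystoreFile path that still resolves after the rename. The following is an added example, not part of the CyberArk documentation; the function names and the demo tree are constructed, it looks only at the keystoreFile attribute form shown above, and it assumes a relative keystoreFile is resolved under the Tomcat home.

```shell
# Added example, not CyberArk code: audit a migrated conf/server.xml.

# Print the file with XML comments (multi-line too) removed, so commented-out connectors are not counted.
strip_xml_comments() {
    awk '{
        line = $0; out = ""
        while (line != "") {
            if (inc) {
                p = index(line, "-->"); if (p == 0) break
                line = substr(line, p + 3); inc = 0
            } else {
                p = index(line, "<!--")
                if (p == 0) { out = out line; break }
                out = out substr(line, 1, p - 1); line = substr(line, p + 4); inc = 1
            }
        }
        print out
    }' "$1"
}

# audit_server_xml <tomcat home>: print one line per finding, return 1 if any.
audit_server_xml() {
    conf=$1/conf/server.xml; rc=0
    [ -f "$conf" ] || { echo "MISSING $conf"; return 1; }
    # The procedure sets mode 600; server.xml carries the keystorePass value.
    perms=$(ls -l "$conf" | cut -c1-10)
    [ "$perms" = "-rw-------" ] || { echo "PERMS $perms"; rc=1; }
    active=$(strip_xml_comments "$conf")
    # Only the copied SSL connector should remain active.
    n=$(printf '%s\n' "$active" | awk '{ c += gsub(/<Connector/, "&") } END { print c + 0 }')
    [ "$n" -eq 1 ] || { echo "CONNECTORS $n"; rc=1; }
    # keystoreFile must still resolve now that the old home has been renamed.
    ks=$(printf '%s\n' "$active" | sed -n 's/.*keystoreFile="\([^"]*\)".*/\1/p' | head -n 1)
    case $ks in /*|'') ;; *) ks=$1/$ks ;; esac   # assumption: relative to Tomcat home
    if [ -z "$ks" ]; then echo "KEYSTORE attribute missing"; rc=1
    elif [ ! -f "$ks" ]; then echo "KEYSTORE $ks not found"; rc=1; fi
    return $rc
}

# Constructed demo tree: loose permissions, an extra connector, a missing keystore.
demo=$(mktemp -d) && mkdir "$demo/conf"
cat > "$demo/conf/server.xml" <<EOF
<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <!-- <Connector port="8009" protocol="AJP/1.3" /> -->
  <Connector port="8443" SSLEnabled="true" keystoreFile="$demo/keystore" keystorePass="constructed" />
</Service></Server>
EOF
audit_server_xml "$demo" || true
rm -rf "$demo"
```

On the gateway, run `audit_server_xml "$CATALINA_HOME"` before starting the Tomcat service; no output and a zero exit status mean all three checks passed.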
To upgrade the PSM HTML5 gateway, do the following:
- Stop the running PSM HTML5 gateway container:
  sudo docker kill <container name>
  For example:
  sudo docker kill <PSM gateway FQDN>
- Delete the PSM HTML5 gateway container from the local Docker system:
  sudo docker rm <container name>
  For example:
  sudo docker rm <PSM gateway FQDN>
- Install the PSM HTML5 Gateway from the latest image, as described in Install the HTML5 Gateway.

- Stop the running PSM HTML5 gateway container:
  sudo ./html5_console.sh purge <container name>
  For example:
  sudo ./html5_console.sh purge CyberArk.local
- Install the PSM HTML5 Gateway from the latest image, as described in Install the HTML5 Gateway.
Continue with hardening and other Post PSM upgrade procedures to complete the upgrade process.