Silent upgrade

This topic describes how to automate a Windows Credential Provider (CP) upgrade.

This upgrade supports upgrading:

  • a 32-bit CP to a 32-bit CP

  • a 64-bit CP to a 64-bit CP

To migrate a 32-bit CP to a 64-bit CP, you must uninstall the 32-bit CP and then install the 64-bit CP. See Migrate the 32-bit Credential Provider to the 64-bit Credential Provider.

Workflow

To automate a Windows upgrade:

  1. On one Windows CP, upgrade the CP in Record mode. During the upgrade, all the necessary information is recorded and saved to an upgrade response file, <upgrade>.iss.

  2. Use the recorded response file to automate other Windows CP upgrades.

Upgrade Windows CP silently

This section describes the steps for automating Windows CP upgrades.

Step 1: Before you upgrade

  1. Download the Secrets Manager Credential Providers installation package from the CyberArk Marketplace.

  2. If you are using distributed Vaults, open your current installation's Vault.ini file (<CP installation path>\CyberArk\ApplicationPasswordProvider\Vault) and make sure that DISTRIBUTEDVAULTS set to Yes, and that Address is set to a DNS SRV record.

  3. On the machine where you are upgrading the CP, create a folder for the CP upgrade files. We refer to this as the CP upgrade folder.

  4. Optional: Set up the credential file containing the privileged Vault user credentials

    In addition to the CP being upgraded, the CP environment in the Vault might also require some updates. If you want the upgrade to perform these Vault updates, you need to provide the CP upgrade with a the credentials of a privileged Vault user.

    1. Create a privileged Vault user as described in Before you install Credential Provider (CP) for Windows.

    2. Copy the following files from the downloaded CP package to your CP upgrade folder:

      • CreateCredFile.exe (CreateCredFile utility)
      • ssleay32.dll
      • libeay32.dll
    3. In the CP upgrade folder, open the command prompt as an administrator, and run the CreateCredFile utility as follows:

      CreateCredFile <credfile>.cred Password /Username <username> /Password <password> /Hostname /EntropyFile

      For example, to create a cred file, pvu.cred, run

      CreateCredFile pvu.cred Password /Username adminname /Password adminpw /Hostname /EntropyFile

      The .cred file and a corresponding .entropy file are created in the same folder as the CreateCredFile utility.

       
      • Creating a credential file on a remote machine and using it for several CP installations is not secure and is not CyberArk recommended.

      • The user credential file must be placed in a folder that is accessible only for the machine or domain administrator who runs the CP installation. We strongly recommend that you delete the credential file after completing the installation.

Step 2: Record the Windows CP upgrade

  1. From the downloaded CP package folder, run (as administrator) the following command to start the interactive CP upgrade in Record mode:

    setup.exe /r /f1"<absolute full path to <cpupgrade>.iss>" "<full path to credential file>"
    • Make sure there are no spaces between /f1 and the value that follows it.

    • The path to the credential file must be specified only if you are updating the CP environment in the Vault during the upgrade. In this case, specify the credential file's absolute path.

    For example, the following command creates the silentupgrade.iss response file in your CP upgrade folder, and uses the pvu.cred file that you created earlier to make updates to the CP environment in the Vault.

    The /r flag runs the setup in Record mode.

    setup.exe /r /f1"C:\CPUpgrade\silentupgrade.iss" "C:\CPUpgrade\pvu.cred"

    The Interactive upgrade starts. Your responses are recorded and saved in silentupgrade.iss.

  2. When the upgrade completes, restart the machine. The restart is mandatory.

Step 3: Run the upgrade on other machines

Now that you have a recorded response file, you can run the following command on other machines from a command line or by adding it to a script to run it automatically.

 
setup.exe /s /f1"<absolute path to <silentupgrade>.iss>" "<path to .cred file>"
 
  • Make sure there is no space between /f1 and the value that follows it.

  • The path to the credential file must be specified only if you are updating the Credential Provider environment in the Vault during the upgrade. In this case, specify the credential file's absolute path.

Example: The following command updates the CP environment in the Vault during upgrade:

setup.exe /s /f1"C:\CPUpgrade\silentupgrade.iss" "C:\CPUpgrade\pvu.cred"
  • The upgrade uses the silentupgrade.iss response file in the C:\CPUpgrade folder.

  • The credential file, pvu.cred, contains the privileged Vault user's credentials that are used to update the CP environment in the Vault.

Example 2:

The upgrade runs using the silent.iss response file in the C:\CPUpgrade folder.

setup.exe /s /f1"C:\CPUpgrade\silentupgrade.iss"

The command does not specify a credential file, so that upgrade doesn't update the CP environment in the Vault.

When the upgrade completes, restart the machine. The restart is mandatory.

Step 4: After the upgrade

For each CP that was upgraded, follow the steps in After the upgrade.