The upgrade for CA PAM from 2.8.x to 3.0 is different from the previous update files that you might be used to. This is because the 3.0 upgrade is comprised of 2 components: (1) the actual upgrade.bin file that you are used to using; (2) a payload file that must be copied/pasted into the root folder/directory of the Session Recording mount point.
The processes below, are documented from several iterations and upgrades that were performed as part of the CA PAM SDLC, and should help everyone get through the upgrade process in about 20 to 25 minutes.
Upgrade Process
Understand there was a controlled (aka limited) release of CA PAM 3.0. It was always considered as an intermediate step to get to the GA CA PAM v 3.0.1. 3.0 was never intended to be used, as is, in production networks.
To that end, upgrading to 3.0 will be short lived as it is expected that the 3.0.1 or 3.0.2 upgrade will be what will be installed in production environments.
CA PAM 3.0.0 will be deprecated in favor of 3.0.1. This means that no one should remain on 3.0 as part of this upgrade process. Everyone should be on 3.0.1 when this is all over: customers, partners, and ourselves included.
In simple terms, don't use 3.0 in production networks as it's not supported.
The process for getting to 3.0.1 will be as follows:
a - 2.8.3.x.x or 2.8.4.x.x to 3.0 - ---> This will require two separate files. See Items 2 and 3 below in the Upgrade files to 3.0.0 section. Any 2.8.3 sub-release will be fine for the upgrade to 3.0.0.
b - 3.0.0 to 3.0.1 ---> This will require a single file and will be like every other upgrade prior to 2.8.3 to 3.0.0. See the 3.0.0 to 3.0.1 Upgrade Procedures section for the link to the needed file.
The process for upgrading from 2.8.3 to 3.0 is different from previous upgrades in that there are two different files that are needed to perform the upgrade from 2.8.3 to 3.0.0. One is a payload file needed to make the OS and database upgrades. The second is the standard PAM .bin file that is needed to update the PAM software itself.
Once the upgrade to 3.0.0 is complete. You will need the separate 3.0.1 bin file that will be made available shortly.
In summary, you need three files in total to upgrade from PAM 2.8.3 to 3.0.1.
The rest of this post outlines the steps to do just that.
Assumptions/Requirements
This upgrade process is focused on the VMware based PAM OVA. Physical and AWS-based PAM instances are not covered here.
The assumption is that everyone has 2.8.x instances in VMware, so this post and the video show the upgrade process in VMware. AWS instances will be similar, but different given the platform differences.
Be sure to make a full clone of your PAM instance so you can keep your current 2.8.3 demo environment completely separate from the 3.0.0 upgrade that you are about to perform.
2 things you will need to be sure you have ready before you go through the actual upgrade:
1 - You will need to attach a 2nd 20GB virtual disk to your PAM instance before you perform any of the below steps. You don't need to do anything other than add it in VMware. No need to try and expand or attach it in any way, as the upgrade script takes care of everything for you. This will require you to shut down PAM so that you can add the virtual drive in VMware settings.
2 - Be sure the mount point for recordings is attached before you begin the upgrade process. Failure to do so results in the inability to upgrade to PAM 3.0.0.
Upgrade files to 3.0.0:
1 - With the PAM VM shutdown, attach a new 20GB 2nd virtual hard disk to PAM, then boot PAM.
The upgrade process is quite large given the changes to the core appliance (upgraded OS, database, etc.). As a result, more storage space is needed to move backups, etc., around and between the virtual disks as the upgrade takes place. Once the upgrade is complete, we will be able to safely detach/delete the drive that we are adding temporarily.
Note: Don't do anything else other than attach the drive to the VM via VMware's settings. No need to attached the drive via Config > 3rd party or anything else. The upgrade script will take care of everything for you. When the upgrade is complete, you can power down the VM and remove/delete the secondary drive.
2 - Download and transfer the 1.6 GB payload file to the PAM session recording mount. This is the first of two needed files for the 2.8.3 to 3.0 upgrade:
To download the needed file, login to SupportCA.com and search for Privilieged Access Manager under the Download Management Section of the new site. Once there look for, "CA Privileged Access Credential Manager DEBIAN," with a release level of 3.0.1 and a service pack level of 0000.
All 3.0.1 files should be on the page, the payload file will be the one labeled, "CA PRIVILEGED ACCESS MANAGER MIGRATION PATCH PAYLOAD R3.0 - ESD ONLY - DVD06091335E.bin."
Note: Upload the payload file to the root of your session recording file system (NFS, CIFS, or Amazon S3). Do not change the payload file name.
The share must be, "Mounted," and, "Available," to CA PAM at the time the upgrade is to take place. Be sure to check this in Config > Logs in the Session Recordings panel. A quick look for Green Text indicates that the share is both mounted and available.
3 - Download the 3.0 upgrade file to CA PAM via the Config > Upgrade page. This is the second of two needed files for the 2.8.3 to 3.0 upgrade.
To download the needed file, login to SupportCA.com and search for Privilieged Access Manager under the Download Management Section of the new site. Once there look for, "CA Privileged Access Credential Manager DEBIAN," with a release level of 3.0.1 and a service pack level of 0000.
All 3.0.1 files should be on the page, the 3.0.0 upgrade file will be the one labeled, "PRIVILEGED ACCESS MANAGER MIGRATION PATCH R3.0 GEN500000000000553.zip."
Note, the file is actually a zip file, so extract it and upload the .bin file to CA PAM. Be sure not to change the .bin file name.
4 - Important! The upgrade process might take several minutes to complete. Keep your browser open until you see the final reboot message. Do not interrupt the upgrade process.
Note: If the reboot message still appears in the UI or the LCD display (hardware appliance) after 5 minutes, continue to the next step. After the upgrade is complete, log in to the UI. If you cannot initially log in, wait for approximately 10-15 minutes and try again.
You should see an, "upgrade complete," message in the VMware virtual console when complete. PAM will reboot.
At the 4:00 minute mark in the associated video, you can see the various actions the upgrade goes through.
5 - The following steps will confirm that the upgrade has been successfully applied:
Navigate to Configuration, Upgrade, and confirm that the Upgrade History section at the bottom of the screen shows the file name that you uploaded in Step 4, with the current time and date.
Navigate to Sessions, Logs. You will not see any entries for the successful upgrade and reboot of the appliance. However, you will see the successful upload of the 3.0.0 upgrade file in the logs.
6 - Log in to the appliance and confirm that all data is restored. You should see the 3.0.0 build number at the bottom of page within the new UI.
Post 3.0.0 Upgrade Procedures
After the upgrade, the new version of CA Privileged Access Manager runs at the current release version.
Complete the following tasks after the upgrade completes:
- Shutdown CA PAM
- Remove the backup drive from the virtual appliances
- Clear the browser and JRE caches
- Reboot PAM
- Reapply Credential Manager preference settings
3.0.0 to 3.0.1 Upgrade Procedures
The 3.0.0 to 3.0.1 upgrade process is the same as all previous updates. Simply download the .bin file from the support site once it's GA, and apply it via Config > Upgrade.
Since 3.0.1 is not GA yet, I have linked a file that will allow you to access a beta 3.0.1 upgrade.bin file.
To download the needed file, login to SupportCA.com and search for Privilieged Access Manager under the Download Management Section of the new site. Once there look for, "CA Privileged Access Credential Manager DEBIAN," with a release level of 3.0.1 and a service pack level of 0000.
All 3.0.1 files should be on the page, the 3.0.0 upgrade file will be the one labeled, "PRIVILEGED ACCESS MANAGER UPGRADE PATCH R3.0.1 GEN500000000000379.zip"
I've done this upgrade about 20 times in the last few weeks and it's pretty straight forward. If you have any questions, please let me know by replying to this post.