The upgrade for CA PAM from 2.8.x to 3.0 is different from the previous update files that you might be used to. This is because the 3.0 upgrade is comprised of 2 components: (1) the actual upgrade.bin file that you are used to using; (2) a payload file that must be copied/pasted into the root folder/directory of the Session Recording mount point.
The processes below are documented from several iterations and upgrades that were performed as part of the CA PAM SDLC, and should help everyone get through the upgrade process in about 20 to 25 minutes.
Understand there was a controlled (aka limited) release of CA PAM 3.0. It was always considered as an intermediate step to get to the GA CA PAM v 3.0.1. 3.0 was never intended to be used, as is, in production networks.
To that end, upgrading to 3.0 will be short lived as it is expected that the 3.0.1 or 3.0.2 upgrade will be what will be installed in production environments.
CA PAM 3.0.0 will be deprecated in favor of 3.0.1. This means that no one should remain on 3.0 as part of this upgrade process. Everyone should be on 3.0.1 when this is all over: customers, partners, and ourselves included.
In simple terms, don't use 3.0 in production networks as it's not supported.
The process for getting to 3.0.1 will be as follows:
a - 2.8.3.x.x or 2.8.4.x.x to 3.0 ---> This will require two separate files. See Items 2 and 3 below in the Upgrade files to 3.0.0 section. Any 2.8.3 sub-release will be fine for the upgrade to 3.0.0.
b - 3.0.0 to 3.0.1 ---> This will require a single file and will be like every other upgrade prior to 2.8.3 to 3.0.0. See the 3.0.0 to 3.0.1 Upgrade Procedures section for the link to the needed file.
The process for upgrading from 2.8.3 to 3.0 is different from previous upgrades in that there are two different files that are needed to perform the upgrade from 2.8.3 to 3.0.0. One is a payload file needed to make the OS and database upgrades. The second is the standard PAM .bin file that is needed to update the PAM software itself.
Once the upgrade to 3.0.0 is complete, you will need the separate 3.0.1 bin file that will be made available shortly.
In summary, you need three files in total to upgrade from PAM 2.8.3 to 3.0.1.
The rest of this post outlines the steps to do just that.
This upgrade process is focused on the VMware based PAM OVA. Physical and AWS-based PAM instances are not covered here.
The assumption is that everyone has 2.8.x instances in VMware, so this post and the video show the upgrade process in VMware. AWS instances will be similar, but different given the platform differences.
Be sure to make a full clone of your PAM instance so you can keep your current 2.8.3 demo environment completely separate from the 3.0.0 upgrade that you are about to perform.
2 things you will need to be sure you have ready before you go through the actual upgrade:
1 - You will need to attach a 2nd 20GB virtual disk to your PAM instance before you perform any of the below steps. You don't need to do anything other than add it in VMware. No need to try and expand or attach it in any way, as the upgrade script takes care of everything for you. This will require you to shut down PAM so that you can add the virtual drive in VMware settings.
2 - Be sure the mount point for recordings is attached before you begin the upgrade process. Failure to do so results in the inability to upgrade to PAM 3.0.0.
Upgrade files to 3.0.0:
1 - With the PAM VM shut down, attach a new 20GB 2nd virtual hard disk to PAM, then boot PAM.
The upgrade process is quite large given the changes to the core appliance (upgraded OS, database, etc.). As a result, more storage space is needed to move backups, etc., around and between the virtual disks as the upgrade takes place. Once the upgrade is complete, we will be able to safely detach/delete the drive that we are adding temporarily.
Note: Don't do anything else other than attach the drive to the VM via VMware's settings. No need to attach the drive via Config > 3rd party or anything else. The upgrade script will take care of everything for you. When the upgrade is complete, you can power down the VM and remove/delete the secondary drive.
2 - Download and transfer the 1.6 GB payload file to the PAM session recording mount. This is the first of two needed files for the 2.8.3 to 3.0 upgrade:
To download the needed file, log in to SupportCA.com and search for Privileged Access Manager under the Download Management Section of the new site. Once there, look for "CA Privileged Access Credential Manager DEBIAN," with a release level of 3.0.1 and a service pack level of 0000.
All 3.0.1 files should be on the page, the payload file will be the one labeled, "CA PRIVILEGED ACCESS MANAGER MIGRATION PATCH PAYLOAD R3.0 - ESD ONLY - DVD06091335E.bin."
Note: Upload the payload file to the root of your session recording file system (NFS, CIFS, or Amazon S3). Do not change the payload file name.
The share must be, "Mounted," and, "Available," to CA PAM at the time the upgrade is to take place. Be sure to check this in Config > Logs in the Session Recordings panel. A quick look for Green Text indicates that the share is both mounted and available.
3 - Download the 3.0 upgrade file to CA PAM via the Config > Upgrade page. This is the second of two needed files for the 2.8.3 to 3.0 upgrade.
All 3.0.1 files should be on the page, the 3.0.0 upgrade file will be the one labeled, "PRIVILEGED ACCESS MANAGER MIGRATION PATCH R3.0 GEN500000000000553.zip."
Note, the file is actually a zip file, so extract it and upload the .bin file to CA PAM. Be sure not to change the .bin file name.
4 - Important! The upgrade process might take several minutes to complete. Keep your browser open until you see the final reboot message. Do not interrupt the upgrade process.
Note: If the reboot message still appears in the UI or the LCD display (hardware appliance) after 5 minutes, continue to the next step. After the upgrade is complete, log in to the UI. If you cannot initially log in, wait for approximately 10-15 minutes and try again.
You should see an, "upgrade complete," message in the VMware virtual console when complete. PAM will reboot.
At the 4:00 minute mark in the associated video, you can see the various actions the upgrade goes through.
5 - The following steps will confirm that the upgrade has been successfully applied:
Navigate to Configuration, Upgrade, and confirm that the Upgrade History section at the bottom of the screen shows the file name that you uploaded in Step 4, with the current time and date.
Navigate to Sessions, Logs. You will not see any entries for the successful upgrade and reboot of the appliance. However, you will see the successful upload of the 3.0.0 upgrade file in the logs.
6 - Log in to the appliance and confirm that all data is restored. You should see the 3.0.0 build number at the bottom of the page within the new UI.
Post 3.0.0 Upgrade Procedures
After the upgrade, the new version of CA Privileged Access Manager runs at the current release version.
Complete the following tasks after the upgrade completes:
3.0.0 to 3.0.1 Upgrade Procedures
The 3.0.0 to 3.0.1 upgrade process is the same as all previous updates. Simply download the .bin file from the support site once it's GA, and apply it via Config > Upgrade.
Since 3.0.1 is not GA yet, I have linked a file that will allow you to access a beta 3.0.1 upgrade.bin file.
All 3.0.1 files should be on the page, the 3.0.0 upgrade file will be the one labeled, "PRIVILEGED ACCESS MANAGER UPGRADE PATCH R3.0.1 GEN500000000000379.zip"
I've done this upgrade about 20 times in the last few weeks and it's pretty straightforward. If you have any questions, please let me know by replying to this post.
Thank you. This is very helpful.
Thanks for providing this!
The original 3.0 migration patch was "PRIVILEGED ACCESS MANAGER MIGRATION PATCH R3.0 GEN500000000000553.zip." It has been replaced by PRIVILEGED ACCESS MANAGER MIGRATION PATCH R3.0.1 GEN500000000000774.zip. When you unzip the new file you will find CAPAM_3.0.0.p.bin.
Please look at the support portal for the latest migration / upgrade files from 2.8.x to 3.0.0 release.
To remove any ambiguity, do you have a specific link you were referring to?
I assume you mean the latest 3.1.1 documentation, which is here: Upgrading - CA Privileged Access Manager - 3.1.1 - CA Technologies Documentation, but wanted to be sure.
Hi Shawn, I believe Reatesh wanted to point out that there is a new 3.0.0 migration patch available at https://support.ca.com/us/download-center/product-files.html. This relates to the update from Ed Vogel. By now the migration patch version GEN500000000000774.zip is long obsolete. The current version is GEN500000000001300.zip and it includes an important performance fix that speeds up the upgrade process for instances with a large password history table. In general we recommend downloading the latest version available right before you start the upgrade.
Cool. That’s what I was asking for. I’ll be sure to update the original post with the new links.
Shawn W. Hank
Advisor, Product Management
This is very helpful. Thanks for sharing.
When you're creating the second hard disk, it's also a good idea to increase the size of the primary hard disk. In PAM 2.8 virtual appliances, this was limited to 8 GB, which can be too small. When you do the first step of the upgrade to 3.0, PAM will expand to use the new disk size that you specify. The product documentation recommends 80 GB, and at an absolute minimum 10 GB (see first section - "Ensure there is available disk space on the virtual appliances").
Note that your VM Management Console won't let you expand the primary disk so long as you have any snapshots.
So, you can copy the entire file system containing the VM and use this for a copy of the VM. Make sure the copy uses the same MAC Address (I've seen vSphere assign a new MAC address). Then you can delete the snapshots from the original, resize the primary disk and take a new snapshot. Then, assuming you've already added the second hard disk, you're ready to start the upgrade.
After upgrading from 126.96.36.199 to 3.0.0 I get the following error at login, "Error: PAM-CMN-0900: Bad User ID (Super) or Password"
Cannot log in with admin credentials. Thoughts?
For clarity, this is not the same issue as this: Issues with RSA and CA PAM integration
While RSA isn't an option (and it should be) I am unable to log in at all.
Hi Robert, this must relate to the support case that we just discussed on the phone. Let's continue working through the case for now and we can post what we find here later on.