Professional Documents
Culture Documents
Manager - 2.8
Upgrading
Date: 22-Mar-2017
CA Privileged Access Manager - 2.8
This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as
the “Documentation”) is for your informational purposes only and is subject to change or withdrawal by CA at any time. This
Documentation is proprietary information of CA and may not be copied, transferred, reproduced, disclosed, modified or
duplicated, in whole or in part, without the prior written consent of CA.
If you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make
available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with
that software, provided that all CA copyright notices and legends are affixed to each reproduced copy.
The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable
license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to
certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.
TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY
KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE,
DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST
INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE
POSSIBILITY OF SUCH LOSS OR DAMAGE.
The use of any software product referenced in the Documentation is governed by the applicable license agreement and such
license agreement is not modified in any way by the terms of this notice.
Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions
set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or
their successors.
Copyright © 2017 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to
their respective companies.
22-Mar-2017 3/31
Table of Contents
Upgrading 4
CA Privileged Access Manager - 2.8
Upgrading
This section describes how to upgrade the product. To apply an upgrade to release 2.6.2 or earlier,
see CA Privileged Access Manager Update Paths (https://support.ca.com/phpdocs/7/9526/9526_update-
paths.pdf) (PDF).
Update Paths (see page 6)
Upgrade Prerequisites (see page 23)
Upgrade Considerations (see page 25)
Single-Appliance Software Upgrade (see page 26)
Cluster Software Upgrade (see page 30)
Upgrade a Socket Filter Agent (SFA) (see page 31)
22-Mar-2017 5/31
CA Privileged Access Manager - 2.8
Update Paths
To raise a previous version of CA Privileged Access Manager to the current release, certain patches
are necessary to apply, in a specific order.
2.8 Hotfixes and Patches (see page 6)
Releases 2.7 Through 2.8 (see page 6)
Releases 2.6 through 2.7 (see page 8)
Releases 2.5 through 2.6 (see page 14)
Xsuite Releases Before 2.5 (see page 18)
1. 2.8 Upgrade Patch. The 2.8 upgrade patch provides all updates from the 2.7 Database Backup
Patch through the 2.7.1 Patch.
Obtain CA Privileged Access Manager patches and solutions from the CA Support Site (http://www.ca.
com/us/support/ca-support-online/product-content/recommended-reading/technical-document-index/ca-
privileged-access-manager-solutions-patches.aspx).
22-Mar-2017 6/31
CA Privileged Access Manager - 2.8
Important! The 2.8 release does not contain the following defect fixes and enhancements
that were included in the 2.7.0.05 and 2.7.1 patches :
SecureCRT transparent login only works with autologin (Salesforce Case 00529711;
Internal defect ID DE246965).
Putty intermittently fails to open connection (Salesforce case 00521100; Internal defect
ID DE241623). Note: This fix is available in the 2.8.0.01 Hotfix (https://docops.ca.com
/display/CAPAM28/2.8.0.01+Hotfix).
Cluster out-of-sync because CSV import is timing out (Salesforce case 00580685;
Internal defect ID DE246231).
If you need any of these fixes or enhancements, wait for an upcoming 2.8.x patch that
includes them.
Contents
Update Path (see page 7)
Download Instructions (see page 8)
Update Path
Apply the 2.8 Upgrade Patch over any of the following 2.7 software levels:
2.7 Database Backup Hotfix (see page 6) – This patch solves a specific issue that you might
encounter after upgrading from 2.6.2 to 2.7: Configured periodic Scheduled Backup would fail to
execute properly again.
2.7.0.02 Hotfix (see page 6) – This patch remediates an Oracle Java-based incompatibility
between Juniper and CA Privileged Access Manager.
2.7.0.05 Hotfix (see page 6) – This patch resolves an issue where SecureCRT tranparent login
did not not work without autologin.
2.7.1 Patch (see page 6) – Resolves several issues and allows you to attach extra storage to
virtual appliances.
22-Mar-2017 7/31
CA Privileged Access Manager - 2.8
Download Instructions
Use the following procedure to download the 2.8 Upgrade patch from the CA Support Site.
1. From the target system, log in to the Download Center on the CA Support Site:
https://support.ca.com/irj/portal/DownloadCenter.
2. Enter "CA Privileged Access Manager - DEBIAN" in the Enter the Product Name here, or
select from dropdown field:
4. Select Go.
5. Select the Download button associated with CA Privileged Access Manager Upgrade Patch r2.
8.
6. Select a download method and download the .zip file to local storage.
22-Mar-2017 8/31
CA Privileged Access Manager - 2.8
22-Mar-2017 9/31
CA Privileged Access Manager - 2.8
22-Mar-2017 10/31
CA Privileged Access Manager - 2.8
22-Mar-2017 11/31
CA Privileged Access Manager - 2.8
INSTALLATION
22-Mar-2017 1. 12/31
CA Privileged Access Manager - 2.8
22-Mar-2017 13/31
CA Privileged Access Manager - 2.8
22-Mar-2017 14/31
CA Privileged Access Manager - 2.8
22-Mar-2017 15/31
CA Privileged Access Manager - 2.8
22-Mar-2017 16/31
CA Privileged Access Manager - 2.8
Included Releases
Release 2.5.4 is no
longer available. The
updates of Release
2.5.4 included the
following fixes:
Certificate linefeed
fix
User no longer
disabled following
autoconnection
attempt using
checked-out
credentials
Xceedium LDAP
Browser fix
Browser
management
improvements
Unresponsive
Device and User
listings fixed
22-Mar-2017 17/31
CA Privileged Access Manager - 2.8
Release 2.5.1 is no
longer available. The
updates of Release
2.5.1 included the
following fixes:
OpenSSL upgrade
to 1.0.1q
Resolution of a GUI
issue
22-Mar-2017 18/31
CA Privileged Access Manager - 2.8
22-Mar-2017 19/31
CA Privileged Access Manager - 2.8
Included Releases
22-Mar-2017 20/31
CA Privileged Access Manager - 2.8
22-Mar-2017 21/31
CA Privileged Access Manager - 2.8
Release Documentation
2.4.4.x Certificate Linefeed
Patch Release Notes (https://s
upport.ca.com/phpdocs/7/9526
/docs/CA-PAM-244x-
CertLinefeedPatch_ReleaseNotes
-v1.pdf)
22-Mar-2017 22/31
CA Privileged Access Manager - 2.8
Upgrade Prerequisites
Review and perform these steps before upgrade:
Important! Remove Embedded VNC from Devices: You must remove all currently attached
Embedded VNC Access Methods from all Device records.
Otherwise, during upgrade an error will occur that requires you to restore from a prior
backup. In that case, when log back in you will receive a (yellow) error message at the top
of the dashboard page explaining where to find detailed information in the session logs. If
you do not have backups you will not be able to successfully upgrade.
1. Remove Embedded VNC from the Access Methods panel of all Device records that
use it before upgrading to release 2.7.
2. Create backups for recovery in the unlikely, but catastrophic, case that Embedded
VNC remains in use on some Device:
To easily locate the applicable records, you may want to export your Device
records (Manage Devices, Import/Export Devices, Export Devices button) and
search for "Embedded" in the spreadsheet.
Please also see the recovery procedures provided in Release Information: Known Issues (
https://docops.ca.com/display/CAPAM28/Known+Issues): Existing Devices that use Embedded
VNC cause upgrade failure.
Upgrade paths: The only valid paths for upgrading to Release 2.8 are to upgrade from the CA
Privileged Access Manager versions, patches, and hotfixes that are specified in Releases 2.7
Through 2.8 (see page 6).
22-Mar-2017 23/31
CA Privileged Access Manager - 2.8
Keep your browser open: Ensure that the upgrade applies properly by keeping the Web browser
open at least until you see the reboot message. This prerequisite applies to any patch (upgrade,
hotfix, security patch, or other software) that requires or automatically includes a reboot.
Note:
If the reboot message still appears after 5 minutes, close your browser, reopen it, and
then navigate once again to the login page.
22-Mar-2017 24/31
CA Privileged Access Manager - 2.8
Upgrade Considerations
Automated Backup
When upgrading a physical appliance, CA Privileged Access Manager copies the primary drive data
(including database and configuration files) onto its backup drive before applying the update. If there
is any issue with the upgrade, you can restore your appliance to its preupgrade state from the backup
drive.
Lengthy Installation
The upgrade installation process might take some time to complete because it backs up your
previous firmware, configuration, and provisioning database. Do not interrupt it.
22-Mar-2017 25/31
CA Privileged Access Manager - 2.8
1. If this appliance is a member of a synchronized cluster and you have not yet reviewed the
cluster procedure, do so at Cluster Software Upgrade (see page 30).
2. Log in as user "config", or as another account with an Access role of Configuration Manager or
the equivalent privileges (such as "super").
3. If your installation uses NFS or CIFS mount to store session recordings, ensure that the mount
is up:
4. Navigate to Global Settings, and confirm that your Login Timeout is greater than the default of
10 minutes. The file upload can sometimes take longer than 10 minutes. To perform this
upgrade procedure, CA Technologies recommends a timeout setting of at least 30 minutes.
5. Navigate to Config, Upgrade. The Upgrade page is displayed showing the currently installed
firmware version.
6. Confirm that the header of the top panel shows a firmware version that supports upgrading to
the current release. Refer to Update Paths.
7. In the Upgrade History panel, confirm that your currently installed upgrades include all
necessary patches to enable upgrade to the current release. Refer to Update Paths.
8. Browse to the drive location of the upgrade package, select it, and then click Upload to copy it
to the CA Privileged Access Manager storage.
Depending on capacity of your connection, this process might take several minutes. You might
not continuously receive GUI or browser feedback. After the upload completes, you are
presented with the Upgrade Confirmation screen.
Important:
The upgrade installation process might take several minutes to complete because it
first backs up your previous firmware, configuration, and provisioning database.
Keep your browser open at least until you see a reboot message.
22-Mar-2017 26/31
CA Privileged Access Manager - 2.8
Upgrade
Upgrade of the appliance takes time. Please be patient and wait until it reboots.
The LCD will show the message "System Upgrade! Please wait!"
Note:
If the rebooting message still appears on the GUI after 5 minutes, continue to the
next step.
10. After the automatic reboot completes, but before you log in again:
a. For each browser you use to access CA Privileged Access Manager, clear its cache, and
close it.
These instructions are applicable to every CA Privileged Access Manager client that connects
to the appliance. Communicate them to both administrators and end users.
11. Log in as "super" or other account that allows both administrative access to session
recordings and configuration access.
If your upgrade completed successfully, either the CA Privileged Access Manager dashboard or
the Access page is displayed. If the dashboard is displayed, navigate to the Access page.
You see the new version at the left of the upper-right menu.
12. After navigating to the Access page, you might see the following message:
22-Mar-2017 27/31
12.
The Access page failed to load. Please verify that Java is installed and is enabled in
your browser, and that the Next-generation Java Plug-in is enabled. If so, then the
download of the CA Privileged Access Manager Java applet might be taking too
long. Please try again. If the problem persists, please contact your CA Privileged
Access Manager administrator.
13. Confirm that the upgrade software has been successfully applied:
The Upgrade History panel at the bottom of the screen shows the file name that
you uploaded in Step 8, with the current time and date.
The correct release number is shown in the heading of the Upgrade Firmware
panel.
b. Navigate to the Sessions, Logs page, and confirm that there are entries for the
successful upgrade and reboot of the appliance.
14. The upgrade resets your Credential Manager dashboard settings and your Credential Manager
preference settings. To reapply your settings:
15. If you use the AWS API Proxy, reconfigure your setup as follows:
a. Select Policy, Manage Passwords to display the Credential Manager GUI. From the
Credential Manager GUI:
ii. Double-click the ID of the target alias that is named AWS API Proxy Access
Accounts to display the Authorization Details panel for that group mapping.
iii.
22-Mar-2017 28/31
CA Privileged Access Manager - 2.8
iii. From the Authorization Details screen for AWS API Proxy Access Accounts,
ensure that the following checkbox is selected: Check Execution User ID. Ensure
that the following checkboxes are unselected: Check Execution Path, and Check
File Path.
b. Return to CA Privileged Access Manager main GUI page and select Policy, Manage
Policies. From the resulting web page, delete all the password view options between
the xceedium.aws.amazon.com and the AWS API proxy users.
c. Return to the Credential Manager GUI. From the Credential Manager GUI:
ii. Delete all target accounts belonging to the target application AWS API Proxy
Access Accounts.
i. Select Groups, User Groups to display the User Groups List web page.
Role: TargetAdmin
As each API user signs in they have a dropdown letting them view a password to use the API
proxy. Once they view the password, the account is created. The account can then be reused.
17.
a. If this is not the final member of the cluster to upgrade, repeat steps 2 through 12 of
the previous procedure for the remaining cluster members.
b. If this is the final cluster member, return now to the cluster instructions, continuing
with Step 4.
22-Mar-2017 29/31
CA Privileged Access Manager - 2.8
a. Confirm that all appliances are running the same CA Privileged Access Manager release
and all appliances have the same patch (Upgrade History) set.
b. Confirm that the CA Privileged Access Manager release and patch set currently running
on all your appliances support upgrade to the latest release. Refer to CA Privileged
Access Manager Update Paths.
c. If the appliances in the cluster are running a mixture of releases or patch sets, contact
CA Technologies CA Privileged Access Manager Support for instructions and software
as required. Upgrade each applicable appliance to the same release and patch set that
supports upgrade to the latest release.
d. If the appliances in the cluster are running the same release and patch sets but it does
not support upgrade to the latest release, contact CA Technologies CA Privileged
Access Manager Support for instructions and software as required. Upgrade each
applicable appliance to the same release and patch set that supports upgrade to the
latest release.
c. Near the lower-right corner of the Distributed Synchronization panel, click the Turn
Cluster Off button, and wait until Status (at panel bottom) indicates that
Synchronization is now off.
4. When each cluster member has been upgraded, go to your Primary cluster member, and
navigate to Config, Synchronization.
b. Verify that you have all positive (green) indicators ("ON", "Database is synchronized",
and checkmark under "Active") showing at the bottom of your Synchronization page.
22-Mar-2017 30/31
CA Privileged Access Manager - 2.8
1. Access the CA Technologies CA Privileged Access Manager support website at: https://support.
xceedium.com. Download the latest Linux or UNIX SFA installer.
2. Access the computer with the Linux or UNIX SFA to be upgraded. Ensure that the Linux or
UNIX SFA is operating.
3. Run the latest Linux or UNIX SFA installer. If you have a pre-existing SFA, the installer updates
all files as required. The installer automatically stops the required daemons before the
upgrade and restarts them after the upgrade.
1. Access the CA Technologies CA Privileged Access Manager support website at: https://support.
xceedium.com. Download the latest Windows SFA installer.
2. Access the computer with the Windows SFA to be upgraded. Ensure that the Windows SFA is
operating.
3. Access the Windows Services console and stop the Xceedium Socket Filter service.
22-Mar-2017 31/31