
CA Privileged Access Manager - 2.8

Upgrading

Date: 22-Mar-2017

This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as
the “Documentation”) is for your informational purposes only and is subject to change or withdrawal by CA at any time. This
Documentation is proprietary information of CA and may not be copied, transferred, reproduced, disclosed, modified or
duplicated, in whole or in part, without the prior written consent of CA.

If you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make
available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with
that software, provided that all CA copyright notices and legends are affixed to each reproduced copy.

The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable
license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to
certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.

TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY
KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE,
DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST
INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE
POSSIBILITY OF SUCH LOSS OR DAMAGE.

The use of any software product referenced in the Documentation is governed by the applicable license agreement and such
license agreement is not modified in any way by the terms of this notice.

The manufacturer of this Documentation is CA.

Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions
set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or
their successors.

Copyright © 2017 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to
their respective companies.

Table of Contents

Update Paths
    2.8 Hotfixes and Patches
    Releases 2.7 Through 2.8
        Update Path
        Download Instructions
    Releases 2.6 through 2.7
    Releases 2.5 through 2.6
    Xsuite Releases Before 2.5
Upgrade Prerequisites
Upgrade Considerations
    Automated Backup
    Lengthy Installation
Single-Appliance Software Upgrade
Cluster Software Upgrade
Upgrade a Socket Filter Agent (SFA)
    Upgrade a Linux or UNIX Socket Filter Agent
    Upgrade a Windows Socket Filter Agent

Upgrading
This section describes how to upgrade the product. To apply an upgrade to release 2.6.2 or earlier,
see CA Privileged Access Manager Update Paths (https://support.ca.com/phpdocs/7/9526/9526_update-paths.pdf) (PDF).
Update Paths
Upgrade Prerequisites
Upgrade Considerations
Single-Appliance Software Upgrade
Cluster Software Upgrade
Upgrade a Socket Filter Agent (SFA)


Update Paths
To raise a previous version of CA Privileged Access Manager to the current release, you must apply
certain patches in a specific order.
2.8 Hotfixes and Patches
Releases 2.7 Through 2.8
Releases 2.6 through 2.7
Releases 2.5 through 2.6
Xsuite Releases Before 2.5

2.8 Hotfixes and Patches


Install 2.8 hotfixes and patches in the following sequence:

1. 2.8 Upgrade Patch. The 2.8 upgrade patch provides all updates from the 2.7 Database Backup
Patch through the 2.7.1 Patch.

2. 2.8.0.01 Hotfix (https://docops.ca.com/display/CAPAM28/2.8.0.01+Hotfix). The 2.8.0.01 Hotfix
resolves an issue where Putty intermittently failed to open a connection (Salesforce case
number 00521100/Internal defect ID DE241623).

Obtain CA Privileged Access Manager patches and solutions from the CA Support Site
(http://www.ca.com/us/support/ca-support-online/product-content/recommended-reading/technical-document-index/ca-privileged-access-manager-solutions-patches.aspx).

Releases 2.7 Through 2.8


The 2.8 Upgrade Patch includes most but not all updates from the 2.7 Database Backup Hotfix
through the 2.7.1 Patch and provides numerous defect fixes and new features.

Important! The 2.8 release does not contain the following defect fixes and enhancements
that were included in the 2.7.0.05 and 2.7.1 patches:

SecureCRT transparent login only works with autologin (Salesforce Case 00529711;
Internal defect ID DE246965).

Issue with Putty/SecureCRT Auto-Connect (Salesforce Case 00494275; Internal defect
ID DE200481).

Putty intermittently fails to open connection (Salesforce case 00521100; Internal defect
ID DE241623). Note: This fix is available in the 2.8.0.01 Hotfix
(https://docops.ca.com/display/CAPAM28/2.8.0.01+Hotfix).

Cluster out-of-sync because CSV import is timing out (Salesforce case 00580685;
Internal defect ID DE246231).

Enhancement: Add external storage to virtual appliances (Salesforce case 00604503;
defect ID DE174582).

If you need any of these fixes or enhancements, wait for an upcoming 2.8.x patch that
includes them.

Contents
Update Path
Download Instructions

Update Path
Apply the 2.8 Upgrade Patch over any of the following 2.7 software levels:

2.7 Upgrade Patch (http://www.ca.com/us/support/ca-support-online/support-by-product/ca-privileged-access-management.aspx) –
The 2.7 upgrade patch provides all updates from the 2.6.3 patch
through the 2.6 Increase Upgrade Size Patch and numerous defect fixes and new features.

2.7 Database Backup Hotfix – This patch solves a specific issue that you might
encounter after upgrading from 2.6.2 to 2.7: Configured periodic Scheduled Backup would fail to
execute properly again.

2.7.0.02 Hotfix – This patch remediates an Oracle Java-based incompatibility
between Juniper and CA Privileged Access Manager.

2.7.0.05 Hotfix – This patch resolves an issue where SecureCRT transparent login
did not work without autologin.

2.7.1 Patch – Resolves several issues and allows you to attach extra storage to
virtual appliances.

Download Instructions
Use the following procedure to download the 2.8 Upgrade patch from the CA Support Site.

Follow these steps:

1. From the target system, log in to the Download Center on the CA Support Site:
https://support.ca.com/irj/portal/DownloadCenter.

2. Enter "CA Privileged Access Manager - DEBIAN" in the Enter the Product Name here, or
select from dropdown field.

3. Select 2.8 from the Select a Release drop-down list.

4. Select Go.

5. Select the Download button associated with CA Privileged Access Manager Upgrade Patch r2.8.

6. Select a download method and download the .zip file to local storage.

7. Unzip the installation package.

Releases 2.6 through 2.7


Refer to the table for information about required updates. Follow the recommended sequence below
to install from any release between 2.6 and the 2.7 upgrade patch release.

Order: 1
Software Installer: 2.6 Upgrade Patch (ftp://ftp.ca.com/pub/CAPrivilegedAccessManagement/PAM/Releases/XS_2.6.p.zip)

Description

This patch provides all updates from release 2.5.1 through 2.5.6, and the following new features:
- CA Privileged Access Manager Client – This feature allows access without local (workstation) Java installation. Download is available from the CA Privileged Access Manager GUI login page.
- Password View Policy (PVP) enhancements
- Improved RDP security

This release also resolves numerous issues. 2.6 Release Notes provides a listing of resolved issues and an updated report of known issues. (GA 6 May 2016)

Filename: CAPAM_2.6.p.bin

Advice

Requirements

Before installing the 2.6 upgrade patch:
- Update CA Privileged Access Manager or Xsuite to at least release 2.5. In other words, do not install 2.6 directly over any Xsuite 2.4.4.9 or prior release without updating to CA Privileged Access Manager 2.5 first.
- Shut down your cluster (if applicable).
- Prepare for reboot consequences (for example, production downtime).

Upgrade instructions are provided in the Release Notes.

Release Documentation
- CA PAM 2.6 A2A Integration Guide (https://support.ca.com/phpdocs/7/9526/docs/CA-PAM-2.6_A2A_Integration_Guide_v1_GA.pdf) (PDF): This title informs developers for A2A customizations.
- CA PAM 2.6 Credential Management Implementation Guide (https://support.ca.com/phpdocs/7/9526/docs/CA-PAM-2.6_CM_Implementation_Guide_v1_GA.pdf) (PDF): This title covers all aspects of Credential Management.
- CA PAM 2.6 Implementation Guide (https://support.ca.com/phpdocs/7/9526/docs/CAPAM-26_ImplementationGuide-v2.pdf) (PDF): Outlines procedures for deployment, access, configuration, and provisioning tasks.
- CA PAM 2.6 New Features (https://support.ca.com/phpdocs/7/9526/docs/CA-PAM-2.6_New_Features_v1_GA.pdf) (PDF): This title describes, and outlines procedures, for all significant new capabilities from release 2.5.6.
- CA PAM 2.6 Peripheral Implementation Guide (https://support.ca.com/phpdocs/7/9526/docs/CA-PAM-2.6_Peripheral_Implementation_Guide_v1_GA.pdf) (PDF): This title covers all aspects of peripheral components: A2A, Windows Proxies, and Socket Filter Agents (SFAs) software.
- CA PAM 2.6 Planning Guide (https://support.ca.com/phpdocs/7/9526/docs/CA-PAM-2.6_PlanningGuide_v1_GA.pdf) (PDF): This title provides product implementation strategy, including planning, deployment, configuration, user monitoring, and auditing advice.
- CA PAM 2.6 Reference Guide (https://support.ca.com/phpdocs/7/9526/docs/CAPAM-26_ReferenceGuide-v2.pdf) (PDF): This title displays the interfaces and provides tabular information about their components.
- CA PAM 2.6 Release Notes (https://support.ca.com/phpdocs/7/9526/docs/CA-PAM-2.6_ReleaseNotes-v1_GA.pdf) (PDF): This title provides information about supported environments, new features, resolved issues, known issues, and upgrade procedures.
- CA PAM 2.6 Third-Party License Acknowledgments (https://support.ca.com/phpdocs/7/9526/docs/CA-PAM-2.6_TPLAs_v1_GA.pdf) (PDF): This title provides required legal notices for all non-CA components of CA PAM.
- Updated online help (HTML): Each 2.6 GUI page provides a context-sensitive pop-up from its Help button

Order: 2
Software Installer: Release 2.6.3 Patch (http://www.ca.com/us/support/ca-support-online/product-content/recommended-reading/technical-document-index/ca-privileged-access-manager-solutions-patches.aspx)

Description

This title provides the updates of Releases 2.1.1 through 2.6.2, and the following fixes:
- Luna SA coordination fixes
- Clustering improvements

2.6.3 Release Notes describes in more detail all changes from release 2.6. (GA 13 Sep 2016)

Filename: CAPAM_2.6.3.p.bin

Release 2.6.2 is no longer available. The updates of Release 2.6.2 included the following fixes:
- CA PAM Client authentication now includes SAML, RADIUS, RADIUS challenge/response, RSA, RSA+LDAP
- Service credentials pass-through enabled
- Identification of Client in Mac menu bar
- Terminal Customization: Buffer Size fixed
- Command filtering restored for Cisco Devices
- SSH Service failure corrected
- License signature verification restored
- AWS Access Key can now be changed
- CA PAM Client installer can now be launched on Windows 7 from IE download
- SFTP-SFTP Services capability restored
- Application re-keying supported for Services
- SSH connection activations now captured to session logs
- Web portal Services fixed
- SSH key can now be changed successfully using master account
- JAR file versioning improved
- SAML reauthentication restored for the password view feature
- CA PAM Client can now successfully connect using FQDN
- Large number of unique connection sockets now possible
- CA PAM Client can now be used on Red Hat EL 7
- Cluster member Virtual Management IP delegation corrected
- Certificate update no longer prevents autologin

Release 2.6.1 is no longer available. The updates of Release 2.6.1 included the following fixes:
- Security updates
- Cluster issue remediation
- Command filtering for PuTTY Telnet
- NFS share Security Safe setting restored
- Auto-login using embedded Service settings restored
- RADIUS password can contain a colon
- ExternalAPI available to a stopped cluster member
- Consistent visibility restored for session recordings
- FIPS security certificate update
- Re-authentication mechanism restored

Advice

Requirements

Before installing Release 2.6.3 maintenance patch:
- Update CA Privileged Access Manager or Xsuite to at least release 2.6. In other words, do not install 2.6.3 directly over any 2.5.x or any prior release without updating to 2.6 first.
- Shut down your cluster (if applicable).
- Prepare for reboot consequences (for example, production downtime).

Upgrade instructions are provided in the Release Notes.

Release Documentation
- 2.6.3 Release Notes (https://support.ca.com/phpdocs/7/9526/docs/CA-PAM-2.6.3_ReleaseNotes-v1.pdf)

Order: 3
Software Installer: 2.6 Increase Upgrade Size Patch (http://www.ca.com/us/support/ca-support-online/product-content/recommended-reading/technical-document-index/ca-privileged-access-manager-solutions-patches.aspx)

Description

Remedies an upload filesize limitation on the Upgrade page. Required before installing 2.7 Upgrade Patch. (GA 15 Sep 2016)

Filename: CAPAM_2.6_HF2_UpSize.p.zip

Advice

Before you install the 2.7 Upgrade, you must install this patch. If you try to upgrade to 2.7 from 2.6.x without this patch, you see the error message: “Problem uploading the upgrade package”. This message also appears in the session logs.

PREREQUISITES

This patch does not require a reboot, and does not require a cluster to be turned off.

INSTALLATION

1. Use the Upload button on the Config, Upgrade page.
2. Following completion of the upload, reload/re-navigate to the Upgrade page. Otherwise, you will (again) receive the upload error message after you attempt to upload 2.7 Upgrade Patch.

Order: 4
Software Installer: 2.7 Upgrade Patch (http://www.ca.com/us/support/ca-support-online/support-by-product/ca-privileged-access-management.aspx)

Description

This upgrade provides all updates from release 2.6.1 through 2.6.3, and the following new features:
- Device discovery improvement
- Target account discovery and SSH key discovery
- Integration with several service desk solutions
- SAML JIT User Group enhancements
- Improved security between appliance and SFA
- Update NVC applet
- Kerberos-PIV/CAC authentication
- Transparent login added to ExternalAPI
- FIPS 140-2 CMVP Certificate 1443 and Certificate 1747 encryption options available for stored credentials
- Documentation ported to the CA DocOps web platform

This release also resolves numerous issues. 2.7 Release Information provides a listing of resolved issues and an updated report of known issues. (GA 15 Sep 2016)

Filename: CAPAM_2.7.0.p.zip

Advice

PREREQUISITES

Before installing the release 2.7 upgrade, do the following:
- Confirm that you currently use release 2.6, 2.6.1, 2.6.2, or 2.6.3. Do not install 2.7 directly over any release before 2.6. Thus, if necessary, update Xsuite or CA Privileged Access Manager to at least release 2.6.
- Install 2.6 Increase Upgrade Size Patch. (See the patch line item immediately preceding this line.)
- Before updating, shut down your cluster (if applicable).
- Before updating, prepare for reboot consequences (for example, production downtime).

Release Documentation:
- CA PAM 2.7 documentation (https://docops.ca.com/display/CAPAM27/)

Releases 2.5 through 2.6


Refer to the table for information about required updates. Follow the recommended sequence below
to install the following patches from any release between 2.5 and the latest 2.5 patch release.

Order: 1
Software Installer: CA Privileged Access Manager 2.5 Upgrade Patch (ftp://ftp.ca.com/pub/CAPrivilegedAccessManagement/PAM/Releases/XS_2.5.0.p.zip)

Description

This patch provides all updates from MP 2.4.4.1 through MP 2.4.4.9, and the following new features:
- VMware NSX coordination
- SAML authentication support as IdP or SP
- TACACS+ authentication support
- Splunk coordination
- Interface updates addressing Section 508 requirements
- AWS API Proxy 2.1 support
- VMware NSX API 1.0 support
- More enhancements (see New Features and Release Notes)

This patch resolves numerous issues. CA PAM 2.5 Release Notes provides an updated report of known issues. (GA 21 Nov 2015)

Filename: XS_2.5.0.p.bin

Advice

Requirements

IMPORTANT You must:
- Install 2.4.4.x Certificate Linefeed Patch before installing this 2.5 upgrade. See Xsuite Releases Before 2.5.
- Re-sign JAR files immediately after this upgrade, as noted immediately below.

Re-sign JAR applet files for each CA PAM appliance before further use.

Follow these steps:

1. Navigate to Config > Security.
2. If your continuing or newly applicable certificate has not already been uploaded, then in the Upload Certificate or Private Key panel, load that certificate.
3. In the Sign Xsuite Applets panel, enter the Xsuite Domain, select the applicable certificate, and click Sign Applets with Certificate.

Upgrade instructions are provided in the Release Notes.

Release Documentation
- CA PAM 2.5 A2A Integration Guide (https://support.ca.com/phpdocs/7/9526/docs/CA-PAM-25_A2A_Integration_Guide-v2.pdf) (PDF): This title informs developers for A2A customizations.
- CA PAM 2.5 Credential Management Implementation Guide (https://support.ca.com/phpdocs/7/9526/docs/CA-PAM-25_CM_Implementation_Guide-v2.pdf) (PDF): This title covers all aspects of Credential Management.
- CA PAM 2.5 Implementation Guide (https://support.ca.com/phpdocs/7/9526/docs/CA-PAM-25_Implementation_Guide-v2.pdf) (PDF): Outlines procedures for deployment, access, configuration, and provisioning tasks.
- CA PAM 2.5 New Features (https://support.ca.com/phpdocs/7/9526/docs/CA-PAM-25_NewFeatures-v2.pdf) (PDF): This title describes, and outlines procedures, for all significant new capabilities from the release 2.4.4.
- CA PAM 2.5 Peripheral Implementation Guide (https://support.ca.com/phpdocs/7/9526/docs/CA-PAM-25_Peripheral_Implementaton_Guide-v2.pdf) (PDF): This title covers all aspects of peripheral components: A2A, Windows Proxies, and Socket Filter Agents (SFAs) software.
- CA PAM 2.5 Planning Guide (https://support.ca.com/phpdocs/7/9526/docs/CA-PAM-25_Planning_Guide-v2.pdf) (PDF): This title provides product implementation strategy, including planning, deployment, configuration, user monitoring, and auditing advice.
- CA PAM 2.5 Reference Guide (https://support.ca.com/phpdocs/7/9526/docs/CA-PAM-25_Reference_Guide-v2.pdf) (PDF): This title displays the interfaces and provides tabular information about their components.
- CA PAM 2.5 Release Notes (https://support.ca.com/phpdocs/7/9526/docs/CA-PAM-25_ReleaseNotes-v2.pdf) (PDF): This title provides information about supported environments, new features, resolved issues, known issues, and upgrade procedures.
- Updated online help (HTML): Each 2.5 GUI page provides a context-sensitive pop-up from its Help button

More supporting documentation:
- CA PAM Introduction (https://support.ca.com/phpdocs/7/9526/docs/CA-PAM-25_Introduction-v2.pdf) (PDF): This title describes in detail a simple deployment and use of CA PAM on a hardware appliance.
- Xsuite Hardware Model X304L Setup Guide (https://support.ca.com/phpdocs/7/9526/docs/Xsuite_HardwareModelX304LSetupGuide-v3.pdf) (v3) (PDF): This title describes hardware shipment contents, appliance racking, connection, and LCD setup.

Order: 2
Software Installer: Release 2.5.6 Patch (ftp://ftp.ca.com/pub/CAPrivilegedAccessManagement/PAM/Patches/XS_2.5.6.p.zip)

Description

This patch provides the updates of release 2.5.5, and the following fixes:
- Signing JAR files with long URL now permitted
- Cluster members release-level checks implemented
- Daily reports now sending emails
- LDAP no longer updates from duplicate records for same Devices
- Certificate linefeed issue: Remediation 3
- Juniper access remediation

2.5.6 Release Notes describes in more detail all changes from release 2.5. (GA 1 Apr 2016)

Filename: XS_2.5.6.p.bin

Included Releases

Release 2.5.5 was a limited availability patch and has not been published. The updates of Release 2.5.5 included the following fix:
- FIPS-mode encryption to SFAs

Release 2.5.4 is no longer available. The updates of Release 2.5.4 included the following fixes:
- Certificate linefeed fix
- User no longer disabled following autoconnection attempt using checked-out credentials
- Xceedium LDAP Browser fix
- Browser management improvements
- Unresponsive Device and User listings fixed

Release 2.5.3 was a limited availability patch and has not been published. The updates of Release 2.5.3 included the following fixes:
- Device listing performance improvements
- Dual authorization expiration fix

Release 2.5.2 is no longer available. The updates of Release 2.5.2 included the following fixes:
- AWS cluster no longer requires EIP addressing
- Multiple access credentials permitted for the AWS Management Console portal
- CRL Options panel updated
- Resolution of several more issues

Release 2.5.1 is no longer available. The updates of Release 2.5.1 included the following fixes:
- OpenSSL upgrade to 1.0.1q
- Resolution of a GUI issue

Advice

Requirements

Before installing the 2.5.6 maintenance patch:
- Update Xsuite to at least release 2.5. In other words, do not install 2.5.6 directly over any Xsuite 2.4.x.y or prior release without updating to 2.5 first.
- Shut down your cluster (if applicable).
- Prepare for reboot consequences (for example, production downtime).

Upgrade instructions are provided in the Release Notes.

Release Documentation
- 2.5.6 Release Notes (https://support.ca.com/phpdocs/7/9526/docs/CA-PAM-256_ReleaseNotes-v1.pdf)

Xsuite Releases Before 2.5


Refer to the table for information about required updates. Follow the recommended sequence below
to install from a release earlier than Xsuite 2.4.4.9.

Installation Order: 1
Software Installer: Xsuite Maintenance Patch 2.4.4.9 (ftp://ftp.ca.com/pub/CAPrivilegedAccessManagement/PAM/Patches/XS_2.4.4.9.p.zip)

Description

This patch provides the updates of all earlier 2.4.4.x patches, and adds the following fixes:
- New log detail for AD connection failure
- Scheduled Password Update in clustered LDAP deployments
- Improved Filter for re-running Scheduled Jobs
- License settings corrected in the sysinfo text file
- Reset catalina.out logging levels
- SafeNet HSM integration update
- Clustering improvements
    - Restoration of the last-deactivated CM database
    - Improved Device list load time for VMware imports
    - Logged timeouts for Scheduled Jobs
    - Scheduled Jobs run only for an active database
    - LDAP connector timeouts
    - Windows connector timeouts
    - View cluster log entries from Synchronization page
    - Credential Management cluster metrics in session logs
    - AWS instance and VMware VM constraints removed
    - Error message improvements
- Cluster message that is removed from non-cluster logs
- Vulnerability mitigations
    - Port scan settings and advice improvement
    - Host header attack vulnerability mitigated

(GA beginning 9 Oct 2015)

Filename: XS_2.4.4.9.p.bin

Included Releases

Release 2.4.4.8 was a limited availability patch and has not been published. The updates of Release 2.4.4.8 included the following change:
- VNC Access Method applet and Embedded VNC removed

Release 2.4.4.7 was a limited availability patch and has not been published. The updates of Release 2.4.4.7 included the following change:
- NLA can be bypassed for PIV use

Release 2.4.4.6 is no longer available. The updates of Release 2.4.4.6 included the following fixes:
- Vulnerability mitigations [CVE-2015-4666, CVE-2015-4668]
- Apostrophe in Username prevented password view
- Cluster stability affected by long-running scheduled jobs
- Learn Mode failure corrected for cluster configurations using external loadbalancer
- Tomcat log level setting

Release 2.4.4.5 is no longer available. The updates of Release 2.4.4.5 included the following fixes:
- OpenSSL upgraded to 1.0.1p [CVE-2015-1793]
- SQL injection security vulnerability remediated [CVE-2015-4664]
- Incoming connection load balancing improvements made for clustered Xsuite
- Cluster database synchronization improvements
- Ability that is provided to create PKI/CAC Users through ExternalAPI
- Xceedium Browser now updated for client workstations using IE 8 to access Xsuite

Release 2.4.4.3 was an internal release, and was not provided to customers. No additional fixes were provided.

Release 2.4.4.2 is no longer available. The updates of Release 2.4.4.2 included the following fixes:
- Support provided for Oracle Directory Server when Devices are members of more than one group
- Synchronization page was occasionally inaccessible and prevented cluster shut down
- Display is now wiped following timeout or termination
- Vulnerability mitigations.

Release 2.4.4.1 is no longer available. The updates of Release 2.4.4.1 included the following fixes:
- Smart card access using Windows Server 2008 R2 and 2012 R2 permitted
- Secondary Transparent Login policy ‘Enable’ button activated
- Xsuite VM Devices can now be deployed with any number of network interfaces
- Juniper login failure after time out

Advice

Requirements

IMPORTANT If you are currently at release 2.4.4.6: A possible cluster recovery instability condition requires you to install this 2.4.4.9 patch update immediately.

This patch does not require any previous 2.4.4.x patches. An automatic reboot occurs during update.

Upgrade instructions are provided in the Release Notes.

Release Documentation
- 2.4.4.9 Release Notes (https://support.ca.com/phpdocs/7/9526/docs/Xsuite-MP-2449_ReleaseNotes-v1.pdf)

Installation Order: 2
Software Installer: 2.4.4.x Certificate Linefeed Patch (ftp://ftp.ca.com/pub/CAPrivilegedAccessManagement/PAM/Patches/XS_CERT_CLEANUP.p.zip)

Description

This patch fixes all uploaded certificate chain files that are missing line feeds between certificate blocks. (GA 23 Feb 2016)

NOTE This patch does not correct the algorithm; the algorithm fix is instead provided in release 2.5.4. This patch corrects only the existing certificate files.

Filename: XS_CERT_CLEANUP.p.bin

Advice

Requirements

IMPORTANT You must install this patch before release 2.5.

Minimum current level: Xsuite 2.4.4
Maximum current level: 2.4.4.9

You do not need to shut down a cluster. No reboot is forced or required.

Upgrade instructions are provided in the Release Notes.

Release Documentation
- 2.4.4.x Certificate Linefeed Patch Release Notes (https://support.ca.com/phpdocs/7/9526/docs/CA-PAM-244x-CertLinefeedPatch_ReleaseNotes-v1.pdf)
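The defect named in the 2.4.4.x Certificate Linefeed Patch description, a chain file with no line feed between one certificate block's END marker and the next block's BEGIN marker, can be checked for and repaired offline before a chain file is uploaded. The following is an added example, not CA's patch code; the function names and the sample chain are assumptions constructed for illustration, and the line-oriented parser stands in for any reader that expects each marker on its own line.

```python
"""Audit and repair PEM chain files whose certificate blocks run together."""
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# END immediately followed by BEGIN (only spaces or tabs between, no line feed).
_FUSED = re.compile(re.escape(END) + r"[ \t]*" + re.escape(BEGIN))


def find_fused_boundaries(pem_text):
    """Return the 1-based line numbers on which two blocks share a line."""
    text = pem_text.replace("\r\n", "\n")
    return [text.count("\n", 0, m.start()) + 1 for m in _FUSED.finditer(text)]


def parse_strict(pem_text):
    """Line-oriented parse in which every marker must stand alone on its line.

    Returns (blocks, malformed_lines); each block is the list of its body lines.
    """
    blocks, malformed, current = [], [], None
    lines = pem_text.replace("\r\n", "\n").split("\n")
    for number, raw in enumerate(lines, 1):
        line = raw.strip()
        if line == BEGIN:
            if current is not None:
                malformed.append(number)   # BEGIN inside a block that is still open
            current = []
        elif line == END:
            if current is None:
                malformed.append(number)   # END with no matching BEGIN
            else:
                blocks.append(current)
                current = None
        elif BEGIN in line or END in line:
            malformed.append(number)       # marker shares its line with other text
        elif current is not None and line:
            current.append(line)
    if current is not None:
        malformed.append(len(lines))       # file ended inside a block
    return blocks, malformed


def repair(pem_text):
    """Insert the missing line feed at every fused END/BEGIN boundary."""
    text = pem_text.replace("\r\n", "\n")
    fixed = _FUSED.sub(END + "\n" + BEGIN, text)
    return fixed if fixed.endswith("\n") else fixed + "\n"


# Constructed sample: three blocks with placeholder bodies (not real certificates).
# The first boundary has no line feed after END; the second boundary is correct.
SAMPLE_CHAIN = (
    BEGIN + "\nQ09OU1RSVUNURUQtTEVBRg==\n" + END
    + BEGIN + "\nQ09OU1RSVUNURUQtSU5URVI=\n" + END + "\n"
    + BEGIN + "\nQ09OU1RSVUNURUQtUk9PVA==\n" + END + "\n"
)

if __name__ == "__main__":
    blocks, malformed = parse_strict(SAMPLE_CHAIN)
    print("fused boundaries at lines:", find_fused_boundaries(SAMPLE_CHAIN))
    print("before repair:", len(blocks), "blocks, malformed lines", malformed)
    blocks, malformed = parse_strict(repair(SAMPLE_CHAIN))
    print("after repair: ", len(blocks), "blocks, malformed lines", malformed)
```

On the constructed sample, the strict parse sees two blocks instead of three before the repair, because the second certificate's body is absorbed into the first block.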


Upgrade Prerequisites
Review and perform these steps before upgrade:

Important! Remove Embedded VNC from Devices: You must remove all currently attached
Embedded VNC Access Methods from all Device records.

Otherwise, during upgrade an error will occur that requires you to restore from a prior
backup. In that case, when you log back in, you will receive a (yellow) error message at the top
of the dashboard page explaining where to find detailed information in the session logs. If
you do not have backups, you will not be able to successfully upgrade.

If you currently use Embedded VNC, follow these steps:

1. Remove Embedded VNC from the Access Methods panel of all Device records that
use it before upgrading to release 2.7.

2. Create backups for recovery in the unlikely, but catastrophic, case that Embedded
VNC remains in use on some Device:

Hardware appliances: Prepare database and configuration backups.

VMware VM appliances: Create a VM snapshot of the appliance.

AWS AMI instance appliances: Prepare database and configuration backups.

3. When upgrading, do not use CA PAM Client.

To easily locate the applicable records, you may want to export your Device
records (Manage Devices, Import/Export Devices, Export Devices button) and
search for "Embedded" in the spreadsheet.

Please also see the recovery procedures provided in Release Information: Known Issues
(https://docops.ca.com/display/CAPAM28/Known+Issues): Existing Devices that use Embedded
VNC cause upgrade failure.

Upgrade paths: The only valid paths for upgrading to Release 2.8 are to upgrade from the CA
Privileged Access Manager versions, patches, and hotfixes that are specified in Releases 2.7
Through 2.8.


VM upgrade preparation: Take a snapshot of the VM before upgrading a CA Privileged Access
Manager VMware VM. This precaution ensures that you have a backup in case it is later needed.
CA Privileged Access Manager typically creates a backup automatically as a first step when
upgrading a hardware appliance. However, this step is not performed during a CA Privileged
Access Manager VM upgrade because a VM does not have a secondary drive.

Keep your browser open: Ensure that the upgrade applies properly by keeping the Web browser
open at least until you see the reboot message. This prerequisite applies to any patch (upgrade,
hotfix, security patch, or other software) that requires or automatically includes a reboot.

Note:

If the reboot message still appears after 5 minutes, close your browser, reopen it, and
then navigate once again to the login page.
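
The Embedded VNC prerequisite above suggests exporting Device records and searching the spreadsheet for "Embedded". The script below is an added example, not CA's code, that runs that search over the export saved as CSV and exits non-zero when any record still matches. The column names and sample rows are constructed, and treating the first column as the device identifier is an assumption.

```python
import csv
import io
import sys

MARKER = "embedded"  # the page's search term, matched case-insensitively

# Constructed sample: the real export's column names and layout may differ.
SAMPLE_EXPORT = """\
Device Name,Address,Access Methods
web01,10.0.0.11,SSH
kvm-lab,10.0.0.20,"RDP; Embedded VNC"
db02,10.0.0.30,"SSH; Telnet"
jump03,10.0.0.40,embedded vnc
"""


def find_embedded(csv_text):
    """Return (line_number, device_label, column, value) for each matching cell."""
    hits = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for row in reader:
        # Assumption: the first column identifies the device.
        label = next(iter(row.values()), "") or ""
        for column, value in row.items():
            # Short or over-long rows yield None or list values; scan text cells only.
            if isinstance(value, str) and MARKER in value.lower():
                hits.append((reader.line_num, label, column, value.strip()))
    return hits


def safe_to_upgrade(csv_text):
    """True only when no Device record mentions the marker in any column."""
    return not find_embedded(csv_text)


if __name__ == "__main__":
    # Usage: python check_embedded_vnc.py exported_devices.csv
    if len(sys.argv) > 1:
        with open(sys.argv[1], newline="", encoding="utf-8-sig") as handle:
            text = handle.read()
    else:
        text = SAMPLE_EXPORT
    findings = find_embedded(text)
    for line_number, label, column, value in findings:
        print(f"line {line_number}: {label!r} has {value!r} in column {column!r}")
    sys.exit(1 if findings else 0)
```

Run it again after editing the Device records and proceed only when it reports nothing; a clean result does not replace the backups or snapshot the procedure calls for.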


Upgrade Considerations

Automated Backup
When upgrading a physical appliance, CA Privileged Access Manager copies the primary drive data
(including database and configuration files) onto its backup drive before applying the update. If there
is any issue with the upgrade, you can restore your appliance to its preupgrade state from the backup
drive.

Lengthy Installation
The upgrade installation process might take some time to complete because it backs up your
previous firmware, configuration, and provisioning database. Do not interrupt it.


Single-Appliance Software Upgrade


Follow these instructions to perform a software upgrade of a single CA Privileged Access Manager
appliance. Confirm that all prerequisites have been met as specified in Update Paths (see page 6).
When you are ready to upgrade, follow these steps:

1. If this appliance is a member of a synchronized cluster and you have not yet reviewed the
cluster procedure, do so at Cluster Software Upgrade (see page 30).

2. Log in as user "config", or as another account with an Access role of Configuration Manager or
the equivalent privileges (such as "super").

3. If your installation uses NFS or CIFS mount to store session recordings, ensure that the mount
is up:

a. Navigate (if needed) to the Config, Logs page.

b. In NFS/CIFS Settings, confirm that Mount Status states "mounted".

4. Navigate to Global Settings, and confirm that your Login Timeout is greater than the default of
10 minutes. The file upload can sometimes take longer than 10 minutes. To perform this
upgrade procedure, CA Technologies recommends a timeout setting of at least 30 minutes.

5. Navigate to Config, Upgrade. The Upgrade page is displayed showing the currently installed
firmware version.

6. Confirm that the header of the top panel shows a firmware version that supports upgrading to
the current release. Refer to Update Paths.

7. In the Upgrade History panel, confirm that your currently installed upgrades include all
necessary patches to enable upgrade to the current release. Refer to Update Paths.

8. Browse to the drive location of the upgrade package, select it, and then click Upload to copy it
to the CA Privileged Access Manager storage.
Depending on capacity of your connection, this process might take several minutes. You might
not continuously receive GUI or browser feedback. After the upload completes, you are
presented with the Upgrade Confirmation screen.

Important:

The upgrade installation process might take several minutes to complete because it
first backs up your previous firmware, configuration, and provisioning database.

Keep your browser open at least until you see a reboot message.

Do not interrupt the upgrade process.

9. Click Proceed to start the upgrade process.



During the early part of the upgrade process, the following message is displayed:

Upgrade

Upgrade of the appliance takes time. Please be patient and wait until it reboots.
The LCD will show the message "System Upgrade! Please wait!"

Wait until the normal operation message shows on the LCD then log in again and resume work in your browser.

Remember to keep your browser open.


The upgrade proceeds. The CA Privileged Access Manager appliance automatically reboots
after the upgrade is complete. Both the GUI and the LCD display show messages when the
reboot occurs. (You might also briefly see a blank Upgrade page.) These might appear for
several minutes as the process continues.
After the appliance reboots, the appliance login screen is displayed on your browser.

Note:

If the rebooting message still appears on the GUI after 5 minutes, continue to the
next step.

10. After the automatic reboot completes, but before you log in again:

a. For each browser you use to access CA Privileged Access Manager, clear its cache, and
close it.

b. Clear your Java cache in the Java JRE.

c. Restart your browser.

These instructions are applicable to every CA Privileged Access Manager client that connects
to the appliance. Communicate them to both administrators and end users.

11. Log in as "super" or other account that allows both administrative access to session
recordings and configuration access.
If your upgrade completed successfully, either the CA Privileged Access Manager dashboard or
the Access page is displayed. If the dashboard is displayed, navigate to the Access page.
You see the new version at the left of the upper-right menu.

12. After navigating to the Access page, you might see the following message:


The Access page failed to load. Please verify that Java is installed and is enabled in
your browser, and that the Next-generation Java Plug-in is enabled. If so, then the
download of the CA Privileged Access Manager Java applet might be taking too
long. Please try again. If the problem persists, please contact your CA Privileged
Access Manager administrator.

If you see this message, reset Java:

a. Log out of CA Privileged Access Manager.

b. Clear the Java cache.

c. Log in to CA Privileged Access Manager.

13. Confirm that the upgrade software has been successfully applied:

a. Navigate to Config, Upgrade page, and confirm that:

The Upgrade History panel at the bottom of the screen shows the file name that
you uploaded in Step 8, with the current time and date.

The correct release number is shown in the heading of the Upgrade Firmware
panel.

The correct release number is shown at the top of the page.

b. Navigate to the Sessions, Logs page, and confirm that there are entries for the
successful upgrade and reboot of the appliance.

14. The upgrade resets your Credential Manager dashboard settings and your Credential Manager
preference settings. To reapply your settings:

a. Select Policy, Manage Passwords.

b. From the new tab/window menu bar, select Settings, UI Settings.

c. Use the Default Preferences tab to reapply your preferences.

d. Use the Dashboard tab to reapply your dashboard settings.

15. If you use the AWS API Proxy, reconfigure your setup as follows:

a. Select Policy, Manage Passwords to display the Credential Manager GUI. From the
Credential Manager GUI:

i. Select A2A, Mappings to display the Authorization Mapping web page.

ii. Double-click the ID of the target alias that is named AWS API Proxy Access
Accounts to display the Authorization Details panel for that group mapping.


iii. From the Authorization Details screen for AWS API Proxy Access Accounts,
ensure that the following checkbox is selected: Check Execution User ID. Ensure
that the following checkboxes are unselected: Check Execution Path, and Check
File Path.

iv. Click Save.

b. Return to CA Privileged Access Manager main GUI page and select Policy, Manage
Policies. From the resulting web page, delete all the password view options between
the xceedium.aws.amazon.com and the AWS API proxy users.

c. Return to the Credential Manager GUI. From the Credential Manager GUI:

i. Select Targets, Accounts to display the Account List web page.

ii. Delete all target accounts belonging to the target application AWS API Proxy
Access Accounts.

d. From the Credential Manager GUI:

i. Select Groups, User Groups to display the User Groups List web page.

ii. Click Add and create a group as follows:

Name: AWS Proxy Accessors

Description: Promote or demote users to be able to add or delete Proxy target accounts

Role: TargetAdmin

Target Group: AWS API Proxy Access Accounts

iii. Click Save.

As each API user signs in, they have a dropdown that lets them view a password to use the API
proxy. Once they view the password, the account is created. The account can then be reused.

16. If this appliance is a cluster member:

a. If this is not the final member of the cluster to upgrade, repeat steps 2 through 12 of
the previous procedure for the remaining cluster members.

b. If this is the final cluster member, return now to the cluster instructions, continuing
with Step 4.


Cluster Software Upgrade


To upgrade the firmware for a synchronized cluster to the current release, do the following steps.

1. For each appliance in the cluster:

a. Confirm that all appliances are running the same CA Privileged Access Manager release
and all appliances have the same patch (Upgrade History) set.

b. Confirm that the CA Privileged Access Manager release and patch set currently running
on all your appliances support upgrade to the latest release. Refer to CA Privileged
Access Manager Update Paths.

c. If the appliances in the cluster are running a mixture of releases or patch sets, contact
CA Technologies CA Privileged Access Manager Support for instructions and software
as required. Upgrade each applicable appliance to the same release and patch set that
supports upgrade to the latest release.

d. If the appliances in the cluster are running the same release and patch set, but it does
not support upgrade to the latest release, contact CA Technologies CA Privileged
Access Manager Support for instructions and software as required. Upgrade each
applicable appliance to the same release and patch set that supports upgrade to the
latest release.

2. If synchronization is active, turn it off. At any of the cluster members:

a. Log in as an administrator with configuration privileges (using, for example, "config" or
"super").

b. Navigate to Config, Synchronization.

c. Near the lower-right corner of the Distributed Synchronization panel, click the Turn
Cluster Off button, and wait until Status (at panel bottom) indicates that
Synchronization is now off.

3. For each cluster member, perform an upgrade as described in Single-Appliance Software
Upgrade (see page 26).

4. When each cluster member has been upgraded, go to your Primary cluster member, and
navigate to Config, Synchronization.

a. Turn synchronization back on by clicking the Turn Cluster On button. Wait
approximately 5 minutes until Status indicates that Synchronization is now on.

b. Verify that you have all positive (green) indicators ("ON", "Database is synchronized",
and checkmark under "Active") showing at the bottom of your Synchronization page.


Upgrade a Socket Filter Agent (SFA)


This content describes how to upgrade a Socket Filter Agent.

Upgrade a Linux or UNIX Socket Filter Agent


Use this procedure to upgrade your Linux or UNIX Socket Filter Agent.

Follow these steps:

1. Access the CA Technologies CA Privileged Access Manager support website at:
https://support.xceedium.com. Download the latest Linux or UNIX SFA installer.

2. Access the computer with the Linux or UNIX SFA to be upgraded. Ensure that the Linux or
UNIX SFA is operating.

3. Run the latest Linux or UNIX SFA installer. If you have a pre-existing SFA, the installer updates
all files as required. The installer automatically stops the required daemons before the
upgrade and restarts them after the upgrade.

Upgrade a Windows Socket Filter Agent


Use this procedure to upgrade your Windows Socket Filter Agent (SFA).

Follow these steps:

1. Access the CA Technologies CA Privileged Access Manager support website at:
https://support.xceedium.com. Download the latest Windows SFA installer.

2. Access the computer with the Windows SFA to be upgraded. Ensure that the Windows SFA is
operating.

3. Access the Windows Services console and stop the Xceedium Socket Filter service.

4. Uninstall the old Windows SFA.

5. Run the latest Windows SFA installer to install a new SFA.

6. Restart the Xceedium Socket Filter service.
