docs.cyberark.com
Open in
urlscan Pro
23.100.50.156
Public Scan
Submitted URL: http://go.cyberark.com/MzE2LUNaUC0yNzUAAAGGSLng5fjvQ3sGa2cqfImH75Z3B8CR6K-YLh5KNZpyovGf8PMuXrti1NTMaWcv6GiunUk0sGk=
Effective URL: https://docs.cyberark.com/Product-Doc/OnlineHelp/PrivCloud/Latest/en/Content/Privilege%20Cloud/PrivCloud-upgrade-connector...
Submission: On August 17 via api from SG — Scanned from DE
Effective URL: https://docs.cyberark.com/Product-Doc/OnlineHelp/PrivCloud/Latest/en/Content/Privilege%20Cloud/PrivCloud-upgrade-connector...
Submission: On August 17 via api from SG — Scanned from DE
Form analysis
2 forms found in the DOM#
<form class="search" action="#">
<div class="search-bar search-bar-container needs-pie">
<input class="search-field needs-pie" type="search" aria-label="Search Field" placeholder="Search">
<div class="search-filter-wrapper"><span class="invisible-label" id="search-filters-label">Filter: </span>
<div class="search-filter" aria-haspopup="true" aria-controls="sf-content" aria-expanded="false" aria-label="Search Filter" title="All" role="button" tabindex="0">
</div>
<div class="search-filter-content" id="sf-content">
<ul>
<li>
<button class="mc-dropdown-item" aria-labelledby="search-filters-label filterSelectorLabel-00001"><span id="filterSelectorLabel-00001">All</span>
</button>
</li>
</ul>
</div>
</div>
<div class="search-submit-wrapper" dir="ltr">
<div class="search-submit" title="Search" role="button" tabindex="0"><span class="invisible-label">Submit Search</span>
</div>
</div>
</div>
</form>
<form autocomplete="off" id="searchForm" class="su__search-forms su__m-0">
<div class="su__form-block su__w-100 su__position-relative">
<div class="su__radius-2 su__d-flex su__position-relative"><input autofocus="false" id="search-box-autocomplete" class="su__input-search su__w-100 su__su__font-14 su__text-black su__p-3 su__border-none su__radius-2 su__pr-60" type="input"
placeholder="Search the docs"><button type="button" class="su__btn su__search_btn su__animate-zoom su__flex-vcenter su__position-absolute su__zindex su__bg-transparent su__rtlleft"><svg width="24" height="24" viewBox="0 0 24 24">
<path
d="M15.5 14h-.79l-.28-.27C15.41 12.59 16 11.11 16 9.5 16 5.91 13.09 3 9.5 3S3 5.91 3 9.5 5.91 16 9.5 16c1.61 0 3.09-.59 4.23-1.57l.27.28v.79l5 4.99L20.49 19l-4.99-5zm-6 0C7.01 14 5 11.99 5 9.5S7.01 5 9.5 5 14 7.01 14 9.5 11.99 14 9.5 14z"
fill="#333"></path>
</svg></button></div>
</div>
</form>
Text Content
Table of Contents * Get Started * Setup * Setup * Prepare for deployment * Deploy and maintain Privilege Cloud connectors * Configure authentication methods * Add and manage users * Connect to SIEM * Integrate with other CyberArk products and services * Upgrade Privilege Cloud connectors * Upgrade Privilege Cloud connectors * Upgrade the Privilege Cloud Connector * Upgrade the Secure Tunnel * Upgrade PSM for SSH (Unix connector) * Administrators * End Users * Developers * Videos Skip To Main Content Account Settings -------------------------------------------------------------------------------- Logout Privilege CloudStandardVersion 12.6 Account Settings -------------------------------------------------------------------------------- Logout Filter: * All Submit Search * * Our Products * Privileged Access Manager - Self-Hosted * Secrets Manager * Credential Providers * Conjur Enterprise * CyberArk Identity * Endpoint Privilege Manager * Privilege Cloud * Dynamic Privileged Access * CyberArk Remote Access * Cloud Entitlements Manager * Shared Services * Identity Administration * Identity Security Intelligence * Audit * Docs portal * * English * Japanese Home > Setup > Upgrade Privilege Cloud connectors > Upgrade the Privilege Cloud Connector Previous Next * Get Started» * Setup» * Administrators» * End Users» * Developers» * Videos» * Get Started Get Started * Setup Setup * Prepare for deployment Prepare for deployment * Deploy and maintain Privilege Cloud connectors Deploy and maintain Privilege Cloud connectors * Configure authentication methods Configure authentication methods * Add and manage users Add and manage users * Connect to SIEM * Integrate with other CyberArk products and services Integrate with other CyberArk products and services * Upgrade Privilege Cloud connectors Upgrade Privilege Cloud connectors * Upgrade the Privilege Cloud Connector * Upgrade the Secure Tunnel * Upgrade PSM for SSH (Unix connector) * Administrators * End Users * Developers * Videos UPGRADE THE PRIVILEGE CLOUD CONNECTOR IN THIS TOPIC * Upgrade the Privilege Cloud Connector * Overview * Connector version dependencies * Upgrade steps * Step 1: Before you begin * Step 2: Upgrade the CPM component * Step 3: Upgrade the PSM component * Step 4: Deploy the updated GPO hardening package * Step 4: Manually add CPM and PSM hardening settings * Step 5: Verify the Connector upgrade is completed successfully * Review installation logs * Verify PSM connectors are operating properly This topic describes how to upgrade the Privilege Cloud Connector from any legacy version to the latest version by upgrading both the CPM and PSM components on your Connector server. Make sure to review the Privilege Cloud Connector end of support dates to help determine when to upgrade your Connector . OVERVIEWCOPY BOOKMARK The Connector upgrade applies to the following: * CPM and PSM components. The Privilege Cloud Connector hosts two components: Central Policy Manager (CPM) and Privileged Session Manager (PSM). Each component has a separate procedure for upgrade. If you have multiple Connectors, you need to perform the upgrade on each one of them. * GPO hardening. The Connector machine is secured by the CPM and PSM hardening settings, which are updated from time to time. If you have applied customized settings of your own these will be overridden by the new GPO hardening (step 4). You can choose to perform the hardening in one of the following ways: * Record your customized hardening settings, complete the hardening process, and reapply your settings. * Retain your current GPO settings. Run the upgrade process up to step 4, do not apply the automatic GPO hardening update, and manually add the new GPO hardening settings that have been added in this upgrade to your legacy GPO settings. CONNECTOR VERSION DEPENDENCIESCOPY BOOKMARK Check your current installed version, as instructed in Step 1: Before you begin, below. When upgrading from v12.1.7 and up: * In the PSM upgrade step, do not perform the steps related to the PSMConfigureApplocker.xml file as they do not apply to these versions. When upgrading from versions prior to v12.1.7: * In the PSM upgrade step, perform the steps related to the PSMConfigureApplocker.xml file. For details about the version files and builds, see Release notes Make sure to review the Privilege Cloud Connector end of support dates to help determine when to upgrade your Connector . UPGRADE STEPSCOPY BOOKMARK On each Connector machine, perform the procedures in the following order: Step 1: Before you begin Step 2: Upgrade the CPM component Step 3: Upgrade the PSM component Step 4: Deploy the updated GPO hardening package -or- Step 4: Manually add CPM and PSM hardening settings Step 5: Verify the Connector upgrade is completed successfully Upgrading the CPM and PSM components requires downtime (typically a few minutes). We recommend performing the upgrade at a time that will have the least impact on your operations. STEP 1: BEFORE YOU BEGINCOPY BOOKMARK Before you begin the upgrade, do the following: 1. Check your current CPM and PSM versions before you proceed with the upgrade: 1. On the Connector, press Windows + R keys simultaneously to launch the Run box. 2. In the Run box, enter appwiz.cpl, and click OK. 3. On the Programs and Features page, select CyberArk Privilege Session Manager>CyberArk Central Policy Manager. The versions are displayed. 2. Check .NET Framework 4.8 is installed on the Connector. For any Connector versions previous to 12.1 you will need to install .NET Framework 4.8. 3. Check the CPM component mode: The procedure for upgrading an active CPM component differs slightly from the procedure for a passive (DR mode) CPM component. To determine the mode of the CPM component, check if the service is running or not. If the service is not running, this means the CPM is in DR mode. 4. Prepare credentials: Make sure that you have both the Privilege Cloud admin credentials and the admin credentials for the local machine on which the Connectors are deployed. 5. Prepare the Privilege Cloud Connector machine: 1. Take a snapshot of the Connector machine before upgrading. 2. Download the latest Privilege Cloud software package: * From the CyberArk Marketplace, from the CyberArk Software area -Or- * If instructed by CyberArk Support, from the CyberArk Privilege Cloud Support vault (expand folders to CyberArk Privilege Cloud\v12.6\Latest or similar folder) and download the following (file names displayed below are the latest available versions): * Privileged Session Manager-Rls-12.6.zip * Central Policy Manager-RI12.6.zip * Privilege Cloud Connector PSM Hardening GPO-v01.zip * Privilege Cloud Connector CPM Hardening GPO-v01.zip * PSMConfigureAppLocker-Update Rls-12.6.zip * PSM Hardening GPO.txt and CPM Hardening GPO.txt readme files These file names may indicate a later version that is recently released. The installation files for your relevant version are made available to you in the CyberArk Support vault. If you do not see a folder called “CyberArk Privilege Cloud”, contact your CyberArk support representative and request access to Privilege Cloud software folder. 3. Check the properties of the zip files (Properties>General, Security field) to verify the file is not blocked. If blocked, select the Unblock checkbox. Or, in the folder storing the CyberArk files, run the PowerShell command: dir -r | Unblock-File 4. Extract the CPM and PSM component zip packages and save the content under a short path with no spaces in the folder names. For example: D:\Install_pkg\CPM12_6 5. Save PSMConfigureAppLocker-Update Rls-12.6.zip (or your specific version) to a short path with no spaces, to be used in the PSM upgrade process below. 6. Copy the CPM and PSM GPO Hardening packages to the domain server and extract the zip packages. 6. Stop the following services: * PSM: Cyber-Ark Privileged Session Manager * CPM: CybeArk Password Manager * Scanner: CyberArk Central Policy Manager Scanner STEP 2: UPGRADE THE CPM COMPONENTCOPY BOOKMARK The CPM upgrade process upgrades both the CPM and the Scanner. The procedure for upgrading an active CPM as opposed to a passive CPM (DR mode) is slightly different. Make sure to follow the instructions accordingly. To upgrade the CPM component: 1. Open the CPM installation package you created in Prepare the Privilege Cloud Connector machine:. Make sure the location of the upgrade files on the Connector machine does not contain any spaces in the full path and folder name. 2. In the CPM\InstallationAutomation\Installation folder, locate and open the InstallationConfig.xml file. 3. In the InstallationConfig.xml file, specify the following parameters, and make sure that you set the isUpgrade parameter to True. Parameter Description Username The name of the local admin Windows user running the installation or a domain user that has local admin rights on the machine. You do not need to include the domain. The user must have local admin rights on the machine in order to complete the process successfully. Valid values: Username Default value: Local admin Windows user Company The name of the company running the installation. Use only alpha-numeric characters and spaces. Do not include special characters in the company name. Valid values: Company name Default value: My Company CPMInstallDirectory The path where CPM is installed. Valid values: Pathname Default value: C:\Program Files (x86)\CyberArk\ isUpgrade Whether this is a CPM upgrade or a new CPM installation. Set this parameter to True. Valid values: True/False Default value: False 4. In a PowerShell window, run the CPMInstallation.ps1 script as Administrator. Consider your next steps according to your CPM component mode, if active or passive. See Check the CPM component mode:. If you are upgrading an active CPM, continue to the next step. If you are upgrading a passive CPM (DR mode), skip the next steps, and continue all steps in this phase directly from step 8, Running the CPM hardening. 5. In the CPM\InstallationAutomation\Registration folder, locate and open the CPMRegisterComponentConfig.xml file. 6. In the CPMRegisterComponentConfig.xml file, specify the following parameters, and make sure that you set the isUpgrade parameter to True. Parameter Description accepteula Acceptance of the end user License agreement. Valid values: Yes/No vaultIP The IP address or hostname of the Vault server, provided to you by CyberArk support. You can find it in the following file: C:\Program Files (x86)\CyberArk\Password Manager\Vault\vault.ini Valid values: IP address or hostname vaultuser The name of the Privilege Cloud admin user performing the installation. Valid values: Username username The CPM app user name that you defined during the installation process. You can find it in the following file: C:\Program Files (x86)\CyberArk\Password Manager\Vault\user.ini Default value: PasswordManager Note: If you have multiple CPMs, each CPM will have a different app user name. For example, PasswordManager, PasswordManager1, PasswordManager2, and so on. Make sure to use the app user name that is relevant to the specific CPM. isUpgrade Indicates whether the registration is for a clean installation or an upgrade. Set this parameter to True. Valid values: True\False Default value: False 7. In a PowerShell window, run the CPMRegisterComponent.ps1 script as Administrator, and, when prompted, provide the Privilege Cloud admin password: Copy to clipboardCD “<installation package Path>InstallationAutomation\Registration” .\CPMRegisterComponent.ps1 8. In the CPM/InstallationAutomation folder, locate and open the CPM_Hardening_Config.xml file. 9. In the CPM_Hardening_Config.xml file, set the following: * In all steps in the file, set each step to Enable=No * In parameter PasswordManagerServicesLocalUser, set Enable=Yes * For three (3) instances of the parameter IsPSMInstalled, set the parameter to True 10. In a PowerShell window, run the CPM_Hardening.ps1 script as Administrator. STEP 3: UPGRADE THE PSM COMPONENTCOPY BOOKMARK Upgrade the PSM component using the installation wizard. To upgrade the PSM component: 1. For versions prior to v12.1.7 only. * If your Connector is v12.1.7 and up, skip this step. * If you are unsure of your version, check your version as instructed in Step 1: Before you begin. Prepare a new PSMConfigureAppLocker.xml file 1. Access the folder where you stored the PSMConfigureAppLocker-Update zip file and extract the package to display the UpdateXML.ps1 script and default folders. 2. In the PSMConfigureAppLocker-Update folder, open a PowerShell window and run .\UpdateXml.ps1 as Administrator. 3. Access the MergedXml subfolder, which includes the PSMConfigureApplocker.xml file you will need for the PSM upgrade. 2. Open the PSM installation package you created in Prepare the Privilege Cloud Connector machine:. 3. Right-click Setup.exe, and then select Run as Administrator. 4. The installation wizard appears. Click Next. If you receive the following message: "The installation of Microsoft Visual C++ 2013 Redistributable Package (x64) appears to have failed. Do you want to continue the installation?" Click Yes to continue the installation. 5. If the Connector machine is domain-joined, and you logged on with a local user you receive the following message: Click Yes if you are not using the RemoteApp user experience capability. Click No to stop the upgrade, log on with a domain user who is a local administrator, and start the upgrade again. 6. On the Password Vault Web Access Environment page, click Next (do not change the settings). 7. On the Vault's Connection Details page, click Next (do not change the settings). 8. On the Vault's Username and Password details page, enter the same Privilege Cloud admin credentials that you used for the Connector installation, and then click Next. 9. On the API Gateway connection details page, if you want to benefit from the automatically unlock accounts capability, enter the Privilege Cloud portal hostname in the Host field (for example: mycyber.privilegecloud.cyberark.com). If not, click Next (do not change the settings). For details on the automatically unlock capability, see Automatically unlock accounts. 10. On the PKI Authentication configuration page, If you want to benefit from the Smart Card authentication for RDP connection capability, select the Enable PKI authentication for PSM checkbox. Otherwise, leave it as is. Click Next. If you are prompted with a message, click Yes to proceed. 11. On the Hardening page, click Advanced and: * In the Post-installation list, clear all the check boxes. * In the Hardening list: * Retain the check marks for Run the Hardening Script, Post hardening tasks, and Set up AppLocker Rules * Clear the TLS hardening check box, if selected * In cases of Out-of-domain hardening, retain the check box setting that is automatically assigned by the installer, either if selected or not. Do not click Next yet. 12. Depending on version, rename/replace the PSMConfigureAppLocker.xml file: For versions v12.1.7 and up 1. Outside the wizard, on the PSM server, access the path <Connector installation path>\PSM\Hardening. 2. Backup the existing file PSMConfigureAppLocker.xml . 3. Rename PSMConfigureAppLocker_<date of upgrade>.bak to PSMConfigureAppLocker.xml. For versions prior to v12.1.7 1. Outside the wizard, on the PSM server, access the path PSMConfigureAppLocker-Update/MergedXml . 2. Copy the PSMConfigureAppLocker.xml file generated in Step 1 above to the folder <Connector installation path>\PSM\Hardening and override the legacy xml file. 13. In the wizard, in the Hardening page, click Next. 14. On the Update Complete page, click Finish. You can restart the Connector machine at a later stage. In any case, you must restart the Connector machine before you can use it. 15. For In Domain Connector machines, update the GPO hardening package as described in the following step. STEP 4: DEPLOY THE UPDATED GPO HARDENING PACKAGECOPY BOOKMARK 1. Download the version's Privilege Cloud CPM and PSM Hardening GPO files from your support Vault account. 2. Import the GPO file to your Active Directory domain. Perform the following procedure twice, once for the PSM GPO, and then repeat for the CPM GPO. 1. Open the Group Policy Management Console (GPMC.msc). 2. Create a new GPO: 1. Expand Group Policy Management> <yourDomain>, then right-click Group Policy Objects and select New. The New GPO window appears. 2. In the Name field, specify a name for the PSM GPO indicating the purpose and current version (for example, PSM Hardening vN.N), and click OK. 3. In the list of Group Policy Objects, right-click the new Hardening GPO and select Import Settings. 4. In the Welcome to the Import Settings Wizard window, click Next. The Backup GPO window appears. 5. Click Next. The Backup location screen appears. 6. Click Browse, and select the location where you stored the version's PSM Hardening GPO settings, for example Privilege Cloud Connector PSM Hardening GPO and click OK. The folder path appears in the Backup Location window. 7. Click Next. The Source GPO window appears. 8. Click Next. The Scanning Backup window appears. 9. Click Next. The Completing the Import Settings Wizard window appears. 10. Click Finish. The Import window appears indicating the progress of the GPO import. 11. When the GPO import process has been completed, click OK. 3. Repeat the previous import step for the CPM Hardening GPO. 4. Link the GPO files to the dedicated CyberArk OU containing CyberArk servers. 1. Make sure all Connector servers are located under the dedicated OU, so the GPO will not affect any other server. 2. Delete the previous GPO links according to the following steps: * In the Group Policy Management Console, click the OU to which the current PSM and CPM GPOs are linked. * Right-click each of the links and select Delete. Click OK to approve. 3. In the Group Policy Management Console, right-click the OU, then select Link an Existing GPO. 4. Select this version's GPO policies: * First the PSM Hardening GPO * Second the CPM Hardening GPO and click OK. 5. Set the PSM Hardening GPO as top priority for the server hardening: In the Linked Group Policy Objects tab, select the PSM Hardening GPO and click the Up arrow to locate it topmost in the list. STEP 4: MANUALLY ADD CPM AND PSM HARDENING SETTINGSCOPY BOOKMARK If you want to retain customized GPO settings applied to the Connector machine, add the following hardening settings, that are part of this version. For full details about the Connector's GPO hardening parameters, see Connector GPO parameters. 1. Open the Group Policy Management Console (GPMC.msc). 2. Click the OU that stores your legacy CPM and PSM hardening setup. 3. Apply the following changes, which are the updates made to the GPO settings in this version: Go to User Rights Assignment: Location: Computer Configuration\Policies\Windows Settings\Security Settings\LocalPolicies\User Rights Assignment Apply the following: Policy Setting Adjust memory quotas for a process NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE, BUILTIN\Administrators, PasswordManagerUser Allow log on locally BUILTIN\Administrators, PSMShadowUsers, PluginManagerUser Log on as a service NT AUTHORITY/LOCAL SERVICE, NT AUTHORITY/NETWORK SERVICE, PasswordManagerUser, ScannerUser Replace a process level token NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, PasswordManagerUser STEP 5: VERIFY THE CONNECTOR UPGRADE IS COMPLETED SUCCESSFULLYCOPY BOOKMARK REVIEW INSTALLATION LOGSCOPY BOOKMARK Review the installation logs to make sure that there are no errors in the upgrade process. You can find the logs in the following locations: Component Location CPM %USERPROFILE%\AppData\Local\Temp\ CPMInstall.log PSM <Windows installation directory>\Temp\PSMInstall.log VERIFY PSM CONNECTORS ARE OPERATING PROPERLY COPY BOOKMARK In the event that any of the PSM connectors are not functioning properly, ensure the relevant executiables are included in the PSMConfigureApplocker.xml file. See details in Verify the Privilege Cloud Connector installation. Was this topic helpful? IN THIS TOPIC * Upgrade the Privilege Cloud Connector * Overview * Connector version dependencies * Upgrade steps * Step 1: Before you begin * Step 2: Upgrade the CPM component * Step 3: Upgrade the PSM component * Step 4: Deploy the updated GPO hardening package * Step 4: Manually add CPM and PSM hardening settings * Step 5: Verify the Connector upgrade is completed successfully * Review installation logs * Verify PSM connectors are operating properly In this topic What's new2022-04-03 Privilege CloudStandard12.6 Explore CyberArk CyberArk Docs Support and Technical Resources Connect Technical Community Learn Resources Contact Send us feedback Support Documentation@CyberArk.comsupport@cyberark.com > Follow us Copyright © 2022 CyberArk Software Ltd. All rights reserved. | Terms and Conditions | Privacy Policy | Third-Party Notices | End-of-Life Policy Build 5.2.8 [14 August 2022 02:18:45 PM] Send feedback Send feedback Have an enhancement idea? Found a bug? Let us know what's on your mind. Send email