docs.cyberark.com
Open in
urlscan Pro
23.100.50.156
Public Scan
Submitted URL: http://go.cyberark.com/MzE2LUNaUC0yNzUAAAGGSLng5fjvQ3sGa2cqfImH75Z3B8CR6K-YLh5KNZpyovGf8PMuXrti1NTMaWcv6GiunUk0sGk=
Effective URL: https://docs.cyberark.com/Product-Doc/OnlineHelp/PrivCloud/Latest/en/Content/Privilege%20Cloud/PrivCloud-upgrade-connector...
Submission: On August 17 via api from SG — Scanned from DE
Effective URL: https://docs.cyberark.com/Product-Doc/OnlineHelp/PrivCloud/Latest/en/Content/Privilege%20Cloud/PrivCloud-upgrade-connector...
Submission: On August 17 via api from SG — Scanned from DE
Form analysis 2 forms found in the DOM
#
<form class="search" action="#">
<div class="search-bar search-bar-container needs-pie">
<input class="search-field needs-pie" type="search" aria-label="Search Field" placeholder="Search">
<div class="search-filter-wrapper"><span class="invisible-label" id="search-filters-label">Filter: </span>
<div class="search-filter" aria-haspopup="true" aria-controls="sf-content" aria-expanded="false" aria-label="Search Filter" title="All" role="button" tabindex="0">
</div>
<div class="search-filter-content" id="sf-content">
<ul>
<li>
<button class="mc-dropdown-item" aria-labelledby="search-filters-label filterSelectorLabel-00001"><span id="filterSelectorLabel-00001">All</span>
</button>
</li>
</ul>
</div>
</div>
<div class="search-submit-wrapper" dir="ltr">
<div class="search-submit" title="Search" role="button" tabindex="0"><span class="invisible-label">Submit Search</span>
</div>
</div>
</div>
</form><form autocomplete="off" id="searchForm" class="su__search-forms su__m-0">
<div class="su__form-block su__w-100 su__position-relative">
<div class="su__radius-2 su__d-flex su__position-relative"><input autofocus="false" id="search-box-autocomplete" class="su__input-search su__w-100 su__su__font-14 su__text-black su__p-3 su__border-none su__radius-2 su__pr-60" type="input"
placeholder="Search the docs"><button type="button" class="su__btn su__search_btn su__animate-zoom su__flex-vcenter su__position-absolute su__zindex su__bg-transparent su__rtlleft"><svg width="24" height="24" viewBox="0 0 24 24">
<path
d="M15.5 14h-.79l-.28-.27C15.41 12.59 16 11.11 16 9.5 16 5.91 13.09 3 9.5 3S3 5.91 3 9.5 5.91 16 9.5 16c1.61 0 3.09-.59 4.23-1.57l.27.28v.79l5 4.99L20.49 19l-4.99-5zm-6 0C7.01 14 5 11.99 5 9.5S7.01 5 9.5 5 14 7.01 14 9.5 11.99 14 9.5 14z"
fill="#333"></path>
</svg></button></div>
</div>
</form>Text Content
Table of Contents
* Get Started
* Setup
* Setup
* Prepare for deployment
* Deploy and maintain Privilege Cloud connectors
* Configure authentication methods
* Add and manage users
* Connect to SIEM
* Integrate with other CyberArk products and services
* Upgrade Privilege Cloud connectors
* Upgrade Privilege Cloud connectors
* Upgrade the Privilege Cloud Connector
* Upgrade the Secure Tunnel
* Upgrade PSM for SSH (Unix connector)
* Administrators
* End Users
* Developers
* Videos
Skip To Main Content
Account
Settings
--------------------------------------------------------------------------------
Logout
Privilege CloudStandardVersion 12.6
Account
Settings
--------------------------------------------------------------------------------
Logout
Filter:
* All
Submit Search
*
* Our Products
* Privileged Access Manager - Self-Hosted
* Secrets Manager
* Credential Providers
* Conjur Enterprise
* CyberArk Identity
* Endpoint Privilege Manager
* Privilege Cloud
* Dynamic Privileged Access
* CyberArk Remote Access
* Cloud Entitlements Manager
* Shared Services
* Identity Administration
* Identity Security Intelligence
* Audit
* Docs portal
* * English
* Japanese
Home > Setup > Upgrade Privilege Cloud connectors > Upgrade the Privilege Cloud
Connector
Previous
Next
* Get Started»
* Setup»
* Administrators»
* End Users»
* Developers»
* Videos»
* Get Started Get Started
* Setup Setup
* Prepare for deployment Prepare for deployment
* Deploy and maintain Privilege Cloud connectors Deploy and maintain
Privilege Cloud connectors
* Configure authentication methods Configure authentication methods
* Add and manage users Add and manage users
* Connect to SIEM
* Integrate with other CyberArk products and services Integrate with other
CyberArk products and services
* Upgrade Privilege Cloud connectors Upgrade Privilege Cloud connectors
* Upgrade the Privilege Cloud Connector
* Upgrade the Secure Tunnel
* Upgrade PSM for SSH (Unix connector)
* Administrators
* End Users
* Developers
* Videos
UPGRADE THE PRIVILEGE CLOUD CONNECTOR
IN THIS TOPIC
* Upgrade the Privilege Cloud Connector
* Overview
* Connector version dependencies
* Upgrade steps
* Step 1: Before you begin
* Step 2: Upgrade the CPM component
* Step 3: Upgrade the PSM component
* Step 4: Deploy the updated GPO hardening package
* Step 4: Manually add CPM and PSM hardening settings
* Step 5: Verify the Connector upgrade is completed successfully
* Review installation logs
* Verify PSM connectors are operating properly
This topic describes how to upgrade the Privilege Cloud Connector from any
legacy version to the latest version by upgrading both the CPM and PSM
components on your Connector server.
Make sure to review the Privilege Cloud Connector end of support dates to help
determine when to upgrade your Connector .
OVERVIEWCOPY BOOKMARK
The Connector upgrade applies to the following:
* CPM and PSM components. The Privilege Cloud Connector hosts two components:
Central Policy Manager (CPM) and Privileged Session Manager (PSM). Each
component has a separate procedure for upgrade.
If you have multiple Connectors, you need to perform the upgrade on each one
of them.
* GPO hardening. The Connector machine is secured by the CPM and PSM hardening
settings, which are updated from time to time. If you have applied customized
settings of your own these will be overridden by the new GPO hardening (step
4). You can choose to perform the hardening in one of the following ways:
* Record your customized hardening settings, complete the hardening process,
and reapply your settings.
* Retain your current GPO settings. Run the upgrade process up to step 4, do
not apply the automatic GPO hardening update, and manually add the new GPO
hardening settings that have been added in this upgrade to your legacy GPO
settings.
CONNECTOR VERSION DEPENDENCIESCOPY BOOKMARK
Check your current installed version, as instructed in Step 1: Before you begin,
below.
When upgrading from v12.1.7 and up:
* In the PSM upgrade step, do not perform the steps related to the
PSMConfigureApplocker.xml file as they do not apply to these versions.
When upgrading from versions prior to v12.1.7:
* In the PSM upgrade step, perform the steps related to the
PSMConfigureApplocker.xml file.
For details about the version files and builds, see Release notes
Make sure to review the Privilege Cloud Connector end of support dates to help
determine when to upgrade your Connector .
UPGRADE STEPSCOPY BOOKMARK
On each Connector machine, perform the procedures in the following order:
Step 1: Before you begin
Step 2: Upgrade the CPM component
Step 3: Upgrade the PSM component
Step 4: Deploy the updated GPO hardening package
-or-
Step 4: Manually add CPM and PSM hardening settings
Step 5: Verify the Connector upgrade is completed successfully
Upgrading the CPM and PSM components requires downtime (typically a few
minutes). We recommend performing the upgrade at a time that will have the least
impact on your operations.
STEP 1: BEFORE YOU BEGINCOPY BOOKMARK
Before you begin the upgrade, do the following:
1. Check your current CPM and PSM versions before you proceed with the upgrade:
1. On the Connector, press Windows + R keys simultaneously to launch the Run
box.
2. In the Run box, enter appwiz.cpl, and click OK.
3. On the Programs and Features page, select CyberArk Privilege Session
Manager>CyberArk Central Policy Manager. The versions are displayed.
2. Check .NET Framework 4.8 is installed on the Connector.
For any Connector versions previous to 12.1 you will need to install .NET
Framework 4.8.
3. Check the CPM component mode:
The procedure for upgrading an active CPM component differs slightly from
the procedure for a passive (DR mode) CPM component. To determine the mode
of the CPM component, check if the service is running or not. If the service
is not running, this means the CPM is in DR mode.
4. Prepare credentials:
Make sure that you have both the Privilege Cloud admin credentials and the
admin credentials for the local machine on which the Connectors are
deployed.
5. Prepare the Privilege Cloud Connector machine:
1. Take a snapshot of the Connector machine before upgrading.
2. Download the latest Privilege Cloud software package:
* From the CyberArk Marketplace, from the CyberArk Software area
-Or-
* If instructed by CyberArk Support, from the CyberArk Privilege Cloud
Support vault (expand folders to CyberArk Privilege Cloud\v12.6\Latest
or similar folder)
and download the following (file names displayed below are the latest
available versions):
* Privileged Session Manager-Rls-12.6.zip
* Central Policy Manager-RI12.6.zip
* Privilege Cloud Connector PSM Hardening GPO-v01.zip
* Privilege Cloud Connector CPM Hardening GPO-v01.zip
* PSMConfigureAppLocker-Update Rls-12.6.zip
* PSM Hardening GPO.txt and CPM Hardening GPO.txt readme files
These file names may indicate a later version that is recently released.
The installation files for your relevant version are made available to
you in the CyberArk Support vault.
If you do not see a folder called “CyberArk Privilege Cloud”, contact
your CyberArk support representative and request access to Privilege
Cloud software folder.
3. Check the properties of the zip files (Properties>General, Security
field) to verify the file is not blocked. If blocked, select the Unblock
checkbox.
Or, in the folder storing the CyberArk files, run the PowerShell
command:
dir -r | Unblock-File
4. Extract the CPM and PSM component zip packages and save the content under
a short path with no spaces in the folder names.
For example: D:\Install_pkg\CPM12_6
5. Save PSMConfigureAppLocker-Update Rls-12.6.zip (or your specific version)
to a short path with no spaces, to be used in the PSM upgrade process
below.
6. Copy the CPM and PSM GPO Hardening packages to the domain server and
extract the zip packages.
6. Stop the following services:
* PSM: Cyber-Ark Privileged Session Manager
* CPM: CybeArk Password Manager
* Scanner: CyberArk Central Policy Manager Scanner
STEP 2: UPGRADE THE CPM COMPONENTCOPY BOOKMARK
The CPM upgrade process upgrades both the CPM and the Scanner.
The procedure for upgrading an active CPM as opposed to a passive CPM (DR mode)
is slightly different. Make sure to follow the instructions accordingly.
To upgrade the CPM component:
1. Open the CPM installation package you created in Prepare the Privilege
Cloud Connector machine:.
Make sure the location of the upgrade files on the Connector machine does
not contain any spaces in the full path and folder name.
2. In the CPM\InstallationAutomation\Installation folder, locate and open the
InstallationConfig.xml file.
3. In the InstallationConfig.xml file, specify the following parameters, and
make sure that you set the isUpgrade parameter to True.
Parameter
Description
Username
The name of the local admin Windows user running the installation or a
domain user that has local admin rights on the machine. You do not need to
include the domain.
The user must have local admin rights on the machine in order to complete
the process successfully.
Valid values: Username
Default value: Local admin Windows user
Company
The name of the company running the installation.
Use only alpha-numeric characters and spaces. Do not include special
characters in the company name.
Valid values: Company name
Default value: My Company
CPMInstallDirectory
The path where CPM is installed.
Valid values: Pathname
Default value: C:\Program Files (x86)\CyberArk\
isUpgrade
Whether this is a CPM upgrade or a new CPM installation.
Set this parameter to True.
Valid values: True/False
Default value: False
4. In a PowerShell window, run the CPMInstallation.ps1 script as
Administrator.
Consider your next steps according to your CPM component mode, if active or
passive. See Check the CPM component mode:.
If you are upgrading an active CPM, continue to the next step.
If you are upgrading a passive CPM (DR mode), skip the next steps, and
continue all steps in this phase directly from step 8, Running the CPM
hardening.
5. In the CPM\InstallationAutomation\Registration folder, locate and open the
CPMRegisterComponentConfig.xml file.
6. In the CPMRegisterComponentConfig.xml file, specify the following
parameters, and make sure that you set the isUpgrade parameter to True.
Parameter
Description
accepteula
Acceptance of the end user License agreement.
Valid values: Yes/No
vaultIP
The IP address or hostname of the Vault server, provided to you by CyberArk
support.
You can find it in the following file:
C:\Program Files (x86)\CyberArk\Password Manager\Vault\vault.ini
Valid values: IP address or hostname
vaultuser
The name of the Privilege Cloud admin user performing the installation.
Valid values: Username
username
The CPM app user name that you defined during the installation process.
You can find it in the following file:
C:\Program Files (x86)\CyberArk\Password Manager\Vault\user.ini
Default value: PasswordManager
Note: If you have multiple CPMs, each CPM will have a different app user
name. For example, PasswordManager, PasswordManager1, PasswordManager2, and
so on.
Make sure to use the app user name that is relevant to the specific CPM.
isUpgrade
Indicates whether the registration is for a clean installation or an
upgrade.
Set this parameter to True.
Valid values: True\False
Default value: False
7. In a PowerShell window, run the CPMRegisterComponent.ps1 script as
Administrator, and, when prompted, provide the Privilege Cloud admin
password:
Copy to clipboardCD “<installation package Path>InstallationAutomation\Registration” .\CPMRegisterComponent.ps1
8. In the CPM/InstallationAutomation folder, locate and open the
CPM_Hardening_Config.xml file.
9. In the CPM_Hardening_Config.xml file, set the following:
* In all steps in the file, set each step to Enable=No
* In parameter PasswordManagerServicesLocalUser, set Enable=Yes
* For three (3) instances of the parameter IsPSMInstalled, set the
parameter to True
10. In a PowerShell window, run the CPM_Hardening.ps1 script as Administrator.
STEP 3: UPGRADE THE PSM COMPONENTCOPY BOOKMARK
Upgrade the PSM component using the installation wizard.
To upgrade the PSM component:
1. For versions prior to v12.1.7 only.
* If your Connector is v12.1.7 and up, skip this step.
* If you are unsure of your version, check your version as instructed in
Step 1: Before you begin.
Prepare a new PSMConfigureAppLocker.xml file
1. Access the folder where you stored the PSMConfigureAppLocker-Update zip
file and extract the package to display the UpdateXML.ps1 script and
default folders.
2. In the PSMConfigureAppLocker-Update folder, open a PowerShell window
and run .\UpdateXml.ps1 as Administrator.
3. Access the MergedXml subfolder, which includes the
PSMConfigureApplocker.xml file you will need for the PSM upgrade.
2. Open the PSM installation package you created in Prepare the Privilege
Cloud Connector machine:.
3. Right-click Setup.exe, and then select Run as Administrator.
4. The installation wizard appears. Click Next.
If you receive the following message:
"The installation of Microsoft Visual C++ 2013 Redistributable Package
(x64) appears to have failed. Do you want to continue the installation?"
Click Yes to continue the installation.
5. If the Connector machine is domain-joined, and you logged on with a local
user you receive the following message:
Click Yes if you are not using the RemoteApp user experience capability.
Click No to stop the upgrade, log on with a domain user who is a local
administrator, and start the upgrade again.
6. On the Password Vault Web Access Environment page, click Next (do not
change the settings).
7. On the Vault's Connection Details page, click Next (do not change the
settings).
8. On the Vault's Username and Password details page, enter the same Privilege
Cloud admin credentials that you used for the Connector installation, and
then click Next.
9. On the API Gateway connection details page, if you want to benefit from the
automatically unlock accounts capability, enter the Privilege Cloud portal
hostname in the Host field (for example:
mycyber.privilegecloud.cyberark.com). If not, click Next (do not change the
settings). For details on the automatically unlock capability, see
Automatically unlock accounts.
10. On the PKI Authentication configuration page, If you want to benefit from
the Smart Card authentication for RDP connection capability, select the
Enable PKI authentication for PSM checkbox. Otherwise, leave it as is.
Click Next.
If you are prompted with a message, click Yes to proceed.
11. On the Hardening page, click Advanced and:
* In the Post-installation list, clear all the check boxes.
* In the Hardening list:
* Retain the check marks for Run the Hardening Script, Post hardening
tasks, and Set up AppLocker Rules
* Clear the TLS hardening check box, if selected
* In cases of Out-of-domain hardening, retain the check box setting that is
automatically assigned by the installer, either if selected or not.
Do not click Next yet.
12. Depending on version, rename/replace the PSMConfigureAppLocker.xml file:
For versions v12.1.7 and up
1. Outside the wizard, on the PSM server, access the path <Connector
installation path>\PSM\Hardening.
2. Backup the existing file PSMConfigureAppLocker.xml .
3. Rename PSMConfigureAppLocker_<date of upgrade>.bak to
PSMConfigureAppLocker.xml.
For versions prior to v12.1.7
1. Outside the wizard, on the PSM server, access the path
PSMConfigureAppLocker-Update/MergedXml .
2. Copy the PSMConfigureAppLocker.xml file generated in Step 1 above to
the folder <Connector installation path>\PSM\Hardening and override the
legacy xml file.
13. In the wizard, in the Hardening page, click Next.
14. On the Update Complete page, click Finish.
You can restart the Connector machine at a later stage. In any case, you
must restart the Connector machine before you can use it.
15. For In Domain Connector machines, update the GPO hardening package as
described in the following step.
STEP 4: DEPLOY THE UPDATED GPO HARDENING PACKAGECOPY BOOKMARK
1. Download the version's Privilege Cloud CPM and PSM Hardening GPO files from
your support Vault account.
2. Import the GPO file to your Active Directory domain.
Perform the following procedure twice, once for the PSM GPO, and then repeat
for the CPM GPO.
1. Open the Group Policy Management Console (GPMC.msc).
2. Create a new GPO:
1. Expand Group Policy Management> <yourDomain>, then right-click Group
Policy Objects and select New. The New GPO window appears.
2. In the Name field, specify a name for the PSM GPO indicating the
purpose and current version (for example, PSM Hardening vN.N), and
click OK.
3. In the list of Group Policy Objects, right-click the new Hardening GPO
and select Import Settings.
4. In the Welcome to the Import Settings Wizard window, click Next. The
Backup GPO window appears.
5. Click Next. The Backup location screen appears.
6. Click Browse, and select the location where you stored the version's PSM
Hardening GPO settings, for example Privilege Cloud Connector PSM
Hardening GPO and click OK. The folder path appears in the Backup
Location window.
7. Click Next. The Source GPO window appears.
8. Click Next. The Scanning Backup window appears.
9. Click Next. The Completing the Import Settings Wizard window appears.
10. Click Finish. The Import window appears indicating the progress of the
GPO import.
11. When the GPO import process has been completed, click OK.
3. Repeat the previous import step for the CPM Hardening GPO.
4. Link the GPO files to the dedicated CyberArk OU containing CyberArk servers.
1. Make sure all Connector servers are located under the dedicated OU, so
the GPO will not affect any other server.
2. Delete the previous GPO links according to the following steps:
* In the Group Policy Management Console, click the OU to which the
current PSM and CPM GPOs are linked.
* Right-click each of the links and select Delete. Click OK to approve.
3. In the Group Policy Management Console, right-click the OU, then select
Link an Existing GPO.
4. Select this version's GPO policies:
* First the PSM Hardening GPO
* Second the CPM Hardening GPO
and click OK.
5. Set the PSM Hardening GPO as top priority for the server hardening: In
the Linked Group Policy Objects tab, select the PSM Hardening GPO and
click the Up arrow to locate it topmost in the list.
STEP 4: MANUALLY ADD CPM AND PSM HARDENING SETTINGSCOPY BOOKMARK
If you want to retain customized GPO settings applied to the Connector machine,
add the following hardening settings, that are part of this version. For full
details about the Connector's GPO hardening parameters, see Connector GPO
parameters.
1. Open the Group Policy Management Console (GPMC.msc).
2. Click the OU that stores your legacy CPM and PSM hardening setup.
3. Apply the following changes, which are the updates made to the GPO settings
in this version:
Go to User Rights Assignment:
Location: Computer Configuration\Policies\Windows Settings\Security
Settings\LocalPolicies\User Rights Assignment
Apply the following:
Policy
Setting
Adjust memory quotas for a process
NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE,
BUILTIN\Administrators, PasswordManagerUser
Allow log on locally
BUILTIN\Administrators, PSMShadowUsers, PluginManagerUser
Log on as a service
NT AUTHORITY/LOCAL SERVICE, NT AUTHORITY/NETWORK SERVICE, PasswordManagerUser,
ScannerUser
Replace a process level token
NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, PasswordManagerUser
STEP 5: VERIFY THE CONNECTOR UPGRADE IS COMPLETED SUCCESSFULLYCOPY BOOKMARK
REVIEW INSTALLATION LOGSCOPY BOOKMARK
Review the installation logs to make sure that there are no errors in the
upgrade process.
You can find the logs in the following locations:
Component
Location
CPM
%USERPROFILE%\AppData\Local\Temp\ CPMInstall.log
PSM
<Windows installation directory>\Temp\PSMInstall.log
VERIFY PSM CONNECTORS ARE OPERATING PROPERLY COPY BOOKMARK
In the event that any of the PSM connectors are not functioning properly, ensure
the relevant executiables are included in the PSMConfigureApplocker.xml file.
See details in Verify the Privilege Cloud Connector installation.
Was this topic helpful?
IN THIS TOPIC
* Upgrade the Privilege Cloud Connector
* Overview
* Connector version dependencies
* Upgrade steps
* Step 1: Before you begin
* Step 2: Upgrade the CPM component
* Step 3: Upgrade the PSM component
* Step 4: Deploy the updated GPO hardening package
* Step 4: Manually add CPM and PSM hardening settings
* Step 5: Verify the Connector upgrade is completed successfully
* Review installation logs
* Verify PSM connectors are operating properly
In this topic
What's new2022-04-03
Privilege CloudStandard12.6
Explore
CyberArk
CyberArk Docs
Support and Technical Resources
Connect
Technical Community
Learn
Resources
Contact
Send us feedback
Support
Documentation@CyberArk.comsupport@cyberark.com >
Follow us
Copyright © 2022 CyberArk Software Ltd. All rights reserved. | Terms and
Conditions | Privacy Policy | Third-Party Notices | End-of-Life Policy
Build 5.2.8 [14 August 2022 02:18:45 PM]
Send feedback
Send feedback
Have an enhancement idea? Found a bug? Let us know what's on your mind.
Send email