SungHoon_Kim

PAM Upgrade from 2.8.4.1 to 3.0.0

Blog Post created by SungHoon_Kim Employee on Feb 16, 2018

Previous Article: Upgrade PAM 2.8.3/2.8.4 to 2.8.4.1 

 

Now that you are on PAM 2.8.4.1 (you can also upgrade from 2.8.3), we can perform the migration to 3.0.0.

There is no direct upgrade path to 3.1.1. You must migrate to 3.0.0 first, then upgrade to 3.0.1/3.0.2 (upgrading to 3.0.2 is recommended to avoid any known issue), followed by whatever upgrade (3.1.1) is available.

 

Log on to support.ca.com and navigate to Download Management.

Then enter "Privileged" in the dropdown menu and select "Privileged Access Management".

 

Navigate and locate "CA Privileged Access Manager DEBIAN" (it should appear at the top).

It shows the latest version in the "Release" dropdown list; you need to select 3.0.1.

 

Once you have selected 3.0.1, click on the cart icon and add it to the cart.

Then click on the cart.

 

Click on "All files" to get a full list.

 

Download the following 2 files.

 

For the migration itself, you only need to download 2 files.

"CA PRIVILEGED ACCESS MANAGER MIGRATION PATCH PAYLOAD R3.0 - ESD ONLY", which is referred to as "Payload".

"PRIVILEGED ACCESS MANAGER MIGRATION PATCH R3.0B", which is referred to as "Migration Patch".

 

Payload is the file you copy to the Session Recording network shared folder.

Migration Patch is what you apply on PAM like any other patch; applying it initiates the migration.

 

 

Once you have downloaded the 2 files, you can empty the cart, select "3.1.1" and add it to the cart.

Download the "PRIVILEGED ACCESS MANAGER UPGRADE PATCH R3.1.1 - ESD ONLY".

 

 

The 3.0.2 patch is downloaded from a different location.

Visit the following link (after logging on to support.ca.com) and download the 3.0.2 patch.

CA Privileged Access Manager Solutions & Patches - CA Technologies 

 

Copy the files to the location from which you will perform the upgrade.

 

Before performing any upgrade, check the following.

  1. Session Recording Network Mount is successful
    1. If this is not successful you cannot upgrade!
    2. You must ensure this on all PAM Servers!
    3. If you are using hostname (\\host\share) and are unable to mount, try IP address (\\ip\share) instead
    4. Proceed only if you pass this.
  2. DB Backup is made (preferably to external storage)
  3. Cluster is turned off
  4. VMware Snapshot is taken.

 

And note the following too.

 

 

Now, let's begin.

[EDIT: 2018-04-16]-------------[BEGIN]---------------

PAM 2.x has an 8GB HDD disk size.

This is going to be insufficient when you move to 3.x, so you will need to increase the disk size prior to the migration.

However, increasing the disk size requires that you remove all the snapshots!!!

So, please do a full backup of your VM instance first so you can revert back if anything goes wrong.

(For example, you could download the whole VM instance folder)

 

Once you have backed up, remove all snapshots from the VM instance.

Then modify the disk size by increasing it to 80GB (or higher).

Once the disk size has been expanded to 80GB, the partition will be resized automatically during the migration.

If the disk was not expanded before the migration was performed, customers can contact CA Support to increase the partition manually.

[EDIT: 2018-04-16]-------------[END]---------------

Take a VMware snapshot so you can revert to this stage.

Take a DB backup.

 

Back at the "Database Configuration" page, click on the "Save Database and Configuration" button.

 

Download the DB and Configuration.

 

Turn off the Cluster.

 

Power off the PAM server.

 

Add a 2nd HDD with 20GB of space.

 

In my sample I was using 2GB RAM for PAM 2.8.4.1, but that is insufficient for PAM 3.x.x, so you must have at least 4GB RAM even just to boot up.

Otherwise, you may fail to log on or see a blank screen when you log on.

 

Set the RAM to 4GB at the very minimum. (This is just a demo env for upgrade)

 

### Repeat the same on all the instances of PAM

 

Power on the PAM Server.

Log on to PAM.

 

FYI: the 2nd HDD will not be visible in the PAM GUI.

 

Check that the Session Recording network folder is mounted correctly.

Again, you cannot migrate if you cannot mount it or if it is not available.

Try using the IP address if the hostname does not work.

 

Copy the payload file to the Session Recording Network Shared folder.

 

 

Extract the Migration Patch file.

 

Apply the Migration Patch.

 

The PAM Server will reboot.

 

If you have access to the VMware Console, you can see the following. If not, you will have to wait patiently.

 

It will stay at the following screen for some time.

Wait for a couple of minutes and do not power off or reset.

 

You will later see it booting, and the version will show 3.0.0.

The 2nd HDD will be in use.

 

It is now at Phase 2.

 

It will again spend some time at the following screen.

You can see the payload file is being extracted and deployed.

 

It is now almost at the end.

 

The server reboots.

 

You can already see it is at Phase 3.

 

Finally, it shows the new screen, and the wording has changed from "xceedium" to "CA PAM".

 

Close all PAM Clients and launch a new instance.

Connect to PAM server.

 

 

You should be able to confirm the version from sysinfo as well.

 

You can power off the PAM server and discard the 2nd HDD.

 

Next Article is PAM Upgrade from 3.0.0 to 3.0.2 and 3.1.1 