Comments

Latest Posts

Upgrade CyberArk PAM Connector Components (CPM & PSM) for Privilege Cloud

This post summzrize some notes and steps to upgrade the Privilege Cloud Connector and the components for versions 12.7 and later.

Note: Upgrading the CPM and PSM components requires downtime (typically a few minutes). We recommend performing the upgrade at a time that will have the least impact on your operations.




Diagram


https://docs.cyberark.com/PrivCloud/Latest/en/Content/Privilege%20Cloud/PrivCloud-upgrade-connector-12.7-later.htm?tocpath=Setup%7CUpgrade%20Privilege%20Cloud%20connectors%7CUpgrade%20the%20Privilege%20Cloud%20Connector%7C_____1

 

Check .Net, CPM and PSM versions



For .Net:
  1. In the Registry Editor, open the following subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full. If the Full subkey isn't present, then you don't have .NET Framework 4.5 or later installed.

.NET Framework versionMinimum value
.NET Framework 4.5378389
.NET Framework 4.5.1378675
.NET Framework 4.5.2379893
.NET Framework 4.6393295
.NET Framework 4.6.1394254
.NET Framework 4.6.2394802
.NET Framework 4.7460798
.NET Framework 4.7.1461308
.NET Framework 4.7.2461808
.NET Framework 4.8528040
.NET Framework 4.8.1533320



For CPM and PSM
  1. On the Connector, press Windows + R keys simultaneously to launch the Run box.

  2. In the Run box, enter appwiz.cpl, and click OK.

  3. On the Programs and Features page, select CyberArk Privilege Session Manager>CyberArk Central Policy Manager. The versions are displayed.

  4. Based on your Connector version, choose the relevant upgrade flow In this section:

For details about the version files and builds, see Release notes v14.0




Connector Management


Install Connector to a new Connector server

To deploy a new connector, you first generate the installation script and then run it on the connector host machine.

To perform the following steps, your user must be assigned to the System Administrator role in Identity Administration.

  1. Sign in to the CyberArk Identity Security Platform Shared Services using the link provided in the CyberArk email.

  2. Click the service picker, and select Connector Management.

  3. On the Connectors page, click Add a connector.

  4. In the Add connector wizard > Define installation details tab define the following details for the Management Agent in the host machine:



  1. Click Next.

  2. In the Copy installation script tab, review the connector settings you defined:

Click Copy script to later copy it to the connector host machine.

The script is available for 5 minutes.

Optionally:

  • Click Renew to renew the script availability for an additional 5 minutes

  • Click Preview to view the script format

Click Close.

https://docs.cyberark.com/ConnectorManagement/Latest/en/Content/Setup/CM_AddConnector.htm?tocpath=Setup%7C_____2#Addaconnector1



Upgrade CPM and Other Components

 

At this moment, Jan 2024, it is still not able to upgrade PSM from Connector Management page.


Connector shows components details



Upgrade Components page

You will need to get your [email protected] credential to process. Reset the installeruser password first since it will be changed in 24 hours after reset.



Upgrade PSM

High Level Steps

  1. Download the Privilege Cloud Connector version 14 upgrade files from the CyberArk Marketplace:
  • Privileged Session Manager-Rls-14.zip 
  • Central Policy Manager-RI14.zip 
  • Privilege Cloud Connector Unified Hardening GPO-v2.2.0.zip 
  • Privilege Cloud Connector Unified Hardening GPO-v2.2.0.txt 
 
Installed versionPatch versionDownload link
PSM 13.2 or older14.0https://www.cyberark.com/CA24-04-PSM14
CPM 13.2 or older14.0https://www.cyberark.com/CA24-04-CPM14
Privilege Cloud Connector Unified Hardening GPO2.2.0
 
  1. Follow the instructions in the documentation to upgrade to version 14.

CyberArk Documentation : Upgrade the Privilege Cloud Connector
  • https://docs.cyberark.com/PrivCloud/Latest/en/Content/Privilege%20Cloud/PrivCloud-upgrade-connector.htm

Before you upgrade the PSM component:
  • Make sure you have performed the preparatory steps described in Before you begin, in this topic.

  • Note that as part of the upgrade, legacy PSM logs are grouped in a zip file and copied to internal archive folders for future access if necessary.

To upgrade the PSM component:

  1. Open the PSM installation package you created in Prepare the Privilege CloudConnector machine:.

  2. Right-click Setup.exe, and then select Run as Administrator.

  3. The installation wizard appears. Click Next and follow these steps within the wizard:

    Tab/event

    Step

    Microsoft Visual C++ 2013 Redistributable Package (x64) errorIgnore and click Yes to Continue

    If Connector machine is domain-joined, and you logged on with a local user, the following message appears:

    • Click Yes if you are not using the RemoteApp user experience capability.

    • Click No to stop the upgrade, log on with a domain user who is a local administrator, and start the upgrade again.

    Password Vault Web Access Environment page

    Retain the default settings and click Next .

    Vault's Connection Details page

    Retain the default settings and click Next .

    Vault's Username and Password details page

    Enter the same Privilege Cloud admin credentials used for the Connector installation (<subdomain>_admin) and click Next.

    API Gateway connection details page

    Optionally, to apply the PSM automatically unlock accounts capability, enter the Privilege Cloud portal hostname in the Host field:

    <subdomain>.privilegecloud.cyberark.com

    Otherwise, click Next .

    PKI Authentication configuration page

    Optionally, to benefit from the Smart Card authentication for RDP connection capability, select Enable PKI authentication for PSM.

    Otherwise, click Next .

    If message appears, click Yes

  4. In the Hardening page, click Advanced and enter the following selections, depending on in-domain or out-of-domain hardening solution:

    Click Next .

  5. On the Update Complete page, click Finish.

     

    You can restart the Connector machine at a later stage. In any case, you must restart the Connector machine before you can use it.



Make sure reset [email protected] 's password during upgrading wizard. 


Troubleshooting


During upgrading process, here are some common errors I met:

1. ITATS053E Object PSMServer_<name> doesn't exist








02/02/2024, 12:30:02 Checking if Microsoft Visual C++ 2015-2022 x64 Redistributable Package is installed (by GUID).
02/02/2024, 12:30:02 Checking if Microsoft Visual C++ 2015-2022 x86 Redistributable Package is installed (by GUID).
02/02/2024, 12:30:02 Microsoft Visual C++ 2015-2022 Redistributable Packages are installed.
02/02/2024, 12:30:10 Checking operating system version. Additional information: 3
02/02/2024, 12:30:24 Found existing service CyberArk Privileged Session Manager
02/02/2024, 12:30:24 Start archiving logs...
02/02/2024, 12:30:26 End archive logs.
02/02/2024, 12:30:31 Installing Oracle Instant Client
02/02/2024, 12:30:31 SQLNET.ORA configuration file will be backed up to the support directory
02/02/2024, 12:30:32 A problem occurred while uninstalling deprecated version of Oracle Instant Client. Code: 1605
02/02/2024, 12:30:35 Checking the registry for X Server
02/02/2024, 12:30:36 VcXsrv Server is already installed
02/02/2024, 12:30:36 Going to Rename location : C:\Program Files (x86)\Cyberark\PSM\Hardening\PSMConfigureAppLocker.xml
02/02/2024, 12:30:36 Backing up Vault.ini
02/02/2024, 12:31:02 PSMConfigureAppLocker.xml was successfully merged with the latest CyberArk version.
02/02/2024, 12:31:02 Components folder already exists in PATH
02/02/2024, 12:31:15 The PSM remote application is already configured in your environment.
02/02/2024, 12:31:15 Loading EnvMgr
02/02/2024, 12:31:16 Vault.ini restored Successfully
02/02/2024, 12:35:08 Updating Vault environment ...
02/02/2024, 12:35:09 initializing internal process ...
02/02/2024, 12:35:09 Logging on to the Vault ...
02/02/2024, 12:35:09 Checking user permissions...
02/02/2024, 12:35:09 Checking if group PSMMaster exists.
02/02/2024, 12:35:09 PSMMaster exists. Checking if user is in the group.
02/02/2024, 12:35:09 Checking if user [email protected] is in group PSMMaster
02/02/2024, 12:35:09 User is not in group. Adding
02/02/2024, 12:35:09 Adding user [email protected] to group PSMMaster ...
02/02/2024, 12:35:09 User added to group
02/02/2024, 12:35:09 Updating Safes ...
02/02/2024, 12:35:10 Working on Safe PSM ...
02/02/2024, 12:35:11 Working on Safe PSMSessions ...
02/02/2024, 12:35:11 Working on Safe PSMLiveSessions ...
02/02/2024, 12:35:11 Working on Safe PSMUniversalConnectors ...
02/02/2024, 12:35:12 Working on Safe PSMNotifications ...
02/02/2024, 12:35:12 Storing configuration files and passwords...
02/02/2024, 12:35:13 Working on File SessionControl ...
02/02/2024, 12:35:13 Working on password PSMServer_d19777 in Safe PSM ...
02/02/2024, 12:35:13 The password object PSMServer_d19777 doesn't exist in the Safe PSM, the password will not be created in Upgrade mode.
02/02/2024, 12:35:13 Working on password PSMAdminConnect in Safe PSM ...
02/02/2024, 12:35:13 The password object PSMAdminConnect already exists in the Safe PSM, the password will not be overriden.
02/02/2024, 12:35:13 Updating Password Vault Web Access configuration files in the Vault...
02/02/2024, 12:35:22 Found PVWA version 140000
02/02/2024, 12:35:22 Start attempt to load User Management Settings from PVConfiguration.xml
02/02/2024, 12:35:22 Reading User Management settings from Password Vault Configuration...
02/02/2024, 12:35:22 Identity flag was found under PVConfiguration XML, it is being used.
02/02/2024, 12:35:22 Start attempt to load connection users object names from PVConfiguration.xml
02/02/2024, 12:35:23 Using connection user object name from PVConfiguration.xml
02/02/2024, 12:35:23 Using connection admin user object name from PVConfiguration.xml
02/02/2024, 12:35:28 Appending OIC 19c AuditFilters section
02/02/2024, 12:35:28 Not creating the General tag - tag already exists
02/02/2024, 12:35:28 Reaching to update PrivilegeCloudSessionRiskManagers group
02/02/2024, 12:35:28 About to add PSM-PTA connection component
02/02/2024, 12:35:28 PSM-PTA had been added!
02/02/2024, 12:35:28 About to add PSM-WebAppDispatcher connection component
02/02/2024, 12:35:28 PSM-WebAppSample had been added!
02/02/2024, 12:35:28 About to add PSM-MS-AzurePortal connection component
02/02/2024, 12:35:28 PSM-MS-AzurePortal had been added!
02/02/2024, 12:35:28 About to add PSM-WebAppDispatcher connection component
02/02/2024, 12:35:28 PSM-VSPHERE-New had been added!
02/02/2024, 12:35:28 About to add PSM-PVWA-v10 connection component
02/02/2024, 12:35:28 PSM-PVWA-v10 had been added!
02/02/2024, 12:35:28 About to add PSM-SQLServerMgmtStudio-Win connection component
02/02/2024, 12:35:28 PSM-SQLServerMgmtStudio-Win already exist
02/02/2024, 12:35:28 About to add PSM-SQLServerMgmtStudio-Database connection component
02/02/2024, 12:35:28 PSM-SQLServerMgmtStudio-Database already exist
02/02/2024, 12:35:28 About to add PSM-PVWA connection component
02/02/2024, 12:35:28 PSM-PVWA already exist
02/02/2024, 12:35:28 About to add PSM-PrivateArkClient connection component
02/02/2024, 12:35:28 PSM-PrivateArkClient already exist
02/02/2024, 12:36:16 Checking Secure Connect support...
02/02/2024, 12:36:16 Secure Connect feature supported.
02/02/2024, 12:36:16 Secure Connect settings found.
02/02/2024, 12:36:16 Re-logging on to the Vault ...
02/02/2024, 12:36:17 Reading category UserName on file/password PSMConnect in Safe PSM ...
02/02/2024, 12:36:17 Reading category Address on file/password PSMConnect in Safe PSM ...
02/02/2024, 12:36:17 Reading category LogonDomain on file/password PSMConnect in Safe PSM ...
02/02/2024, 12:36:17 Reading category UserName on file/password PSMAdminConnect in Safe PSM ...
02/02/2024, 12:36:18 Reading category Address on file/password PSMAdminConnect in Safe PSM ...
02/02/2024, 12:36:18 Reading category LogonDomain on file/password PSMAdminConnect in Safe PSM ...
02/02/2024, 12:36:18 Checking whether Secure Connect Safe [PSMUnmanagedSessionAccounts] exists...
02/02/2024, 12:36:18 Secure Connect Safe does not exist or Secure connect settings allready exists
02/02/2024, 12:36:18 Creating Secure Connect Safe.
02/02/2024, 12:36:18 Working on Safe PSMUnmanagedSessionAccounts ...
02/02/2024, 12:36:18 Working on Safe PSMUnmanagedSessionAccounts share agent PVWAGWAccounts ...
02/02/2024, 12:36:18 Working on Safe PSM share agent PVWAGWAccounts ...
02/02/2024, 12:36:18 Working on Safe PSMUniversalConnectors share agent PVWAGWAccounts ...
02/02/2024, 12:36:18 Updating users and groups for the Privileged Session Manager in the Vault ...
02/02/2024, 12:36:19 Working on user PSMApp_d19777 ...
02/02/2024, 12:36:19 IsCredFileInLastVersion file:C:\Program Files (x86)\Cyberark\PSM\Vault psmapp.cred TRUE.
02/02/2024, 12:36:19 Working on user PSMGw_d19777...
02/02/2024, 12:36:19 IsCredFileInLastVersion file:C:\Program Files (x86)\Cyberark\PSM\Vault psmgw.cred TRUE.
02/02/2024, 12:36:20 Creating credential file for the User PSMGw_d19777 ...
02/02/2024, 12:36:21 Working on group PSMAppUsers ...
02/02/2024, 12:36:21 Group already exists ... 
02/02/2024, 12:36:21 Working on group PSMMaster ...
02/02/2024, 12:36:21 Group already exists ... 
02/02/2024, 12:36:21 Working on group PSMLiveSessionTerminators ...
02/02/2024, 12:36:21 Group already exists ... 
02/02/2024, 12:36:21 Adding user PSMApp_d19777 to group PSMAppUsers ...
02/02/2024, 12:36:22 Adding user PSMGw_d19777 to group PVWAGWAccounts ...
02/02/2024, 12:36:23 Updating ownerships on Safes ...
02/02/2024, 12:36:24 Working on Owner PVWAAppUsers in Safe PSM ...
02/02/2024, 12:36:24 Working on Owner PVWAAppUsers in Safe PSMSessions ...
02/02/2024, 12:36:24 Working on Owner PSMApp_d19777 in Safe PVWAConfig ...
02/02/2024, 12:36:24 Working on Owner PSMAppUsers in Safe PSM ...
02/02/2024, 12:36:24 Working on Owner PSMMaster in Safe PSM ...
02/02/2024, 12:36:24 Checking if Session Admin group exists.
02/02/2024, 12:36:24 Session Admin group exists. Add all required permissions on PSM safe.
02/02/2024, 12:36:24 Working on Owner Privilege Cloud Session Admin in Safe PSM ...
02/02/2024, 12:36:25 Working on Owner PSMApp_d19777 in Safe PSMSessions ...
02/02/2024, 12:36:25 Working on Owner PSMMaster in Safe PSMSessions ...
02/02/2024, 12:36:25 Checking Owner [email protected] for Safe PSMSessions ...
02/02/2024, 12:36:25 Working on Owner PVWAAppUsers in Safe PSMLiveSessions ...
02/02/2024, 12:36:25 Working on Owner PSMAppUsers in Safe PSMLiveSessions ...
02/02/2024, 12:36:25 Working on Owner PSMMaster in Safe PSMLiveSessions ...
02/02/2024, 12:36:25 Working on Owner PSMAppUsers in Safe PSMUniversalConnectors ...
02/02/2024, 12:36:25 Working on Owner Vault Admins in Safe PSMUniversalConnectors ...
02/02/2024, 12:36:26 Working on Owner PVWAAppUsers in Safe PSMUnmanagedSessionAccounts ...
02/02/2024, 12:36:26 Working on Owner Vault Admins in Safe PSMUnmanagedSessionAccounts ...
02/02/2024, 12:36:26 Working on Owner PSMMaster in Safe PSMUnmanagedSessionAccounts ...
02/02/2024, 12:36:26 Working on Owner PSMApp_d19777 in Safe PSMUnmanagedSessionAccounts ...
02/02/2024, 12:36:26 Checking Owner [email protected] for Safe PSMUnmanagedSessionAccounts ...
02/02/2024, 12:36:26 Working on Owner PSMMaster in Safe PSMNotifications ...
02/02/2024, 12:36:26 Working on Owner PSMAppUsers in Safe PSMNotifications ...
02/02/2024, 12:36:27 Working on Owner PVWAAppUsers in Safe PSMNotifications ...
02/02/2024, 12:36:27 Updating Vault file categories ...
02/02/2024, 12:36:28 Working on file category PSMStartTime ...
02/02/2024, 12:36:28 Working on file category PSMEndTime ...
02/02/2024, 12:36:28 Working on file category PSMSourceAddress ...
02/02/2024, 12:36:28 Working on file category PSMStatus ...
02/02/2024, 12:36:28 Working on file category PSMVaultUserName ...
02/02/2024, 12:36:29 Working on file category PSMFullUserName ...
02/02/2024, 12:36:29 Working on file category PSMProtocol ...
02/02/2024, 12:36:29 Working on file category PSMClientApp ...
02/02/2024, 12:36:29 Working on file category PSMRemoteMachine ...
02/02/2024, 12:36:29 Working on file category PSMPasswordID ...
02/02/2024, 12:36:29 Working on file category PSMSafeID ...
02/02/2024, 12:36:30 Working on file category PSMRecordingType ...
02/02/2024, 12:36:30 Working on file category PSMRecordingEntity ...
02/02/2024, 12:36:30 Working on file category ProviderID ...
02/02/2024, 12:36:30 Working on file category ExpectedRecordingsList ...
02/02/2024, 12:36:30 Working on file category ActualRecordings ...
02/02/2024, 12:36:30 Working on file category RecordingUploadError ...
02/02/2024, 12:36:30 Working on file category EntityVersion ...
02/02/2024, 12:36:31 Working on file category ConnectionComponentID ...
02/02/2024, 12:36:31 Working on file category _PSMLiveSessions_1 ...
02/02/2024, 12:36:31 Working on file category _PSMLiveSessions_2 ...
02/02/2024, 12:36:31 Working on file category _PSMLiveSessions_3 ...
02/02/2024, 12:36:31 Working on file category _PSMLiveSessions_4 ...
02/02/2024, 12:36:31 Working on file category _PSMLiveSessions_5 ...
02/02/2024, 12:36:31 Working on file category DSN ...
02/02/2024, 12:36:32 Working on file category Port ...
02/02/2024, 12:36:32 Working on file category ConnectAs ...
02/02/2024, 12:36:32 Working on file category Database ...
02/02/2024, 12:36:32 Working on file category LogonDomain ...
02/02/2024, 12:36:32 Working on file category UserDN ...
02/02/2024, 12:36:32 Working on file category Location ...
02/02/2024, 12:36:33 Working on file category OwnerName ...
02/02/2024, 12:36:33 Working on file category AllowConnectToConsole ...
02/02/2024, 12:36:33 Working on file category PSMRemoteMachine ...
02/02/2024, 12:36:33 Working on file category AllowMappingLocalDrives ...
02/02/2024, 12:36:33 Working on file category PSMSingleUsePasswordObject ...
02/02/2024, 12:36:33 Working on file category TicketID ...
02/02/2024, 12:36:33 Working on file category RedirectSmartCards ...
02/02/2024, 12:36:33 Working on file category StorageLocation ...
02/02/2024, 12:36:34 Working on file category StorageObject ...
02/02/2024, 12:36:34 Removing user [email protected] from group PSMMaster.
02/02/2024, 12:36:34 Removed user from PSMMaster group.
02/02/2024, 12:36:34 Secure Connect settings creation skipped because they already exist
02/02/2024, 12:36:34 Updating PSM ini files...
02/02/2024, 12:36:35 Old PSM Version: 13.1.0.28
02/02/2024, 12:36:35 The Old 3 Parts of the PsmVersion: 131
02/02/2024, 12:36:35 Actual Recordings Folder: C:\Program Files (x86)\Cyberark\PSM\Recordings\
02/02/2024, 12:36:35 Invoking the API Key Manager...
02/02/2024, 12:36:35 apiManagerPath = C:\Program Files (x86)\Cyberark\PSM\Vault\ApiKeyManager.exe
 addupdate = add
 credfile=C:\Program Files (x86)\Cyberark\PSM\Vault\apigw.cred
 psmUser = PSMApp_d19777
 user = [email protected]
 szApiAddr = HTTPS://netsecprivilegecloud.cyberark.cloud/passwordVault/api
02/02/2024, 12:36:37 Updating Vault.ini with API GW details...
02/02/2024, 12:36:37 Updating PSM users and groups
02/02/2024, 12:36:37 Creating OS User [PSMConnect]
02/02/2024, 12:36:37 CreateOsUserHidePassword: NetUserAdd failed, code 2224, index 0
02/02/2024, 12:36:47 Creating OS User [PSMAdminConnect]
02/02/2024, 12:36:47 CreateOsUserHidePassword: NetUserAdd failed, code 2224, index 0
02/02/2024, 12:36:54 Creating OS group [PSMShadowUsers]
02/02/2024, 12:36:54 Rotating password for PSMConnect user
02/02/2024, 12:36:54 Logging on to the Vault ...
02/02/2024, 12:36:54 Adding user [email protected] to group PSMMaster ...
02/02/2024, 12:36:54 Reading category LogonDomain on file/password PSMServer_d19777 in Safe PSM ...
02/02/2024, 12:37:58 An error occurred while creating the Vault environment: ITATS053E Object PSMServer_d19777 doesn't exist.
02/02/2024, 12:37:58 Working on password PSMServer_d19777 in Safe PSM ...
02/02/2024, 12:37:58 Failed to access password object PSMServer_d19777.
02/02/2024, 12:37:58 Removing user [email protected] from group PSMMaster.
02/02/2024, 12:38:03 Retrying password rotation...
02/02/2024, 12:38:03 Logging on to the Vault ...
02/02/2024, 12:38:04 Adding user [email protected] to group PSMMaster ...
02/02/2024, 12:38:04 Reading category LogonDomain on file/password PSMServer_d19777 in Safe PSM ...
02/02/2024, 12:39:46 An error occurred while creating the Vault environment: ITATS053E Object PSMServer_d19777 doesn't exist.
02/02/2024, 12:39:46 Working on password PSMServer_d19777 in Safe PSM ...
02/02/2024, 12:39:46 Failed to access password object PSMServer_d19777.
02/02/2024, 12:39:46 Removing user [email protected] from group PSMMaster.
02/02/2024, 12:39:51 Retrying password rotation...
02/02/2024, 12:39:51 Logging on to the Vault ...
02/02/2024, 12:39:51 Adding user [email protected] to group PSMMaster ...
02/02/2024, 12:39:52 Reading category LogonDomain on file/password PSMServer_d19777 in Safe PSM ...
02/02/2024, 12:50:24 An error occurred while creating the Vault environment: ITATS053E Object PSMServer_d19777 doesn't exist.
02/02/2024, 12:50:24 Working on password PSMServer_d19777 in Safe PSM ...
02/02/2024, 12:50:25 Failed to access password object PSMServer_d19777.
02/02/2024, 12:50:25 Removing user [email protected] from group PSMMaster.
02/02/2024, 13:01:26 Password rotation failed for PSMServer_d19777, the password has not been updated. Check the logs for more details and invoke password rotation via CPM or contact CyberArk support.
02/02/2024, 13:01:26 Rotating password for PSMAdminConnect user
02/02/2024, 13:01:26 Logging on to the Vault ...
02/02/2024, 13:01:27 Adding user [email protected] to group PSMMaster ...
02/02/2024, 13:01:27 Reading category LogonDomain on file/password PSMAdminConnect in Safe PSM ...
02/02/2024, 13:01:27 Password object PSMAdminConnect references a domain users - password will not be rotated.
02/02/2024, 13:01:27 Removing user [email protected] from group PSMMaster.
02/02/2024, 13:01:28 Unloading EnvMgr
02/02/2024, 13:01:28 Registering PSM DLLs...
02/02/2024, 13:01:36 Setting folder permissions...
02/02/2024, 13:01:43 Setting RDS shadowing permissions...
02/02/2024, 13:01:44 RDS shadowing permissions was updated successfully
02/02/2024, 13:01:44 Applying security policy...
02/02/2024, 13:01:48 The hardening procedure has completed successfully
02/02/2024, 13:01:54 Service seclogon startup type was successfully updated to Automatic
02/02/2024, 13:01:59 Windows Defender exclusion for C:\Program Files (x86)\Cyberark\PSM\Components was added successfully
02/02/2024, 13:01:59 Installing service ...
02/02/2024, 13:02:00 Running PostInstallation...
02/02/2024, 13:02:00 The following steps are going to be executed:  DisableScreenSaver ConfigurePSMUsers ImproveNonRDPConnectorPerformance WebApplications
02/02/2024, 13:27:01 Failed to find '"isSucceeded":  ' in 'C:\windows\Temp\LastPSScriptLauncherOutput.log', Code: '-4'
02/02/2024, 13:27:01 Failed to find '"errorData":  ' in 'C:\windows\Temp\LastPSScriptLauncherOutput.log', Code: '-4'
02/02/2024, 13:27:01 Failed to find '"logPath":  ' in 'C:\windows\Temp\LastPSScriptLauncherOutput.log', Code: '-4'
02/02/2024, 13:27:01 Failed to find '"restartRequired":  ' in 'C:\windows\Temp\LastPSScriptLauncherOutput.log', Code: '-4'



https://www.reddit.com/r/CyberARk/comments/xyz3vt/psm_upgrade_from_120_to_126_hangs_at_post/

From powershell: 
  • dir -recurse l unblock-file


Since it is in domain, you will have to find out your connect user and admin connect user in domian.
c:\Program Files (x86)\CyberArk\PSM\Hardening
Then you will need to hange hardening script PSMHardening.ps1 for following valus:


$Global:PSM_CONNECT_USER           = "COMMUNITY\svc_CArk_PSMAdmn"
$Global:PSM_ADMIN_CONNECT_USER     = "COMMUNITY\svc_CArk_PSMConnect"

Run Hardening program again

  • ./PSMHardening.ps1

If you did not change those two lines, you will get an error to say you could not find PSMInitSession.exe file. During hardening, if script asking you to remove users from remotedesktopuser group, say no. 


To fix the initial program could not start PSMInitSession.exe issue, you will need to run AppLocker Rules: (C:\Program Files (x86)\CyberArk\PSM\Hardening)

  • ./PSMConfigureAppLocker.ps1



PS C:\Program Files (x86)\Cyberark\PSM\Hardening> .\PSMConfigureAppLocker.ps1
PSM connection user is PSMConnect
PSM admin connection user is PSMAdminConnect
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmsshclient.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmprivatearkclientdispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmpvwadispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\mssqlmanagementstudiowindowsauthenticationdispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psm3270client.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmwebformdispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmwinscpdispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\winscp.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmrealvncdispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmxfocus.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmtokenholder.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmsessionalert.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmsuspendsession.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmpreventwindowhide.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmmessagealert.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmwindowseventslogger.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\cyberark.psm.webappdispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\dllinjector.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\dllinjector64.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\cyberark.progressbar.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmticketvalidator.exe
Evaluating the dlls consumed by c:\windows\system32\conhost.exe
Evaluating the dlls consumed by c:\windows\system32\taskhostw.exe
Evaluating the dlls consumed by c:\windows\system32\wermgr.exe
Evaluating the dlls consumed by c:\program files (x86)\vcxsrv\vcxsrv.exe
Evaluating the dlls consumed by c:\program files (x86)\vcxsrv\xkbcomp.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmsapgui.exe
Evaluating the dlls consumed by c:\program files\google\chrome\application\chrome.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\chromedriver.exe
Loading new AppLocker configuration...
Configuring Application Identity service...
CyberArk AppLocker's configuration script ended successfully.
True
PS C:\Program Files (x86)\Cyberark\PSM\Hardening>


You might get following error for recording component failed to create recording file:


Grant those two domain users read and write permissions:





No comments