Upgrade Privileged Cloud PSM to 14.4 - NETSEC


Monday, November 25, 2024


This post records all the steps for upgrading the PSM component from 14.2 to 14.4, which is the latest version.



I strongly suggest having a CyberArk support engineer online with you, since the upgrade always has some surprises.

Upgrade via CM:
https://docs.cyberark.com/ispss-deployment/latest/en/content/privilege%20cloud/privcloud-upgrade-connector-12.7-later-cm.htm?tocpath=Upgrade%20CyberArk%20services%7CUpgrade%20Privilege%20Cloud%20connectors%7CUpgrade%20the%20Privilege%20Cloud%20Connector%7C_____1

Upgrade via Pcloud installer:
https://docs.cyberark.com/ispss-deployment/latest/en/content/privilege%20cloud/privcloud-upgrade-connector-12.7-later.htm?tocpath=Upgrade%20CyberArk%20services%7CUpgrade%20Privilege%20Cloud%20connectors%7CUpgrade%20the%20Privilege%20Cloud%20Connector%7C_____2

Once the upgrade is done, rerun the PSMHardening.ps1 and PSMConfigureAppLocker.ps1 scripts. Here is the link to follow:
https://docs.cyberark.com/ispss-deployment/latest/en/content/pas%20inst/optional-moving-the-psmconnec-and-psmadminconnect-users-to-your-domain.htm?Highlight=psm%20domain%20accounts#RunthePSMHardeningandApplockerscripts

Here is the Marketplace link to download the package:
https://community.cyberark.com/marketplace/s/#software-aK4Ht0000008PWcKAM-

Pre-requisites

1. Change the installuser's password
2. Get a domain admin username and password
 


Connector Manager Upgrade

CyberArk has made a nice improvement by allowing PSM to be upgraded directly from Connector Manager. Unfortunately, it still has a long way to go. Hopefully the 15.x version will be stable and mature enough for customers to use.


Installing component failed
Error : The installation stage of the installation is blocked due to 1 error(s) and 0 warning(s). Error #1: An error occurred during installation. For more information check the log: C:\Windows\Temp\PSM\ManifestInstallationTool.log. Check the log to resolve the error(s) and then click Reinstall.



Restart the CyberArk Management Agent to get rid of this error message.



Manual Upgrade PSM

Since Connector Manager upgrade failed, we will have to go through this classic manual upgrade process:

1 Download package

Rename the package to a shorter folder name such as PSM14.4

2 Unblock the downloaded files

PS C:\CyberArk\PSM14.4> dir -r | Unblock-File

PS C:\CyberArk\PSM14.4> dir C:\CyberArk\PSM14.4 -r | Unblock-File

PS C:\CyberArk\PSM14.4>

3 Run setup.exe as administrator

Follow wizard to complete the installation. 

Make sure not to fully harden. Click Advanced to uncheck the two settings, which we will need to run manually:

We will need to manually adjust the hardening script and the AppLocker script for the two users.

Ignore the following error if you get it:

This is a legacy registry key for IE. 


4 Restart the system after completing the upgrade.



Manual changes after rebooting the machine

 
1. Administration Options - Privileged Session Management 

Configured PSM Servers

A new PSM server entry will be added for each existing PSM server. Copy the settings from the old PSM server item to the new one.

Before the change:

The PSM server address is an IP, and it has to be changed. Object and AdminObject have wrong info as well.

After the change:
You will need to copy PSM Gateway settings to new PSM server as well. 


2. Change PSMServerAdminID in basic_psm.ini file

C:\Program Files (x86)\Cyberark\PSM

basic_psm.ini :



Do not forget to restart the service:
  • CyberArk Privileged Session Manager

3. Change Hardening files


Search for PSMConnect in PSMHardening.ps1

Since we are using domain accounts for PSMConnect and PSMAdminConnect, here is what I changed it to:


For PSMConfigureAppLocker.ps1 file
Before the change:
After the change:


4. Execute both PowerShell scripts one by one


PS C:\Program Files (x86)\Cyberark\PSM\Hardening> .\PSMHardening.ps1
Notice: In order to prevent unauthorized access to the PSM server, the local RemoteDesktopUsers group should contain ONLY the following users:
1) Maintenance users who login remotely to the PSM server through Remote Desktop Services.
2) Vault LDAP users who wish to connect to target systems through PSM directly from their desktop using an RDP client application such as MSTSC.
These are the current members of the local RemoteDesktopUsers group:
WinNT://CTY/Domain Users
WinNT://CTY/EE-CARK01/PSMConnect
WinNT://CTY/EE-CARK01/PSMAdminConnect
WinNT://CTY/svc_CArk_PSMConnect
WinNT://CTY/svc_CArk_PSMAdmn
WinNT://CTY/SEC-Infrastructure Administrators
WinNT://CTY/SEC-Infrastructure Operators
WinNT://CTY/SEC-Infrastructure Managers
Would you like to remove all members of this group? (yes/no): no
True
WinSCP password storing has been disabled
WinSCP editor definition has been disabled
CyberArk Hardening script ended successfully.
True
PS C:\Program Files (x86)\Cyberark\PSM\Hardening>
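
The notice printed by PSMHardening.ps1 says who should be in the local RemoteDesktopUsers group, so the membership is worth reviewing after answering "no". The following is an added example, not part of the original post or of CyberArk's scripts, that classifies each member against an allowlist. The allowlist, the list of broad groups and the function name Get-RdpMemberReview are assumptions for illustration.

```powershell
# Added example: classify members of the local Remote Desktop Users group.
# $Allowed is an assumption built from the output above; replace it with your
# own maintenance accounts and PSM connect users.
$Allowed = @(
    'CTY\svc_CArk_PSMConnect',
    'CTY\svc_CArk_PSMAdmn',
    'CTY\SEC-Infrastructure Administrators'
)
# Broad principals that would let almost any account RDP to the PSM server.
$Broad = @('Domain Users', 'Authenticated Users', 'Everyone', 'Users')

function Get-RdpMemberReview {
    param(
        [string[]]$Members,          # 'DOMAIN\name' strings
        [string[]]$Allowed = @(),
        [string[]]$Broad   = @()
    )
    foreach ($m in $Members) {
        $leaf = ($m -split '\\')[-1]     # name without the domain part
        if ($Broad -contains $leaf) {
            $status = 'BROAD'            # remove or justify
        } elseif ($Allowed -contains $m) {
            $status = 'OK'
        } else {
            $status = 'REVIEW'           # not on the allowlist
        }
        [pscustomobject]@{ Member = $m; Status = $status }
    }
}

# Constructed sample: members printed by PSMHardening.ps1 above, rewritten
# in the DOMAIN\name form that Get-LocalGroupMember returns.
$sample = @(
    'CTY\Domain Users', 'EE-CARK01\PSMConnect', 'EE-CARK01\PSMAdminConnect',
    'CTY\svc_CArk_PSMConnect', 'CTY\svc_CArk_PSMAdmn',
    'CTY\SEC-Infrastructure Administrators'
)
Get-RdpMemberReview -Members $sample -Allowed $Allowed -Broad $Broad |
    Format-Table -AutoSize

# Live check on the PSM server. S-1-5-32-555 is the built-in
# Remote Desktop Users group, independent of the OS language.
$live = (Get-LocalGroupMember -SID 'S-1-5-32-555').Name
Get-RdpMemberReview -Members $live -Allowed $Allowed -Broad $Broad |
    Where-Object Status -ne 'OK'
```

With the sample input, CTY\Domain Users is flagged BROAD and the two local EE-CARK01 accounts are flagged REVIEW, since the domain accounts have replaced them.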





PS C:\Program Files (x86)\Cyberark\PSM\Hardening> .\PSMConfigureAppLocker.ps1
PSM connection user is CTY\svc_CArk_PSMConnect
PSM admin connection user is CTY\svc_CArk_PSMAdmn
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmsshclient.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmprivatearkclientdispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmpvwadispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\mssqlmanagementstudiowindowsauthenticationdispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psm3270client.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmwebformdispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmwinscpdispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\winscp.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmrealvncdispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmxfocus.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmtokenholder.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmsessionalert.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmsuspendsession.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmpreventwindowhide.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmmessagealert.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmwindowseventslogger.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\cyberark.psm.webappdispatcher.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\dllinjector.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\dllinjector64.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\cyberark.progressbar.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmticketvalidator.exe
Evaluating the dlls consumed by c:\windows\system32\conhost.exe
Evaluating the dlls consumed by c:\windows\system32\taskhostw.exe
Evaluating the dlls consumed by c:\windows\system32\wermgr.exe
Evaluating the dlls consumed by c:\program files (x86)\vcxsrv\vcxsrv.exe
Evaluating the dlls consumed by c:\program files (x86)\vcxsrv\xkbcomp.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\psmsapgui.exe
Evaluating the dlls consumed by c:\program files\google\chrome\application\chrome.exe
Evaluating the dlls consumed by c:\program files (x86)\cyberark\psm\components\chromedriver.exe
Evaluating the dlls consumed by c:\program files (x86)\internet explorer\iexplore.exe
Evaluating the dlls consumed by c:\program files\internet explorer\iexplore.exe
Loading new AppLocker configuration...
Configuring Application Identity service...
CyberArk AppLocker's configuration script ended successfully.
True
PS C:\Program Files (x86)\Cyberark\PSM\Hardening>
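
The script reporting success does not by itself show that the rules are enforced for the two domain users. The following is an added example, not part of the original post or of CyberArk's scripts, that checks the Application Identity service, the enforcement mode of each rule collection, and the policy decision for each PSM user. The user names and the allowed path are taken from the output above; $blockedProbe is an assumption, so pick any existing executable that is not in your AppLocker allowlist.

```powershell
# Added example: verify the AppLocker state left by PSMConfigureAppLocker.ps1.
$psmUsers     = 'CTY\svc_CArk_PSMConnect', 'CTY\svc_CArk_PSMAdmn'
$allowedProbe = 'C:\Program Files (x86)\CyberArk\PSM\Components\PSMSSHClient.exe'
$blockedProbe = 'C:\Windows\System32\calc.exe'   # hypothetical negative test

# 1. The Application Identity service must be running,
#    otherwise no AppLocker rule is enforced.
$svc = Get-Service -Name AppIDSvc
'{0}: {1}' -f $svc.Name, $svc.Status

# 2. Each rule collection should be 'Enabled',
#    not 'AuditOnly' or 'NotConfigured'.
[xml]$policyXml = Get-AppLockerPolicy -Effective -Xml
$policyXml.AppLockerPolicy.RuleCollection |
    Select-Object Type, EnforcementMode,
        @{ n = 'Rules'; e = { $_.ChildNodes.Count } } |
    Format-Table -AutoSize

# 3. Ask the effective policy what each PSM user may run.
#    Expect Allowed for $allowedProbe and Denied or DeniedByDefault
#    for $blockedProbe.
$policy = Get-AppLockerPolicy -Effective
foreach ($u in $psmUsers) {
    Test-AppLockerPolicy -PolicyObject $policy -User $u `
        -Path $allowedProbe, $blockedProbe |
        Select-Object @{ n = 'User'; e = { $u } },
            FilePath, PolicyDecision, MatchingRule
}
```

If the allowed probe comes back DeniedByDefault for a domain user, the user names in PSMConfigureAppLocker.ps1 are the first thing to recheck.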



Some Issues Found After Upgrade


In my environment, there are three PSM servers. Now it shows the old ones as disconnected. The three new ones are showing the correct component_users, but the version is showing 14.3, which should be 14.4.




