How to Prepare for a Privileged Access Manager Upgrade


Article ID: 367349


CA Privileged Access Manager (PAM); CA Privileged Access Manager - Cloakware Password Authority (PA); CA Privileged Access Manager - Server Control (PAMSC)


Privileged Access Manager must be upgraded routinely in order to add the newest features and fixes. Use this KB article to download the upgrade patch and prepare for a Privileged Access Manager upgrade.


This KB article was last updated in May 2024 using documentation links for the 4.1.7 version. If upgrading to a different version, use the drop-down menu in the documentation to select the proper version.


Since the Privileged Access Manager appliance is a closed appliance, upgrading the appliance is done through an automated process. The upgrade patch is an encrypted binary file which gets uploaded to each appliance in the environment prior to being applied. The upgrade patch can either be found on the Broadcom Support website on the My Downloads page for major versions (4.0.0, 4.1.0, etc.) or on the Privileged Access Manager Solutions & Patches page for minor versions (4.1.1, 4.1.2, 4.1.3, etc.).

Depending on how long the target version has been released, there may also be hotfixes available on the Solutions & Patches page. If there are, it is generally advised to apply them during the same upgrade window. Refer to the Privileged Access Manager Hotfixes documentation for a list of all published hotfixes for a given version, along with a description of the defects each one fixes.

When planning a PAM upgrade, the first step should be to review the Upgrade Prerequisites section of the documentation to learn any version-specific requirements for the upgrade.

Next, determine the upgrade path from the current version to the target one. In most scenarios the upgrade will be directly from the current to the new version, but there may be a scenario where an intermediate version is required. Please refer to the Upgrading section of the documentation in order to plan the upgrade path.

After determining the upgrade path, review the Release Information documentation section for each intermediate version to learn about any functional changes between versions. For example, if upgrading from 4.1.2 to 4.1.7, review the release information for 4.1.3, 4.1.4, 4.1.5, 4.1.6, and 4.1.7 to be aware of any changes which could impact the environment.

Once the prerequisites have been met and the upgrade path determined, it is advised to back up and download the database as a precaution, using the instructions in the Configuration and Database Backups section of the documentation.

In addition to the database backups, it is also recommended to back up at least one appliance in the environment. For VMware, use the Cluster Maintenance section of the documentation for guidance on how to take a snapshot of the appliance. For AWS, use the AWS AMI Backup and Recovery section of the documentation to back up the AMI.

For a physical appliance, the PAM UI will ask to back up the appliance during the upgrade. Please be advised that the physical appliance can only have one backup. If a hotfix is being applied in addition to the upgrade, perform the appliance backup before the upgrade and skip it when applying the hotfix, so that the backup holds the original version. If there is an issue with the upgrade and the physical appliance needs to be restored, use the instructions in Recover a 404L Hardware Appliance to recover the appliance.

It is suggested to have the SSH debug patch installed and SSH debugging services enabled before upgrading in case there is an issue and Broadcom Support needs to connect to the backend of the appliance. In the PAM UI for each appliance in the cluster, go to Configuration > Upgrade and verify that PAM_SUPPORT_SSH_DEBUG has been applied within the last 3 months. If it has been more than 3 months, open a case with Broadcom Support to obtain the newest SSH debug patch and use the How to Apply and Enable PAM SSH Debugging Services KB article to apply the patch and enable SSH debugging services. This must be done on each appliance in the environment.

It is best practice to enable maintenance mode before upgrading PAM so new user logins cannot occur during the upgrade. Refer to the Maintenance and Cluster Tuning Options section of the Configure System Diagnostics, Maintenance, and Cluster Tuning Options documentation page for the instructions to enable maintenance mode.

Uploading the upgrade patch can take a long time, depending on the size of the upgrade patch and the network bandwidth between the user's workstation and the PAM appliance. To prevent the user's session from timing out while uploading the upgrade patch, go to Global Settings in the PAM UI and set the Login Timeout value to 0. Once the upgrade is complete, remember to set Login Timeout back to the original value.

Additional Information

Once the environment has been prepared for the upgrade, use either the Upgrade a Single Appliance, Upgrade Appliances in a Cluster, or Upgrading Across a Multi-Site Cluster section of the documentation for the steps to perform the upgrade in the environment.

If Utility Appliances are configured in the environment, refer to Upgrade PAM SC Utility Appliances in the documentation for instructions on how to upgrade them.

If external agents such as the A2A client, Socket Filter Agent, or Windows Proxy are also in the environment, it is recommended to upgrade them as well. Newer PAM appliances are backwards compatible with the older agents, but there may be communication issues if the difference in versions between them is too large. Use the Upgrade a Credential Manager A2A Client or Upgrade a Socket Filter Agent (SFA) documentation link to learn how to upgrade the A2A agent or SFA. For the Windows Proxy, first use the Uninstall a Windows Proxy instructions to uninstall the old version and How to Install a Windows Proxy instructions to install the new version.