Using checksums to validate PAM upgrade patches


Article ID: 401662


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

PAM patches to upgrade to a new maintenance release tend to be very large, typically several GB in size. It takes a long time to get them downloaded, uploaded to PAM and then applied. If something goes wrong during the file download, while extracting the patch file from the zip archive that it typically is packaged in, or while uploading the patch to PAM, the attempt to apply the patch will run into a failure, but a lot of time will have been lost by then. What can be done to minimize the risk of failure?

Resolution

PAM upgrade patch archives, and other published patches, typically contain three files:

1. A file with extension .bin. This is the actual upgrade patch file.

2. A file with extension .sha256. This contains the SHA256 hash of the file, also referred to as the checksum, and the file name.

3. A README file.

 

The SHA256 hash should be used to validate the files, both after download and extraction, and then again after the file is uploaded into PAM. If you stage patches on a Windows host, you can use the PowerShell command Get-FileHash to validate the hash. On Linux, the sha256sum command is typically available and can be used.

As an example, consider the 4.2.2 upgrade patches. These have an additional complication: there are two different upgrade files available for download, one for upgrades from releases 4.2.0 and lower, and one for upgrades from 4.2.1. Both versions are packaged in an archive named CAPAM_4.2.2.p.zip, as seen in this section of a screenshot from the PAM Solutions & Patches page:

 

The files inside the two archives are different. The first one contains files CAPAM_4.2.2_420-.p.bin, CAPAM_4.2.2_420-.p.sha256 and README.txt. The second archive contains files CAPAM_4.2.2.p.bin, CAPAM_4.2.2.p.sha256 and README.txt. To validate successful download and extraction, calculate the checksum and compare it to the contents of the .sha256 file. Typically it is sufficient to look at a few leading and trailing characters in the hash string.

Example for the files used to upgrade from 4.2.0 and lower:

PS D:\PAMImages\4.2.2_upgrade\420minus> dir


    Directory: D:\PAMImages\4.2.2_upgrade\420minus


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
------         4/9/2025   2:29 PM     4509050736 CAPAM_4.2.2_420-.p.bin
------         4/9/2025   2:31 PM            156 CAPAM_4.2.2_420-.p.sha256
------         4/9/2025   1:54 PM            383 README.txt


PS D:\PAMImages\4.2.2_upgrade\420minus> type CAPAM_4.2.2_420-.p.sha256
441519b2ca8043d3bbe9a82baaf8e5126842693922c295305079fa4addeab02e /export/home/jenkins/workspace/4.2.2/upgrade-patch/uaginstall/build/CAPAM_4.2.2_420-.p.bin


PS D:\PAMImages\4.2.2_upgrade\420minus> Get-FileHash -Path CAPAM_4.2.2_420-.p.bin -Algorithm SHA256

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          441519B2CA8043D3BBE9A82BAAF8E5126842693922C295305079FA4ADDEAB02E       D:\PAMImages\4.2.2_upgrade\420minus\CAPAM_4.2.2_420-.p.bin


PS D:\PAMImages\4.2.2_upgrade\420minus>

Or using the sha256sum command on Linux:

[[email protected] ~]# sha256sum CAPAM_4.2.2_420-.p.bin
441519b2ca8043d3bbe9a82baaf8e5126842693922c295305079fa4addeab02e  CAPAM_4.2.2_420-.p.bin
[[email protected] ~]#

 

Example for the files used to upgrade from 4.2.1:

PS D:\PAMImages\4.2.2_upgrade> dir


    Directory: D:\PAMImages\4.2.2_upgrade


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        5/16/2025   3:42 PM                420minus
------         4/9/2025   2:24 PM     4509050784 CAPAM_4.2.2.p.bin
------         4/9/2025   2:29 PM            151 CAPAM_4.2.2.p.sha256
------         4/9/2025   1:54 PM            383 README.txt


PS D:\PAMImages\4.2.2_upgrade> type CAPAM_4.2.2.p.sha256
2122c8c42c7a6d28c2582d5f5477c1c77ab4c127887c90af4e5301e0ecab133e /export/home/jenkins/workspace/4.2.2/upgrade-patch/uaginstall/build/CAPAM_4.2.2.p.bin


PS D:\PAMImages\4.2.2_upgrade> Get-FileHash -Path CAPAM_4.2.2.p.bin -Algorithm SHA256

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          2122C8C42C7A6D28C2582D5F5477C1C77AB4C127887C90AF4E5301E0ECAB133E       D:\PAMImages\4.2.2_upgrade\CAPAM_4.2.2.p.bin


PS D:\PAMImages\4.2.2_upgrade>

 

This verifies the integrity of the files. The output of the "Get-FileHash" command matches the contents of the .sha256 file.
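
The same comparison can be scripted on a Linux staging host so that the full 64-character hash is compared rather than read by eye. This is an added example, not part of the original article or the product; the function names expected_hash, recorded_name and verify_patch are hypothetical. It reads the hash field from the .sha256 file itself because, as the listings above show, that file records the build-server path of the .bin, which does not exist on the staging host.

```shell
#!/bin/sh
# Added example: check a PAM patch against its published .sha256 file.
# Usage: sh verify_patch.sh CAPAM_4.2.2.p.bin CAPAM_4.2.2.p.sha256

# Print the hash field of a .sha256 file in lowercase; fail unless 64 hex chars.
expected_hash() {
    local h
    h=$(awk 'NR==1 {print tolower($1)}' "$1" | tr -d '\r')
    case "$h" in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#h}" -eq 64 ] || return 2
    printf '%s\n' "$h"
}

# Print the file name recorded in the .sha256 file, without the build path.
recorded_name() {
    awk 'NR==1 {print $2}' "$1" | tr -d '\r' | sed 's|.*/||; s|^\*||'
}

# Returns 0 on match, 1 on hash mismatch, 2 on unusable input,
# 3 when the .sha256 file belongs to a different patch file.
verify_patch() {
    local bin="$1" sumfile="$2" want got name
    if [ ! -r "$bin" ] || [ ! -r "$sumfile" ]; then
        echo "cannot read $bin or $sumfile" >&2; return 2
    fi
    want=$(expected_hash "$sumfile") || { echo "malformed $sumfile" >&2; return 2; }
    name=$(recorded_name "$sumfile")
    if [ "$name" != "$(basename "$bin")" ]; then
        echo "NAME MISMATCH: $sumfile describes $name" >&2; return 3
    fi
    # Full-length comparison, case-insensitive (Get-FileHash prints uppercase).
    got=$(sha256sum "$bin" | awk '{print tolower($1)}')
    if [ "$got" != "$want" ]; then
        echo "MISMATCH $bin: expected $want, got $got" >&2; return 1
    fi
    echo "OK $bin $got"
}

if [ "$#" -eq 2 ]; then verify_patch "$1" "$2"; fi
```

The name check catches the case where the .bin from one 4.2.2 archive is paired with the .sha256 from the other, since both archives carry the same zip name.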

The next step is to upload the desired .bin file to PAM from the Configuration > Upgrade page. For large patch files you always want to use the "Upload" option, not the "Upload and Apply" option. Say you were at 4.2.1 and wanted to upgrade to 4.2.2. This requires you to upload the CAPAM_4.2.2.p.bin file. Once uploaded, check the "Show Checksums" option to show the checksum (== sha256 hash) of the uploaded file:

 

The checksum matches the contents of the .sha256 file for patch file CAPAM_4.2.2.p.bin and therefore you have confirmed that the file upload was successful and this patch is ready to be applied.

Additional Information

While the "Show Checksums" option is checked, PAM will calculate the checksum of all uploaded patch files every time you navigate to the Configuration > Upgrade page. For very large patch files this can take a minute or so. If you uploaded a large file and don't intend to apply it right away, you may want to turn the option off once you have the checksum confirmed, to avoid this delay on subsequent visits to the Upgrade page.