PAM Server upgrade procedure

This section looks at how to inline upgrade a standalone or clustered deployment.

Prerequisites

Before starting your inline upgrade make sure the following prerequisites are met:

Prerequisite	Description
Upgrade path	Review the Upgrade paths to ensure you are applying the correct upgrade method based on the version you are upgrading from and to.
Hardware & Software	Ensure the correct resources are available before deploying. The following outlines the hardware and software requirements.
Templates	When upgrading to v7.5.1 and above, an upgrade will be required to the latest template bundle to ensure templates continue to work. This may need to be done before the upgrade. The steps required to perform the upgrade will depend upon the template. For details on the templates affected, and how to upgrade them click here.
Ports	Ensure TCP ports 443 and 9002 are open as they are required for the client-side and PAM UI. TCP 2380 (etcd, i.e. key-value store), 2390 (cluster setup API), 2391 (cluster delegation API), 5432 (postgres, i.e. database) For a full list of ports used by the PAM Server click here.
Software downloads	Download the latest upgrade kit click here.
Recent backup	We recommend that you have a recent Osirium backup as well as VM Level backup or Snapshot of all PAM Servers being upgrading.
User connections	Ensure there are no active user connections.
Regenerate Account Credentials for all devices tasks	Within the Admin Interface, disable all scheduled Regenerate Account Credentials for all devices tasks within profiles.
Osirium Support account	Within the Admin Interface ensure the Osirium Support account has been enabled and a password set.

Upgrading a standalone PAM Server

The diagram provides a high-level overview of the process for upgrading a standalone PAM Server.

Standalone PAM Server upgrade procedure flowchart

Upgrade standalone

Upgrade steps

Open a file transfer tool of your preference and copy the upgrade kit onto the PAM Server using the osirium_support account.
Open the PAM Server Console window, then press ALT + F2. The server login prompt appears.

Note
Alternatively, you could use an SSH connection to the PAM Server.
Enter osirium_support at the login prompt and press ENTER.
When prompted, enter the password of the osirium_support account and press ENTER.
Extract the upgrade kit copied to the server using the following command:

sudo bash Osirium_PAM_Server_vA.B.C_upgrade.bin

Where A.B.C is the version you are upgrading to.
Enter the osirium_support account password when prompted and press ENTER.
When the kit has been extracted, type the command specified on the screen and press ENTER.
Press ENTER when prompted to start the setup and configuration.
The EULA screen will be displayed. Press ENTER once you have read it.
Press ENTER when prompted to Continue without restoring a backup.
Press ENTER when prompted to Continue without joining cluster.
Wait while the upgrade completes and the server is rebooted.

Post upgrade tasks

Once the upgrade has successfully completed, logon to Osirium PAM and check the following before allowing users to reconnect:

Before opening any device connections that use an Active Directory account, an audit needs to be manually triggered on all provisioned Active Directories. You can do this by right clicking the Active Directory on the Manage Active Directory page, and select Trigger audit from the menu. This will allow additional fields on the Active Directory account page to be populated.
Check device status to ensure they are running successfully.
Check users can connect to devices.
Re-enable scheduled Regenerate Account Credentials for all devices tasks.
Take a VM level backup of the node.
Use the PAM Component Compatibility Matrix to check if other PAM components need updating inline with the version you are upgrading to and upgrade as appropriate.

Upgrading clustered PAM Servers

Inline clustered upgrades are not supported. Please contact Osirium support for instructions and assistance in upgrading your cluster.