Software Updates

How to check for and update Privileged Access Management to the Latest Version.

The development of Privileged Access Management (PAM) follows an Agile development process which means a fast paced and frequent software release cycle. Due to this, the software provides an easy method to check for and ultimately deploy the latest version.

Before you update, review the latest Privileged Access Management Release Notes.

PAM updates may contain changes that require modifications to the PAM database. For this reason, please ensure that the PAM schema owner has DDL permissions on the database before starting the software update process.

Check and Update PAM Online

To Check and Update PAM Online (for offline update scroll down to the next section).

To perform an Online Update, your PAM node(s) must be able to communicate with the PAM distribution server to complete a version check and to download the software package. If required, whitelist the domain "bin.xtontech.com" using port 443 in your firewall.

  1. Login to PAM as a System Administrator.
  2. Navigate to Administration > Updates. The Application Update page will display all the components configured, their Current Version and the latest Available Version. If the available version is more recent than your current version, a Download button will be visible.
  3. Click Download to queue the download process. The download will be processed when possible and may take a few minutes to complete.

    4. FAQ-Update-DownloadScheduled

  4. Click Install when the download is finished. An Install button will become visible under the Actions column. Click Install to queue the installation process. The installation will be processed when possible and may take a few minutes to complete and during this time, connectivity to the system will be intermittent. We recommend performing the installation during “off peak” hours if possible.

    FAQ-Update-UpdateScheduled

  5. Verify the update. After the update is installed, the current Components and Available Version numbers will be identical and the Action message will state that the current version is up to date.

    FAQ-Update-CurrentVersionUpdated

Check and Update PAM Manually (Offline Method)

Use this method for air-gapped environments or when online updates are not available.

After manually copying xtam.war and xtamWorker.war files, PAM logs may stop updating. Follow the complete procedure below to avoid this issue.

To Check and Update PAM Offline:

  1. Download the offline update from here: https://bin.xtontech.com/product/pam-pkg.zip
  2. Copy the downloaded zip file to the PAM server.
  3. Extract the zip file to a temporary location on the PAM server.
  4. Navigate to the extracted files: In this temporary location, navigate to /pkg/pam and copy the files xtam.war and xtamWorker.war.
  5. Stop all PAM services (IMPORTANT: it prevents log freezing issue): PamManagement, PamDirectory, PamSession.
  6. Copy the .war files to $PAM_HOME/content, or the directory specified by the Administration / Settings / Parameters / Content Location parameter.
  7. Restart PAM services in the following order: PamManagement, PamDirectory, PamSession.
  8. Verify the update process: Wait approximately 5 minutes for the update to complete; open PAM and navigate to Administration > Updates to confirm when the process is complete. Verify that logs are udating properly in $PAM_HOME/logs/pam.log.

PAM and OS upgrade

PAM runs as an independent product that has operating system (OS) services added. Performing an in-place upgrade of the OS should complete without any PAM issues.

It is always good practice to perform these types of operations in a test/dev environment before doing so in a Production environment, as there are always things that can be learned through this process.

Before initiating the OS upgrade:

  • Stop all PAM services (PamManagement, PamDirectory, PamSession),

  • Take a backup of the PAM directory and store this in another location/folder.

Update PAM Components

Before you update, review the latest Privileged Access Management Release Notes.

Updating Federated Sign-in Module

The latest version of the Federated Sign-in Module version 6.5 component is 6.5.5.5 20260304.

https://bin.xtontech.com/product/pam-cas.65.zip

Updating the Framework

Updated application Framework to version 21.0.10 for new deployments.

Updating the WEB Container

PAM officially supports Tomcat version 9.0.115 as its WEB container.

https://bin.xtontech.com/product/pam-web.zip

Updating the Session Manager Component

The latest Web Session Manager component is version 1.6.0.

https://bin.xtontech.com/product/pam-session.zip

Updating log4j2

The latest log4j component is version 2.25.3.

https://bin.xtontech.com/product/xtam-log4j2-2.25.3.zip

Note for Windows Users: After upgrading log4j2 to version 2.25.3, the default behavior of log file contents has changed. Log files now contain ANSI escape sequences for coloring, which appear as visible characters ( e.g., `[32m`, `[m`, `[0m`) when viewed with standard Windows text editors like Notepad or standard text viewers.

To view logs with ANSI color codes properly rendered: 

  • Use PowerShell 7+ (recommended for Windows).

  • Use VS Code with appropriate log viewer plugins.

  • Use other ANSI-compatible log viewers.

Disabling ANSI Color Codes (recommended for Windows)

If you prefer to view logs without color codes and escape sequences, configure and apply changes to two files log4j2.pam.xml and log4j2.xml to disable ANSI formatting.

File 1: log4j2.pam.xml

The default location is typically:

Windows: $PAM_HOME\web\conf\log4j2.pam.xml

Linux: $PAM_HOME/conf/log4j2.pam.xml

Change Required: add disableAnsi="true" to the PatternLayout element:

Before:

Copy 
<PatternLayout pattern="%highlight{%d{yyyy-MM-dd HH:mm:ss} %-5p %c{3.}:%L (%t) - %m%n}" />

After:

Copy 
<PatternLayout pattern="%highlight{%d{yyyy-MM-dd HH:mm:ss} %-5p %c{3.}:%L (%t) - %m%n}" disableAnsi="true" />

File 2: log4j2.xml for CAS log4j2 Configuration

File location:

First, locate the file path specified by logging.config parameter in $PAM_HOME/web/conf/catalina.properties file.

Look for a line similar to logging.config=file:///opt/pam/web/webapps/cas/WEB-INF/classes/log4j2.xml

The default location is typically:

Windows: $PAM_HOMEweb\webapps\cas\WEB-INF\classes\log4j2.xml

Linux: $PAM_HOME/web/webapps/cas/WEB-INF/classes/log4j2.xml

Change Required: add disableAnsi="true" to all the PatternLayout blocks in this file:

Before:

Copy 
<PatternLayout pattern="%d %p [%c] - &lt;%m&gt;%n"/> 

After:

Copy 
<PatternLayout pattern="%d %p [%c] - &lt;%m&gt;%n" disableAnsi="true"/>

Apply the changes:

  1. Save all modified configuration files.

  2. Restart all PAM services for changes to take an effect:  PamManagement, PamDirectory, PamSession.

  3. Verify logs display correctly without escape sequences by viewing $PAM_HOME/logs/pam.log

Troubleshooting Updates

Issue: Logs Stop Updating After Manual Update

Symptoms:

  • After manually copying .war files, pam.log stops receiving new entries.

  • Log file timestamp does not update.

  • No new log entries appear despite PAM activity.

Solution:

  1. Stop all PAM services: PamManagement, PamDirectory, PamSession.

  2. Verify .war files are in correct location: check that xtam.war and xtamWorker.war are in $PAM_HOME/content.

  3. Check file permissions: ensure PAM service account has read/write access to the files:

    1. Windows: Right-click files > Properties > Security.

    2. Linux: Use `ls -l` to verify ownership and permissions.

  4. Restart PAM services in order: PamManagement (wait 30 seconds), PamDirectory (wait 30 seconds), PamSession.

  5. Monitor logs for 2-3 minutes to confirm updates resume:

    1. Windows

      Copy 
      tail -f C:\pam\logs\pam.log

      (using PowerShell or Git Bash)

    2. Linux

      Copy 
      tail -f /opt/pam/logs/pam.log
  6. If the logs still don't update:
    1. Check $PAM_HOME/logs/ directory permissions.
    2. Review system event logs for service errors.
    3. Contact Imprivata Support support@imprivata.com.

Issue: Log Files Show Strange Characters on Windows

Symptoms:

  • Log files contain sequences like `[32m`, `[m`, `[0m`. Example:

    Copy 
    `[32m2026-01-27 18:09:02 INFO com.pam.api.gui.upd.ContainerLibrariesUpdateManager:46 (main) - Checking C:\pam\web\webapps\xtam for libraries to update[m`

  • Logs are difficult to read in Notepad or standard text editors.

Cause:

  • log4j2 version 2.25.3 introduced ANSI color codes by default.

  • Windows text editors do not render ANSI escape sequences.

Solution: See the "Disabling ANSI Color Codes" section under "Updating log4j2" above for detailed instructions.

Issue: Update Process Verification

After any update (online or manual), verify the following:

  1. Check Update Status:

    • Navigate to Administration > Updates.

    • Confirm "Current Version" matches "Available Version".

    • Verify Action column shows "Up to date".

  2. Review Logs for Errors:

    • Check $PAM_HOME/logs/pam.log for any ERROR or WARN messages.

    • Look for successful startup messages.

    • Verify no exceptions or stack traces appear.

  3. Test Basic PAM Functionality:

    • Login as a regular user.

    • Access a managed account.

    • Launch a session.

    • Verify session recording (if enabled).

  4. Verify All Services are Running:

    • Windows: Check Services console (services.msc).

    • Linux: Use `systemctl status pam*` or equivalent.

  5. Check Database Connectivity:

    • Navigate to Administration > System Health.

    • Verify database connection is active.

    • Check for any warnings or errors.

Best Practices

Before Any Update:

  • Review the latest PAM Release Notes.

  • Perform updates in a test/dev environment first.

  • Schedule updates during off-peak hours.

  • Backup the PAM database.

  • Backup the PAM installation directory.

  • Verify PAM schema owner has DDL permissions.

  • Notify users of planned maintenance window.

During Update:

  • Monitor the update process.

  • Keep the Administration > Updates page open.

  • Do not interrupt the update process.

  • Expect intermittent connectivity during installation.

After Update:

  • Verify version numbers match.

  • Check all logs for errors.

  • Test core functionality.

  • Verify all services are running.

  • Monitor system for 24-48 hours.

  • Document the update in your change management system.

Quick Reference

Manual Update Checklist

  • Download https://bin.xtontech.com/product/pam-pkg.zip.

  • Copy the pam-pkg.zip file to PAM server.

  • Extract the pam-pkg.zip file to temporary location.

  • Stop all PAM services (PamManagement, PamDirectory, PamSession).

  • Copy xtam.war and xtamWorker.war to $PAM_HOME/content.

  • Restart all PAM services.

  • Wait for 5 minutes.

  • Verify in Administration > Updates.

  • Check pam.log is updating.

Log4j2 ANSI Fix Checklist (Windows)

  • Edit $PAM_HOME\web\conf\log4j2.pam.xml adding disableAnsi="true" to PatternLayout.

  • Edit $PAM_HOME\web\webapps\cas\WEB-INF\classes\log4j2.xml adding disableAnsi="true" to all PatternLayout blocks.

  • Restart all PAM services.

  • Verify logs display correctly.