Updating the Framework

Updating Existing PAM Deployment to the Currently Supported OpenJDK Release.

 

While all new installations use the latest OpenJDK components officially supported by PAM (https://jdk.java.net/) as the default configuration, existing deployments should be updated manually if needed.

As of October 2023, PAM officially supports OpenJDK 21.0.1 and this framework will be used for all new installations.

For existing deployments that are currently using OpenJDK 11, 12, 13, 14, 15 or 17, this guide will update you to the latest supported version.

For existing deployments that are currently using JRE 1.8_x, please see this guide for the update procedure.

Prerequisites

  • An operational PAM deployment with the latest software version. Please update to the latest available version before proceeding.
  • The application Framework is updated to version 21.0.1 for new deployments. Existing deployments require an update of the Framework.
  • An operational PAM deployment with framework version 11, 12, 13, 14, 15 or 17. If you are using 1.8_x, please use this guide to update.

To check your Framework version, log in to PAM with a System Administrator account, navigate to Management > About and locate the Framework parameter. If you see a version like Framework: 11.x.x or higher, please continue with this guide.

Please read the entire procedure outlined in the article before beginning. If you have any questions, please contact the Support team: https://support.imprivata.com/.

Considerations

  • Each PAM node that is updated will be offline and inaccessible for the entirety of the migration.
  • The user performing the migration will be required to update files and configurations on the PAM host server. Appropriate privileges are required.
  • We highly recommend deploying a test instance of PAM that mirrors your production instance as closely as possible to test the migration (DB type, Federated Sign-In, certificates, MFA/SSO, AD Integration, etc). Once the migration is successful with the test instance you can reproduce the procedure on your production instance.

Step 1. Download and Extract Framework Components

  1. Download the latest supported framework packaged for PAM Server to your PAM host server and extract this archive outside the $PAM_HOME directory. If you have multiple nodes, you will need to perform this procedure on all node servers.

  2. Download the PAM JDK Update Pack to your PAM host server (Windows and Linux) and extract the archive to your $PAM_HOME directory. The extracted archive will create a new directory with the name $PAM_HOME/pam-jdk17-pack.

Step 2. Stop the PAM Services

Once the services are stopped, PAM will become inaccessible until the update is completed.

  1. For Windows deployments, stop the PamManagement and PamDirectory services:

    net stop PamManagement
    net stop PamDirectory

  2. For Linux deployments, stop the pammanager and pamdirectory services:

    service pammanager stop
    service pamdirectory stop

Step 3. Updating the OpenJDK Framework

  1. Replace the existing PAM jre directory.

    • Rename the directory $PAM_HOME/jre to $PAM_HOME/jre.old

    • Move the jre directory downloaded in Step 1 to $PAM_HOME/jre

  2. Copy existing PAM Certificates and Configurations

    • Copy the file $PAM_HOME/jre.old/lib/security/cacerts to $PAM_HOME/jre/lib/security overwriting the current file.

    Note: This step will migrate the existing certificates loaded into the previous PAM deployment including ADS, AD connection certificates as well as the SSL certificate for CAS integration.

  3. Update PAM container files.

    • Copy all files from $PAM_HOME/pam-jdk17-pack/ to $PAM_HOME/bin overwriting the current files.

  4. Redeploy Services:

    • Windows

    From an administrative command prompt, navigate to $PAM_HOME and run the commands:

    bin\ServiceManagement.cmd remove
    bin\ServiceManagement.cmd install

    Note: The PamManagement service resets its Log on property to the default Local System account once this service for PAM is reinstalled. If you are using a Log on account other than the Local System account for this service, then you must restore it prior to restarting the PamManagement service. Navigate to Services on Windows and find PamManagement, right-click and select Properties. Go to the Log on tab, select This account: and restore the required service account.

    • Linux

    From the command prompt navigate to $PAM_HOME and run the command:

    sh bin/update-jdk-17.sh

Step 4. Start the PAM Services

  1. For Windows deployments, start the PamManagement and PamDirectory services:

    net start PamDirectory
    net start PamManagement

  2. For Linux deployments, start the pammanager and pamdirectory services:

    service pamdirectory start
    service pammanager start

These services may take a few minutes to fully start.

Step 5. Test and Verify

Once the services come back online, you should now log in and thoroughly test the system. This should include, but not be limited to:

  1. Log in with all applicable types of user accounts: Local, AD/LDAP, MFA and SSO.
  2. Accessing existing records (and creating new records) in both the Record List and Personal Vault, including the unlock action.
  3. Creating remote sessions.
  4. Executing jobs and tasks (on demand and scheduled).
  5. Viewing and exporting reports.

To confirm the update, check the Framework version on the Management > About screen. The displayed version should match the version that was downloaded.

Rollback

If the migration or testing fails and you need to roll back to the previous Framework, then follow this procedure. If you do not need to roll back, proceed to the next section.

  1. Stop the PAM services as described earlier.
  2. Rename the new $PAM_HOME/jre to $PAM_HOME/jre.new
  3. Rename the previous $PAM_HOME/jre.old back to $PAM_HOME/jre
  4. Start the PAM services as described earlier.

When the services come back online, PAM should be using the previous framework. You should now perform the testing and validation again.
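
The Linux file operations from Step 3 (items 1 to 3) and the Rollback renames, as an added shell example that is not part of the vendor's procedure or tooling: it refuses to run if an earlier jre.old would be overwritten and checks with cmp that the migrated cacerts is byte-identical to the original. The function names swap_jre and rollback_jre and their arguments are assumptions; services must already be stopped, and redeploying them (item 4) is left to the documented commands.

```shell
#!/bin/sh
# Added example (not vendor code): Step 3 items 1-3 and the Rollback renames.
# Function names and argument order are assumptions made for this sketch.

# swap_jre PAM_HOME NEW_JRE : replace $PAM_HOME/jre, keeping jre.old for rollback
swap_jre() {
    pam_home=$1; new_jre=$2
    old_store="$pam_home/jre.old/lib/security/cacerts"
    new_store="$pam_home/jre/lib/security/cacerts"

    # Guards: never overwrite an existing rollback copy, never start half-way
    [ -d "$pam_home/jre" ]            || { echo "no existing jre" >&2; return 1; }
    [ ! -e "$pam_home/jre.old" ]      || { echo "jre.old already exists" >&2; return 1; }
    [ -f "$pam_home/jre/lib/security/cacerts" ] \
                                      || { echo "no cacerts to migrate" >&2; return 1; }
    [ -d "$new_jre/lib/security" ]    || { echo "new jre is incomplete" >&2; return 1; }
    [ -d "$pam_home/pam-jdk17-pack" ] || { echo "update pack not extracted" >&2; return 1; }
    [ -d "$pam_home/bin" ]            || { echo "no bin directory" >&2; return 1; }

    # Item 1: replace the existing jre directory
    mv "$pam_home/jre" "$pam_home/jre.old" || return 1
    mv "$new_jre" "$pam_home/jre"          || return 1

    # Item 2: migrate the trust store and confirm the copy is byte-identical
    cp -p "$old_store" "$new_store"  || return 1
    cmp -s "$old_store" "$new_store" || { echo "cacerts mismatch" >&2; return 1; }

    # Item 3: update the PAM container files
    cp -Rp "$pam_home/pam-jdk17-pack/." "$pam_home/bin/" || return 1
}

# rollback_jre PAM_HOME : restore the previous framework (Rollback section)
rollback_jre() {
    pam_home=$1
    [ -d "$pam_home/jre" ]       || { echo "no jre to set aside" >&2; return 1; }
    [ -d "$pam_home/jre.old" ]   || { echo "no jre.old to restore" >&2; return 1; }
    [ ! -e "$pam_home/jre.new" ] || { echo "jre.new already exists" >&2; return 1; }
    mv "$pam_home/jre" "$pam_home/jre.new" && mv "$pam_home/jre.old" "$pam_home/jre"
}
```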

Step 6. Cleanup

After all the testing is complete and the system is fully operational, you may choose to remove the following directories:

  • $PAM_HOME/jre.old
  • Files downloaded in Step 1 and extracted archives.