Updating the WEB Container

Updating your existing PAM deployment to the currently supported Apache Tomcat release.

While all new installations use the latest, PAM officially supported Tomcat version as the WEB container, existing deployments should be updated manually if needed.

PAM officially supports Tomcat version 9.0.97 as its WEB container.

Prerequisites

An operational PAM deployment with the latest software version.

Please update to the latest available version before proceeding.

Considerations

  • Each PAM node that is updated will be offline and inaccessible for the entirety of the upgrade.
  • The user performing the upgrade will be required to update files on the PAM host server. Appropriate privileges are required.
  • We recommend deploying a test instance of PAM that mirrors your production instance as closely as possible to test the migration (DB type, Federated Sign-In, certificates, MFA/SSO, AD Integration, etc). Once the upgrade is successful with the test instance you can reproduce the procedure on your production instance.
  • Updated WEB Container to version 9.0.97 for new deployments. Existing deployments require update of the Web Container.

  • An updated version of the software’s framework. Please update to the latest available version of the framework before continuing.

Please note that it is possible to operate the latest WEB Container on a version of the framework prior to 17. The additional steps for this configuration are detained in Step 3.

Please read the entire procedure outlined in the article before beginning. If you have any questions, please contact the Support team: https://support.imprivata.com/.

Step 1. Download and Extract WEB container Components

Download the latest supported WEB container for PAM Server to your PAM host server and extract this archive outside the $PAM_HOME directory. If you have multiple nodes, you will need to perform this procedure on all node servers:

https://bin.xtontech.com/product/pam-web.zip

Step 2. Stop the PAM Services

Once the service is stopped, this PAM node will become inaccessible until the upgrade is completed.

For Windows deployments, stop the PamManagement service:

Copy
net stop PamManagement

For Linux deployments, stop the pammanager service:

Copy
service pammanager stop

Step 3. Updating the WEB Container

  1. Make a backup copy of the current folders $PAM_HOME/web/bin and $PAM_HOME/web/lib to a location outside of $PAM_HOME (don’t rename and leave in place, make a copy outside of $PAM_HOME). In case of any issues, you can use these backup copies to roll back the update process.
  2. Copy all files from the web/bin folder of the extracted archive in Step 1 to the directory $PAM_HOME/web/bin. Replace all files including those that exist of the same names.
  3. Copy all files from the web/lib folder of the extracted archive in Step 1 to the directory $PAM_HOME/web/lib. Replace all including those that exist of the same names.

Step 4. Start the PAM Services

For Windows deployments, start the PamManagement service:

Copy
net start PamManagement

For Linux deployments, start the pammanager service:

Copy
service pammanager start

Step 5. Test and Verify

Once the service comes back online, you should now login and thoroughly test the system. This should include, but not be limited to:

  1. Login to PAM with all applicable types of user accounts: Local, AD/LDAP, MFA and SSO.
  2. Accessing existing records (and creating new records) in both the Record List and Personal Vault, including the unlock action.
  3. Creating remote sessions.
  4. Executing jobs and tasks (on demand and scheduled).
  5. Viewing and exporting reports.
  6. To confirm the update, check the WEB Container version on the Management > About screen. The displayed version should match the officially supported version mentioned in the beginning of this article.

Rollback

If the upgrade or testing fails and you need to roll back to the previous WEB Container, then follow this procedure. If you do not need to rollback, proceed to the next section.

  1. Stop the PAM service as described earlier.
  2. Delete $PAM_HOME\web\bin and restore the backup copy to this location.
  3. Delete $PAM_HOME\web\lib and restore the backup copy to this location.
  4. Start the PAM service as described earlier.

When the services come back online, PAM should be using the previous WEB Container.

You should now perform the testing and validation again.

Step 6. Cleanup

After all the testing is complete and the system is fully operational, you may choose to remove the following:

• The backup copies of the original WEB Container folders that was made outside of $PAM_HOME

• File downloaded in Step 1 and its extracted archive.

Disable WEB GUI check for the update

You can disable WEB GUI check for the latest version by providing system property

xtam.web.version.disable=true (default values is false) in $PAM_HOME/web/conf/catalina.properties file.

The option disables periodic connection to check for the latest version for the update repository for deployments operating in air-gaped or regulated environments.