Master Cybersecurity Skills. Build a Real Career.

CyberArk PSM for SSH Upgrade Guide 2026: Complete Step-by-Step Privileged Session Manager for SSH Upgrade Process

  • Home
  • Blog
  • CyberArk PSM for SSH Upgrade Guide 2026: Complete Step-by-Step Privileged Session Manager for SSH Upgrade Process
Image
  • July 16 2026

CyberArk PSM for SSH Upgrade Guide 2026: Complete Step-by-Step Privileged Session Manager for SSH Upgrade Process

Estimated Reading Time: 12–15 Minutes

Privileged access to Linux and Unix systems remains one of the most critical areas of enterprise security. Organizations running CyberArk Privileged Access Manager (PAM) rely on Privileged Session Manager for SSH (PSM for SSH) to securely isolate, monitor, and record SSH sessions without exposing privileged credentials to end users.

As organizations adopt newer versions of CyberArk PAM, upgrading PSM for SSH becomes an essential maintenance activity to ensure compatibility, security compliance, and supportability across the entire CyberArk ecosystem.

This guide walks through the complete CyberArk PSM for SSH upgrade process, including prerequisites, installation preparation, standard upgrades, upgrading from Idaptive/Idira SSHD mode, post-upgrade validation, SELinux considerations, and credential updates.

Why Upgrade CyberArk PSM for SSH?

Enhanced Security:
Benefit from the latest hardening improvements, SSH enhancements, and security patches released by CyberArk.
Component Compatibility:
Maintain compatibility with upgraded Vault, PVWA, CPM, and other PAM Self-Hosted components.
Operational Stability:
Receive bug fixes, improved service reliability, and better integration with modern Linux distributions.
Compliance Requirements:
Meet internal audit, cybersecurity, and regulatory requirements by staying on supported CyberArk versions.

What is CyberArk PSM for SSH?

CyberArk PSM for SSH acts as a secure proxy between administrators and target Unix/Linux systems. Instead of connecting directly to servers, users authenticate through the PSM for SSH server, allowing organizations to:

  • Record privileged SSH sessions.
  • Enforce centralized access policies.
  • Eliminate direct credential exposure.
  • Enable session monitoring and auditing.
  • Support enterprise compliance initiatives.

In large environments, PSM for SSH is often deployed alongside Vault, PVWA, CPM, and traditional Windows-based PSM components to provide comprehensive privileged access coverage.


Before Upgrading PSM for SSH

Before initiating the upgrade process, verify all prerequisites and validate the existing environment.

Security Compliance Check

Ensure the existing Linux server continues to comply with your organization's security baseline and CyberArk Security Fundamentals documentation.

 

Component Compatibility Validation

 

Confirm that the target PSM for SSH version is compatible with:

• CyberArk Vault

• PVWA

• CPM

• Traditional PSM

• DR Vault

• PTA (if deployed)

 

 

Verify psmpparms File

Ensure the /var/tmp/psmpparms file contains all required installation parameters before beginning the upgrade.

 

 

Validate Installation Files

Confirm the following files are available in the installation directory:

• RPM/DEB package

• Vault.ini

• User.cred

• Prerequisites folder

• Supporting installation packages

 

 


Important OpenSSH Notice

CyberArk administrators should pay special attention to changes introduced in OpenSSH 7.1 and later.

Important:

OpenSSH versions 7.1 and above changed the default value of PermitRootLogin to prohibit-password. If your server still uses the default SSH configuration, the root user will no longer authenticate remotely using passwords after the PSM for SSH upgrade.

CyberArk recommends:


• SSH key-based root access.

• Creating a dedicated administrative account.

• Avoiding password-based root logins.


Verify Operating System Support

PSM for SSH supports multiple Linux distributions. Prior to upgrading, ensure your operating system is supported.

Examples include:

• Red Hat Enterprise Linux (RHEL)
• Rocky Linux
• Ubuntu
• SUSE Linux

Always verify support against the CyberArk compatibility matrix before proceeding.


Verify Package Digital Signature

CyberArk RPM packages are digitally signed to prevent tampering.

Import the CyberArk public key:

rpm --import RPM-GPG-KEY-CyberArk

Validate the package:

rpm -K -v CARKpsmp-.rpm

Verifying package signatures is considered a best practice in production environments and should be included in all enterprise change procedures.


Licensing Requirements

PSM for SSH installations require a valid CyberArk license.

Required License Type

User Type: PSMPServer

Interface: PSMPApp

Without a valid license, PSM for SSH installation and upgrades cannot be completed successfully.


Required Vault Permissions

The Vault user performing the installation or upgrade should possess the following permissions:

Vault Permissions

• Add Safes

• Audit Users

• Add/Update Users

• Manage Server File Categories

Additionally, the account must be an owner of the PVWAConfig Safe with:

  • List Accounts
  • Retrieve Accounts
  • View Owners
  • Manage Safe Owners

Enable SELinux Before Installation

CyberArk recommends enabling SELinux before installing or upgrading PSM for SSH.

Install the required package:

yum install -y policycoreutils-python-utils

If SELinux is enabled after installation, additional post-installation activities may be required.


Prepare the Installation Environment

Create a dedicated directory for installation files.

mkdir -p /opt/CARKpsmp

Copy the following into the directory:

• CARKpsmp package
• Vault.ini
• User.cred
• Prerequisite packages
• RPM-GPG-KEY-CyberArk
• Installation scripts

Disable NSCD

CyberArk recommends disabling NSCD to prevent unexpected authentication behavior.

Stop the service:

systemctl stop nscd.service nscd.socket

Disable it permanently:

systemctl disable nscd.service nscd.socket

Standard PSM for SSH Upgrade Procedure

Log in to the PSM for SSH server as the root user.

RPM-Based Systems

rpm -Uvh CARKpsmp--.x86_64.rpm

Ubuntu/Debian Systems

dpkg -i CARKpsmp-..deb

Finalize the Vault Environment

Create the credential file:

/opt/CARKpsmp/bin/createcredfile user.cred

Run the finalize command:

/opt/CARKpsmp/bin/psmp_setup.sh --finalize --credfile user.cred

Upon successful completion:

  • PSM for SSH services start automatically.
  • Vault objects are updated.
  • Configuration changes are applied.

If issues occur, review:

/var/opt/CARKpsmp/temp/psmp_setup.log

Restart Services

If SELinux is enabled:

systemctl restart sshd

On the PVWA server:

iisreset

Alternatively, wait for the PVWA configuration refresh interval to complete.


Upgrading from Idaptive (Idira) SSHD Mode

Organizations upgrading from Idaptive SSHD mode should perform additional cleanup activities.

Remove the Parameter

Edit:

/var/tmp/psmpparms

Remove:

InstallCyberArkSSHD

Reinstall OpenSSH

yum erase openssh openssh-server openssh-clients

yum install openssh openssh-server openssh-clients

Remove Legacy Users

Delete the following accounts:

• PSMConnect
• PSMShadowUser

Example:

userdel -r PSMConnect

Also remove associated home directories.


Remove Legacy Groups

Delete:

• PSMConnectUsers
• PSMShadowUsers
• PSMInternalUsers

groupdel PSMConnectUsers

Finally, perform the upgrade:

rpm -U CARKpsmp-.rpm

Validate Services After Upgrade

Verify PSM for SSH services are running.

RHEL 7 / SUSE

service psmpsrv status

RHEL 8+

systemctl status psmpsrv-*

Review logs:

Important Log Files

PSMPConsole.log

Location: /var/opt/CARKpsmp/logs

ADBConsole.log

Location: /var/opt/CARKpsmpadb/logs


Enable SFTP Support

During hardening, the SFTP subsystem may be disabled.

Edit:

/etc/ssh/sshd_config

Uncomment:

Subsystem sftp /usr/libexec/openssh/sftp-server

Restart SSHD after making changes.


Repairing a PSM for SSH Installation

If installation corruption or package issues occur, use the force upgrade option:

rpm -Uvh --force CARKpsmp--.x86_64.rpm

This can be particularly useful in lab environments or during interrupted upgrades.


Reset PSM for SSH Credentials

If upgrading from versions earlier than 12.2, administrators may need to recreate credential files.

Affected accounts include:

• appuser
• gwuser
• adbuser

Example:

./CreateCredFile psmpappuser.cred Password \
-Username  \
-Password  \
-OSUsername root \
-AppType PSMPApp \
-ExePath /opt/CARKpsmp/bin/psmpserver \
-EntropyFile

Modern CyberArk versions automatically perform these updates when:

  • UpdateCredFile = Yes
  • UpdateCredFile = Inferred
  • ADBridgeUpdateCredFile = Yes
  • ADBridgeUpdateCredFile = Inferred

Best Practices for Production Upgrades

Enterprise Recommendations

• Take VM snapshots before upgrading.

• Validate backups of Vault and PSM configurations.

• Upgrade in lower environments first.

• Schedule maintenance windows.

• Verify component compatibility.

• Monitor logs post-upgrade.

• Test SSH session recordings after completion.


Final Thoughts

CyberArk PSM for SSH upgrades are relatively straightforward when proper planning and prerequisite validation are performed. Paying close attention to OpenSSH changes, SELinux configurations, credential updates, and service validation ensures a smooth and secure upgrade experience.

For enterprise deployments, always document rollback procedures, validate compatibility across all PAM components, and execute upgrades during approved maintenance windows.


πŸ“– Read the Complete CyberArk Upgrade Handbook

CyberArk PAM Self-Hosted Upgrade Guide 2026 – Complete Vault, DR, Cluster & Distributed Upgrade Handbook

Whether you are a CyberArk Engineer, PAM Architect, or Security Consultant, this comprehensive guide explains how real enterprise CyberArk upgrades are planned and executed safely in production environments.

Additional Upgrade Guides


Continue Your CyberArk Learning Journey

Advance your CyberArk skills with hands-on, enterprise-focused training:

SecApps Learning helps cybersecurity professionals build real-world CyberArk expertise through enterprise-grade labs, instructor-led training, certification preparation, and production-focused upgrade workshops.

 

Comments ()

Leave a reply

Your email address will not be published. Required fields are marked*

Recent Post

Copyright 2022 SecApps Learning. All Right Reserved