Estimated Reading Time: 12–15 Minutes
Privileged access to Linux and Unix systems remains one of the most critical areas of enterprise security. Organizations running CyberArk Privileged Access Manager (PAM) rely on Privileged Session Manager for SSH (PSM for SSH) to securely isolate, monitor, and record SSH sessions without exposing privileged credentials to end users.
As organizations adopt newer versions of CyberArk PAM, upgrading PSM for SSH becomes an essential maintenance activity to ensure compatibility, security compliance, and supportability across the entire CyberArk ecosystem.
This guide walks through the complete CyberArk PSM for SSH upgrade process, including prerequisites, installation preparation, standard upgrades, upgrading from Idaptive/Idira SSHD mode, post-upgrade validation, SELinux considerations, and credential updates.
CyberArk PSM for SSH acts as a secure proxy between administrators and target Unix/Linux systems. Instead of connecting directly to servers, users authenticate through the PSM for SSH server, allowing organizations to:
In large environments, PSM for SSH is often deployed alongside Vault, PVWA, CPM, and traditional Windows-based PSM components to provide comprehensive privileged access coverage.
Before initiating the upgrade process, verify all prerequisites and validate the existing environment.
Ensure the existing Linux server continues to comply with your organization's security baseline and CyberArk Security Fundamentals documentation.
Confirm that the target PSM for SSH version is compatible with:
• CyberArk Vault
• PVWA
• CPM
• Traditional PSM
• DR Vault
• PTA (if deployed)
Ensure the /var/tmp/psmpparms file contains all required installation parameters before beginning the upgrade.
Confirm the following files are available in the installation directory:
• RPM/DEB package
• Vault.ini
• User.cred
• Prerequisites folder
• Supporting installation packages
CyberArk administrators should pay special attention to changes introduced in OpenSSH 7.1 and later.
OpenSSH versions 7.1 and above changed the default value of PermitRootLogin to prohibit-password. If your server still uses the default SSH configuration, the root user will no longer authenticate remotely using passwords after the PSM for SSH upgrade.
CyberArk recommends:
• SSH key-based root access.
• Creating a dedicated administrative account.
• Avoiding password-based root logins.
PSM for SSH supports multiple Linux distributions. Prior to upgrading, ensure your operating system is supported.
Always verify support against the CyberArk compatibility matrix before proceeding.
CyberArk RPM packages are digitally signed to prevent tampering.
Import the CyberArk public key:
rpm --import RPM-GPG-KEY-CyberArk
Validate the package:
rpm -K -v CARKpsmp-.rpm
Verifying package signatures is considered a best practice in production environments and should be included in all enterprise change procedures.
PSM for SSH installations require a valid CyberArk license.
User Type: PSMPServer
Interface: PSMPApp
Without a valid license, PSM for SSH installation and upgrades cannot be completed successfully.
The Vault user performing the installation or upgrade should possess the following permissions:
• Add Safes
• Audit Users
• Add/Update Users
• Manage Server File Categories
Additionally, the account must be an owner of the PVWAConfig Safe with:
CyberArk recommends enabling SELinux before installing or upgrading PSM for SSH.
Install the required package:
yum install -y policycoreutils-python-utils
If SELinux is enabled after installation, additional post-installation activities may be required.
Create a dedicated directory for installation files.
mkdir -p /opt/CARKpsmp
Copy the following into the directory:
CyberArk recommends disabling NSCD to prevent unexpected authentication behavior.
Stop the service:
systemctl stop nscd.service nscd.socket
Disable it permanently:
systemctl disable nscd.service nscd.socket
Log in to the PSM for SSH server as the root user.
rpm -Uvh CARKpsmp--.x86_64.rpm
dpkg -i CARKpsmp-..deb
Create the credential file:
/opt/CARKpsmp/bin/createcredfile user.cred
Run the finalize command:
/opt/CARKpsmp/bin/psmp_setup.sh --finalize --credfile user.cred
Upon successful completion:
If issues occur, review:
/var/opt/CARKpsmp/temp/psmp_setup.log
If SELinux is enabled:
systemctl restart sshd
On the PVWA server:
iisreset
Alternatively, wait for the PVWA configuration refresh interval to complete.
Organizations upgrading from Idaptive SSHD mode should perform additional cleanup activities.
Remove the Parameter
Edit:
/var/tmp/psmpparms
Remove:
InstallCyberArkSSHD
yum erase openssh openssh-server openssh-clients
yum install openssh openssh-server openssh-clients
Delete the following accounts:
Example:
userdel -r PSMConnect
Also remove associated home directories.
Delete:
groupdel PSMConnectUsers
Finally, perform the upgrade:
rpm -U CARKpsmp-.rpm
Verify PSM for SSH services are running.
service psmpsrv status
RHEL 8+
systemctl status psmpsrv-*
Review logs:
PSMPConsole.log
Location: /var/opt/CARKpsmp/logs
ADBConsole.log
Location: /var/opt/CARKpsmpadb/logs
During hardening, the SFTP subsystem may be disabled.
Edit:
/etc/ssh/sshd_config
Uncomment:
Subsystem sftp /usr/libexec/openssh/sftp-server
Restart SSHD after making changes.
If installation corruption or package issues occur, use the force upgrade option:
rpm -Uvh --force CARKpsmp--.x86_64.rpm
This can be particularly useful in lab environments or during interrupted upgrades.
If upgrading from versions earlier than 12.2, administrators may need to recreate credential files.
Affected accounts include:
Example:
./CreateCredFile psmpappuser.cred Password \
-Username \
-Password \
-OSUsername root \
-AppType PSMPApp \
-ExePath /opt/CARKpsmp/bin/psmpserver \
-EntropyFile
Modern CyberArk versions automatically perform these updates when:
• Take VM snapshots before upgrading.
• Validate backups of Vault and PSM configurations.
• Upgrade in lower environments first.
• Schedule maintenance windows.
• Verify component compatibility.
• Monitor logs post-upgrade.
• Test SSH session recordings after completion.
CyberArk PSM for SSH upgrades are relatively straightforward when proper planning and prerequisite validation are performed. Paying close attention to OpenSSH changes, SELinux configurations, credential updates, and service validation ensures a smooth and secure upgrade experience.
For enterprise deployments, always document rollback procedures, validate compatibility across all PAM components, and execute upgrades during approved maintenance windows.
Whether you are a CyberArk Engineer, PAM Architect, or Security Consultant, this comprehensive guide explains how real enterprise CyberArk upgrades are planned and executed safely in production environments.
Advance your CyberArk skills with hands-on, enterprise-focused training:
SecApps Learning helps cybersecurity professionals build real-world CyberArk expertise through enterprise-grade labs, instructor-led training, certification preparation, and production-focused upgrade workshops.
Your email address will not be published. Required fields are marked*
Copyright 2022 SecApps Learning. All Right Reserved
Comments ()