Upgrading Privilege Secure Access Manager in Service Mesh node configuration

Overview

This article describes the steps required to upgrade Privilege Secure in an environment that uses a Service Mesh node configuration.

Description

To upgrade a service mesh node setup in Netwrix Privilege Secure, you must upgrade both the main server and each remote service node individually.
After upgrading, you must synchronize encryption keys (for Action and Scheduler services), and re-register the services in the console. Below are the detailed, step-by-step instructions.

Details

Step-by-Step: Upgrading a Service Mesh (Remote Service) Node in Netwrix Privilege Secure

1. Upgrade the Main Netwrix Privilege Secure Server:

  • Stop the NPS services on all nodes:
    Stop-Service SbPAM* -Force
    Stop-Service w3svc
  • On the main server, run NPS_Setup.exe as an administrator.
  • Select the upgrade option and complete the upgrade process. Do not interrupt the installer.
  • After the upgrade, restart the server if prompted.
  • Log in to the Privilege Secure Console to verify the upgrade.

2. Upgrade Each Remote Service Node:

  • On each remote host (service mesh node), run the appropriate service-specific installer (e.g., ActionService.exe for Action Service, ProxyService.exe for Proxy Service, etc.).
  • Complete the installation and close the installer.

3. Synchronize Encryption Keys (Action and Scheduler Services Only):

  • On the main server, open a command prompt as Administrator and run:
    cd "C:\Program Files\Stealthbits\PAM\KeyTools"
    .\SbPAM.RotateKey.exe export -n keys.exp
    
  • Note the password for the export file.
  • Copy keys.exp to C:\Program Files\Stealthbits\PAM\KeyTools on each remote host.
  • On each remote host, import the keys:
    cd "C:\Program Files\Stealthbits\PAM\KeyTools"
    .\SbPAM.RotateKey.exe import -n keys.exp
    
  • Enter the password when prompted, then delete the export file from all locations.
  • Note: This step is only required for Action and Scheduler services, not Proxy services.

4. Re-register Services:

  • Log in to the Privilege Secure web console as an administrator.
  • Click Register Services.
  • Go to Service Nodes and verify all remote service nodes show as online.

5. Restart Services:

  • On each remote node, restart all NPS services using PowerShell:
    Restart-Service SbPAM* -Force
    Restart-Service w3svc
    

6. (Optional) Test Managed Domains:

  • Open each managed domain under Resources and run a test to verify the service account is correct. If the service account password was affected, re-enter it and retest.

Additional Notes:

  • Always back up your environment before starting the upgrade.
  • Do not uninstall the previous version; the new version installs over the existing one.
  • Cancelling or interrupting the installer may result in irreparable database damage.
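
Step 3 above copies key material between hosts and ends with deleting the export file from all locations. The following PowerShell check is an added example, not part of the original article or of Netwrix tooling: it confirms that each copy of keys.exp matches the main server's copy before import, and that no copy remains after cleanup. It assumes PowerShell remoting is enabled to the remote nodes and is run on the main server; the node names and the function name Test-KeyExport are placeholders.

```powershell
# Added example. Paths come from the article; node names are placeholders (assumptions).
$KeyToolsDir = 'C:\Program Files\Stealthbits\PAM\KeyTools'
$ExportName  = 'keys.exp'
$RemoteNodes = @('nps-node01.example.test', 'nps-node02.example.test')

# Probe run on every host: does the export file exist, and what is its SHA-256?
$probe = {
    param($p)
    $exists = Test-Path -LiteralPath $p -PathType Leaf
    [pscustomobject]@{
        Node   = $env:COMPUTERNAME
        Exists = $exists
        SHA256 = if ($exists) { (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash } else { $null }
    }
}

function Test-KeyExport {
    param(
        [Parameter(Mandatory)][ValidateSet('BeforeImport', 'AfterCleanup')][string]$Stage,
        [Parameter(Mandatory)][string[]]$RemoteNode
    )
    $path   = Join-Path $KeyToolsDir $ExportName
    $local  = & $probe $path                       # main server (local host)
    $remote = Invoke-Command -ComputerName $RemoteNode -ScriptBlock $probe -ArgumentList $path

    foreach ($r in @($local) + @($remote)) {
        $pass = switch ($Stage) {
            # Every copy must exist and be byte-identical to the main server's export.
            'BeforeImport' { $r.Exists -and ($r.SHA256 -eq $local.SHA256) }
            # After import, the export file must be gone from every host.
            'AfterCleanup' { -not $r.Exists }
        }
        [pscustomobject]@{ Node = $r.Node; Stage = $Stage; Exists = $r.Exists; Pass = $pass }
    }
}

# After copying keys.exp to the remote hosts, before running the import:
Test-KeyExport -Stage BeforeImport -RemoteNode $RemoteNodes | Format-Table

# After the import and after deleting keys.exp from all locations:
# Test-KeyExport -Stage AfterCleanup -RemoteNode $RemoteNodes | Format-Table
```

Any row with Pass = False at the AfterCleanup stage means a copy of the exported key file is still on disk on that host.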

Great stuff - thank you, Alex! :flexed_biceps: