Offline upgrade

The offline upgrade model requires turning off all services on all servers simultaneously. This causes an outage of the Trust Protection Foundation service, but allows the upgrade to happen faster. In addition, it's often suitable for environments that have lower up-time requirements. This model is familiar to many CyberArk system administrators because it was the only upgrade model that was supported in 19.x and below.

When performing this upgrade, follow all the steps in each of the following sections.

Getting Started

  1. Download, distribute, and unzip installation files for the 25.3.x upgrade.
  2. [Optional] Export your software encryption key (if used).

    For more information, see Backing up the software encryption key.

Begin the upgrade

  1. On the Trust Protection Foundation server being upgraded, open CyberArk Configuration Console and click the Product node.

  2. Stop all Trust Protection Foundation services running on the Windows Server, including:

    • CyberArk Trust Protection Foundation - Self-Hosted

    • Log Server (Logging)

    • API Host

    • Website (IIS)

    • JavaKeyHost Service

    • Enrollment over Secure Transport Service

    NOTE  When you stop CyberArk Windows services, be aware that the services may have been manually configured to recover from failures by restarting automatically. In that case, either reset the recovery options to "Take no Action" or disable the service altogether before proceeding.

    If services are set to automatically restart, the upgrade can fail.

  3. Close the CyberArk Configuration Console and all other CyberArk-related applications (CyberArk Configuration Console, CyberArk Support Tool, etc.).

    If multiple user accounts connect to the Trust Protection Foundation server, use the Task Manager Users tab to terminate any background user sessions from other logged-in users. This ensures that no CyberArk files are in use by any user, making the upgrade process more efficient.

  4. Repeat these steps on all Trust Protection Foundation servers to ensure the entire cluster is shut down before continuing.
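
The check that the NOTE in step 2 calls for, as an added example that is not part of the vendor's documentation: a read-only PowerShell script that reports each service's state and its configured recovery actions before the installer is run. The service names are placeholders (an assumption, since this page lists only component names), and the parsing assumes English `sc.exe qfailure` output.

```powershell
param(
    # ASSUMPTION: placeholder names. Replace with the Windows service names
    # (not display names) shown in services.msc on the server being upgraded.
    [string[]]$ServiceNames = @('PLACEHOLDER-SERVICE-1', 'PLACEHOLDER-SERVICE-2')
)

function Get-RecoverySetting {
    param([string]$Name)
    # sc.exe qfailure prints one line per configured failure action, e.g.
    #   FAILURE_ACTIONS : RESTART -- Delay = 60000 milliseconds.
    $output = & sc.exe qfailure $Name 2>&1
    if ($LASTEXITCODE -ne 0) { return 'Unknown' }   # not found or access denied
    $actions = @(foreach ($line in $output) {
        if ("$line" -match '\b(RESTART|REBOOT|RUN PROCESS)\s+--') { $Matches[1] }
    })
    if ($actions.Count -gt 0) { return ($actions -join ', ') }
    return 'Take no action'
}

$report = foreach ($name in $ServiceNames) {
    $svc      = Get-Service -Name $name -ErrorAction SilentlyContinue
    $status   = if ($svc) { "$($svc.Status)" } else { 'NotFound' }
    $recovery = Get-RecoverySetting -Name $name
    [pscustomobject]@{
        Service  = $name
        Status   = $status
        Recovery = $recovery
        # Anything other than a stopped service with no recovery action
        # needs attention before the MSI is started.
        Blocker  = ($status -ne 'Stopped') -or ($recovery -ne 'Take no action')
    }
}

$report | Format-Table -AutoSize

# Non-zero exit code lets a wrapper script stop before launching the installer.
if (@($report | Where-Object Blocker).Count -gt 0) {
    Write-Warning 'At least one service is not stopped or can still restart itself.'
    exit 1
}
```

Run it from an elevated prompt on every server in the cluster; it changes nothing, so the recovery options themselves are still reset in the Services console as the NOTE describes.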

Database configuration

  1. Back up your database.

    For instructions on how to perform the database backup, visit Microsoft's SQL documentation: Create a Full Database Backup.

  2. [Conditional] If using answer file(s): Update the answer file so the DBO credentials are included, and new components (if desired) are added to the appropriate servers.

    For detailed information about the schema and settings of the answer file, see Creating and using answer files.

Run the installation MSI

  1. Verify that the extracted CyberArk Trust Protection Foundation 25.3.x.zip is available on the server.
  2. From an elevated command prompt, change your directory to the extracted zip folder and enter the following command:

    CyberArkTrustProtectionFoundationInstall-25.3.x.msi

  3. When the Welcome window appears, click Next.

  4. Read the terms stated in the License Agreement window. If you agree, select I accept the terms in the license agreement, and then click Next.

  5. Run the previous step on all Trust Protection Foundation servers. This can be done one at a time, or can be done simultaneously.

Configure the server

  1. Either use the configuration wizard GUI to complete the configuration steps for the upgrade, or use the TPPConfiguration.exe CLI to do a silent upgrade using the appropriate updated answer file.

    If you have questions about the command line interface, see Upgrade using the command line.

    For information about the TPPConfiguration utility, see Using the TppConfiguration command line tool.

  2. [Conditional] If you used the upgrade wizard GUI in step 1: In the CyberArk Configuration Console, enable any new components that you want for each server.
  3. In the CyberArk Configuration Console, click the Product node.
  4. Start all Trust Protection Foundation Windows services.
  5. Repeat on all Trust Protection Foundation servers.

Validate the installation

  • Validate that each server in the cluster is performing its assigned role.

    For example, on a server that has the Web Console, try renewing a certificate or rotating an SSH key. On a code signing server, try signing code. For a server, validate that connections are happening as expected.