Upgrading Secret Server

To upgrade Secret Server, you need valid support licenses. To renew your support, please use our online Web form or contact sales. Once you have valid support licenses, see Upgrading Secret Server with Web Clustering to upgrade.

Please see the Secret Server On-Premises Upgrade Checklist prior to upgrading.

Ensuring the Upgrade Is Secure

We take the following measures to ensure the upgrade is secure:

Secret Server On-Premises upgrades are packaged in a wrapper zip file for delivery. These upgrade zip files are named with the release version, such as Version_11_1_000006.zip. Each wrapper zip file contains two files: a security catalog file named hashes.crt and a second zip file named ss_update.zip.

The ss_update.zip file holds the changes for the new Secret Server version (database and file changes). The hashes.crt file is a signed security catalog containing the hash of the ss_update.zip file, which is used to ensure the authenticity and integrity of the ss_update.zip file.

A hash is a long string of characters that represents a unique digital "fingerprint" of any file the hash function is run on. Any change to a hashed file causes future hashes of the altered file to differ from the original hash, proving the file is different.

When the upgrader processes ss_update.zip, the following occurs:

  1. The hashes.crt file is validated to ensure that its digital signature is the original produced by Delinea.
  2. The same hash function that created the original hash is run on the ss_update.zip file, creating a new hash.
  3. The original hash is compared to the new hash, ensuring the two match and ss_update.zip has not been tampered with.
  4. The original wrapper zip file is inspected to ensure it does not contain any unexpected, likely malicious, files.

As a result of this inspection process, the upgrader has confirmed that both ss_update.zip and hashes.crt are genuine and that no foreign files are present.
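Steps 2 to 4 of the process above, as an added Python example (not Delinea's upgrader code). It assumes SHA-256, which this page does not state, and takes the trusted hash as a parameter standing in for the value read from hashes.crt after its signature has been validated in step 1, which the example does not perform. The wrapper it checks is constructed in memory.

```python
import hashlib
import io
import zipfile

# Member names come from this page; the hash algorithm is an assumption.
EXPECTED_MEMBERS = {"hashes.crt", "ss_update.zip"}
HASH_ALGORITHM = "sha256"


def hash_member(wrapper: zipfile.ZipFile, name: str) -> str:
    """Step 2: hash a member in chunks so a large update is not loaded whole."""
    digest = hashlib.new(HASH_ALGORITHM)
    with wrapper.open(name) as member:
        for chunk in iter(lambda: member.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_wrapper(wrapper_bytes: bytes, trusted_hash: str) -> list[str]:
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(wrapper_bytes)) as wrapper:
        names = wrapper.namelist()
        for missing in sorted(EXPECTED_MEMBERS - set(names)):
            problems.append(f"missing member: {missing}")
        for extra in sorted(set(names) - EXPECTED_MEMBERS):  # step 4
            problems.append(f"unexpected member: {extra}")
        if len(names) != len(set(names)):
            problems.append("duplicate member names")
        if "ss_update.zip" in names:
            # Step 3: compare the recomputed hash with the trusted one.
            if hash_member(wrapper, "ss_update.zip") != trusted_hash.strip().lower():
                problems.append("hash mismatch: ss_update.zip")
    return problems


def build_wrapper(members: dict[str, bytes]) -> bytes:
    """Build a constructed wrapper zip in memory for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    payload = b"constructed update payload"
    wrapper = build_wrapper({"hashes.crt": b"constructed", "ss_update.zip": payload})
    print(check_wrapper(wrapper, hashlib.new(HASH_ALGORITHM, payload).hexdigest()))
```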