- Automation Suite products
- Cross-product dependencies
- Cross-deployment feature comparison
- Security and compliance
- Certificates overview
- Q&A: Deployment templates
- Manual: Preparing the installation
- Step 1: Configuring the OCI-compliant registry for offline installations
- Step 2: Configuring the external objectstore
- Step 3: Configuring Microsoft SQL Server
- Step 4: Configuring the load balancer
- Step 5: Configuring the DNS
- Step 6: Configuring the disks
- Step 7: Configuring the node ports
- Step 8: Applying miscellaneous settings
- Step 10: Validating and installing the required RPM packages
- Step 11: Generating cluster_config.json
- Certificate configuration
- Database configuration
- External Objectstore configuration
- Pre-signed URL configuration
- External OCI-compliant registry configuration
- Disaster recovery: Active/Passive configuration
- Orchestrator-specific configuration
- Insights-specific configuration
- Process Mining-specific configuration
- Document Understanding-specific configuration
- Automation Suite Robots-specific configuration
- Monitoring configuration
- Optional: Configuring the proxy server
- Optional: Enabling resilience to zonal failures in a multi-node HA-ready production cluster
- Optional: Passing custom resolv.conf
- Optional: Increasing fault tolerance
- install-uipath.sh parameters
- Enabling Redis High Availability Add-On for the cluster
- Adding a dedicated agent node with GPU support
- Adding a dedicated agent Node for Task Mining
- Connecting Task Mining application
- Adding a Dedicated Agent Node for Automation Suite Robots
- Step 13: Configuring the temporary Docker registry for offline installations
- Step 14: Validating the prerequisites for the installation
- Managing products
- Getting Started with the Cluster Administration portal
- Migrating objectstore from persistent volume to raw disks
- Migrating data between objectstores
- Migrating in-cluster objectstore to external objectstore
- Step 1: Moving the Identity organization data from standalone to Automation Suite
- Step 2: Restoring the standalone Orchestrator database
- Step 3: Backing up the platform database in Automation Suite
- Step 4: Merging organizations in Automation Suite
- Step 5: Updating the Orchestrator connection strings
- Step 6: Migrating standalone Orchestrator
- Step 7: Deleting the default tenant
- B) Single tenant migration
- Migrating from Automation Suite on Linux to Automation Suite on EKS/AKS
- Upgrading Automation Suite
- Downloading the installation packages and getting all the files on the first server node
- Retrieving the latest applied configuration from the cluster
- Updating the cluster configuration
- Configuring the OCI-compliant registry for offline installations
- Migrating to an external OCI-compliant registry
- Executing the upgrade
- Performing post-upgrade operations
- Using the Orchestrator Configurator Tool
- Configuring Orchestrator parameters
- Orchestrator appSettings
- Configuring appSettings
- Configuring the maximum request size
- Overriding cluster-level storage configuration
- Configuring credential stores
- Configuring encryption key per tenant
- How to troubleshoot services during installation
- How to uninstall the cluster
- How to clean up offline artifacts to improve disk space
- How to clear Redis data
- How to enable Istio logging
- How to manually clean up logs
- How to clean up old logs stored in the sf-logs bundle
- How to disable streaming logs for AI Center
- How to debug failed Automation Suite installations
- How to delete images from the old installer after upgrade
- Unable to run an offline installation on RHEL 8.4 OS
- Error in downloading the bundle
- Offline installation fails because of missing binary
- Certificate issue in offline installation
- First installation fails during Longhorn setup
- SQL connection string validation error
- Prerequisite check for selinux iscsid module fails
- Azure disk not marked as SSD
- Failure after certificate update
- Antivirus causes installation issues
- Automation Suite not working after OS upgrade
- Automation Suite requires backlog_wait_time to be set to 0
- Cluster unhealthy after automated upgrade from 2021.10
- Upgrade fails due to unhealthy Ceph
- RKE2 not getting started due to space issue
- Volume unable to mount and remains in attach/detach loop state
- Upgrade fails due to classic objects in the Orchestrator database
- Ceph cluster found in a degraded state after side-by-side upgrade
- Unhealthy Insights component causes the migration to fail
- Service upgrade fails for Apps
- In-place upgrade timeouts
- Docker registry migration stuck in PVC deletion stage
- AI Center provisioning failure after upgrading to 2023.10
- Setting a timeout interval for the management portals
- Authentication not working after migration
- Kinit: Cannot find KDC for realm <AD Domain> while getting initial credentials
- Kinit: Keytab contains no suitable keys for *** while getting initial credentials
- GSSAPI operation failed due to invalid status code
- Alarm received for failed Kerberos-tgt-update job
- SSPI provider: Server not found in Kerberos database
- Login failed for AD user due to disabled account
- ArgoCD login failed
- Update the underlying directory connections
- Failure to get the sandbox image
- Pods not showing in ArgoCD UI
- Redis probe failure
- RKE2 server fails to start
- Secret not found in UiPath namespace
- ArgoCD goes into progressing state after first installation
- MongoDB pods in CrashLoopBackOff or pending PVC provisioning after deletion
- Unhealthy services after cluster restore or rollback
- Pods stuck in Init:0/X
- Running the diagnostics tool
- Using the Automation Suite Support Bundle Tool
- Exploring Logs
This page describes all the certificates required by an Automation Suite installation as well as the principle of the certificate rotation process.
While two different Automation Suite products must use the FQDN of the cluster, they can also contain multiple microservices. These microservices can use internal URLs to communicate with each other.
The following diagram and flow explain how the client connects to a service and how the authentication is done via the Identity Service.
- The client makes a connection with the service using URL, i.e., Orchestrator, Apps, Insights, etc. using the following URL:
- Istio intercepts the call, and based on the path of the
service_, forwards the call to the specific service.
- The service calls Identity Service to authenticate the incoming request from the robot via
- Istio intercepts the call, and based on the path
identity_, forwards the request to Identity Service.
- Identity Service returns the response with the result to Istio.
- Istio returns the response to the service. Since the call is made using the HTTPS protocol, Istio returns the response with the TLS certificate so that the connection is secure. If the service trusts the server certificate returned by Istio, it approves the response. Otherwise, the service rejects the response.
- The service prepares the response and sends it back to Istio.
Istio forwards the request back to the client. If the client machine trusts the certificate, then the entire request is successful. Otherwise the request fails.
This section describes a scenario where a robot tries to connect to Orchestrator in Automation Suite. The following diagram and flow explain how the robot connects to Orchestrator, and how authentication is done via Identity Server.
- Robot makes a connection with Orchestrator using the following URL:
- Istio intercepts the call, and based on the
orchestrator_path, it forwards it to the Orchestrator service.
- The Orchestrator service calls Identity Server to authenticate the incoming request from the robot via
- Istio intercepts the call, and based on the
identity_path, it forwards the request to Identity Server.
- Identity Server returns the response with the results to Istio.
- Istio returns the response to Orchestrator. Since the call is made using the HTTPS protocol, Istio returns the response with the TLS certificate, so that connection is secure. If Orchestrator trusts the server certificate returned by Istio, it also approves the response. Otherwise, Orchestrator rejects the response.
- Orchestrator prepares the response and sends it back to Istio.
Istio forwards the request back to robot. If the robot machine trusts the certificate, then the entire request is successful. Otherwise, the request fails.
In this example, the container has its own operating system (RHEL OS), and Service can represent an Orchestrator running on top of RHEL OS.
This path is where RHEL OS stores all certificates. Every container will have its own Certificate Trust Store. As part of the Automation Suite configuration, we inject the entire chain certificate that contains the root certificate, all the intermediate certificates, as well as the leaf certificate, and we store them in this path. Since services trust the root and intermediate certificates, they automatically trust any other certificates created by the root and intermediate certificates.
There are hundreds of containers running within Automation Suite. Manually adding certificates for each of these containers for all the services would be a demanding task. However, Automation Suite includes a shared volume and an Init container cert-trustor to help with this task. Init is a specialized container that runs before app containers in a Pod, and its lifecycle ends as soon as it completes its job.
In the following example, the Orchestrator service is running in one pod. As a reminder, a pod can contain more than one container. In this pod, we inject one more Init container called Cert-trustor. This container will contain the root certificate, the intermediate certificates, and the leaf certificate.
/etc/pki/ca-trust/ca/source/anchors location and terminates.
Certificates will be available for Orchestrator service through the shared volume.
As part of the Automation Suite installation, the following certificates are generated:
Self-signed certificate generated at the time of installation, which is valid for 3 months. You must replace the self-signed certificate with a domain certificate post-installation. See Managing certificates
- Identity Server certificate for signing JWT tokens used in authentication. If the certificate for signing the JWT token is not provided, Automation Suite uses the currently configured TLS certificate (self-signed or customer-provided), which expires in 90 days. If you want to have your own certificate for signing identity tokens, see Managing certificates.
- RKE2 certificates are generated, and by default expire in 12 months. If the certificates are already expired or they expire in less than 90 days, they are rotated when RKE2 is restarted.
- If enabled, SAML2 Authentication protocol can use a service certificate.
- If you configure Active Directory using a username and password, LDAPS (LDAP Over SSL) is optional. If you opt for LDAPS, you must provide a certificate. This certificate will be added into Automation Suite’s Trusted Root Certification Authorities. For details, see Microsoft documentation.
This certificate will be added into Automation Suite’s Trusted Root Certification Authorities.
The certificates are stored in two places:
uipath namespaces, you must run the
sudo ./configureUiPathAS.sh tls-cert update command.
uipath namespace cannot access the secrets stored in
istio-system namespace. Hence, certificates are copied in both namespaces.
uipath namespace, we mount the certificates to the pods that need certificates and restart the pods so they can use the new certificates.
For single-node evaluation installations, the update will scale down the pods. All the pods will be shut down and restarted. This operation will cause downtime.
For multi-node HA-ready production installations, the update happens using the rolling deployment method. If microservices have two pod for high availability purpose, the update will delete one of the pod, and a new version of the pod will come up. Once the new one is started successfully, the old one will removed. There will be a brief downtime period while the old pod is not yet terminated.
tls.crt are used. Certificates are used in ArgoCD and Docker Registry, and they are then stored in both Docker and ArgoCD namespaces.
You can verify the secrets using the following command :
# For docker registry
kubectl -n docker-registry get secrets docker-registry-tls -o yaml
# For Argocd
argocd cert list --cert-type https# For docker registry
kubectl -n docker-registry get secrets docker-registry-tls -o yaml
# For Argocd
argocd cert list --cert-type https
- Understanding how trust certificates work
- Understanding how communication works
- Understanding how robots and Orchestrator communicate
- Understanding the container architecture related to certificates
- Container level
- Pod level
- Inventory of all certificates in Automation Suite
- Certificates generated during installation
- Additional certificates
- Understanding how the certificate update/rotation works
- Online installation
- Offline installation