Automation Suite
2023.4
Automation Suite on Linux Installation Guide
Last updated Apr 24, 2024

Security and compliance

Enabling FIPS 140-2

Federal Information Processing Standards 140-2 (FIPS 140-2) is a security standard that validates the effectiveness of cryptographic modules.

You can enable FIPS 140-2 on the machines on which you install Automation Suite in the following scenarios:

  1. Scenario 1: new installations - Enable FIPS 140-2 before performing a clean installation of Automation Suite 2023.4 or later.
  2. Scenario 2: existing installations - Enable FIPS 140-2 after performing an Automation Suite installation on a machine with FIPS 140-2 disabled.

Scenario 1: new installations

To enable FIPS 140-2 on the machines where you plan to perform a fresh installation of Automation Suite, take the following steps:

  1. Before starting the Automation Suite installation, enable FIPS 140-2 on your machines.
  2. Perform the Automation Suite installation by following the installation instructions in this guide.
  3. Make sure your certificates are FIPS 140-2-compatible.
    Note:

    By default, Automation Suite 2023.4 and later generates self-signed FIPS 140-2-compatible certificates whose expiry date depends on the type of Automation Suite installation you choose.

    We strongly recommend that you replace these self-signed certificates with CA-issued certificates at installation time. To use Automation Suite on FIPS 140-2-enabled machines, the newly provided certificates must be FIPS 140-2-compatible. For a list of eligible ciphers supported by RHEL, see RHEL documentation.

    • To update the token-signing certificates, run:
      sudo ./configureUiPathAS.sh identity token-cert update --cert-file-path /path/to/cert --cert-key-file-path /path/to/certkey
    • To update the TLS certificates, run:
      ./configureUiPathAS.sh additional-ca-certs update --ca-cert-file /path/to/ca/certs

    For more on certificates, see Managing the certificates.

Scenario 2: existing installations

You can install Automation Suite on machines with FIPS 140-2 disabled, and then enable the security standard on the same machines. This is also possible when you upgrade to a new Automation Suite version.

To enable FIPS 140-2 on the machines where you already performed an Automation Suite installation, take the following steps:

  1. Perform a regular Automation Suite installation or upgrade operation on machines with FIPS 140-2 disabled.
  2. Enable FIPS 140-2 by running the following command on all your machines:
    fips-mode-setup --enable
  3. Make sure your certificates are FIPS 140-2-compatible.
    Note:

    To use Automation Suite on FIPS 140-2-enabled machines, you must replace your certificates with new FIPS 140-2-compatible certificates signed by a CA. For a list of eligible ciphers supported by RHEL, see RHEL documentation.

    • To update the token-signing certificates, run:
      sudo ./configureUiPathAS.sh identity token-cert update --cert-file-path /path/to/cert --cert-key-file-path /path/to/certkey
    • To update the TLS certificates, run:
      ./configureUiPathAS.sh additional-ca-certs update --ca-cert-file /path/to/ca/certs
    For more on certificates, see Managing the certificates.
  4. Make sure your product selection is in line with the FIPS-140-2 requirements:
  5. Reboot your machines and check if you successfully enabled FIPS 140-2 by running the following command:
    fips-mode-setup --check
  6. Rerun the install-uipath.sh service installer:
    • In an online environment, run:

      ./install-uipath.sh -i cluster_config.json -o output.json -s --accept-license-agreement – Online -- online
    • In an offline environment, run:

      ./install-uipath.sh -i ./cluster_config.json -o ./output.json -s --offline-bundle /uipath/tmp/sf.tar.gz --offline-tmp-folder /uipath/tmp --accept-license-agreement
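
Step 3 in both scenarios asks you to make sure your certificates are FIPS 140-2-compatible. The following script is an added example, not part of the UiPath tooling, that pre-checks a certificate before you pass it to configureUiPathAS.sh. The function names and the acceptance criteria (RSA keys of at least 2048 bits, EC keys on NIST P-256/P-384/P-521, SHA-2 signatures) are assumptions; the RHEL documentation remains the authoritative list.

```shell
#!/bin/sh
# Added example (not UiPath code): pre-check a certificate before handing it to
# configureUiPathAS.sh. Assumed criteria, to be confirmed against the RHEL
# documentation: RSA >= 2048 bits, EC on NIST P-256/P-384/P-521, SHA-2 signature.

# Reads `openssl x509 -noout -text` output on stdin, prints one finding per
# line, and exits 0 only when there are none. The ( ) body keeps variables local.
check_cert_text() (
    text=$(cat)
    field() { printf '%s\n' "$text" | sed -n "$1" | head -n 1; }
    sig=$(field 's/^ *Signature Algorithm: *//p' | tr '[:upper:]' '[:lower:]')
    keyalg=$(field 's/^ *Public Key Algorithm: *//p')
    bits=$(field 's/^.*Public-Key: (\([0-9]*\) bit).*$/\1/p')
    curve=$(field 's/^ *NIST CURVE: *//p')
    rc=0

    case "$sig" in
        *sha224*|*sha256*|*sha384*|*sha512*) ;;
        *) echo "signature algorithm is not SHA-2: ${sig:-unknown}"; rc=1 ;;
    esac
    case "$keyalg" in
        rsaEncryption)
            [ "${bits:-0}" -ge 2048 ] ||
                { echo "RSA key too short: ${bits:-unknown} bits"; rc=1; } ;;
        id-ecPublicKey)
            case "$curve" in
                P-256|P-384|P-521) ;;
                *) echo "EC curve is not NIST P-256/384/521: ${curve:-unknown}"; rc=1 ;;
            esac ;;
        *) echo "unexpected key algorithm: ${keyalg:-unknown}"; rc=1 ;;
    esac
    exit "$rc"
)

# Wrapper for a real PEM file; requires the openssl CLI.
check_cert_file() { openssl x509 -in "$1" -noout -text | check_cert_text; }

# Constructed sample (abridged openssl output) for a weak certificate.
SAMPLE_WEAK='        Signature Algorithm: sha1WithRSAEncryption
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)'
printf '%s\n' "$SAMPLE_WEAK" | check_cert_text || echo "-> do not install this certificate"
```

Run check_cert_file /path/to/cert on each certificate before the update commands. Signatures whose hash is not part of the algorithm name, such as RSASSA-PSS, are reported and need a manual look.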

Using a firewall

Important:

We do not support firewalld. The Automation Suite installer automatically disables firewalld during installation; make sure it remains in a disabled state post-installation as well.

Automation Suite sets up default IP table rules on the host machines for necessary inter-node communication. We do not support custom IP table rules, such as those configured via firewalld, as they might conflict with IP table rules configured by Automation Suite. You can, however, apply extra firewall rules at the network level.

We recommend enabling firewall applications at the network gateway, but not between clusters.
