Subscribe

UiPath Automation Suite

The UiPath Automation Suite Guide

Configuring the cluster

This page contains general instructions for configuring Automation Suite.

Configuration Tool


We provide the configureUiPathAS.sh script to control and manage Automation Suite. It comes with the installation bundle and can be found in the main installer folder.

Currently we support only few of the operations.

Run the following command to view more information about configureUiPathAS.sh:

sudo ./configureUiPathAS.sh --help

Output:

$ ./configureUiPathAS.sh --help

************************************************************************************

configureUiPathAS.sh controls and manage UiPath Automation Suites

Usage:
  configureUiPathAS.sh [command]
  configureUiPathAS.sh [flags]

Available Commands:
  tls-cert                             Manage tls and server certificate
  additional-ca-certs                  Manage additional ca certificates
  identity                             Manage identity service
  objectstore                          Manage objectstore
  registry                             Manage registry
  monitoring                           Manage monitoring
  rabbitmq                             Manage rabbitmq
  mongodb                              Manage mongo

Flags:
  -h|--help                           Display help

************************************************************************************

Below are the components that you can be manage in UiPath Automation Suite cluster using the configureUiPathAS.sh script.

  • Server Certificate - Manage tls and server certificate (update and get the certificate)

  • Additional CA Certificates - Manage additional CA certificates such as SQL server certificates, proxy server certificates, etc.

  • Identity service - Manage identity service configurations such as token signing certificate, SAML certificates, Kerberos and Windows authentication, etc.

  • Objectstore - Manage ceph objectstore (currently only supporting resizing of ceph pvc/storage)

  • Registry - Manage docker registry (currently only supporting resizing of registry pvc/storage)

  • Monitoring - Manage rancher server (currently only supporting resizing of rancher server pvc/storage)

  • RabbitMQ - Manage rabbitmq message queue (currently only supporting resizing of rabbitmq pvc/storage)

  • MongoDB - Manage mongodb datastore (currently only supporting resizing of mongodb pvc/storage and certificate management)

 

Managing server certificates


Run the following command to view more information about server certificates.

sudo ./configureUiPathAS.sh tls-cert --help

Output

************************************************************************************

Manage cluster tls and server certificate

Usage:
  configureUiPathAS.sh tls-cert [command]
  configureUiPathAS.sh tls-cert [flags]

Available Commands:
  update                              Update the tls / server certificate

  get                                 Get the tls / server certificate

Flags:
  -h|--help                           Display help

************************************************************************************

Below are the operation you can perform using the ./configureUiPathAS.sh tls-cert command.

Updating the server certificate


The certificate key must be decrypted. If the key is encrypted, run the following command to decrypt it:

# replace /path/to/encrypted/cert/key to absolute file path of key
# replace /path/to/decrypt/cert/key to store decrypt key
# Once prompted, please entry the passphrase or password to decrypt the key

openssl x509 -in /path/to/encrypted/cert/key -out /path/to/decrypt/cert/key

Run the configureUiPathAS.sh script to update the certificate as shown below. You need the path to each of the three certificate files. All the certificate file should be in PEM format.

  • Certificate Authority Bundle - This bundle should contain the certificate used to sign the TLS server certificate.
  • Server Certificate - Public server certificate
  • Private key - Private key for server certificate
sudo ./configureUiPathAS.sh tls-cert update --ca-cert-file /path/to/cacert --tls-cert-file /path/to/tlscert --tls-key-file /path/to/tlskey

Below files will be stored in in the /directory/path/to/store/certificate location.

Accessing the TLS certificate


To print out the certificate files, run the following command, specifying the directory where certificates are stored.

sudo ./configureUiPathAS.sh tls-cert get --outpath /directory/path/to/store/certificate

 

Managing additional CA certificates


Run the following command to view more information about additional CA certificates.

./configureUiPathAS.sh additional-ca-certs --help

Output

***************************************************************************************

Manage additional CA certificates, this can be used to add sql server CA

Usage:
  configureUiPathAS.sh additional-ca-certs [command]
  configureUiPathAS.sh additional-ca-certs [flags]

Available Commands:
  update                              Update the additional trusted CA certificates.

  get                                 Get the additional trusted CA certificates

Flags:
  -h|--help                           Display help

***************************************************************************************

Below are the operation you can perform using the ./configureUiPathAS.sh additional-ca-certs command.

Updating the CA certificates


This command helps you update or replace the existing configured CA certificates.

./configureUiPathAS.sh additional-ca-certs update --ca-cert-file /path/to/ca/certs

📘

Note:

The command above adds a new certificate to the list of existing certificates. if you want to replace all the previously configured certificates, make sure to append --replace at the end.

The CA Certificate bundle file should be a valid .pem format and can have more than one certificate present in it.

Accessing the CA certificates


Please run the following command to download the already configured CA certificates.

./configureUiPathAS.sh additional-ca-certs get --outpath /path/to/download/certs

 

Managing identity token signing certificate


Run below command to view more information about identity token signing certificates.

sudo ./configureUiPathAS.sh identity token-cert --help

Output

************************************************************************************

Manage Identity token signing certificate

Usage:
  configureUiPathAS.sh identity token-cert [command]
  configureUiPathAS.sh identity token-cert [flags]

Available Commands:
  update                              Update secondary certificate to signing
                                        the authentication token
  rotate                              Switch secondary certificate as a primary
                                        token signing certificate
  get                                 Get token signing certificate

Flags:
  -h|--help                           Display help

************************************************************************************

Below are the operation you can perform using ./configureUiPathAS.sh identity token-cert command

For the token signing certificate, you need to rotate using two steps.

Updating the certificate


This will upload new certificate to sign the token. However, it will not replace the existing token signing certificate. Note certificate should be in pkcs12 format with .pfx extension.

sudo ./configureUiPathAS.sh identity token-cert update --cert-file-path /path/to/cert --password <cert_pass>

Rotating the certificate


This will rotate or switch the old certificate with the new one uploaded using update certificate.

sudo ./configureUiPathAS.sh identity token-cert rotate

📘

Note:

There should be the lead time of about 24 - 48 hours between certificate update and rotate.
We need this lead time to keep supporting the authentication for cached token signed by old certificate.
If you rotate the certificate too soon before the expiry of cache token can result in downtime. And you may have to restart all your robots.

Accessing the certificate


Please run the following command to download the current token signing certificate:

sudo ./configureUiPathAS.sh identity token-cert get --outpath /directory/path/to/store/certificate

 

Managing Objectstore (ceph)


Right now we are only supporting resizing of pvc for objectstore.

Run below command to view more information about objectstore.

sudo ./configureUiPathAS.sh objectstore --help

Output

************************************************************************************

Manage objectstore configuration

Usage:
  configureUiPathAS.sh objectstore [command]
  configureUiPathAS.sh objectstore [flags]

Available Commands:
  resize-pvc                          Resize PVC

Flags:
  -h|--help                           Display help

************************************************************************************

Resizing PVC


📘

Note:

PVC resize can be dangerous and will result in downtime of entire or few of the effect components of cluster. So please, take caution before you are performing this operation.

Run below command to view more information about resizing objectstore PVC.

sudo ./configureUiPathAS.sh objectstore resize-pvc --help

Output

***************************************************************************************

Resize PVC provided by different CSI drivers

Arguments
  -s|--size            [Required] : Size of PVC. Allowed formats are
                       - Plain integer
                       - A fixed-point number using one of these suffixes: E, P, T, G, M, k
                       - A fixed-point number using one of power-of-two equivalents suffixes: Ei, Pi, Ti, Gi, Mi, Ki
  -b|--sub-component   [Required] : Sub-component to resize. Possible Values [mon|data]
  -d|--debug           Increase logging verbosity to show all debug logs
  -h|--help            Show this help message and exit
  -f|--force           Allow deletion of pods to resize the PVC. This may cause downtime

Examples
  Update PVC size for objectstore mon to 105 Gi
  configureUiPathAS.sh objectstore resize-pvc --size 105Gi  --sub-component "mon"

***************************************************************************************

To resize the data storage of ceph objectstore perform below command.

sudo ./configureUiPathAS.sh objectstore resize-pvc --size 1024Gi --sub-component data

Above command will resize the data storage PVC to 1 TiB.

Before starting the PVC resize operation, tool will warn you about the impact. You must accept and only then proceed. You can also use --force flag to skip the warning.

📘

Note:

If the attempt to resize the objstore pvc operation failed, see the Troubleshooting section for a fix.

 

Updating the SQL Server connection

To update the connection string or credentials to the SQL Server, directly edit the cluster_config.json file on the primary the server node. You can directly edit the SQL fields (sql.username, sql.password, and sql.server_url) in the file based on what you need to update.

After updating the file, rerun the interactive installation wizard on the same machine with the updated config as the parameter. You only need to rerun the installation on the primary server.

 

Updating Kerberos Auth


Updating Kerberos Auth configuration

To update the common Kerberos Auth configuration, take the following steps:

  1. SSH into any server machine.
  2. Run the following command:
./configureUiPathAS.sh identity kerberos-auth global-config update --enabled [kerberos-enabled] --adDomain [ad-domain] --username [default-ad-username]  --keytab [default-ad-user-keytab] --lifeTime [ticketLifeTimeInHour]

📘

Note:

  • To manually generate the keytab file, see Setting up Kerberos authentication.

  • The AD domain controller has the Maximum lifetime for user ticket Kerberos setting inside the Default Domain Policy. Make sure the ticket lifetime configured here is not longer than the setting on the domain controller.

Console output success
Updating kerberos auth.....Success!
If you wish to utilize SQL Integrated Auth using Kerberos, 
please update the SQL connection string to enable Integrated Auth. 
For more info on kerberos auth, <link>
Console output failure
Updating kerberos auth.....Failed!
Please provided a valid kerberos auth configuration values.
For more info on kerberos auth, <link>

 

Updating AD username and AD user’s keytab for a Service Group

To update the AD username and/or AD user’s keytab for a specific service, take the following step:

  1. Run the following command:
./configureUiPathAS.sh identity kerberos-auth service-config update --sg [service-group]  --username [new-ad-username] --keytab [new-ad-user-keytab]

The following Service Groups are available (case-sensitive):

  • orchestrator
  • platform
  • discoverygroup
  • testmanager
  • automationops
  • aicenter
  • documentunderstanding
  • insights

📘

Note:

To manually generate the keytab file, see Setting up Kerberos authentication.

Console output success
Updating kerberos config for <service-group> service group.....Success!
If you want to enable sql integrated auth for the <service-group> service goup, 
please update the service's sql connection string. For more info on kerberos auth, <link>
Console output failure
Updating kerberos config for <service-group> service group.....Failed!
Please provided a valid kerberos auth configuration values.
For more info on kerberos auth, <link>

 

Adding system administrators


One system administrator is created in Automation Suite by default with the username admin on the host organization. See Managing system administrator for more details.

If access to the host organization is lost - for example, if the password for the system administrator is lost or the only users with system administrator accounts leave the company - there is a tool to add or restore a system administrator.

This script does not work if the SQL connection string parameter "Integrated Security=true" exists for platform services.

./configureUiPathAS.sh identity add-host-admin --username [new-admin-username] --email [new-admin-email] --password [new-admin-password]
  • --username is a required field.
  • --password is required only if the new administrator uses basic authentication to login.
  • --email is optional unless your external identity provider requires it (for example, Google matches by email, not username).

There are a few important notes about how the administrator is created or restored:

  • New administrators cannot have the same username or email as an existing administrator. If you use the same username or email as an existing administrator, the existing administrator is updated. This is useful if you want to change the password.
  • If an administrator was deleted and you use the same username or email for a new user, the deleted administrator will be restored instead of creating a new one. The password field is not overwritten in this case. An exceptional case is if multiple administrators were deleted with the same username or email, which results in a new administrator being created.
  • If any of the external identity providers configured on the host are forced, that imposes restrictions on the parameters. For instance, if Windows AD is forced, the username must be in the form [email protected]. If Google is forced, then email is required.
  • When logging in to a new administrator account for the first time, the password must be changed.

 

Re-enabling basic authentication


Organization and system administrators may be unable to log in due to an issue with their configured Azure Active Directory or other external identity provider. Organization administrators may be locked out because the Disable basic authentication flag is checked in the Authentication Settings. Organization and system administrators may be locked out because an external identity provider was configured as force/exclusive. This tool will try to re-enable basic authentication for an organization.

This script does not work if the SQL connection string parameter Integrated Security=true exists for platform services.

./configureUiPathAS.sh identity enable-basic-auth --orgname [org-name]

📘

Note:

--orgname is a required field. If basic authentication is restricted at the host level, set the orgname to host.

Updated 5 days ago


Configuring the cluster


This page contains general instructions for configuring Automation Suite.

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.