
UiPath Installation and Upgrade

UiPath Installation and Upgrade Guide

Prerequisites for Installation

Orchestrator Server

  • Windows Server operating system - minimum required version: 2012 R2. Check the software requirements for other supported versions.
  • Windows PowerShell - minimum required version: 5.1. To download Windows PowerShell version 5.1, visit this link and install Windows Management Framework 5.1. For additional help, see the Windows PowerShell 5.1 installation documentation.
  • .NET Framework - minimum required version: 4.7.2. To find out which .NET version is installed on your computer, please see Finding the Installed .NET Version.
  • IIS - minimum required version: 8. This is part of the Web Server (IIS) role and is automatically enabled by the provided InstallRolesAndFeatures.ps1 script, which can be found here.
  • ASP.NET Core IIS Module - minimum version 3.1.x, available here, or 6.0.x, available here. It is available as part of the Hosting Bundle. To download it, make sure you click Hosting Bundle, as shown in the following image.

📘

Note:

Only the Core module is required, and it can be installed without any runtime by using the OPT_NO_RUNTIME=1 parameter in the command line.

  • URL Rewrite - minimum required version 2.1. Enables the website to redirect the calls to HTTPS (https://servername), instead of HTTP (http://servername). Please download and install URL Rewrite by accessing this link.
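  • Server roles and features. We provide a PowerShell script that automatically adds the required roles and features to the application server. The list of roles and features is shown in Server Roles and Features. Please note that this chapter is for reference only.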
  • Web-Deploy extension - minimum required version: 3.6, 64bit version. Please note that this is required only for PowerShell script installations, such as the Azure one. Enables you to deploy a website. Please download and install Web Deploy Extension 3.6 by accessing this link.
  • Web.Config - The <system.webServer> element in web.config must not contain any locked sections. If such sections exist, you need to manually unlock them in IIS.
  • The Application Pool user needs to have the following rights in the Local Computer Policy:
    • Log on as a batch job.
  • Anonymous Authentication must be enabled.

🚧

Installing Orchestrator 2021.10

Make sure that the user running the installer is a domain user and has access to the Active Directory domain configured in the WindowsAuth.Domain setting.

Web Certificates (SSL Certificate)

HTTPS protocol is mandatory for all communication between Robots and Orchestrator on all the browsers on which the web application is accessed by users.

The following 3 types of web certificates can be used.

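  • A web certificate issued by a trusted Certification Authority, such as GoDaddy, VeriSign, etc. The web certificate must be imported into Server Certificates in IIS. You need to know the name of the "Issued To" entity, which must be provided when prompted by the Windows installer.
  • A certificate you issue yourself, if you are a Certification Authority which can issue certificates trusted in the Windows domain. Please see Using a Certificate for the HTTPS Protocol.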
  • A self-signed certificate, which is not recommended for Production. The certificate is not trusted inside the domain. For that reason, you need to export its public key, and then import it on all Robot machines. See Using a Certificate for the HTTPS Protocol for further information.

The name of the certificate you provide when prompted by the Windows installer, or the one mentioned in the command line using -sslCertificate is the same one that appears in the Issued To column in Server Certificates in IIS.


🚧

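Important

For security reasons, the certificate used by Identity Server must:

  • have a 2048-bit public key
  • have signing capability
  • be within its validity period (not expired).

The location of the certificate is set in the Signing Credential section of Identity Server's configuration file, appsettings.Production.json.

If you use a self-signed certificate, it must also be placed in the Trusted Root Certification Authorities certificate store (in addition to the usual Personal location).

The certificate is used to sign the OpenID access tokens that are used for user identification through the browser and for service-to-service communication between Orchestrator and Identity Server. Click here to learn more about OpenID Connect.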

SQL Server

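  • SQL Server can be installed on the same machine as the application server (not recommended for production environments) or provided as a separate machine. The SQL Server machine can be shared with other applications. It does not need to be dedicated to Orchestrator. Click here to see the prerequisites, restrictions, and recommendations for deploying Always On availability groups, and click here for details on physical deployment options.
  • If you plan to use a SQL Server user to connect Orchestrator to the database, enable the Windows and SQL Server authentication mode. Otherwise, enabling Windows authentication mode is enough. If SQL Server is already installed, select this option, as shown in the following image: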

📘

Note:

The SQL Server user must have server-level access. Database-level access is not sufficient for a successful installation.

  • The collation sequence has to be the default one - Latin1_General_CI_AS.
  • SQL Server Management Studio is necessary to configure the login of the domain user that accesses the SQL Server. The application pool runs on the application server under the name of the domain user.
  • If you are considering installing Insights, make sure that your database supports both columnstore indexes and JSON functions.

SQL Server Configuration

Before installing Orchestrator, it is necessary to configure the SQL Server instance that you want to use.

📘

Note:

The Orchestrator SQL database has to be case insensitive (“OrchDB” = “orchdb”). If it is created during the Orchestrator installation process, it is automatically set as such. If not, you have to manually configure it as case insensitive.

Requirements:

  • the name of the SQL Server machine;
  • the name of the instance, if it’s not the default instance;
  • the value of the TCP port, if it’s not the default port - 1433;
  • the SQL Server port is open in the firewall of the SQL Server machine;
  • the TCP Protocol in SQL Server Configuration Manager has to be enabled;
  • the SQL Server service needs to listen on a fixed port, not on a dynamically allocated one;
  • public access to the SQL master database is required for the service account running Orchestrator. This is necessary both for installation and for future upgrades.

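Important
To improve performance, avoid deadlocks, and prevent dirty reads in SQL, make sure that the READ_COMMITTED_SNAPSHOT option is set to ON.

Use the following query to check whether READ_COMMITTED_SNAPSHOT is enabled:

SELECT is_read_committed_snapshot_on FROM sys.databases
   WHERE name= 'UiPath'

If it is enabled, the returned value is 1.
If it is disabled, the returned value is 0. Use the following query to enable it:

ALTER DATABASE UiPath
SET READ_COMMITTED_SNAPSHOT ON
  • If you use different databases for Test Automation and/or Update Server, READ_COMMITTED_SNAPSHOT must be enabled on those databases as well.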

Select one of the following options through which Orchestrator can connect to the SQL Server database.

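Windows Integrated Authentication

For this option, you need a new login in SQL Server for the service account. The service account should be a domain user whose password never expires.

To create a new login in SQL Server Management Studio:

  1. In the Object Explorer panel, go to Security > Logins.
  2. Right-click the Logins folder and select New Login. The Login - New window is displayed.
  3. Select the Windows authentication option. The window updates accordingly.
  4. In the Login name field, type the domain user you want to use as the service account.
  5. From the Default language list, select English.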

🚧

Important

Ensure that the Default Language is set to English. If it isn't, the website cannot start, and the Event Viewer on the computer on which Orchestrator is installed displays the following error message: “The conversion of a varchar data type to a datetime data type resulted in an out of range value”.

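  6. Click OK. Your configuration is saved.
    If the service account has already been created and added to the Security > Logins section of SQL Server, check whether the Default Language of that SQL account is set to English. If it is not, make the necessary adjustments.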

 

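SQL Server Username and Password

In this case, a SQL Server user is required. We strongly recommend not using the sa account.

To create a new SQL login in SQL Server Management Studio:
a. In the Object Explorer panel, navigate to Security > Logins.
b. Right-click the Logins folder and select New Login. The Login - New window is displayed.
c. Select the SQL Server authentication option. The window updates accordingly.

d. Fill in the Login name, Password, and Confirm password fields appropriately.
e. Make sure that the Enforce password expiration and User must change password at next login options are not selected.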

🚧

Important

Ensure that the Default Language is set to English. If it isn't, the website cannot start, and the Event Viewer on the computer on which Orchestrator is installed displays the following error message: “The conversion of a varchar data type to a datetime data type resulted in an out of range value”.

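If the SQL Server account has already been created and added to the Security > Logins section of SQL Server, check whether its Default Language is set to English. If it is not, make the necessary adjustments.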

Regardless of the type of user (domain or SQL) you want to connect to SQL Server, please note that you need to assign it the dbcreator Server Role BEFORE installing Orchestrator, as the database is created during this installation process.

If security restrictions do not allow the use of the dbcreator Server Role in the service account, create the empty database in SQL Server.

The Windows installer connects to SQL Server to verify the existence of the database.

After creating the database, you need to provide the user which connects to the SQL database with the db_owner user mapping role, as in the following screenshot.


If security restrictions do not allow you to use the db_owner user mapping role with the UiPath login, grant the following:

  • db_datareader
  • db_datawriter
  • db_ddladmin 1
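  • EXECUTE permission on the dbo schema

1 The db_ddladmin role is only required during installation or migration. For security reasons, we recommend that you remove it after installation or migration (using ALTER ROLE db_ddladmin DROP MEMBER [SQLReadWrite]) and add it back before an upgrade (using ALTER ROLE db_ddladmin ADD MEMBER [SQLReadWrite]).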

The EXECUTE permission has to be granted by using the GRANT EXECUTE SQL command, as follows.

  • if Windows Integrated Authentication is used:
USE UiPath
GO
GRANT EXECUTE ON SCHEMA::dbo TO [domain\user]
GO
  • if SQL Server Authentication is used:
USE UiPath
GO
GRANT EXECUTE ON SCHEMA::dbo TO [sql_user]
GO
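
An added example, not part of the UiPath documentation: a read-only T-SQL audit of the settings this section asks for (default language, password options, server roles, database roles, EXECUTE on dbo, READ_COMMITTED_SNAPSHOT and collation). It assumes the database is named UiPath, that the login and its database user share the name sql_user (the page's placeholder), and an on-premises SQL Server where sys.server_principals is readable from the user database.

```sql
-- Added example (not from the UiPath documentation). Read-only: it changes nothing.
-- Assumptions: database UiPath; login and database user both named sql_user,
-- the page's placeholder. For Windows authentication use N'domain\user'.
USE UiPath;
GO
DECLARE @principal sysname = N'sql_user';

-- 1. Server level: default language, password options, server roles.
--    default_language_name reads us_english when "English" was chosen in SSMS.
--    The sys.sql_logins columns are NULL for a Windows (domain) login.
SELECT sp.name,
       sp.type_desc,
       sp.default_language_name,
       sl.is_expiration_checked,                                -- page: leave unselected
       LOGINPROPERTY(sp.name, 'IsMustChange') AS must_change_password,
       IS_SRVROLEMEMBER('dbcreator', sp.name) AS is_dbcreator,  -- needed only to create the DB
       IS_SRVROLEMEMBER('sysadmin',  sp.name) AS is_sysadmin    -- should be 0
FROM sys.server_principals AS sp
LEFT JOIN sys.sql_logins   AS sl ON sl.principal_id = sp.principal_id
WHERE sp.name = @principal;

-- 2. Database level: role membership, with a verdict per role.
SELECT r.name AS role_name,
       CASE r.name
            WHEN N'db_datareader' THEN 'expected'
            WHEN N'db_datawriter' THEN 'expected'
            WHEN N'db_ddladmin'   THEN 'install/migration/upgrade only: drop afterwards'
            WHEN N'db_owner'      THEN 'full control: used instead of the restricted set'
            ELSE 'not in the documented set: review'
       END AS verdict
FROM sys.database_role_members AS drm
JOIN sys.database_principals   AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = drm.member_principal_id
WHERE m.name = @principal;

-- 3. EXECUTE on schema dbo: one row with state_desc = GRANT is expected
--    when the restricted role set is used instead of db_owner.
SELECT p.permission_name, p.state_desc, s.name AS schema_name
FROM sys.database_permissions AS p
JOIN sys.database_principals  AS g ON g.principal_id = p.grantee_principal_id
JOIN sys.schemas              AS s ON s.schema_id    = p.major_id
WHERE p.class_desc = 'SCHEMA'
  AND p.permission_name = 'EXECUTE'
  AND s.name = N'dbo'
  AND g.name = @principal;

-- 4. Database options the page requires: snapshot isolation on (1) and
--    the documented collation, Latin1_General_CI_AS.
SELECT name, is_read_committed_snapshot_on, collation_name
FROM sys.databases
WHERE name = N'UiPath';
```

Run it after installation and again after each upgrade; a db_ddladmin row in the second result set at that point means the temporary role was not dropped.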

 

Azure AD authentication

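To use Azure AD authentication with SQL Server, you must install Orchestrator in an Azure App Service or an Azure virtual machine.

Orchestrator Running in an Azure App Service

  1. Create a new user-assigned managed identity in the resource group and copy the client ID for later use.
  2. Add the identity to the list of user-assigned identities of the Orchestrator App Service:
  3. Enable an Azure Active Directory administrator for the SQL Server that hosts the Orchestrator database.
  4. Create a SQL login for the identity created in step 1 for the Orchestrator database. Log in to the database with the administrator account set in step 3 and run the following command:
CREATE USER [SQLReadWrite] FROM EXTERNAL PROVIDER
  5. Add the user roles on the Orchestrator database (this is not required for the master database):
    • If the db_owner role is not restricted, add the following role: ALTER ROLE db_owner ADD MEMBER [SQLReadWrite]
    • If the db_owner role is not available, add the following roles, where SQLReadWrite is the name of the identity created in step 3:
ALTER ROLE db_datareader ADD MEMBER [SQLReadWrite]
ALTER ROLE db_datawriter ADD MEMBER [SQLReadWrite]
ALTER ROLE db_ddladmin ADD MEMBER [SQLReadWrite]
GRANT EXECUTE ON SCHEMA::dbo TO [SQLReadWrite]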

The db_ddladmin role is only needed during installation or migration. For security reasons, we recommend that you:

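  • Remove it after installation or migration:
ALTER ROLE db_ddladmin DROP MEMBER [SQLReadWrite]
  • Add it back before an upgrade:
ALTER ROLE db_ddladmin ADD MEMBER [SQLReadWrite]
  6. Update the connection string in Orchestrator by running the following command: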
<add name="Default" providerName="Microsoft.Data.SqlClient" connectionString="Data Source=aad-paas-sql.database.windows.net;Initial Catalog=UiPath;User ID=7e8df0ba-bc41-46d1-bd46-6101e45200a8;Authentication=Active Directory Managed Identity;" />

📘

Note:

  • USER ID is set to the value of the client ID created in step 1.
  • Make sure to use Authentication=Active Directory Managed Identity.
  • No password or token is required.

 

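Orchestrator Running in an Azure Virtual Machine

  1. Create a new user-assigned managed identity in the resource group and copy the client ID for later use.
  2. Add the identity to the list of user-assigned identities of the virtual machine that runs Orchestrator.
  3. Enable an Azure Active Directory administrator for the SQL Server that hosts the Orchestrator database.
  4. Create a SQL login for the identity created in step 1 for the Orchestrator database. Log in to the database with the administrator account set in step 3 and run the following command:
CREATE USER [SQLReadWrite] FROM EXTERNAL PROVIDER
  5. Add the user roles on the Orchestrator database (this is not required for the master database):
    • If the db_owner role is not restricted, add the following role: ALTER ROLE db_owner ADD MEMBER [SQLReadWrite]
    • If the db_owner role is not available, add the following roles, where SQLReadWrite is the name of the identity created in step 3.
ALTER ROLE db_datareader ADD MEMBER [SQLReadWrite]
ALTER ROLE db_datawriter ADD MEMBER [SQLReadWrite]
ALTER ROLE db_ddladmin ADD MEMBER [SQLReadWrite]
GRANT EXECUTE ON SCHEMA::dbo TO [SQLReadWrite]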

The db_ddladmin role is only needed during installation or migration. For security reasons, we recommend that you:

  • Remove it after installation or migration:
ALTER ROLE db_ddladmin DROP MEMBER [SQLReadWrite]
  • Add it back before an upgrade:
ALTER ROLE db_ddladmin ADD MEMBER [SQLReadWrite]
  6. Update the connection string in Orchestrator:
<add name="Default" providerName="Microsoft.Data.SqlClient" connectionString="Data Source=aad-paas-sql.database.windows.net;Initial Catalog=UiPath;User ID=7e8df0ba-bc41-46d1-bd46-6101e45200a8;Authentication=Active Directory Managed Identity;" />

📘

Note:

  • Make sure that USER ID is set to the value of the client ID created in step 1.
  • Make sure to use Authentication=Active Directory Managed Identity.
  • No password or token is required.

 

High Availability Add-on

The High Availability add-on (HAA) for Orchestrator is an in-memory database that is used for caching and is shared among Orchestrator nodes, providing near instant synchronization.

🚧

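Important

HAA is mandatory in a cluster environment.

Multi-node Orchestrator deployments use RESP (REdis Serialization Protocol) for communication, so they can be configured with any solution that relies on this protocol, but HAA is the only such solution supported by UiPath.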

The following information is stored in HAA:

  • session state - automatically set when installing Orchestrator on multiple nodes
  • user sessions from the browser
  • Robot heartbeat cache
  • associations between users and roles
  • associations between users and organization units
  • license information
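  • settings

Orchestrator uses HAA as a shared cache for all its nodes. The following example describes how the cache is used to coordinate between Orchestrator nodes:

  • Example: A user manually starts a Robot job on an Orchestrator node. That particular node may not know which Orchestrator node the Robot is connected to. The node from which you start the job forwards the request to HAA, and HAA synchronizes the information. The Orchestrator node that has established a connection with the Robot in question sends it the start command. The other Orchestrator nodes, which are not connected to our Robot, simply ignore the command.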

It is also possible to enable SSL encrypted connections between the Orchestrator nodes and the HAA service through the LoadBalancer.Redis.ConnectionString parameter in UiPath.Orchestrator.dll.config. For more information, see this page.

Network Load Balancer

A network load balancer enables you to distribute the load to multiple nodes, and thus enables an overall better performance of your Orchestrator instance. Additionally, if one of the nodes fails, the rest pick up the load, thus ensuring you have no downtime.

🚧

Important

If you want to deploy Orchestrator in a cluster using the High Availability model, you must use a network load balancer.

We recommend using an F5 load balancer with a predictive algorithm, as the load is distributed to the nodes that perform better, which offers a better overall performance of Orchestrator. For more information on algorithms, please take a look here.

Elasticsearch Server

Elasticsearch is optional and is used to store messages logged by the Robots. Logs can be sent to ElasticSearch and/or to a local SQL database, thus enabling you to have non-repudiation logs. When using both ElasticSearch and SQL, they do not affect each other if one of them encounters a problem. These parameters can be changed from the UiPath.Orchestrator.dll.config file (C:\Program Files (x86)\UiPath\Orchestrator). For more information, see Logging Configuration.

If you choose to use ElasticSearch, please note that although it is a cross-platform product, which runs on Windows, Linux, or Unix, it requires Java. You can use either OpenJDK or Oracle JRE. A compatibility matrix is provided by Elasticsearch here.

📘

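Note:

Please note that, starting April 16, 2019, Oracle has changed its licensing model. Information about the changes is available here.

If the machines are in a domain, you must make sure that they are added to the Computers section of the domain server in Active Directory Users and Computers. This step is required because the computer name is used during the installation process. For example, http://computername.domain.name or http://computername is used instead of http://localhost.
If this is not possible, the computer name or IP address should be used during the installation.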

Installing Elasticsearch

  1. Download Elasticsearch.
  2. Double-click the Elasticsearch Windows installer. The Elasticsearch wizard is displayed, at the Locations step.
  3. Use the default directories for installation, data, configuration, and logs, or select custom locations for each.

📘

Note:

If you have a disk other than the one where Elasticsearch is installed, you can configure Elasticsearch to store the data on the disk with more free space.

  4. Click Next. The Service step is displayed.
  5. Ensure that the following options are selected:
    • Install as a service
    • Start the service after this installation is complete
    • Start the service when Windows starts (Automatic)
  6. Click Next. The Configuration step is displayed.
  7. Configure the following options as desired:
    • Cluster name - change the value to something that reflects the purpose of this Elasticsearch installation. This is important if you have several servers with Elasticsearch in your intranet, to avoid autodiscovery.
    • Node name - a friendly name for your node.
    • Roles - the default options are recommended.
    • Memory - the default options are recommended.
    • Network host - the computer’s hostname/IP address (you can obtain the machine name in a command prompt by running the command hostname).
    • HTTP Port - the default port for Elasticsearch is 9200
    • Discovery - select the "This is the first master in a new cluster" check box for the first node in the cluster.

🚧

Important

If Orchestrator is installed on a different machine, please remember to open port 9200 in the Firewall of the machine where Elasticsearch is installed.

  8. Click Next. The Plugins step is displayed.
  9. (Optionally) Select additional plugins for Elasticsearch, such as X-Pack for security.
  10. Click Install. ElasticSearch is installed.

Reducing the Number of Index Shards

By default, newly created Elasticsearch indexes have five shards. However, for an increased performance, it is recommended to reduce this number to two. For more information, please see the official documentation of Elasticsearch.

To make this change, all you have to do is make a PUT request to your Elasticsearch instance URL in the elasticUrl/_template/uipath_logs format, with the following body:

{
    "template": "*",
    "order": 1,
    "settings": {
        "number_of_shards": 2
    }
}

To test your ElasticSearch connection, use any browser to open the following URL: http://computername:9200/. Computername stands for the name of the computer on which Elasticsearch is installed. The browser should either ask you to download a .json file or open and display the file as in the picture below.


Kibana

Kibana is used in combination with Elasticsearch and helps you create custom views based on the logs you send to Elasticsearch, in our case, the ones sent by Robots.

Install Kibana

📘

Note:

Kibana does not need Java to run. If Kibana is installed on a different machine from Elasticsearch, you don’t need to install Java for Kibana to work.

  1. Download Kibana.
  2. Unzip the Kibana package.

📘

Note:

Unzip to C:\ or D:\. You do not need to create a new folder named kibana-x.y.z-windows, because the files in the archive are already placed in a folder with that name.

  3. Edit the Kibana configuration file (C:\kibana-x.y.z-windows-x86\config\kibana.yml), as follows:

📘

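Note:

At first, open the file with Wordpad and save it to convert the LF (Line Feed) characters into CRLF (Carriage Return Line Feed) characters. Afterwards, open the file with Notepad.

3.1. Uncomment the line that contains server.port. The default value is 5601. It does not need to be changed unless you want Kibana to run on a different port.
3.2. Uncomment the line that contains server.host. Change the value to the computer name.
3.3. Uncomment the line that contains elasticsearch.url. Change the value to the Elasticsearch URL, using the name of the computer on which Elasticsearch is installed. For example, http://computername:9200
Note: For Kibana 6.6.0 or later, this line has been replaced by elasticsearch.hosts
The screenshot below shows an example of the Kibana configuration file, in which the computer name for both Kibana and Elasticsearch is JLTSQL: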

3.4. Save the file.

  4. Download the setup-kibana-service.zip archive.
  5. Copy the nssm.exe and setup_kibana.bat files from the setup-kibana-service.zip archive to C:\kibana-x.y.z-windows-x86\bin.
  6. Open the setup_kibana.bat file to check whether Kibana is installed in accordance with the location set in the KIBANA_HOME variable in the BAT file. If you extracted Kibana to a different location, make the necessary changes.
  7. Open Command Prompt as an Administrator and change the folder to C:\kibana-x.y.z-windows-x86\bin.
  8. Run setup_kibana.bat to install Kibana.
  9. Test whether Kibana responds by typing http://computername:5601 in any web browser. computername represents the name of the computer on which you installed Kibana.

🚧

Important

Open port 5601 in the Firewall of the machine on which Kibana is installed.

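  10. Use Kibana to add a test message to the Elasticsearch database:
    10.1. In Kibana, navigate to the Dev Tools tab.
    10.2. Submit a POST request in the format shown below. If no error is returned, an Elasticsearch index named default-yyyy.mm is created and the message is added.
POST default-2018.08/logEvent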
{
	"message": "Hello Elasticsearch!",
	"@timestamp": "2018-07-03T08:56:56.1219306Z"
}

🚧

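Important

Each time you add a new tenant, a corresponding index pattern that starts with the tenant's name should be created in Kibana. yyyy represents the year in which the message was added. mm represents the month in which the message was added. Read Creating an Index Pattern to Connect to Elasticsearch to learn how to create an index pattern in Kibana.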

Time Synchronization

Keep in mind that regardless of the type of installation you choose, for the scheduling features to work properly you must ensure that:

  • in clustered mode the clocks on all machines have to be synchronized within less than one second;
  • the clocks for the database and Orchestrator machines also have to be synchronized;
  • if the SQL database enters a faulted state it is recommended to restart the Orchestrator web server from IIS. If you are in an NLB environment, please restart all web servers.
