The Orchestrator Credentials Proxy
You can add your own credential stores to Orchestrator so that you control the security of your connection data independently.
To do that, load the credential store plugins you need, in the form of .dll files, into the Orchestrator Credentials Proxy web service. The installation kit contains all plugins supported by UiPath, but you can also develop and load your own plugin .dll files. The service then exposes your plugins to Orchestrator via a proxy, which is created in Orchestrator from the public URL and the secret key generated by the proxy.
Installation
The Orchestrator Credentials Proxy can be installed either through an .msi installer or through a Docker image provided by UiPath.
Through the .msi installer
Prerequisites
The following are required to be able to use the proxy:
- ASP.NET Core version 3.1 or 6
- IIS version 8.0 or higher
- The following Windows features must be installed:
- IIS-DefaultDocument
- IIS-HttpErrors
- IIS-StaticContent
- IIS-RequestFiltering
- IIS-URLAuthorization
- IIS-WindowsAuthentication
- IIS-ASPNET45
- IIS-ISAPIExtensions
- IIS-ISAPIFilter
- IIS-WebSockets
- IIS-ApplicationInit
- IIS-ManagementConsole
Hardware and software requirements
Hardware requirements
These are the minimum requirements for running the proxy on a Windows Server with IIS:
CPU Cores | RAM
---|---
2 | 4 GB
Software requirements
The proxy can be installed on the following Windows Server versions:
- 2012 R2
- 2016
- 2019
- 2022
Installation steps
Follow these steps to perform the installation:
Through the Docker image
Preliminary information
All Orchestrator Credentials Proxy settings that can be edited are available in its appsettings.json file. The following parameters are important in the initial setup:
- Jwt:Keys - (initially empty) this array of strings is used to set up the authentication of the proxy. It constitutes the secret key that you use during the proxy creation process and that allows Orchestrator to retrieve data from the proxy. Invalid values are ignored; if no valid value is found, the proxy will not start. The secret keys must be base64-encoded and can be generated with one of the PowerShell scripts below.
$bytes = [System.Security.Cryptography.RandomNumberGenerator]::GetBytes(64)
$jwtSigningKey = [Convert]::ToBase64String($bytes)
Write-Host $jwtSigningKey
The script above generates 64 random bytes from the .NET cryptographically secure random number generator (RandomNumberGenerator) and converts them to a base64 string. The static GetBytes method only exists in .NET 6 and later, so this form needs PowerShell 7.2 or newer; on Windows PowerShell 5.1 use the script below instead.
# Windows PowerShell 5.1 (.NET Framework) variant: same 64 CSPRNG bytes, base64-encoded
[Byte[]] $bytes = 1..64
$rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
$rng.GetBytes($bytes)
$jwtSigningKey = [Convert]::ToBase64String($bytes)
Write-Host $jwtSigningKey
- appSettings:Plugins.SecureStores - (initially set to the default credential stores available in Orchestrator) this is a CSV string used to specify which .dll assemblies should be loaded from disk (from path/plugins) in order to enable secure stores for the proxy. Adding invalid assemblies to the list does not break startup, but you will receive log errors when you try to deploy it.
- appSettings:SigningCredentialSettings:FileLocation:SigningCredential:FilePath and appSettings:SigningCredentialSettings:FileLocation:SigningCredential:Password - (initially hidden) used for encrypting the Jwt:Keys parameter. These represent the file path to your signing certificate and its password.
- appSettings:SigningCredentialSettings:StoreLocation:Name, appSettings:SigningCredentialSettings:StoreLocation:Location, appSettings:SigningCredentialSettings:StoreLocation:NameType - (initially hidden) used for encrypting the Jwt:Keys parameter when the signing certificate is taken from a Windows certificate store rather than from a file.
Encrypting the Jwt:Keys parameter
To add an extra layer of security, you can encrypt the Jwt:Keys parameter in your appsettings.json file. This requires UiPath.ConfigProtector.exe version 1.0.9 or higher.
Setting up and running the Docker image
To run the Orchestrator Credentials Proxy using Docker, follow the steps below.
Configuration
The first step in configuring your proxy is to add any custom .dll plugins that you want to use to the C:\Program Files\UiPath\CredentialsProxy\plugins folder.
The next steps only apply to the disconnected proxy, since the connected proxy does not require dedicated configuration.
Disconnected proxy
This proxy type is completely separated from Orchestrator, so you must provide the information related to the credential vaults locally, in the appsettings.Production.json configuration file, found at the following location: C:\Program Files\UiPath\OrchestratorCredentialsProxy\appsettings.Production.json.
These are the fields that need to be edited in that file, in the AppSettings > SecureStoreConfigurations section:
- Key - the identifier key for the configuration
- Type - the credential vault type, as identified in the .dll files configured via the Plugins.SecureStores parameter found in appsettings.json (see the samples below)
- Context - the connectivity information for the secure store implementation
Once you edit the configuration file, restart the service from IIS.
Configuration samples
These are samples that you need to add to the appsettings.Production.json
configuration file in order to start the disconnected proxy. If you do not, the service will not start.
Choose the appropriate sample based on your credential store type, or add multiple credential stores by using the very last sample on this page.
AWS Secrets Manager/AWS Secrets Manager (read only)
  "SecureStoreConfigurations": [
    {
      "Key": "<MyAwsStore>",
      "Type": "AWS Secrets Manager" / "AWS Secrets Manager (read only)",
      "Context": {
        "UseDefaultCredentials": "true",
        "AccessKey": "<AccessKey>",
        "SecretKey": "<SecretKey>",
        "Region": "<SelectedRegion>"
      }
    },
  ]
Use exactly one of the two Type strings. Set UseDefaultCredentials to "true" to let the proxy authenticate through the AWS SDK default credential chain (environment variables, shared credentials file or instance profile); otherwise supply a static AccessKey and SecretKey pair.
Azure Key Vault (read only)
  "SecureStoreConfigurations": [
    {
      "Key": "<MyAzureStore>",
      "Type": "AzureKeyVault (read only)",
      "Context": {
        "KeyVaultUri": "<KeyVaultUri>",
        "DirectoryId": "<DirectoryId>",
        "ClientId": "<ClientId>",
        "ClientSecret": "<ClientSecret>"
      }
    },
  ]
Azure Key Vault (read/write) is not supported.
BeyondTrust Password Safe - Managed Accounts
  "SecureStoreConfigurations": [
    {
      "Key": "<MyBeyondTrustManagedAccountsSafe>",
      "Type": "BeyondTrust Password Safe - Managed Accounts",
      "Context": {
        "Hostname": "<HostName>",
        "APIRegistrationKey": "<ApiRegistrationKey>",
        "APIRunAsUsername": "<Username>",
        "DefaultManagedSystemName": "", // can be empty or a string
        "SystemAccountDelimiter": "/", // default account delimiter is "/", but it can be changed
        "ManagedAccountType": "<ManagedAccountType>" // expected value is one of "system", "domainlinked", "database", "cloud", "application"
      }
    },
  ]
BeyondTrust Password Safe - Team Passwords
  "SecureStoreConfigurations": [
    {
      "Key": "<MyBeyondTrustTeamPasswordSafe>",
      "Type": "BeyondTrust Password Safe - Team Passwords",
      "Context": {
        "Hostname": "<HostName>",
        "APIRegistrationKey": "<ApiRegistrationKey>",
        "APIRunAsUsername": "<Username>",
        "FolderPathPrefix": "/", // default delimiter is "/", but it can be changed
        "FolderPasswordDelimiter": "/" // default delimiter is "/", but it can be changed
      }
    },
  ]
CyberArk - AIM
  "SecureStoreConfigurations": [
    {
      "Key": "<MyCyberArk>",
      "Type": "CyberArk",
      "Context": {
        "ApplicationId": "<App_MyCyberArk>",
        "Safe": "<Passwords>",
        "Folder": "<MyFolder>"
      }
    },
  ]
CyberArk - CCP
  "SecureStoreConfigurations": [
    {
      "Key": "<MyCyberArkCCPStore>",
      "Type": "CyberArkCCP",
      "Context": {
        "ApplicationId": "<ApplicationId>",
        "Safe": "<CyberArkSafe>",
        "Folder": "<CyberArkFolder>",
        "WebServiceUrl": "<CentralCredentialProviderUrl>",
        "WebServiceName": "<WebServiceName>",
        "SerializedClientCertificate": "<ClientCertificate>", // must be ".pfx" as base64
        "ClientCertificatePassword": "<ClientCertificatePassword>",
        "SerializedRootCA": "<someServerRootCA>" // must be ".crt" or ".cer" as base64
      }
    },
  ]
Based on your IIS configuration, you might need to configure additional KeyStorageFlags as follows. This is typically needed when the application pool runs without a loaded user profile, in which case the client certificate's private key must be placed in the machine key set rather than the user key set:
  "AppSettings": {
    ...
    "Plugins.SecureStores.CyberArkCCP.KeyStorageFlags": "MachineKeySet",
    ...
  }
HashiCorp Vault / HashiCorp Vault (read only)
  "SecureStoreConfigurations": [
    {
      "Key": "<MyHashiCorp>",
      "Type": "HashiCorp Vault" / "HashiCorp Vault (read only)",
      "Context": {
        "VaultUri": "<VaultUri>",
        "AuthenticationType": "<AppRole>",
        "RoleId": "<RoleId>",
        "SecretId": "<SecretId>",
        "Username": "<Username>",
        "Password": "<Password>",
        "Token": "<Token>",
        "SecretsEngine": "<KeyValueV2>",
        "SecretsEnginePath": "<Secret>",
        "DataPath": "<applications/orchestrator>",
        "Namespace": "<orchestrator>"
      }
    },
  ]
Use exactly one of the two Type strings. AuthenticationType selects how the proxy authenticates to Vault, and only the Context fields that belong to the chosen method are used (RoleId and SecretId for AppRole, Username and Password for username/password-style methods, Token for token authentication); the unused ones can be left out.
Thycotic Secret Server
  "SecureStoreConfigurations": [
    {
      "Key": "<MyThycoticServer>",
      "Type": "Thycotic Secret Server",
      "Context": {
        "SecretServerUrl": "<ServerUrl>",
        "RuleName": "<Rule>",
        "RuleKey": "<Key>",
        "UsernameField": "<Username>",
        "PasswordField": "<Password>"
      }
    },
  ]
Multiple credential stores
If you use multiple credential stores, you can add them one under the other, as follows:
{
  ...
  "AppSettings": {
    ...
    "SecureStoreConfigurations": [
      {
        "Key": "<SecureStoreKey1>",
        "Type": "AzureKeyVault (read only)",
        "Context": {
          "KeyVaultUri": "<Uri>",
          "DirectoryId": "<DirectoryId>",
          "ClientId": "<ClientId>",
          "ClientSecret": "<ClientSecret>"
        }
      },
      {
        "Key": "<SecureStoreKey2>",
        "Type": "BeyondTrust Password Safe - Managed Accounts",
        "Context": {
          "Hostname": "<Host>",
          "APIRegistrationKey": "<ApiKey>",
          "APIRunAsUsername": "<ApiUsername>",
          "DefaultManagedSystemName": "",
          "SystemAccountDelimiter": "/",
          "ManagedAccountType": "system"
        }
      }
    ]
    ...
  }
}
Validation
This only applies to the disconnected credentials proxy.
The proxy validates the configuration on startup if the type it detects is Disconnected
.
These are some of the validation steps that are performed:
- It ensures that appsettings.Production.json contains the expected configurations, as detailed in the Configuration section above.
- It ensures that SecureStoreConfigurations does not contain any duplicate Key parameters, i.e. that the credential stores configured in the appsettings.Production.json file are unique. The SecureStoreConfigurations parameter is an array of configurations, which means that you can add as many credential stores as you want, even of the same type. For example, you can have multiple Azure Key Vault (read only) instances configured, as long as the Key field is unique.
- It checks that all Type values are valid.
- Based on the implementation of each secure store, it checks that the vault can be reached successfully.
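The startup checks listed above only tell you that something is wrong after the service has already failed to start. The following script is an added example, not UiPath code, that performs the same checks offline before you restart the service from IIS: it generates a Jwt:Keys value with the same construction as the PowerShell scripts in the Preliminary information section, rejects entries that are not valid base64, flags duplicate Key values and unknown Type strings, and verifies that each Context carries the fields shown in the configuration samples. Everything it knows about the store types comes from those samples, so a deployment with extra custom plugin .dll files would need to extend KNOWN_TYPES. MIN_KEY_BYTES, the scan for placeholders still wrapped in <...>, the AWS rule that static keys are only required when UseDefaultCredentials is not "true", and the sample configuration at the bottom are this script's own assumptions and constructed data.

```python
"""Pre-flight checker for Orchestrator Credentials Proxy settings (added example, not UiPath code).
Reproduces offline the checks this page describes: at least one valid base64 Jwt:Keys entry, unique
SecureStoreConfigurations keys, known Type values and the Context fields each sample shows.
MIN_KEY_BYTES and the placeholder scan (values still wrapped in <...>) are this script's own additions."""
import base64
import secrets

MIN_KEY_BYTES = 32  # assumption: the page only requires base64, not a minimum length
HASHICORP = {"VaultUri", "AuthenticationType", "SecretsEngine", "SecretsEnginePath", "DataPath"}
KNOWN_TYPES = {  # Type strings exactly as in the samples above, with the Context fields they show
    "AWS Secrets Manager": {"Region"},
    "AWS Secrets Manager (read only)": {"Region"},
    "AzureKeyVault (read only)": {"KeyVaultUri", "DirectoryId", "ClientId", "ClientSecret"},
    "BeyondTrust Password Safe - Managed Accounts": {"Hostname", "APIRegistrationKey", "APIRunAsUsername", "ManagedAccountType"},
    "BeyondTrust Password Safe - Team Passwords": {"Hostname", "APIRegistrationKey", "APIRunAsUsername"},
    "CyberArk": {"ApplicationId", "Safe", "Folder"},
    "CyberArkCCP": {"ApplicationId", "Safe", "Folder", "WebServiceUrl", "WebServiceName"},
    "HashiCorp Vault": HASHICORP,
    "HashiCorp Vault (read only)": HASHICORP,
    "Thycotic Secret Server": {"SecretServerUrl", "RuleName", "RuleKey", "UsernameField", "PasswordField"},
}

def generate_jwt_key(n_bytes=64):
    """Same construction as the PowerShell scripts above: CSPRNG bytes, base64-encoded."""
    return base64.b64encode(secrets.token_bytes(n_bytes)).decode("ascii")

def check_jwt_keys(keys):
    """Proxy rule: invalid entries are ignored; zero valid entries means the proxy will not start."""
    errors, valid = [], 0
    for i, key in enumerate(keys):
        try:
            raw = base64.b64decode(key, validate=True)
        except (ValueError, TypeError):  # binascii.Error is a ValueError subclass
            errors.append(f"Jwt:Keys[{i}]: not valid base64 (the proxy ignores it)")
            continue
        if len(raw) < MIN_KEY_BYTES:
            errors.append(f"Jwt:Keys[{i}]: only {len(raw)} bytes; use at least {MIN_KEY_BYTES}")
        else:
            valid += 1
    if valid == 0:
        errors.append("Jwt:Keys: no valid key found; the proxy will not start")
    return errors

def check_secure_stores(stores):
    """Validation-section rules for AppSettings:SecureStoreConfigurations, plus the placeholder scan."""
    errors, seen = [], set()
    for i, store in enumerate(stores):
        key, stype, ctx = store.get("Key"), store.get("Type"), store.get("Context") or {}
        label = f"SecureStoreConfigurations[{i}] ({key!r})"
        if not key:
            errors.append(f"{label}: missing Key")
        elif key in seen:
            errors.append(f"{label}: duplicate Key; every store needs a unique Key")
        seen.add(key)
        if stype not in KNOWN_TYPES:
            errors.append(f"{label}: unknown Type {stype!r}; is its plugin listed in Plugins.SecureStores?")
            continue
        required = set(KNOWN_TYPES[stype])
        if stype.startswith("AWS") and str(ctx.get("UseDefaultCredentials", "false")).lower() != "true":
            required |= {"AccessKey", "SecretKey"}  # static keys only matter without the default chain
        for field in sorted(required - set(ctx)):
            errors.append(f"{label}: Context is missing {field!r}")
        for field, value in ctx.items():
            if isinstance(value, str) and value.startswith("<") and value.endswith(">"):
                errors.append(f"{label}: Context.{field} still holds the placeholder {value!r}")
    return errors

def strip_json_comments(text):
    """Drop // comments outside strings: the .NET configuration loader skips them, json.loads does not."""
    out, in_str, esc, i = [], False, False, 0
    while i < len(text):
        ch = text[i]
        if in_str:  # track backslash escapes so an escaped quote does not end the string
            esc, in_str = (not esc and ch == "\\"), not (ch == '"' and not esc)
        elif text.startswith("//", i):  # skip to the end of the line, keeping the newline
            nl = text.find("\n", i)
            i = len(text) if nl == -1 else nl
            continue
        elif ch == '"':
            in_str = True
        out.append(ch)
        i += 1
    return "".join(out)

SAMPLE_CONFIG = {  # constructed sample: one correct store plus three deliberate mistakes
    "Jwt": {"Keys": ["not base64!!", generate_jwt_key()]},
    "AppSettings": {"SecureStoreConfigurations": [
        {"Key": "kv-prod", "Type": "AzureKeyVault (read only)", "Context": {"KeyVaultUri": "https://contoso-rpa.vault.azure.net/",
         "DirectoryId": "tenant-guid", "ClientId": "app-guid", "ClientSecret": "app-secret"}},
        {"Key": "kv-prod", "Type": "CyberArk", "Context": {"ApplicationId": "App_RPA", "Safe": "RPA", "Folder": "Root"}},
        {"Key": "aws", "Type": "AWS Secrets Manager", "Context": {"UseDefaultCredentials": "false", "AccessKey": "<AccessKey>",
         "SecretKey": "x", "Region": "eu-west-1"}},
        {"Key": "bt", "Type": "BeyondTrust Password Safe", "Context": {}},
    ]},
}
```

To run it against a real file, read appsettings.Production.json, pass the text through strip_json_comments (the samples on this page use // comments, which the .NET configuration loader accepts but Python's json module does not), load the result with json.loads, and hand the AppSettings:SecureStoreConfigurations array to check_secure_stores and the Jwt:Keys array from appsettings.json to check_jwt_keys. On SAMPLE_CONFIG the checker reports four problems: the first Jwt:Keys entry is not base64, the second store reuses the Key kv-prod, the AWS store still contains the <AccessKey> placeholder, and the last store's Type matches no plugin on this page.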
Logging
Orchestrator Credentials Proxy logs are stored locally, in the C:\Program Files\UiPath\OrchestratorCredentialsProxy folder, if the proxy's application pool has write permissions for that path. These are configured in IIS.
If you do not want to give write permissions to that folder, you can provide a relative or absolute path of your choice via the NLog.targets.logfile.fileName parameter in appsettings.Production.json.
On Windows machines, the proxy also stores logs in the Windows Event Viewer.
Security considerations
- Orchestrator only allows secure (HTTPS) URLs for the proxy. The HTTPS certificate must be valid and signed by a widely recognized certificate authority. Certificates that are self-signed or signed by an internal authority are not supported.
- Orchestrator is validated through a client secret generated by the Orchestrator Credentials Proxy. The client secret is stored in a configuration file on the machine where the Orchestrator Credentials Proxy is installed, and is encrypted and stored in the database by Orchestrator.
- When editing a credential store proxy in Orchestrator and changing its URL, you are also required to enter the client secret.
- Orchestrator Credentials Proxy 2.0.0+ actions are logged in the Windows Event Viewer.
- Binaries must be signed on the Windows machine.
- The Docker image must be signed.