orchestrator
2023.10
false
- Getting Started
- Requirements
- Best Practices
- Installation
- Updating
- Identity Server
- Troubleshooting startup errors
Encrypting UiPath.Orchestrator.dll.config Sections
Orchestrator Installation Guide
Last updated Oct 3, 2024
Encrypting UiPath.Orchestrator.dll.config Sections
The
UiPath.Orchestrator.dll.config
file contains sensitive information one may want to secure. It is possible to encrypt sections in this file with the UiPath.Orchestrator.Cli.exe
tool with the protected-configuration
command.
Note: Once encrypted, the data cannot be changed by directly editing the
UiPath.Orchestrator.dll.config
file. It must be decrypted and then re-encrypted.
UiPath.Orchestrator.Cli.exe
is a CLI tool wrapped over aspnet_regiis.exe. The tool accepts all arguments passed to aspnet_regiis.exe
and adds missing .NET Core functionality. It can be found in Orchestrator's root installation directory.
Here's an overview of the main operations performed by the
UiPath.Orchestrator.Cli.exe
tool.
- Renames
web.config
toweb.config.copy
andUiPath.Orchestrator.dll.config
to web.config. - Prepares
web.config
foraspnet_regiis.exe
invocation. aspnet_regiis.exe
is invoked in another process with the arguments passed to the console app.- Prepares
web.config
afteraspnet_regiis.exe
has been invoked. - Renames
web.config
toUiPath.Orchestrator.dll.config
andweb.config.copy
toweb.config
.
Important: If at any point during the migration an exception is thrown or the process that invokes
aspnet_regiis.exe
returns an exit code different than 0, the attempt is aborted, and both files are restored to their initial value.
The
EncryptionKey
in the secureAppSettings
section of UiPath.Orchestrator.dll.config
is used to encrypt/decrypt passwords for credential assets and Robot credentials without the need for an additional tool.
It is automatically generated when you first install Orchestrator.
This section can also be encrypted using the
Using UiPath.Orchestrator.Cli.exe
tool with the protected-configuration
command, to ensure that nobody can use the key to decrypt the information you store in Orchestrator.
Parameter |
Description |
---|---|
|
Indicates the configuration section to be encrypted. |
|
Represents the virtual path's site specified as the value of the
-app argument. Change the value of this argument ("UiPath Orchestrator") if your instance’s name is different. If this is not
specified, the default website name is used.
|
|
Encrypt at this virtual path. It must begin with a forward slash. If the value is just '/', then it points to the root of the site. |
|
The library used to encrypt the
secureAppSettings . The only supported value is "RsaProtectedConfigurationProvider" .
|
For more information about the
Aspnet_regiis.exe
tool, read the official Microsoft documentation.
To encrypt the aforementioned section of the
UiPath.Orchestrator.dll.config
file, perform the following steps AFTER installing Orchestrator:
The
XmlEncAES256Url
algorithm is used for encrypting the RsaProtectedConfigurationProvider
section. To this end, useFIPS
is set to true
and the following section is added in UiPath.Orchestrator.dll.config
.
<code><add keyContainerName="NetFrameworkConfigurationKey" cspProviderName=""
useMachineContainer="true" useFIPS="true" useOAEP="false" description="Uses RsaCryptoServiceProvider to encrypt and decrypt"
name="RsaProtectedConfigurationProvider" type="System.Configuration.RsaProtectedConfigurationProvider,System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /></code>
<code><add keyContainerName="NetFrameworkConfigurationKey" cspProviderName=""
useMachineContainer="true" useFIPS="true" useOAEP="false" description="Uses RsaCryptoServiceProvider to encrypt and decrypt"
name="RsaProtectedConfigurationProvider" type="System.Configuration.RsaProtectedConfigurationProvider,System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /></code>