Automation Suite on OpenShift Installation Guide
Last updated November 11, 2024

Managing certificates

Important:

The installation process generates self-signed certificates on your behalf. Replace them with certificates signed by a trusted certificate authority (CA) as soon as the installation completes.

You can use the uipathctl CLI tool to update certificates post-installation. For details, see uipathctl documentation.

Generating a certificate signing request (CSR) and private key

To generate a CSR and a private key, run the following commands:

# copy the machine openssl configuration locally
cp /etc/pki/tls/openssl.cnf ./openssl.tmp.cnf

# Replace the [AUTOMATION_SUITE_FQDN] value. For example, "automationsuite.corp.com"
AS_FQDN=[AUTOMATION_SUITE_FQDN]

# append a SAN section covering every hostname the suite is reached through
cat >> ./openssl.tmp.cnf <<EOF
[SAN]
subjectAltName=DNS:$AS_FQDN,DNS:alm.$AS_FQDN,DNS:monitoring.$AS_FQDN,DNS:registry.$AS_FQDN,DNS:objectstore.$AS_FQDN,DNS:insights.$AS_FQDN
EOF

# create the certificate request; -nodes leaves the private key unencrypted,
# which is the form the update command later expects
openssl req -new -sha256 -newkey rsa:2048 -nodes -keyout server.key -subj "/C=xx/ST=xx/O=xx/OU=xx/CN=$AS_FQDN" -reqexts SAN -config openssl.tmp.cnf -out ${AS_FQDN}.csr

# the key is unencrypted on disk: restrict who can read it
chmod 600 server.key

Your IT team uses the resulting CSR to generate the signed certificate. The generated private key remains local; only the CSR is handed over.

Managing TLS certificates

To view more information about managing TLS certificates, run the following command:

uipathctl config tls-certificates --help

Output:

************************************************************************************
Manage tls certificates

Usage:
  uipathctl config tls-certificates [flags]
  uipathctl config tls-certificates [command]

Available Commands:
  get         Get the current tls certificates
  update      Update tls certificates

Flags:
  -h, --help   help for tls-certificates

Global Flags:
      --context string      name of the kubeconfig context to use
      --kubeconfig string   kubectl configuration file (default: ~/.kube/config)
      --log-format string   log format. one of [text,json] (default "text")
      --log-level string    set log level. one of [trace,debug,info,error] (default "error")
  -q, --quiet               suppress all output except for errors and warnings
      --timeout duration    timeout of the command (default 1h0m0s)

************************************************************************************

Locating the TLS certificates

The certificates are stored as secrets at the Istio level. You can find them in the secret named istio-ingressgateway-certs in the <istio-system> namespace.

The secret holds the following certificate files:

  • the server TLS certificate, stored as tls.crt
  • the server TLS private key, stored as tls.key
  • the CA bundle, stored as ca.crt

You can inspect the secret with the following command:

oc -n <istio-system> get secrets istio-ingressgateway-certs -o yaml

Certificates are also stored in the <uipath> namespace. This applies to every UiPath® product that needs certificate information to trust incoming calls. For details, see Understanding the container architecture related to certificates.

Updating the TLS certificates

Important:

Before updating the server certificate, you must decrypt the certificate key (remove its passphrase). Skipping the decryption step causes the update to fail.

To decrypt the certificate key, run the following command:

# replace /path/to/encrypted/cert/key with the absolute path of the key
# replace /path/to/decrypt/cert/key with the path where the decrypted key is stored
# when prompted, enter the passphrase or password that protects the key
# the output key is unencrypted: keep it out of shared locations and restrict its permissions

openssl rsa -in /path/to/encrypted/cert/key -out /path/to/decrypt/cert/key
chmod 600 /path/to/decrypt/cert/key

To update the certificates, run the following uipathctl command. You need the path to each of the three certificate files, all in PEM format.
  • Certificate Authority bundle - this bundle must contain only the chain certificates used to sign the TLS server certificate. The certificate passed with the --cacert option must not contain branch certificates. The chain is limited to a maximum of nine certificates.
  • Server certificate - the public server certificate

    Note: The server.crt file must contain the entire chain, in the following order:
    -----server cert-----
    -----root ca chain-----
  • Private key - the private key of the server certificate

uipathctl config tls-certificates update --cert server.crt --cacert ca.crt --key server.key

If you choose to manage the certificates yourself, use the --use-istio-cert flag with the certificates update command. This flag copies the existing secrets to the <uipath> namespace. When you use --use-istio-cert, do not pass any other certificate flags, otherwise the command fails. If you use a namespace other than <uipath>, specify it with the --namespace flag.
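As an added pre-flight check, not part of UiPath's documentation or tooling, the following script verifies the conditions this page imposes on the three files before they are handed to uipathctl config tls-certificates update: the key is unencrypted (the decryption step above), --cert starts with the server certificate for the FQDN and carries the SANs from the CSR section, the private key belongs to that certificate, the certificate verifies against --cacert, and --cacert holds at most nine certificates. Two checks are this example's own policy rather than the page's: every certificate in the bundle must be a CA (the same test is worth running on any bundle passed to additional-ca-certificates update), and the RSA key must be at least 2048 bits; the rsa_key_bits helper also serves the 4096-bit cap the token-signing section states later. make_fixtures builds a throwaway root CA ("Test Root CA") and a server certificate for the page's example FQDN so the script runs offline; the script name tls-preflight.sh, the function names and the passphrase are assumptions. It needs OpenSSL 1.1.1 or newer.

```shell
#!/usr/bin/env bash
# Added example, not UiPath's own tooling: pre-flight checks on the three files passed to
# "uipathctl config tls-certificates update". Assumes bash or POSIX sh with OpenSSL >= 1.1.1.
set -u

# Number of PEM certificate blocks in a file (the page caps the --cacert chain at nine).
pem_cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Split a PEM bundle into one file per certificate under directory $2 (00.pem, 01.pem, ...).
split_pem() {
  mkdir -p "$2"
  awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%02d.pem", dir, n - 1) } f { print > f }' "$1"
}

# Every certificate in a CA bundle must carry basicConstraints CA:TRUE; a leaf in --cacert
# (or in an additional-ca-certificates bundle) is a mistake. This policy is the example's own.
bundle_has_only_cas() {
  local tmp f
  tmp=$(mktemp -d)
  split_pem "$1" "$tmp"
  for f in "$tmp"/*.pem; do
    openssl x509 -in "$f" -noout -ext basicConstraints 2>/dev/null | grep -q 'CA:TRUE' \
      || { rm -rf "$tmp"; return 1; }
  done
  rm -rf "$tmp"
}

# The page requires an unencrypted key: grep catches PKCS#8 and legacy PEM headers, and the
# pkey call confirms the file parses without a passphrase.
key_is_unencrypted() {
  ! grep -q ENCRYPTED "$1" && openssl pkey -in "$1" -noout -passin pass: >/dev/null 2>&1
}

# Same "openssl rsa" step the page uses to strip the passphrase; the plaintext key is created 0600.
decrypt_key() { # $1 encrypted key, $2 output path, $3 passphrase
  (umask 077 && openssl rsa -in "$1" -passin "pass:$3" -out "$2" >/dev/null 2>&1)
}

# RSA modulus size in bits (the page caps token-signing keys at 4096 bits).
rsa_key_bits() {
  openssl pkey -in "$1" -noout -text -passin pass: 2>/dev/null \
    | sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# The first PEM block of --cert must be the server certificate for the FQDN and list every SAN.
cert_is_leaf_for() { # $1 cert file, $2 fqdn, $3.. required DNS SANs
  local cert=$1 fqdn=$2 sans h
  shift 2
  openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | grep -qxF "subject=CN=$fqdn" || return 1
  sans=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null | tail -n +2 \
         | tr ',' '\n' | sed 's/^[[:space:]]*//')
  for h in "$@"; do printf '%s\n' "$sans" | grep -qxF "DNS:$h" || return 1; done
}

# The public key in the first certificate block must be the one the private key belongs to.
cert_matches_key() {
  local a b
  a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  b=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# The server certificate must chain to the bundle given as --cacert.
chain_verifies() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# All checks in one call; the first failure is named on stderr and the function returns 1.
preflight_tls_files() { # $1 server.crt, $2 ca.crt, $3 server.key, $4 fqdn
  local cert=$1 ca=$2 key=$3 fqdn=$4 bits
  key_is_unencrypted "$key"             || { echo "key is passphrase-protected; decrypt it first" >&2; return 1; }
  [ "$(pem_cert_count "$cert")" -ge 2 ] || { echo "--cert must hold the server cert followed by its chain" >&2; return 1; }
  [ "$(pem_cert_count "$ca")" -le 9 ]   || { echo "--cacert chain exceeds nine certificates" >&2; return 1; }
  bundle_has_only_cas "$ca"             || { echo "--cacert contains a non-CA certificate" >&2; return 1; }
  cert_is_leaf_for "$cert" "$fqdn" "$fqdn" "alm.$fqdn" "monitoring.$fqdn" "registry.$fqdn" \
                   "objectstore.$fqdn" "insights.$fqdn" \
                                        || { echo "first block is not the server cert for $fqdn with all SANs" >&2; return 1; }
  cert_matches_key "$cert" "$key"       || { echo "server cert and private key do not match" >&2; return 1; }
  chain_verifies "$cert" "$ca"          || { echo "server cert does not verify against --cacert" >&2; return 1; }
  bits=$(rsa_key_bits "$key")
  [ "${bits:-0}" -ge 2048 ]             || { echo "RSA key is ${bits:-?} bits; this example requires 2048 or more" >&2; return 1; }
}

# Constructed sample input, not real infrastructure: a throwaway root CA and a server certificate
# for the page's example FQDN, written out in the layout the page requires.
make_fixtures() { # $1 work dir, $2 fqdn
  local d=$1 fqdn=$2
  mkdir -p "$d"
  cat > "$d/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Test Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s,DNS:alm.%s,DNS:monitoring.%s,DNS:registry.%s,DNS:objectstore.%s,DNS:insights.%s\n' \
    "$fqdn" "$fqdn" "$fqdn" "$fqdn" "$fqdn" "$fqdn" > "$d/san.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -config "$d/openssl.cnf" \
    -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$d/openssl.cnf" -subj "/CN=$fqdn" \
    -keyout "$d/server.key" -out "$d/server.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -days 1 -sha256 -extfile "$d/san.cnf" -out "$d/leaf.crt" >/dev/null 2>&1
  cat "$d/leaf.crt" "$d/ca.crt" > "$d/server.crt" # server cert first, then the CA chain
}

# Usage: tls-preflight.sh server.crt ca.crt server.key automationsuite.corp.com
if [ "$#" -eq 4 ]; then
  preflight_tls_files "$@" && echo "ok: run uipathctl config tls-certificates update --cert $1 --cacert $2 --key $3"
fi
```

The same functions work against what is already deployed: write the output of oc -n <istio-system> get secret istio-ingressgateway-certs -o jsonpath='{.data.tls\.crt}' | base64 -d to a file and pass it as the --cert argument, which tells you whether the running ingress still presents the full chain described above.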

Accessing the TLS certificates

To print the certificate files, run the following command:

uipathctl config tls-certificates get

Managing additional CA certificates

Important:

If you want the cluster to trust external software, you may need to provide additional trusted CA certificates. Examples are the SQL Server CA certificate, the SMTP server CA certificate, and the CA certificate of an external S3-compatible object store.

You must provide the CA certificates for any external software that requires TLS communication during installation. If you have not enabled TLS communication, you can configure it after installation.

To view more information about additional CA certificates, run the following command:

uipathctl config additional-ca-certificates --help

Output:

***************************************************************************************

Manage additional ca certificates

Usage:
  uipathctl config additional-ca-certificates [flags]
  uipathctl config additional-ca-certificates [command]

Available Commands:
  get         Get the current additional ca certificates
  update      Update additional ca certificates

Flags:
  -h, --help   help for additional-ca-certificates

Global Flags:
      --context string      name of the kubeconfig context to use
      --kubeconfig string   kubectl configuration file (default: ~/.kube/config)
      --log-format string   log format. one of [text,json] (default "text")
      --log-level string    set log level. one of [trace,debug,info,error] (default "error")
  -q, --quiet               suppress all output except for errors and warnings
      --timeout duration    timeout of the command (default 1h0m0s)

***************************************************************************************

The following sections describe the operations you can perform with the uipathctl config additional-ca-certificates command.

Updating the CA certificates

This command adds to or replaces the currently configured CA certificates.

uipathctl config additional-ca-certificates update --cacert additional_ca.crt

Note:
The command above appends the new certificates to the existing list. To replace all previously configured certificates instead, append --replace to the command.
The CA certificate bundle file must be valid PEM and may contain multiple certificates.

Accessing the CA certificates

To download the configured CA certificates, run the following command:

uipathctl config additional-ca-certificates get

Managing identity token-signing certificates

Automation Suite offers two methods to manage the rotation of identity token-signing certificates: automatic and manual.

To view more information about identity token-signing certificates, run the following command:

uipathctl config token-signing-certificates --help

Output:

************************************************************************************

Manage token signing certificates

Usage:
  uipathctl config token-signing-certificates [flags]
  uipathctl config token-signing-certificates [command]

Available Commands:
  get         Get the current token signing certificate
  rotate      Rotate token signing certificates
  update      Update future token signing certificate

Flags:
  -h, --help   help for token-signing-certificates

Global Flags:
      --context string      name of the kubeconfig context to use
      --kubeconfig string   kubectl configuration file (default: ~/.kube/config)
      --log-format string   log format. one of [text,json] (default "text")
      --log-level string    set log level. one of [trace,debug,info,error] (default "error")
  -q, --quiet               suppress all output except for errors and warnings
      --timeout duration    timeout of the command (default 1h0m0s)

************************************************************************************

Important:

Signing certificates support a maximum key length of 4096 bits. Use an RSA key of at least 2048 bits; shorter RSA keys such as 512 bits have been publicly factored and must not be used.

The following sections provide details on the operations you can perform with the uipathctl config token-signing-certificates command.

Automatic certificate rotation

Automatic certificate rotation means Automation Suite manages the lifecycle of signing keys. This includes rotating keys every 90 days, announcing new keys 14 days prior to rotation, retaining old keys for 14 days post-rotation, and then deleting them when the 14-day period ends.

If you are upgrading from an older version to 2024.10, automatic certificate rotation is disabled by default. To enable automatic key management, run the following command:

uipathctl config token-signing-certificates automatic-key-management enable

Important:

Enabling automatic certificate rotation may cause downtime of up to one hour.

Automatic certificate rotation is enabled by default for clean Automation Suite installations. To disable automatic key management, run the following command:

uipathctl config token-signing-certificates automatic-key-management disable

If automatic management is disabled, signing certificates must be updated and rotated manually. For details, see the following sections on manually updating and rotating the certificate.

Manually updating the certificate

To upload a new certificate for signing tokens, run the following command:

Note:

The following command does not replace the existing token-signing certificate. It stages the future signing certificate, which becomes active when you rotate.

Make sure the certificate you provide is in PEM format. The server.crt file must contain the entire chain, in the following order:
-----server cert-----
-----root ca chain-----

uipathctl config token-signing-certificates update --cert server.crt --key server.key

Manually rotating the certificate

To rotate the old certificate out and replace it with the new one, run the following command:

uipathctl config token-signing-certificates rotate

Accessing the certificate

To download the current token-signing certificate, run the following command:

uipathctl config token-signing-certificates get

Note:

Allow a lead time of about 24 to 48 hours between updating the certificate and rotating it.

This lead time is needed so that cached tokens signed by the old certificate continue to authenticate.

Rotating the certificate too early, before the cached tokens expire, can cause downtime. In that case you may have to restart all robots.

© 2005-2024 UiPath. All rights reserved.