
Orchestrator User Guide

Last updated April 23, 2026

Orchestrator Credentials Proxy

You can add your own credential stores to Orchestrator, so that you control the security of connection data independently.

To do that, you load the credential store plugins you want, in the form of .dll files, into the Orchestrator Credentials Proxy web service. The installation kit contains all plugins supported by UiPath, but you can also develop your own plugin .dll files to load. The service then makes your plugins available to Orchestrator through a proxy, which is created in Orchestrator from the public URL and the secret key generated by the proxy.

Known issue

This applies only to scenarios in which the Orchestrator Credentials Proxy port is set to a value other than the default, 443.

When you upgrade from any version between 1.0.0 and 2.0.1 and a custom port is in use, the local port in the UiPathOrchestratorCredentialsProxy inbound rule is automatically changed to 443, the default port. This blocks connections to the proxy.

To work around this issue, manually change the local port in the inbound rule when you upgrade.

Installation

The Orchestrator Credentials Proxy can be installed either through an .msi installer or through a Docker image provided by UiPath.

Through the .msi installer

Prerequisites

Hardware requirements

These are the minimum requirements for running the proxy on a Windows Server with IIS. Actual resource needs vary with individual usage.

CPU cores | RAM
2         | 4 GB

Software requirements

One of the following Windows Server versions is required to install the proxy:

  • 2012 R2
  • 2016
  • 2019
  • 2022
  • 2025

To use the proxy, the following are required:

  • ASP.NET Core version 3.1 or later
  • IIS 8.0 or later
  • The following server roles must be installed on your machine:
    • IIS Default Document
    • IIS HTTP Errors
    • IIS Static Content
    • IIS Request Filtering
    • IIS URL Authorization
    • IIS Windows Authentication
    • IIS ASPNET45
    • IIS ISAPI Extensions
    • IIS ISAPI Filters
    • IIS WebSocket
    • IIS Application Initialization
    • IIS Management Console
Note:
  • For Windows Server machines, install the roles using Server Manager.
  • For Windows 10 or Windows 11 machines, install the roles using the Turn Windows features on or off utility under Control Panel > Programs.
Installation steps

Follow these steps to perform the installation:

  1. Download the UiPath Orchestrator Credential Proxy installer from the Customer Portal.
  2. Install the proxy, providing the values described below for the proxy type you choose.

Connected proxy

  • Public URL - the Orchestrator Credentials Proxy's URL that is publicly exposed
  • SSL Certificate - the Subject or Thumbprint of the SSL certificate used to secure connections with the Orchestrator Credentials Proxy. This is the SSL certificate installed on the computer or web server hosting the proxy.

Note that it must be issued by a public certificate provider, and it needs to be valid for the Public URL.

  • Port - the port corresponding to the Public URL
  • Secret Key - (automatically generated) the key needed for configuring a custom proxy in the Orchestrator interface; make sure to copy it to your clipboard for future use.

The key can also be changed manually, which is how key rotation is done.

Disconnected proxy

This feature is only available if you are on the Enterprise - Advanced licensing plan for the Flex Pricing Plan, or Enterprise or Application Test Enterprise for the Unified Pricing Plan.

  • SSL Certificate - the Subject or Thumbprint of the SSL certificate used to secure connections with the Orchestrator Credentials Proxy. This is the SSL certificate installed on the computer or web server hosting the proxy.
  • Port - the port corresponding to the URL
  • Secret Key - (automatically generated) the key needed for configuring a custom proxy in the Orchestrator interface; make sure to copy it to your clipboard for future use.

The key can also be changed manually, which is how key rotation is done.

After installation, the AppSettings.CredentialsProxyType parameter in the appsettings.Production.json file is set to "Disconnected". This is how the proxy detects its type at startup.

Note:

The Anonymous Authentication option must be set to Enabled in IIS for the proxy to work.

Encrypting the Jwt:Keys parameter

To add an extra layer of security, you can encrypt the Jwt:Keys and SecureStoreConfigurations:Context parameters in your appsettings.json file.

Note:

This requires UiPath.ConfigProtector.exe version 1.0.9 or higher.

Through the Docker image

Preliminary information

All editable Orchestrator Credentials Proxy settings are found in its appsettings.json file. The following parameters are important during initial setup:

  • Jwt:Keys - (initially empty) this string array is used to set up the proxy's authentication. The array holds the keys that you use during proxy creation and that allow Orchestrator to retrieve data from the proxy. Any invalid values are ignored. If no valid value is found, the proxy does not start.

The keys must be in base64 format and can be generated with either of the following PowerShell scripts.

# PowerShell 7 (.NET 6 or later): the static RandomNumberGenerator.GetBytes method
$bytes = [System.Security.Cryptography.RandomNumberGenerator]::GetBytes(64)
$jwtSigningKey = [Convert]::ToBase64String($bytes)
Write-Host $jwtSigningKey

The script above generates 64 random bytes using a cryptographically secure random number generator and converts them to a base64 string.

# Windows PowerShell 5.1: fill a 64-byte buffer from the CSPRNG
[Byte[]] $bytes = 1..64
$rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
$rng.GetBytes($bytes)
$jwtSigningKey = [Convert]::ToBase64String($bytes)
Write-Host $jwtSigningKey

  • appSettings:Plugins.SecureStores - (initially set to the default credential stores available in Orchestrator) this is a CSV string that specifies which .dll assemblies should be loaded from disk (from path/plugins) for the proxy to use as secure stores. Adding an invalid assembly to the list does not break startup, but a log error is recorded when the proxy tries to deploy that assembly.
  • appSettings:SigningCredentialSettings:FileLocation:SigningCredential:FilePath and appSettings:SigningCredentialSettings:FileLocation:SigningCredential:Password - (initially hidden) used to encrypt the Jwt:Keys and SecureStoreConfigurations:Context parameters. These represent the file path and password of the signing certificate.
  • appSettings:SigningCredentialSettings:StoreLocation:Name, appSettings:SigningCredentialSettings:StoreLocation:Location, and appSettings:SigningCredentialSettings:StoreLocation:NameType - (initially hidden) used to encrypt the Jwt:Keys and SecureStoreConfigurations:Context parameters.

Set up and run the Docker image

To run the Orchestrator Credentials Proxy using Docker, follow these steps.

  1. Download the Docker image

You can download the image from http://registry.uipath.com/.

Note:

Make sure to include the required version of the Orchestrator Credentials Proxy in the URL. For example, to download the image for version 2.1.4, use:

http://registry.uipath.com/orchestrator-credentialsproxy:2.1.4

This URL points to the Docker image and must be accessed through the Docker CLI, not a web browser.

Note that version 1.0.0 supports only connected proxies, while version 2.0.0 and later also supports disconnected proxies.

Use the following commands to fetch and run the image:

$bytes = [System.Security.Cryptography.RandomNumberGenerator]::GetBytes(64);
$jwtSigningKey = [Convert]::ToBase64String($bytes);
docker run -e LICENSE_AGREEMENT=accept -e Jwt__Keys__0=$jwtSigningKey -p 8000:8080 registry.uipath.com/orchestrator-credentialsproxy:1.0.0

This is the default UiPath image, which contains the credential stores already available in your cloud account. You can deploy the image in the cloud environment of your choice.

The commands above also generate the key.

  2. Create your own custom Docker image

You can create your own Docker image, with additional assemblies, based on the image provided by UiPath and downloaded in step 1. To do so:

  1. Create a new Dockerfile (named CustomDockerfile for the purpose of this example) and add the following content to it:
    FROM {docker-image-path}
    RUN rm -rf ./plugins
    COPY --chown=1001:0 {path of your custom assemblies} ./plugins
    ENTRYPOINT ["dotnet", "UiPath.OrchestratorCredentialsProxy.dll"]

    • Replace {docker-image-path} with the path of the initial Docker image provided by UiPath.
    • Replace {path of your custom assemblies} with the path to your own credential store .dll files.
  2. Build the Docker image using the following command, which includes the name of the newly created Dockerfile:
    docker build -f CustomDockerfile . -t customproxy

  3. Run the Docker image:
    docker run --publish 8000:8080 -e LICENSE_AGREEMENT="accept" -e Jwt__Keys__0=$jwtSigningKey -e appSettings__Plugins.SecureStores="{your-list-of-assemblies}" customproxy

    • Replace {your-list-of-assemblies} with the custom credential store .dll files you want to add to Orchestrator.

  3. Run the Docker image

To run the image with one Jwt:Keys parameter:

  ```
  docker run --publish 8000:8080 -e LICENSE_AGREEMENT="accept" -e Jwt__Keys__0=$jwtSigningKey {docker-image-name}
  ```

To run the image with multiple Jwt:Keys parameters (one distinct key per index):

  ```
  docker run --publish 8000:8080 -e LICENSE_AGREEMENT="accept" -e Jwt__Keys__0=$jwtSigningKey0 -e Jwt__Keys__1=$jwtSigningKey1 -e Jwt__Keys__2=$jwtSigningKey2 ... {docker-image-name}
  ```
  * Replace `{docker-image-name}` with the name you set for your custom Docker image.

To run the image with a custom value for the appSettings:Plugins.SecureStores parameter (that is, with only the credential stores you need), replace the content of this parameter with your own credential store .dll files:

  ```
  docker run --publish 8000:8080 -e LICENSE_AGREEMENT="accept" -e Jwt__Keys__0=$jwtSigningKey -e appSettings__Plugins.SecureStores="UiPath.Orchestrator.CyberArk.dll;UiPath.Orchestrator.AzureKeyVault.SecureStore.dll" {docker-image-name}
  ```

  4. (Optional) Test the new Docker image

To test your image, open its Swagger UI at http://localhost:8000/swagger/index.html and check that the dedicated unauthenticated /Health endpoint works. A successful request returns an empty response with a 200 OK HTTP status code.

Configuration

Connected and disconnected proxies

The first step in configuring the proxy is to place the custom .dll plugins you want to use in the C:\Program Files\UiPath\CredentialsProxy\plugins folder.

Some credential stores may require you to configure settings at the application, host, or proxy level. These settings are equivalent to their counterparts in Orchestrator. You must specify them in the proxy's appsettings.Production.json file.

CyberArk

You must add any host-level settings, such as CLIPasswordSDKExePath, UsePowerShellCLI, or AdditionalAllowedCharacters, under the AppSettings parameter of the appsettings.Production.json file:

{
// ...
  "AppSettings": {
    "Plugins.SecureStores.CyberArk.CLIPasswordSDKExePath": "D:\\PathName\\CLIPasswordSDK.exe",
    // ...
  }
  // ...
}

CyberArk CCP

If you cannot retrieve CyberArk CCP credentials through the proxy, add the following parameter to the appsettings.Production.json file:

{
// ...
  "AppSettings": {
    "Plugins.SecureStores.CyberArkCCP.KeyStorageFlags": "MachineKeySet",
    // ...
  }
  // ...
}

HashiCorp Vault

To enable the Kerberos authentication protocol and activate forwarding to the active node for HashiCorp Vault, add the following parameters to the appsettings.Production.json file:

{
// ...
  "AppSettings": {
    "Plugins.SecureStores.HashiCorp Vault.KerberosEnabled": "true", // Optional, for Kerberos enablement
    "Plugins.SecureStores.HashiCorp Vault.ForwardToActiveNode": "true", // Optional, for forwarding to active node
    // ...
  }
  // ...
}

HashiCorp Vault (read only)

To enable the Kerberos authentication protocol and activate forwarding to the active node for HashiCorp Vault (read only), add the following parameters to the appsettings.Production.json file:

{
// ...
  "AppSettings": {
    "Plugins.SecureStores.HashiCorp Vault (read only).KerberosEnabled": "true", // Optional, for Kerberos enablement
    "Plugins.SecureStores.HashiCorp Vault (read only).ForwardToActiveNode": "true", // Optional, for forwarding to active node
    // ...
  }
  // ...
}

Disconnected proxy only

This proxy type is fully independent of Orchestrator, so you must provide the information about your credential vaults locally, in the appsettings.Production.json configuration file. You can find the file at: C:\Program Files\UiPath\OrchestratorCredentialsProxy\appsettings.Production.json

You must edit the following fields in the AppSettings - SecureStoreConfigurations section of that file:

  • Key - the identifier key for the configuration
  • Type - the credential vault type identified in the .dll file, which is configured through the Plugins.SecureStores parameter in appsettings.json (see the examples below)
  • Context - the connection information relevant to the secure store implementation
    Important:

    After editing the configuration file, you need to restart the service from IIS.

Configuration examples

You need to add the following examples to the appsettings.Production.json configuration file in order to start the disconnected proxy. Otherwise, the service does not start.

Choose the example that matches your credential store type, or use the last example on this page to add multiple credential stores.


Note:

Before making any changes to the appsettings.Production.json file, make sure to create a backup of the original file. This lets you easily restore the initial configuration, or compare changes, if something goes wrong during setup.

AWS Secrets Manager / AWS Secrets Manager (read only)
...
"SecureStoreConfigurations": [
      {
        "Key": "<MyAwsStore>",
        "Type": "AWS Secrets Manager", // or "AWS Secrets Manager (read only)"
        "Context": {
          "UseDefaultCredentials": "true",
          "AccessKey": "<AccessKey>",
          "SecretKey": "<SecretKey>",
          "Region": "<SelectedRegion>"
        }
      },
    ]
...
Azure Key Vault (read only)
...
"SecureStoreConfigurations": [
      {
        "Key": "<MyAzureStore>",
        "Type": "AzureKeyVault (read only)",
        "Context": {
          "KeyVaultUri": "<KeyVaultUri>",
          "DirectoryId": "<DirectoryId>",
          "ClientId": "<ClientId>",
          "ClientSecret": "<ClientSecret>"
        }
      },
    ]
...
Important:

Azure Key Vault (read/write) is not supported.

BeyondTrust Password Safe - Managed Accounts
...
"SecureStoreConfigurations": [
      {
        "Key": "<MyBeyondTrustManagedAccountsSafe>",
        "Type": "BeyondTrust Password Safe - Managed Accounts",
        "Context": {
          "Hostname": "<HostName>",
          "APIRegistrationKey": "<ApiRegistrationKey>",
          "APIRunAsUsername": "<Username>",
          "DefaultManagedSystemName": "", // can be empty or a string
          "SystemAccountDelimiter": "/", // default account delimiter is "/", but it can be changed
          "ManagedAccountType": "<ManagedAccountType>" // expected value is one of "system", "domainlinked", "database", "cloud", "application"
        }
      },
    ]
...
BeyondTrust Password Safe - Team Passwords
...
"SecureStoreConfigurations": [
      {
        "Key": "<MyBeyondTrustTeamPasswordSafe>",
        "Type": "BeyondTrust Password Safe - Team Passwords",
        "Context": {
          "Hostname": "<HostName>",
          "APIRegistrationKey": "<ApiRegistrationKey>",
          "APIRunAsUsername": "<Username>",
          "FolderPathPrefix" : "/", // default delimiter is "/", but it can be changed
          "FolderPasswordDelimiter" : "/" // default delimiter is "/", but it can be changed
        }
      },
    ]
...
CyberArk - AIM
...
"SecureStoreConfigurations": [
      {
        "Key": "<MyCyberArk>",
        "Type": "CyberArk",
        "Context": {
          "ApplicationId": "<App_MyCyberArk>",
          "Safe": "<Passwords>",
          "Folder": "<MyFolder>"
        }
      },
    ]
...

Any host-level settings (such as CLIPasswordSDKExePath, UsePowerShellCLI, or AdditionalAllowedCharacters) need to be placed under the AppSettings parameter, in the same way as in Orchestrator.

{
// ...
  "AppSettings": {
    "Plugins.SecureStores.CyberArk.CLIPasswordSDKExePath": "D:\\<MyPath>\\CLIPasswordSDK.exe",
    "Plugins.SecureStores": "UiPath.Orchestrator.CyberArk.dll;UiPath.Orchestrator.AzureKeyVault.SecureStore.dll;UiPath.Orchestrator.SecureStore.CyberArkCCP.dll;UiPath.Orchestrator.SecureStore.CyberArkConjur.dll;UiPath.Orchestrator.SecureStore.HashiCorpVault.dll;UiPath.Orchestrator.SecureStore.ThycoticSecretServer.dll;UiPath.Orchestrator.SecureStore.BeyondTrust.dll;UiPath.Orchestrator.SecureStore.AWSSecretsManager.dll",
    "CredentialsProxyType": "Disconnected"
    // ...
  }
  // ...
}
CyberArk - CCP
...
"SecureStoreConfigurations": [
      {
        "Key": "<MyCyberArkCCPStore>",
        "Type": "CyberArkCCP",
        "Context": {
          "ApplicationId": "<ApplicationId>",
          "Safe": "<CyberArkSafe>",
          "Folder": "<CyberArkFolder>",
          "WebServiceUrl": "<CentralCredentialProviderUrl>",
          "WebServiceName": "<WebServiceName>",
          "SerializedClientCertificate": "<ClientCertificate>", // must be the ".pfx" file's content as base64 string
          "ClientCertificatePassword": "<ClientCertificatePassword>",
          "SerializedRootCA": "<someServerRootCA>" // must be the ".crt" or ".cer" file's content as base64 string
        }
      },
    ]
...

Depending on the IIS configuration, you may need to configure additional KeyStorageFlags, as follows:

"AppSettings": {
...
"Plugins.SecureStores.CyberArkCCP.KeyStorageFlags": "MachineKeySet",
...
}

You can convert a PFX, CRT, or CER file to a base64 string as follows:

# Windows PowerShell 5.1 syntax; on PowerShell 7 replace "-Encoding Byte" with "-AsByteStream"
$fileContentBytes = Get-Content 'C:\path\to\the.pfx' -Encoding Byte
[System.Convert]::ToBase64String($fileContentBytes) | Out-File 'C:\path\to\the.txt'
CyberArk Conjur Cloud (read only)
...
"SecureStoreConfigurations": [
      {
        "Key": "MyCyberArkConjur",
        "Type": "CyberArk Conjur Cloud (read only)",
        "Context": {
          "ServiceUrl": "https://{myCyberArkConjurUrl}/",
          "LoginName": "{myLoginName}",
          "ApiKey": "{myApiKey}",
          "VariableIdPrefix": "{myPrefix}"
        }
      },
    ]
...
CyberArk Conjur (read only)
...
"SecureStoreConfigurations": [
  {
    "Key": "MyCyberArkConjur",
    "Type": "CyberArk Conjur (read only)",
    "Context": {
      "ApplianceUrl": "https://{company}.secretsmgr.cyberark.cloud/api",
      "Account": "{myAccount}",
      "AuthenticationType": "{Jwt|ApiKey}",
      "JWT":  {
          "JwtServiceId": "{myJwtServiceId}",
          "IdentityProviderUrl": "{myIdentityProviderUrl}",
          "ClientId": "{myClientId}",
          "ClientSecret": "{myClientSecret}",
          "Scope": "{myScope}"
      },
      "ApiKey": {
          "LoginName": "{myLoginName}",
          "Key": "{myApiKey}"
      },
      "HostId": "{myHostId}",
      "VariableIdPrefix": "{myPrefix}"
    }
  },
]
...
HashiCorp Vault / HashiCorp Vault (read only)
...
"SecureStoreConfigurations": [
      {
        "Key": "<MyHashiCorp>",
        "Type": "HashiCorp Vault", // or "HashiCorp Vault (read only)"
        "Context": {
          "VaultUri": "<VaultUri>",
          "AuthenticationType": "<AppRole>",
          "RoleId": "<RoleId>",
          "SecretId": "<SecretId>",
          "Username": "<Username>",
          "Password": "<Password>",
          "Token": "<Token>",
          "SecretsEngine": "<KeyValueV2>",
          "SecretsEngineMountPath": "<Secret>",
          "DataPath": "<applications/orchestrator>",
          "Namespace": "<orchestrator>",
          "LdapUseDynamicCredentials" : "true",
          "KerberosSPN": "HTTP/vault-spn"
        }
      },
    ]
...

Any host-level settings (such as Plugins.SecureStores.HashiCorp Vault.KerberosEnabled, Plugins.SecureStores.HashiCorp Vault (read only).KerberosEnabled, Plugins.SecureStores.HashiCorp Vault (read only).ForwardToActiveNode, or Plugins.SecureStores.HashiCorp Vault.ForwardToActiveNode) need to be placed under the AppSettings parameter, in the same way as in Orchestrator.

{
// ...
  "AppSettings": {
    // Optional, for Kerberos Enablement
    "Plugins.SecureStores.HashiCorp Vault.KerberosEnabled": "true",
    "Plugins.SecureStores.HashiCorp Vault (read only).KerberosEnabled": "true",
    // Optional, for Forwarding to Active node
    "Plugins.SecureStores.HashiCorp Vault.ForwardToActiveNode": "true",
    "Plugins.SecureStores.HashiCorp Vault (read only).ForwardToActiveNode": "true",
    // ...
  }
  // ...
}
Thycotic Secret Server
...
"SecureStoreConfigurations": [
      {
        "Key": "<MyThicoticServer>",
        "Type": "Thycotic Secret Server",
        "Context": {
          "SecretServerUrl": "<ServerUrl>",
          "RuleName": "<Rule>",
          "RuleKey": "<Key>",
          "UsernameField": "<Username>",
          "PasswordField": "<Password>"
        }
      },
    ]
...
Google Secret Manager
...
"SecureStoreConfigurations": [
      {
        "Key": "<GoogleSecretManager>",
        "Type": "Google Secret Manager",
        "Context": {
          "ProjectId": "<ProjectId>",
          "ServiceAccountKeyJson": "<ServiceAccountKeyJson>"
        }
      },
    ]
...
Google Secret Manager (read only)
...
"SecureStoreConfigurations": [
      {
        "Key": "<GoogleSecretManager>",
        "Type": "Google Secret Manager (read only)",
        "Context": {
          "ProjectId": "<ProjectId>",
          "ServiceAccountKeyJson": "<ServiceAccountKeyJson>"
        }
      },
    ]
...
Multiple credential stores

If you use multiple credential stores, add each additional store after the previous one in the same array, as follows:

{
...
  "AppSettings": {
  ...
    "SecureStoreConfigurations": [
      {
        "Key": "<SecureStoreKey1>",
        "Type": "AzureKeyVault (read only)",
        "Context": {
          "KeyVaultUri": "<Uri>",
          "DirectoryId": "<DirectoryId>",
          "ClientId": "<ClientId>",
          "ClientSecret": "<ClientSecret>"
        }
      },
      {
        "Key": "<SecureStoreKey2>",
        "Type": "BeyondTrust Password Safe - Managed Accounts",
        "Context": {
          "Hostname": "<Host>",
          "APIRegistrationKey": "<ApiKey>",
          "APIRunAsUsername": "<ApiUsername>",
          "DefaultManagedSystemName": "",
          "SystemAccountDelimiter": "/",
          "ManagedAccountType": "system"
        }
      }
    ]
  ...
  }
}

Validation

Important:

This applies only to the disconnected Credentials Proxy.

If the type detected by the proxy is Disconnected, it validates the configuration at startup.

The following are some of the validation steps the proxy performs:

  • The proxy ensures that appsettings.Production.json contains the expected configurations, as detailed in the Configuration section above.
  • The proxy ensures that SecureStoreConfigurations contains no duplicate Key parameters, that is, that the credential stores configured in the appsettings.Production.json file are unique.
  • The SecureStoreConfigurations parameter is an array of configurations. You can add as many credential stores as you need, even of the same type. For example, you can configure several Azure Key Vault (read only) instances, as long as each Key field is unique.
  • The proxy checks that all Type values are valid.
  • Depending on each secure store's implementation, the proxy checks whether the vault can be accessed successfully.
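The startup checks listed above, as an added offline validator (example code written for this page, not UiPath's own implementation) that reads a disconnected proxy's appsettings.Production.json and reports what the proxy would reject: no valid base64 value in Jwt:Keys, duplicate Key values, unknown Type values. The KNOWN_TYPES set is assembled from the Type values in the examples on this page, the vault-reachability check is out of scope, and the sample configuration is constructed.

```python
"""Offline validator for a disconnected Orchestrator Credentials Proxy configuration.

Added example, not UiPath code. It mirrors the startup checks described on this page
without contacting any vault, so it can run in CI before a node is put back behind the
load balancer.
"""
import base64
import binascii
import json

# Type values taken from the configuration examples on this page.
KNOWN_TYPES = {
    "AWS Secrets Manager", "AWS Secrets Manager (read only)",
    "AzureKeyVault (read only)",
    "BeyondTrust Password Safe - Managed Accounts",
    "BeyondTrust Password Safe - Team Passwords",
    "CyberArk", "CyberArkCCP",
    "CyberArk Conjur Cloud (read only)", "CyberArk Conjur (read only)",
    "HashiCorp Vault", "HashiCorp Vault (read only)",
    "Thycotic Secret Server",
    "Google Secret Manager", "Google Secret Manager (read only)",
}


def _is_base64(value):
    """True if value is non-empty, strictly valid base64 (the proxy ignores anything else)."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError, TypeError):
        return False
    return len(raw) > 0


def validate_settings(settings):
    """Return a list of problems; an empty list means the file passes these checks."""
    problems = []
    app = settings.get("AppSettings", {})
    if app.get("CredentialsProxyType") != "Disconnected":
        problems.append("AppSettings.CredentialsProxyType is not 'Disconnected'")

    keys = settings.get("Jwt", {}).get("Keys", [])
    if not any(isinstance(k, str) and _is_base64(k) for k in keys):
        problems.append("Jwt:Keys has no valid base64 value; the proxy would not start")

    stores = app.get("SecureStoreConfigurations", [])
    if not stores:
        problems.append("AppSettings.SecureStoreConfigurations is missing or empty")

    seen = set()
    for i, store in enumerate(stores):
        key = store.get("Key")
        if not key:
            problems.append(f"store #{i}: missing Key")
        elif key in seen:
            problems.append(f"store #{i}: duplicate Key {key!r}")
        seen.add(key)
        if store.get("Type") not in KNOWN_TYPES:
            problems.append(f"store #{i}: unknown Type {store.get('Type')!r}")
        if not isinstance(store.get("Context"), dict):
            problems.append(f"store #{i}: Context must be an object")
    return problems


def validate_file(path):
    """Load appsettings.Production.json from disk and validate it."""
    with open(path, encoding="utf-8") as fh:
        return validate_settings(json.load(fh))


# Constructed sample: the second store re-uses the first store's Key and has a Type
# that does not match any plugin, both of which the proxy rejects at startup.
SAMPLE = {
    "Jwt": {"Keys": [base64.b64encode(b"\x01" * 64).decode("ascii")]},
    "AppSettings": {
        "CredentialsProxyType": "Disconnected",
        "Plugins.SecureStores": "UiPath.Orchestrator.AzureKeyVault.SecureStore.dll",
        "SecureStoreConfigurations": [
            {"Key": "Store1", "Type": "AzureKeyVault (read only)",
             "Context": {"KeyVaultUri": "https://example.invalid/", "DirectoryId": "d",
                         "ClientId": "c", "ClientSecret": "s"}},
            {"Key": "Store1", "Type": "Azure Key Vault", "Context": {}},
        ],
    },
}

if __name__ == "__main__":
    for problem in validate_settings(SAMPLE):
        print(problem)
```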

Logging

If the proxy's application pool has write permissions to the path, the Orchestrator Credentials Proxy logs are stored locally in the C:\Program Files\UiPath\OrchestratorCredentialsProxy folder. This is configured in IIS.

If you do not want to grant write permissions to that folder, you can provide a relative or absolute path of your choice through the NLog.targets.logfile.fileName parameter in appsettings.Production.json.

On Windows machines, the proxy also stores logs in the Windows Event Viewer.

Security considerations

  • Orchestrator only allows secure (HTTPS) URLs for the proxy. The HTTPS certificate must be valid and signed by a widely recognized certificate authority. Self-signed certificates and certificates signed by an internal authority are not supported.
  • Orchestrator authenticates with the client secret generated by the Orchestrator Credentials Proxy. The client secret is stored in the configuration file on the machine where the Orchestrator Credentials Proxy is installed, and Orchestrator stores it encrypted in its database.
  • When editing a credential store proxy in Orchestrator and changing its URL, you must enter the client secret.
  • Orchestrator Credentials Proxy 2.0.0 and later logs operations in the Windows Event Viewer.
  • Binaries must be signed on Windows machines.
  • Docker images must be signed.

Using the Orchestrator Credentials Proxy with a load balancer

If you use the proxy with a load balancer, make sure to maintain the same configuration on all nodes.

Elements that must be kept identical across nodes

  • The proxy installer version. For example, if you use version 1.0.0, all load balancer nodes also need to use version 1.0.0.
  • The settings in the application configuration files. In most cases, these are appsettings.json and appsettings.Production.json. Note that appsettings.Production.json is unique to each installation, so you must add it manually to each node to ensure consistency.
  • The credential store plugins added to path/plugins. All plugins we support are already in this folder, so you only need to take care of any custom plugins you add.

Important things to consider

  • If you want to make any changes to the Docker image configuration in order to install the proxy, we strongly recommend creating a custom Docker image instead. You should then use this custom image to deploy the proxy on all nodes.
  • Some environment variables can have an effect at runtime, for example environment variables that override appsettings.json configuration values or that affect the .NET environment.
  • You can use the dedicated unauthenticated endpoint https://{YourOrchestratorCredentialsProxyURL}/api/v1/Health to check whether the Orchestrator Credentials Proxy is still running.

Updating the Orchestrator Credentials Proxy certificate

For single-node installations, update the SSL certificate as follows:

  1. Import the new certificate into the Personal folder, under Certificates, in the local machine's certificate console (certlm.msc).
  2. In the IIS Management Console, expand Sites, and select UiPath Orchestrator Credential Proxy.
  3. From the right-side panel, select Bindings....
  4. From the Bindings... view, select the default https record, then use the Select... button to choose a certificate.
  5. In the Select Certificate pop-up window, select the newly added certificate.
  6. Select OK until you complete the setup.
    Note:

    For multi-node installations, make sure to update the certificate on all machines.

To update the certificate of an installation that uses a load balancer, use the same steps as above. Because the Orchestrator Credentials Proxy is stateless, remove each node from the load balancer while you update its certificate.

Key rotation

Key rotation with downtime

Note:

This operation requires stopping and restarting the running Orchestrator Credentials Proxy. This can have an impact on any live requests done by Orchestrator.

  1. Generate a new key according to the Orchestrator Credentials Proxy standards.
  2. Stop the Orchestrator Credentials Proxy.
  3. Edit the appsettings.Production.json file and overwrite the existing key with the new one.
  4. Start the Orchestrator Credentials Proxy.
  5. In Orchestrator, go to your Orchestrator Credentials Proxy and edit the Secret field with the new key.

Key rotation without downtime

Note:

This operation requires an Orchestrator Credentials Proxy with a load balancer and a minimum of two Orchestrator Credentials Proxy instances. For more information, check the Installation section.

  1. Generate a new key according to the Orchestrator Credentials Proxy standards.
  2. Add the newly generated key to your Credentials Proxy instances. For each instance, follow this procedure:
    1. Remove the Orchestrator Credentials Proxy instance from the load balancer.
    2. Stop that Orchestrator Credentials Proxy instance.
    3. Open the appsettings.Production.json file. It should contain code similar to the following:
      {
          "Jwt": {
              "Keys": [
                  "{{OldKey}}"
              ],

    4. Add the newly generated key while keeping the existing one. The Keys parameter supports multiple values (comma-separated):
      {
          "Jwt": {
              "Keys": [
                  "{{OldKey}}",
                  "{{NewKey}}"
              ],

    5. Start the Orchestrator Credentials Proxy.
    6. Add the Orchestrator Credentials Proxy instance back to the load balancer.
  3. In Orchestrator, go to your Orchestrator Credentials Proxy and edit the Secret field with the new key.
  4. Later, remove the old key from the Credentials Proxy instances. For each instance, follow this procedure:
    1. Remove the Orchestrator Credentials Proxy instance from the load balancer.
    2. Stop that Orchestrator Credentials Proxy instance.
    3. Open the appsettings.Production.json file. As described in the previous steps, the file should contain two keys:
      {
          "Jwt": {
              "Keys": [
                  "{{OldKey}}",
                  "{{NewKey}}"
              ],

    4. Remove the old key from the file:
      {
          "Jwt": {
              "Keys": [
                  "{{NewKey}}"
              ],

    5. Start the Orchestrator Credentials Proxy.
    6. Add the Orchestrator Credentials Proxy instance back to the load balancer.
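The two file edits in the procedure above (step 2.4 adds the new key beside the old one; step 4.4 removes the old one), as an added Python helper that is not part of UiPath's tooling. It generates the key the same way the PowerShell scripts on this page do (64 random bytes, base64-encoded) and refuses to remove the last remaining key, because a proxy with no valid Jwt key does not start. Stopping the instance, taking it out of the load balancer, and updating the Secret field in Orchestrator remain manual steps; the sample file content is constructed.

```python
"""Jwt:Keys rotation helper for appsettings.Production.json (added example, not UiPath code).

Run once per instance with step "add" while both keys must be valid, then, after the
Secret field in Orchestrator has been updated, once per instance with step "remove".
"""
import base64
import json
import secrets


def generate_key():
    """64 bytes from the OS CSPRNG, base64-encoded: the same shape as the PowerShell scripts above."""
    return base64.b64encode(secrets.token_bytes(64)).decode("ascii")


def add_key(settings, new_key):
    """Step 2.4: append new_key to Jwt:Keys while keeping the existing keys (idempotent)."""
    keys = settings.setdefault("Jwt", {}).setdefault("Keys", [])
    if new_key not in keys:
        keys.append(new_key)
    return settings


def remove_key(settings, old_key):
    """Step 4.4: drop old_key, but never leave the proxy without a key."""
    keys = settings.get("Jwt", {}).get("Keys", [])
    remaining = [k for k in keys if k != old_key]
    if not remaining:
        raise ValueError("refusing to remove the last Jwt key; the proxy would not start")
    settings["Jwt"]["Keys"] = remaining
    return settings


def rotate_file(path, step, key):
    """Apply one rotation step to the JSON file at path, in place; returns the resulting key list.

    Other settings in the file are preserved because the whole document is loaded and rewritten.
    """
    with open(path, encoding="utf-8") as fh:
        settings = json.load(fh)
    if step == "add":
        settings = add_key(settings, key)
    elif step == "remove":
        settings = remove_key(settings, key)
    else:
        raise ValueError(f"unknown step {step!r}; expected 'add' or 'remove'")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(settings, fh, indent=4)
    return settings["Jwt"]["Keys"]


if __name__ == "__main__":
    # Constructed sample: a file that currently holds a single old key.
    cfg = {"Jwt": {"Keys": ["{{OldKey}}"]}, "AppSettings": {"CredentialsProxyType": "Disconnected"}}
    new_key = generate_key()
    add_key(cfg, new_key)            # both keys are accepted while Orchestrator is updated
    remove_key(cfg, "{{OldKey}}")    # later: only the new key remains
    print(json.dumps(cfg, indent=4))
```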
