Orchestrator Credentials Proxy
You can add your own credential store to Orchestrator so that you control the security of the connection data independently.
To do this, you load the required credential store plugin, as a .dll file, into the Orchestrator Credentials Proxy web service. The installation kit contains all plugins supported by UiPath, but you can also develop your own plugin .dll files and load them. The service then makes your plugins available to Orchestrator through a proxy, which is created in Orchestrator from a public URL and a key generated by the proxy.
The Orchestrator Credentials Proxy can be installed either with the .msi installer or from the Docker image provided by UiPath.
Prerequisites
To use the proxy, the following are required:
- ASP.NET Core version 3.1 or 6.0.x
- IIS 8.0 or later
- The following Windows features must be installed:
- IIS Default Document
- IIS HTTP Errors
- IIS Static Content
- IIS Request Filtering
- IIS URL Authorization
- IIS Windows Authentication
- IIS ASPNET45
- IIS ISAPI Extensions
- IIS ISAPI Filters
- IIS WebSocket
- IIS Application Initialization
- IIS Management Console
Hardware and software requirements
Hardware requirements
The minimum requirements for running the proxy on a Windows Server with IIS are:
CPU cores | RAM
---|---
2 | 4 GB
Software requirements
One of the following Windows Server versions is required to install the proxy:
- 2012 R2
- 2016
- 2019
- 2022
Installation steps
Follow the steps below to perform the installation:
Preliminary information
All editable Orchestrator Credentials Proxy settings are found in its appsettings.json file. The following parameters matter during the initial setup:
- Jwt:Keys - (initially empty) This string array sets up the proxy's authentication. It holds the key you will use when creating the proxy in Orchestrator, and it is what lets Orchestrator retrieve data from the proxy. Any invalid value is ignored; if no valid value is found, the proxy does not start. Keys must be Base64-encoded and can be generated with either of the following PowerShell scripts.
The first script uses the static RandomNumberGenerator.GetBytes(Int32) overload, which exists only in .NET 6 and later, so it needs PowerShell 7.2 or later:
$bytes = [System.Security.Cryptography.RandomNumberGenerator]::GetBytes(64)
$jwtSigningKey = [Convert]::ToBase64String($bytes)
Write-Host $jwtSigningKey
The second script also works on Windows PowerShell 5.1: it fills a 64-byte buffer from a cryptographically secure random number generator (RNGCryptoServiceProvider) and converts those bytes to a Base64 string.
[Byte[]] $bytes = 1..64
$rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
$rng.GetBytes($bytes)
$jwtSigningKey = [Convert]::ToBase64String($bytes)
Write-Host $jwtSigningKey
- appSettings:Plugins.SecureStores - (initially set to the default credential stores available in Orchestrator) A CSV string specifying which .dll assemblies are loaded from disk (from path/plugins) for the proxy to use as secure stores. Adding an invalid assembly to the list does not break startup, but a log error is written when the proxy tries to deploy that assembly.
- appSettings:SigningCredentialSettings:FileLocation:SigningCredential:FilePath and appSettings:SigningCredentialSettings:FileLocation:SigningCredential:Password - (initially hidden) Used to encrypt the Jwt:Keys and SecureStoreConfigurations:Context parameters. FilePath is the path of the signing certificate file.
- appSettings:SigningCredentialSettings:StoreLocation:Name, appSettings:SigningCredentialSettings:StoreLocation:Location, appSettings:SigningCredentialSettings:StoreLocation:NameType - (initially hidden) Used to encrypt the Jwt:Keys and SecureStoreConfigurations:Context parameters when the signing certificate is taken from a certificate store.
Encrypting the Jwt:Keys parameter
Use UiPath.ConfigProtector.exe version 1.0.9 or later to encrypt the Jwt:Keys parameter.
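The scripts above only print a key; the value still has to end up in the Jwt:Keys array. The following script, an added example that is not part of UiPath's installer or documentation, generates a key, checks that it decodes to exactly 64 bytes (the proxy silently drops invalid entries), backs up appsettings.json and appends the key to Jwt:Keys. It assumes the default install path, that the file contains no comments (ConvertFrom-Json on Windows PowerShell 5.1 rejects them), and that the Jwt section is still plaintext, so run it before protecting the section with UiPath.ConfigProtector.exe.

```powershell
# Added example, not UiPath tooling: generate one Jwt:Keys value and store it in
# appsettings.json. Assumes the default install path (override with -AppSettingsPath),
# a comment-free JSON file, and a Jwt section that has not been encrypted yet.
param(
    [string]$AppSettingsPath = 'C:\Program Files\UiPath\OrchestratorCredentialsProxy\appsettings.json'
)

function New-ProxyJwtKey {
    # 64 bytes from a cryptographically secure RNG, Base64-encoded, as the page requires.
    # RandomNumberGenerator.Create()/GetBytes works on Windows PowerShell 5.1 and PowerShell 7.
    $bytes = [byte[]]::new(64)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    return [Convert]::ToBase64String($bytes)
}

function Test-ProxyJwtKey {
    # The proxy ignores invalid entries without failing, so validate before writing:
    # the value must be Base64 and decode to the 64 bytes the generator scripts produce.
    param([string]$Key)
    try { return ([Convert]::FromBase64String($Key).Length -eq 64) }
    catch { return $false }
}

$key = New-ProxyJwtKey
if (-not (Test-ProxyJwtKey $key)) { throw 'Generated key failed validation.' }

# Back up the file, then load it as an object.
$backup = "$AppSettingsPath.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
Copy-Item -LiteralPath $AppSettingsPath -Destination $backup
$cfg = Get-Content -LiteralPath $AppSettingsPath -Raw | ConvertFrom-Json

if (-not $cfg.PSObject.Properties['Jwt']) {
    $cfg | Add-Member -NotePropertyName Jwt -NotePropertyValue ([pscustomobject]@{ Keys = @() })
}
if (-not $cfg.Jwt.PSObject.Properties['Keys']) {
    $cfg.Jwt | Add-Member -NotePropertyName Keys -NotePropertyValue ([object[]]@())
}

# Keep existing valid keys, drop entries the proxy would ignore anyway, append the new one.
$valid = @($cfg.Jwt.Keys | Where-Object { Test-ProxyJwtKey $_ })
$cfg.Jwt.Keys = @($valid + $key)

# ConvertTo-Json rewrites the whole file; the backup above preserves the original layout.
$cfg | ConvertTo-Json -Depth 20 | Set-Content -LiteralPath $AppSettingsPath -Encoding UTF8

Write-Host "Jwt:Keys now holds $($cfg.Jwt.Keys.Count) key(s). Backup written to $backup"
Write-Host "Keep this value; Orchestrator asks for it when the proxy is created:"
Write-Host $key
```

Run it from an elevated PowerShell session on the proxy machine, then restart the site in IIS so the new key is read. The printed key is the secret Orchestrator needs when the proxy is registered; treat the console output and the .bak file accordingly.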
Set up and run the Docker image
To run the Orchestrator Credentials Proxy with Docker, follow the steps below.
… the plugins used from the C:\Program Files\UiPath\CredentialsProxy\plugins folder.
The following steps apply only to a disconnected proxy; a connected proxy needs no dedicated configuration.
The credential vault information is provided locally in the appsettings.Production.json configuration file, located at C:\Program Files\UiPath\OrchestratorCredentialsProxy\appsettings.Production.json.
Fields to edit in the AppSettings > SecureStoreConfigurations section:
- Key - the identifier key for the configuration
- Type - the credential vault type identified in the .dll file, which is configured through the Plugins.SecureStores parameter in appsettings.json (see the examples below)
- Context - the connection information relevant to the secure store implementation
After editing the configuration file, you need to restart the service from IIS.
… in the appsettings.Production.json configuration file for a disconnected proxy to start. Otherwise, the service does not start.
Pick the example that matches your credential store type, or use the last example on this page to add several credential stores.
AWS Secrets Manager / AWS Secrets Manager (read only)
"SecureStoreConfigurations": [
{
"Key": "<MyAwsStore>",
"Type": "AWS Secrets Manager" / "AWS Secrets Manager (read only)",
"Context": {
"UseDefaultCredentials": "true",
"AccessKey": "<AccessKey>",
"SecretKey": "<SecretKey>",
"Region": "<SelectedRegion>"
}
},
]
Azure Key Vault (read only)
"SecureStoreConfigurations": [
{
"Key": "<MyAzureStore>",
"Type": "AzureKeyVault (read only)",
"Context": {
"KeyVaultUri": "<KeyVaultUri>",
"DirectoryId": "<DirectoryId>",
"ClientId": "<ClientId>",
"ClientSecret": "<ClientSecret>"
}
},
]
Azure Key Vault (read/write) is not supported.
BeyondTrust Password Safe - Managed Accounts
"SecureStoreConfigurations": [
{
"Key": "<MyBeyondTrustManagedAccountsSafe>",
"Type": "BeyondTrust Password Safe - Managed Accounts",
"Context": {
"Hostname": "<HostName>",
"APIRegistrationKey": "<ApiRegistrationKey>",
"APIRunAsUsername": "<Username>",
"DefaultManagedSystemName": "", // can be empty or a string
"SystemAccountDelimiter": "/", // default account delimiter is "/", but it can be changed
"ManagedAccountType": "<ManagedAccountType>" // expected value is one of "system", "domainlinked", "database", "cloud", "application"
}
},
]
BeyondTrust Password Safe - Team Passwords
"SecureStoreConfigurations": [
{
"Key": "<MyBeyondTrustTeamPasswordSafe>",
"Type": "BeyondTrust Password Safe - Team Passwords",
"Context": {
"Hostname": "<HostName>",
"APIRegistrationKey": "<ApiRegistrationKey>",
"APIRunAsUsername": "<Username>",
"FolderPathPrefix" : "/", // default delimiter is "/", but it can be changed
"FolderPasswordDelimiter" : "/" // default delimiter is "/", but it can be changed
}
},
]
CyberArk - AIM
"SecureStoreConfigurations": [
{
"Key": "<MyCyberArk>",
"Type": "CyberArk",
"Context": {
"ApplicationId": "<App_MyCyberArk>",
"Safe": "<Passwords>",
"Folder": "<MyFolder>"
}
},
]
CyberArk - CCP
"SecureStoreConfigurations": [
{
"Key": "<MyCyberArkCCPStore>",
"Type": "CyberArkCCP",
"Context": {
"ApplicationId": "<ApplicationId>",
"Safe": "<CyberArkSafe>",
"Folder": "<CyberArkFolder>",
"WebServiceUrl": "<CentralCredentialProviderUrl>",
"WebServiceName": "<WebServiceName>",
"SerializedClientCertificate": "<ClientCertificate>", // must be ".pfx" as base64
"ClientCertificatePassword": "<ClientCertificatePassword>",
"SerializedRootCA": "<someServerRootCA>" // must be ".crt" or ".cer" as base64
}
},
]
For the CyberArk CCP plugin, how the client certificate's private key is stored can be controlled with the Plugins.SecureStores.CyberArkCCP.KeyStorageFlags setting in AppSettings, as shown below:
"AppSettings": {
...
"Plugins.SecureStores.CyberArkCCP.KeyStorageFlags": "MachineKeySet",
...
}
HashiCorp Vault / HashiCorp Vault (read only)
"SecureStoreConfigurations": [
{
"Key": "<MyHashiCorp>",
"Type": "HashiCorp Vault" / "HashiCorp Vault (read only)",
"Context": {
"VaultUri": "<VaultUri>",
"AuthenticationType": "<AppRole>",
"RoleId": "<RoleId>",
"SecretId": "<SecretId>",
"Username": "<Username>",
"Password": "<Password>",
"Token": "<Token>",
"SecretsEngine": "<KeyValueV2>",
"SecretsEngineMountPath": "<Secret>",
"DataPath": "<applications/orchestrator>",
"Namespace": "<orchestrator>"
}
},
]
Thycotic Secret Server
"SecureStoreConfigurations": [
{
"Key": "<MyThicoticServer>",
"Type": "Thycotic Secret Server",
"Context": {
"SecretServerUrl": "<ServerUrl>",
"RuleName": "<Rule>",
"RuleKey": "<Key>",
"UsernameField": "<Username>",
"PasswordField": "<Password>"
}
},
]
Multiple credential stores
If you use several credential stores, add them one after another, as shown below:
{
...
"AppSettings": {
...
"SecureStoreConfigurations": [
{
"Key": "<SecureStoreKey1>",
"Type": "AzureKeyVault (read only)",
"Context": {
"KeyVaultUri": "<Uri>",
"DirectoryId": "<DirectoryId>",
"ClientId": "<ClientId>",
"ClientSecret": "<ClientSecret>"
}
},
{
"Key": "<SecureStoreKey2>",
"Type": "BeyondTrust Password Safe - Managed Accounts",
"Context": {
"Hostname": "<Host>",
"APIRegistrationKey": "<ApiKey>",
"APIRunAsUsername": "<ApiUsername>",
"DefaultManagedSystemName": "",
"SystemAccountDelimiter": "/",
"ManagedAccountType": "system"
}
}
]
...
}
}
This applies only to the disconnected Credentials Proxy.
When the proxy runs in Disconnected mode, it validates its configuration at startup.
These are the validation steps it performs:
- It ensures that appsettings.Production.json contains the expected configuration, as described in the "Configuration" section above.
- It ensures that SecureStoreConfigurations contains no duplicate Key parameters, i.e. that the credential stores configured in appsettings.Production.json are unique. The SecureStoreConfigurations parameter is an array of configurations, so you can add as many credential stores as you need, even of the same type. For example, you can configure several Azure Key Vault (read only) instances as long as each Key field is unique.
- It checks that all Type values are valid.
- It checks that each vault can be reached successfully, according to each secure store's implementation.
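The proxy only reports these failures after the IIS site has been restarted, which is late in the change. The script below, an added example rather than anything shipped by UiPath, runs the first three checks statically against appsettings.Production.json before the restart: valid JSON, a present SecureStoreConfigurations array, unique Key values, Type values drawn from the plugin types shown on this page, and a non-empty Context. It also flags Context values still carrying the angle-bracket placeholders from the samples above. The list of valid Type strings and the default path are assumptions; extend the list for custom plugins. Vault reachability, the fourth check, is deliberately left to the proxy.

```powershell
# Added example, not part of the UiPath installer: static pre-flight checks for
# appsettings.Production.json that mirror the proxy's own startup validation, so a
# bad edit is caught before the IIS site is restarted. Vault reachability (the
# proxy's last check) is deliberately not attempted here.
param(
    [string]$Path = 'C:\Program Files\UiPath\OrchestratorCredentialsProxy\appsettings.Production.json'
)

# Type values shown on this page (assumption: the set of supported plugins).
# Extend the list for custom plugin .dll files loaded through Plugins.SecureStores.
$KnownTypes = @(
    'AWS Secrets Manager', 'AWS Secrets Manager (read only)',
    'AzureKeyVault (read only)',
    'BeyondTrust Password Safe - Managed Accounts',
    'BeyondTrust Password Safe - Team Passwords',
    'CyberArk', 'CyberArkCCP',
    'HashiCorp Vault', 'HashiCorp Vault (read only)',
    'Thycotic Secret Server'
)

function Test-ProxySecureStoreConfig {
    # Returns one string per finding; no output means the static checks passed.
    param([string]$JsonText, [string[]]$ValidTypes)
    $findings = New-Object 'System.Collections.Generic.List[string]'

    try { $cfg = $JsonText | ConvertFrom-Json }
    catch { $findings.Add("File is not valid JSON: $($_.Exception.Message)"); return $findings }

    $stores = $cfg.AppSettings.SecureStoreConfigurations
    if ($null -eq $stores) {
        $findings.Add('AppSettings.SecureStoreConfigurations is missing; a disconnected proxy will not start.')
        return $findings
    }
    $stores = @($stores)

    # Check: Key values must be unique across the array.
    foreach ($g in ($stores | Group-Object -Property Key | Where-Object { $_.Count -gt 1 })) {
        $findings.Add("Duplicate Key '$($g.Name)' is used by $($g.Count) stores.")
    }

    for ($i = 0; $i -lt $stores.Count; $i++) {
        $s = $stores[$i]
        if ([string]::IsNullOrWhiteSpace($s.Key)) { $findings.Add("Store #$i has an empty Key.") }
        # Check: Type must be one of the known plugin types.
        if ($s.Type -notin $ValidTypes) { $findings.Add("Store '$($s.Key)' has unknown Type '$($s.Type)'.") }
        if ($null -eq $s.Context) {
            $findings.Add("Store '$($s.Key)' has no Context.")
            continue
        }
        # Placeholders copied from the samples on this page are a common mistake.
        foreach ($p in $s.Context.PSObject.Properties) {
            if ("$($p.Value)" -match '^<.*>$') {
                $findings.Add("Store '$($s.Key)': Context.$($p.Name) still holds the placeholder $($p.Value).")
            }
        }
    }
    return $findings
}

# @() keeps the result an array whether zero, one or many findings come back.
$findings = @(Test-ProxySecureStoreConfig -JsonText (Get-Content -LiteralPath $Path -Raw) -ValidTypes $KnownTypes)
if ($findings.Count -eq 0) {
    Write-Host "OK: $Path passes the static checks."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

A non-zero exit code makes the script usable as a gate in whatever deployment tooling copies appsettings.Production.json onto the node; a passing run still leaves the proxy's own connectivity check, which is the only way to confirm the vault credentials in Context actually work.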
… in the C:\Program Files\UiPath\OrchestratorCredentialsProxy folder. These are configured in IIS.
To change the log location, provide a relative or absolute path of your choice in the NLog.targets.logfile.fileName parameter in appsettings.Production.json.
On Windows machines, the proxy also writes its logs to the Windows Event Viewer.
- Orchestrator only allows secure (HTTPS) URLs for the proxy. The HTTPS certificate must be valid and signed by a widely recognized certificate authority. Self-signed certificates and certificates signed by an internal authority are not supported.
- Orchestrator authenticates with the client secret generated by the Orchestrator Credentials Proxy. The client secret is stored in the configuration file on the machine where the Orchestrator Credentials Proxy is installed, and Orchestrator stores it encrypted in its database.
- When you edit a credential store proxy in Orchestrator and change its URL, you must also enter the client secret again.
- Orchestrator Credentials Proxy 2.0.0 and later logs its operations in the Windows Event Viewer.
- Binaries must be signed on Windows machines.
- Docker images must be signed.
You can use the proxy behind a load balancer, provided you keep the same configuration on all nodes. This covers:
- The proxy installer version. For example, if you use version 1.0.0, all load balancer nodes must also run version 1.0.0.
- The settings in the application configuration files, in most cases appsettings.json and appsettings.Production.json. Note that appsettings.Production.json is unique to each installation, so you must add it to each node manually to keep them consistent.
- The credential store plugins added to path/plugins. All plugins we support are already in this folder, so you mainly need to take care of any custom plugins you add.
- If you want to change the configuration of the Docker image we provide for installing the proxy, we strongly recommend creating a custom Docker image instead, and then deploying the proxy on all nodes from that custom image.
- Certain environment variables (for example, variables that override appsettings.json configuration values or that affect the .NET environment) can have an effect at runtime.
- You can use the dedicated unauthenticated endpoint https://cloud.uipath.com/{organizationName}/{tenantName}/orchestrator_/api/v1/Health to check whether the Orchestrator Credentials Proxy is still running.
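The consistency requirement above is easy to state and easy to break: one node gets a new plugin .dll or an edited appsettings.Production.json and the others do not. The following script, an added example and not UiPath tooling, fingerprints the files the list says must match (appsettings*.json and plugins\*.dll) on each node with SHA-256 and reports any path whose hash differs or which is missing on some node. Comparing hashes rather than copying the files around means the secrets inside appsettings.Production.json never leave the node. It assumes PowerShell Remoting is enabled on every node and the default install path; the installer version check is covered indirectly, since a different build changes the plugin .dll hashes and the FileVersion recorded alongside them.

```powershell
# Added example, not UiPath tooling: check that the files which must stay identical
# across load-balanced proxy nodes (appsettings*.json and plugins\*.dll) really are.
# Assumes PowerShell Remoting is enabled on every node and the default install path.
param(
    [Parameter(Mandatory)][string[]]$ComputerName,
    [string]$InstallRoot = 'C:\Program Files\UiPath\OrchestratorCredentialsProxy'
)

# Runs on each node and returns one record per file: relative path, SHA-256, file version.
$fingerprint = {
    param($Root)
    $files = @(Get-ChildItem -LiteralPath $Root -Filter 'appsettings*.json' -File) +
             @(Get-ChildItem -LiteralPath (Join-Path $Root 'plugins') -Filter '*.dll' -File -ErrorAction SilentlyContinue)
    foreach ($f in $files) {
        [pscustomobject]@{
            RelativePath = $f.FullName.Substring($Root.Length).TrimStart('\')
            Sha256       = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
            FileVersion  = $f.VersionInfo.FileVersion   # empty for .json, the plugin build for .dll
        }
    }
}

function Compare-ProxyNodes {
    # Takes node name -> fingerprint records; returns the paths whose hash or presence differs.
    param([hashtable]$ByNode)
    $allPaths = @(foreach ($records in $ByNode.Values) { $records | ForEach-Object RelativePath }) |
        Sort-Object -Unique
    foreach ($p in $allPaths) {
        $perNode = @{}
        foreach ($node in $ByNode.Keys) {
            $entry = $ByNode[$node] | Where-Object { $_.RelativePath -eq $p }
            $perNode[$node] = if ($entry) { $entry.Sha256 } else { 'MISSING' }
        }
        if (@($perNode.Values | Sort-Object -Unique).Count -gt 1) {
            [pscustomobject]@{ RelativePath = $p; PerNode = $perNode }
        }
    }
}

# Collect fingerprints from every node; only hashes travel over the remoting session.
$byNode = @{}
foreach ($c in $ComputerName) {
    $byNode[$c] = @(Invoke-Command -ComputerName $c -ScriptBlock $fingerprint -ArgumentList $InstallRoot)
}

$drift = @(Compare-ProxyNodes -ByNode $byNode)
if ($drift.Count -eq 0) {
    Write-Host "All $($ComputerName.Count) nodes carry identical configuration and plugin files."
} else {
    foreach ($d in $drift) {
        Write-Warning "$($d.RelativePath) differs across nodes:"
        foreach ($kv in $d.PerNode.GetEnumerator()) { Write-Warning "  $($kv.Key): $($kv.Value)" }
    }
    exit 1
}
```

Invoke it as `.\Compare-ProxyNodes.ps1 -ComputerName proxy01, proxy02, proxy03` from a host that can reach all nodes; run it after every plugin or configuration change and before the load balancer puts a rebuilt node back into rotation.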