- Overview
- Requirements
- Pre-installation
- Installation
- Post-installation
- Migration and upgrade
- Upgrading Automation Suite
- Migrating standalone products to Automation Suite
- Step 1: Restoring the standalone product database
- Step 2: Updating the schema of the restored product database
- Step 3: Moving the Identity organization data from standalone to Automation Suite
- Step 4: Backing up the platform database in Automation Suite
- Step 5: Merging organizations in Automation Suite
- Step 6: Updating the migrated product connection strings
- Step 7: Migrating standalone Orchestrator
- Step 8: Migrating standalone Insights
- Step 9: Migrating standalone Test Manager
- Step 10: Deleting the default tenant
- Performing a single tenant migration
- Migrating between Automation Suite clusters
- Migrating from Automation Suite on EKS/AKS to Automation Suite on OpenShift
- Monitoring and alerting
- Cluster administration
- Product-specific configuration
- Orchestrator advanced configuration
- Configuring Orchestrator parameters
- Configuring appSettings
- Configuring the maximum request size
- Overriding cluster-level storage configuration
- Configuring NLog
- Saving robot logs to Elasticsearch
- Configuring credential stores
- Configuring encryption key per tenant
- Cleaning up the Orchestrator database
- Skipping host library creation
- Troubleshooting
- The backup setup does not work due to a failure to connect to Azure Government
- Pods in the uipath namespace stuck when enabling custom node taints
- Unable to launch Automation Hub and Apps with proxy setup
- Robot cannot connect to an Automation Suite Orchestrator instance
- Log streaming does not work in proxy setups
- Velero backup fails with FailedValidation error
- Accessing FQDN returns RBAC: access denied error
Automation Suite on EKS/AKS installation guide
Certificates overview
This page describes all the certificates required by an Automation Suite installation as well as the principle of the certificate rotation process.
For details on the certificates you must provide when replacing the self-signed certificates, see Certificate requirements.
Understanding how trust certificates work
Inter-service communication between products inside Automation Suite is done via the FQDN of the cluster. Products cannot use internal URLs to communicate with each other. For example, Orchestrator can connect to Identity Server for user authentication via https://automationsuite.mycompany.com/identity.
While two different Automation Suite products must use the FQDN of the cluster, they can also contain multiple microservices. These microservices can use internal URLs to communicate with each other.
Understanding how communication works
The following diagram and flow explain how the client connects to a service and how the authentication is done via the Identity Service.
-
The client makes a connection with the service using URL, i.e., Orchestrator, Apps, Insights, etc. using the following URL:
https://automationsuite.mycompany.com/myorg/mytenant/service_. -
Istio intercepts the call, and based on the path of the
service_, forwards the call to the specific service. -
The service calls Identity Service to authenticate the incoming request from the client via
https://automationsuite.mycompany.com/myorg/mytenant/identity_. -
Istio intercepts the call, and based on the path
identity_, forwards the request to Identity Service. -
Identity Service returns the response with the result to Istio.
-
Istio returns the response to the service. Since the call is made using the HTTPS protocol, Istio returns the response with the TLS certificate so that the connection is secure. If the service trusts the server certificate returned by Istio, it approves the response. Otherwise, the service rejects the response.
-
The service prepares the response and sends it back to Istio.
-
Istio forwards the request back to the client. If the client machine trusts the certificate, then the entire request is successful. Otherwise the request fails.
Understanding how robots and Orchestrator communicate
This section describes a scenario where a robot tries to connect to Orchestrator in Automation Suite. The following diagram and flow explain how the robot connects to Orchestrator, and how authentication is done via Identity Server.
-
Robot makes a connection with Orchestrator using the following URL:
https://automationsuite.mycompany.com/myorg/mytenant/orchestrator_ -
Istio intercepts the call, and based on the
orchestrator_path, it forwards it to the Orchestrator service. -
The Orchestrator service calls Identity Server to authenticate the incoming request from the robot via
https://automationsuite.mycompany.com/myorg/mytenant/identity_. -
Istio intercepts the call, and based on the
identity_path, it forwards the request to Identity Server. -
Identity Server returns the response with the results to Istio.
-
Istio returns the response to Orchestrator. Since the call is made using the HTTPS protocol, Istio returns the response with the TLS certificate, so that connection is secure. If Orchestrator trusts the server certificate returned by Istio, it also approves the response. Otherwise, Orchestrator rejects the response.
-
Orchestrator prepares the response and sends it back to Istio.
-
Istio forwards the request back to robot. If the robot machine trusts the certificate, then the entire request is successful. Otherwise, the request fails.
Understanding the container architecture related to certificates
Container level
In this example, the container has its own operating system (RHEL OS), and Service can represent an Orchestrator running on top of RHEL OS.
Every OS has its own certificate store. In the case of RHEL OS, the Certificate Trust Store is located in /etc/pki/ca-trust/ca/.
This path is where RHEL OS stores all certificates. Every container will have its own Certificate Trust Store. As part of the Automation Suite configuration, we inject the entire chain certificate that contains the root certificate, all the intermediate certificates, as well as the leaf certificate, and we store them in this path. Since services trust the root and intermediate certificates, they automatically trust any other certificates created by the root and intermediate certificates.
Pod level
There are hundreds of containers running within Automation Suite. Manually adding certificates for each of these containers for all the services would be a demanding task. However, Automation Suite includes a shared volume and an Init container cert-trustor to help with this task. Init is a specialized container that runs before app containers in a Pod, and its lifecycle ends as soon as it completes its job.
In the following example, the Orchestrator service is running in one pod. As a reminder, a pod can contain more than one container. In this pod, we inject one more Init container called Cert-trustor. This container will contain the root certificate, the intermediate certificates, and the leaf certificate.
The shared volume is attached to both Cert-trustor container and Orchestrator service container. It has the same path as the RHEL OS Certificate Trust Store: /etc/pki/ca-trust/ca/source/anchors.
Before Orchestrator can run, the Cert-trustor performs a job that will add the certificates in the shared volume in the /etc/pki/ca-trust/ca/source/anchors location and terminates.
Certificates will be available for Orchestrator service through the shared volume.
Inventory of all certificates in Automation Suite
Certificates generated during installation
As part of the Automation Suite installation, the following certificates are generated:
- Self-signed certificate generated at the time of installation. We recommend that you replace the self-signed certificate with a domain certificate post-installation. See Managing certificates.
Note:
The certificate can be generated at the time of installation only if you grant the Automation Suite installer admin privileges during the installation. If you cannot grant the installer admin privileges, then you must create and manage the certificate yourself.
- Identity Server certificate for signing JWT tokens used in authentication. If the certificate for signing the JWT token is not provided, Automation Suite uses the currently configured TLS certificate (self-signed or customer-provided). If you want to have your own certificate for signing identity tokens, see Managing certificates.
Additional certificates
- If enabled, SAML2 Authentication protocol can use a service certificate.
- If you configure Active Directory using a username and password, LDAPS (LDAP Over SSL) is optional. If you opt for LDAPS, you must provide a certificate. This certificate will be added into Automation Suite's Trusted Root Certification Authorities. For details, see Microsoft documentation.
Understanding how the certificate update/rotation works
The certificates are stored in two places:
istio-ingressgateway-certsin<istio-system><uipath>namespace
To update the certificate within <istio-system> and <uipath> namespaces, you must run the uipathctl config update-tls-certificates command.
Pods can only access secrets that are in their namespace. For instance, the pods running in the <uipath> namespace cannot access the secrets stored in the <istio-system> namespace. Hence, certificates are copied in both namespaces.
For the <uipath> namespace, we mount the certificates to the pods that need certificates and restart the pods so they can use the new certificates.
The update happens using the rolling deployment method. If microservices have two pods for high availability purpose, the update will delete one of the pods, and a new version of the pod will come up. Once the new one is started successfully, the old one will removed. There will be a brief downtime period while the old pod is not yet terminated.
- Understanding how trust certificates work
- Understanding how communication works
- Understanding how robots and Orchestrator communicate
- Understanding the container architecture related to certificates
- Container level
- Pod level
- Inventory of all certificates in Automation Suite
- Certificates generated during installation
- Additional certificates
- Understanding how the certificate update/rotation works