
Automation Suite on EKS/AKS installation guide
How to work with certificates
Description
This section explains how to use openssl commands to validate a chain of certificates (CA, intermediate, and server), and separate or combine certificates.
You can bring certificates as follows:
- Scenario 1: Three crt/pem files including CA, intermediate, and server certs and a private key.
- Scenario 2: Two crt/pem files including CA and server certs and a private key.
- Scenario 3: One pfx file containing all CA/intermediate and server certs and a private key.
The following table describes the file names used:
| File name | Description |
|---|---|
| ca.crt | A CA certificate. |
| intermediate.crt | An intermediate certificate. |
| ca-bundle.crt | A certificate containing CA and intermediate certificates. |
| server.crt | A server certificate. |
| server.key | A private key used to generate the server.crt. |
| server.pfx | A pfx certificate file containing CA, intermediate, server certificates, and the server private key. |
Scenario 1 and Scenario 2
When you bring three different cert files (CA, intermediate, and server), take the following steps for validation:
- Combine the CA with the intermediate certs (applicable only for Scenario 1).

  ```
  cp ca.crt ca-bundle.crt
  cat intermediate.crt >> ca-bundle.crt
  ```

- Check the contents of the server cert, specifically the `subject alternative names` and `validity` fields.

  ```
  openssl x509 -in server.crt -text -noout
  ```

- Check if the server cert was signed by the CA server.

  ```
  openssl verify -CAfile ca-bundle.crt server.crt
  ```

  Output:

  ```
  server.crt: OK
  ```

- Check if the server cert was generated by the server private key by comparing the md5 hashes. If the following commands' outputs match, then it validates that the server cert was generated using the private key.

  - Server cert:

    ```
    openssl x509 -noout -modulus -in server.crt | openssl md5
    ```

    Server cert output:

    ```
    (stdin)= c9b0c5c3fe11b0b09947415236c4a441
    ```

  - Server private key:

    ```
    openssl rsa -noout -modulus -in server.key | openssl md5
    ```

    Server private key output:

    ```
    (stdin)= c9b0c5c3fe11b0b09947415236c4a441
    ```

- Generate the pfx file from the server cert and the private key. Once the following command is run, you are prompted to type a passcode twice. The passcode is always required to decrypt the pfx file.

  ```
  openssl pkcs12 -inkey server.key -in server.crt -export -out server.pfx
  ```

  Output:

  ```
  Enter Export Password:
  Verifying - Enter Export Password:
  ```
Scenario 3
When you bring one certificate in pfx format containing CA, intermediate, server, and private key, you can use the pfx file as an identity token signing certificate, but you must break the pfx file into multiple cert files. The following steps describe how to break the pfx file accordingly.
- Export the CA certificate (including intermediate if provided in the pfx file):

  ```
  openssl pkcs12 -in server.pfx -cacerts -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ca.crt
  ```

- Export the server certificate:

  ```
  openssl pkcs12 -in server.pfx -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > server.crt
  ```

- Export the private key:

  ```
  openssl pkcs12 -in server.pfx -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > server.key
  ```
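
The validation steps from Scenario 1 and Scenario 2 and the pfx split from Scenario 3, gathered into one script (an added example, not part of the original guide). It goes beyond the md5/modulus comparison by comparing public keys, which also covers EC keys; the function names, `demo.example.test`, the 30-day lifetime and the `demo-only` password are assumptions, and the chain it builds is constructed test data without an intermediate (Scenario 2 layout).

```sh
#!/bin/sh
# Added example; every key and certificate here is constructed throwaway data.

# Step 4, generalised: compare public keys rather than the RSA modulus so EC
# keys work too. A parse failure or empty output never counts as a match.
key_matches_cert() (   # $1 = certificate, $2 = private key
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || exit 1
  [ -n "$c" ] && [ "$c" = "$k" ]
)

# Step 3: the server cert ($2) must chain to the CA bundle ($1).
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Step 2: cert $1 does not expire within $2 days / lists DNS name $2 in its SAN.
valid_for_days() { openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null; }
has_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
    tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:$2"
}

# Builds a CA and a server cert (Scenario 2 layout) in directory $1.
make_demo_chain() (
  cd "$1" || exit 1
  printf '%s\n' '[req]' 'prompt=no' 'distinguished_name=dn' 'x509_extensions=v3' \
    '[dn]' 'CN=Demo CA' '[v3]' 'basicConstraints=critical,CA:TRUE' > demo.cnf
  printf 'subjectAltName=DNS:demo.example.test\n' > san.ext
  openssl req -x509 -config demo.cnf -newkey rsa:2048 -nodes -days 30 \
    -keyout ca.key -out ca.crt 2>/dev/null &&
  openssl req -new -config demo.cnf -subj '/CN=demo.example.test' \
    -newkey rsa:2048 -nodes -keyout server.key -out server.csr 2>/dev/null &&
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -extfile san.ext -days 30 -out server.crt 2>/dev/null &&
  cp ca.crt ca-bundle.crt
)

# Scenario 3 round trip: export server.pfx, split it, re-check the pieces.
# pass: is for this demo only; it exposes the password in the process list.
pfx_roundtrip_ok() (
  cd "$1" || exit 1
  openssl pkcs12 -export -inkey server.key -in server.crt \
    -certfile ca-bundle.crt -out server.pfx -passout pass:demo-only &&
  openssl pkcs12 -in server.pfx -clcerts -nokeys -passin pass:demo-only 2>/dev/null |
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > out.crt &&
  openssl pkcs12 -in server.pfx -nocerts -nodes -passin pass:demo-only 2>/dev/null |
    sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > out.key &&
  key_matches_cert out.crt out.key && chain_ok ca-bundle.crt out.crt
)
```

Each function returns a shell exit status, so the checks can gate a deployment step, for example `chain_ok ca-bundle.crt server.crt && key_matches_cert server.crt server.key`.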