Skip to main content

Introduction

UiPath Robots log in to systems to perform automated functions using username and passwords. Integrating the UiPath Robotic Process Automation (RPA) platform with the nShield Hardware Security Module (HSM) provides strong client authentication. When HSM-integrated Robots log in to domain systems, they are using certificate-based login.

Product configurations

We have successfully tested nShield HSM integration in the following configurations:

Product Version

UiPath Orchestrator (Local and Cloud)

20.10.7

UiPath Studio (Robot)

20.10.6

Operating system for the Robot machine

Windows 10

Windows Server 2016

Windows Server 2019

Operating system for the backbone Orchestrator

Windows Server 2016

Security World

12.71.0

nShield HSM

Connect XC

Connect+

PowerShell

4.0 or later

.NET Framework

4.7.2 or later

IIS

7.5 or later

Test scenarios

The following setup scenarios were tested using UiPath Orchestrator (Local and Cloud).

Scenario 1 Scenario 2 Scenario 3

Cipher suite

DLf3072s256mRijndael

DLf3072s256mAEScSP800131Ar1

Security World mode

FIPS 140-2 Level 3

Unrestricted

FIPS 140-2 Level 3

HSM firmware

3.4.2/vsn37 (FIPS)

12.50.11/vsn37 (FIPS)

HSM netimage

12.60.10/vsn31

12.70.3/vsn31

Security World software

12.71.0

Key protection mechanism

Softcard only

Robot credential

RSA or ECDSA

ECDSA only 1

1 ECDSA credential is required for the Robot to force Windows PKINIT to use something other than SHA-1.

Software prerequisites

The following nShield software versions were used during this integration:

Security World client nShield Connect Image Firmware

12.71.0

12.60.10/12.70.3

12.50.11/12.50.8/3.4.2

An nShield Security World Software installation is required prior to using UiPath RPA. Instructions on how to setup an nShield Connect, a Remote File System (RFS) for the nShield Connect, a client computer, and installation instructions for the nShield Security World are included in the nShield Connect Installation Guide and nShield Connect User Guide .

To access and use cryptographic keys from within a Security World, you will need to load or create a Security World on the nShield Connect and map the key management data folder ( kmdata ) from your container host machine into the running application containers.

Procedures

Deploy the backbone server

Configure the backbone server domain, groups, and users

  1. For prerequisites, see https://docs.uipath.com/installation-and-upgrade/docs/orchestrator-prerequisites-for-installation .

  2. Install and configure Microsoft Windows Server 2012 R2, 2016, or 2019.

  3. Install and configure the ADDS role.

  4. Create the domain group AutoEnrollGroup .

  5. Create the user accounts to be used by the Robots for authentication.

    1. Open Active Directory Users and Computers through the Windows Start menu or the Microsoft Management Console.

    2. Enable the advanced view so you can see the Published Certificates tab for user accounts.

    3. Right-click Users under your domain name and select New .

    4. Select User .

    5. Create users such as RobotVM3 for the Robot user on system VM3. This helps distinguish that this particular Robot user has its Softcard or key on VM3.

  6. Add group memberships to the Robot accounts so they can sign in to the Windows Server machines.

    1. In AD Users and Computers , select Users , and find the users that were created.

    2. Right-click each user and select Properties .

    3. Select the Member Of tab.

    4. Add the following groups:

      • Administrators

      • Enterprise Admins

      • Domain Admins

      • Domain Users

      • AutoEnrollGroup

  7. Enable Log On as a batch job rights for the Application Pool user.

    1. Select Windows > Run > mmc .

    2. Select File > Add/Remove Snap-in .

    3. Add Group Policy Object .

    4. Select Finish .

    5. Select OK .

    6. Navigate to Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Log on as a batch job .

    7. Select Add User or Group .

    8. Add the current user who is logged into the Orchestrator machine, that is, Administrators .

Configure ADCS

Install and configure Active Directory Certificate Services role

  1. Open Server Manager and Install ADCS.

  2. Configure as an enterprise root CA.

  3. Optionally, if you want the CA to use the HSM for its signing key:

    1. Select the nShield CNG provider to write the CA key.

    2. Select RSA2048/SHA256 .

    3. Select module protected key for simplicity.

Configure the ADCS certificate templates

  1. Open the Certification Authority Microsoft Management Console.

  2. Expand the CA node.

  3. Right-click Certificate Templates and select Manage to create a new certificate template for the Robot .

  4. Right-click Smartcard Logon , and select Duplicate Template .

  5. Configure the following tabs:

    Note
    		Do not select Apply or OK until the end. Otherwise the template will be saved with the incorrect name.
    Tab Configuration option Recommended setting or value

    Compatibility

    Show resulting changes

    Clear the selection box.

    Certification Authority

    Windows Server 2012 or higher (required for CNG)

    Certificate recipient

    Windows 8 / Windows Server 2012 or higher (required for CNG)

    General

    Template Display Name

    UiPath Robot nShield KSP

    Validity period

    Select appropriate value

    Renewal period

    Select appropriate value

    Publish certificate in Active Directory

    Select this option

    Do not automatically reenroll if a duplicate certificate exists in Active Directory

    Select this option

    Request handling

    If an ECC key is to be used instead of RSA, the Signature and smartcard logon choice forces an ECDH key which will not work with the nShield.

    To force ADCS into issuing an ECDSA certificate for SCL: After previously selecting Signature and smartcard logon, change to Signature .

    By doing it this way, ADCS will add the appropriate certificate extensions/attributes to the template for Signature and smartcard logon (but wants ECDH key), and when you afterwards switch to Signature , it retains those extensions/attributes but allows ECDSA keys.

    Signature and smartcard logon (Select YES at the pop-up)

    Do the following when the subject is enrolled and when the private key associated with this certificate is used

    Prompt the user during enrollment

    Cryptography

    Provider Category

    Key Storage Provider (which is CNG)

    Algorithm name

    RSA or ECDSA_P384

    Minimum key size

    2048 (for RSA)

    384 (for ECDSA_P384)

    Choose which cryptographic providers can be used for requests

    Requests must use one of the following providers

    Providers

    nCipher Security World Key Storage Provider

    Request Hash

    SHA256 (for RSA)

    SHA-384 (for ECDSA_P384)

    Security

    Select Add , enter AutoEnrollGroup , and select Check Names .

    Then select OK .

    Select AutoEnrollGroup from the list and enable permissions read enroll autoenroll .

    Subject name

    Build from this Active Directory Information

    Select this option

    Subject name format

    Fully distinguished name

    Include this information in alternate subject name

    Ensure only UPN is selected

  6. Select OK .

    The new certificate template name should be shown in the list.

  7. In the Certification Authority Microsoft Management Console, right-click Certificate Templates and select New > Certificate Template to issue .

  8. Ctrl+click to select both Web Server and UiPath Robot nShield KSP , and select OK .

    Make sure that the Domain Controller Authentication template is also issued.

  9. Both templates should have been added to the Certificate Templates list and can now be issued.

Install the Internet Information Services (IIS) role

  1. Request Web Server certificate from ADCS using RSA2048/SHA256.

  2. Open IIS.

  3. Select Server Certificates .

  4. Select Create Domain Certificate .

  5. Fill in information accordingly, and then select Next .

  6. Specify the Certificate Authority that was created earlier.

  7. Enter Friendly Name.

  8. Select Finish .

Install Microsoft SQL Server

  1. Select Custom Installation .

  2. Select New SQL Server stand-alone installation or add features to an existing installation .

  3. Select the product license.

  4. Accept the terms.

  5. Select Use Microsoft Update to check for updates (recommended) , and then select Next .

  6. Select the following features:

    Microsoft SQL Server features

  7. Select Next .

  8. Select Next .

  9. Select Add Current User and select Next .

  10. Continue selecting Next until Install .

  11. Close the installer.

Install UiPath Orchestrator

Select one of the three following installation options:

Set up a cloud Orchestrator

  1. Go to https://cloud.uipath.com .

  2. Create an account and sign in.

  3. Select Create new .

  4. Select the Orchestrator link under Services .

  5. Use a UI Path License to allocate one Unattended Runtime slot for each Robot you intend to use.

  6. Create a machine:

    1. Go to TENANT and then select MACHINES .

    2. Create a Machine from the right side.

    3. Add the name of the machine.

      Add one unattended runtime.

      This is a type of license that allows the Robot to run triggered from Orchestrator.

    4. Select Provision .

    5. Make sure to copy the key for this VM. You will need the key when you are connecting the Robot.

  7. Create a Robot: Select Default > Robots > Add > Standard Robot , then set its properties:

    Machine Name

    Select the machine name that you created

    Display Name

    Give the Robot a display name

    Type

    Select Unattended

    Credential type

    Select nShield KSP

    Domain\Username and Password

    <domain\username and Softcard passphrase>

    Note

    The <domain\username> will be for the Robot machine account.

    To check the Robot username at the command prompt on the Robot machine: 

    whoami

  8. From the Settings tab select Login to console > YES .

  9. Create an environment and add the Robot to it.

    1. Navigate to DEFAULT > Environment .

    2. Select Create an environment .

    3. Enter a name, and select the Robot that you created.

  10. Upload a package:

    Select TENANT > PACKAGE UPLOAD .

  11. Create a process and assign it to your environment:

    Select DEFAULT > AUTOMATIONS > + .

    Create the process from the package that you have uploaded.

The Orchestrator has been created and configured.

Set up a local Orchestrator through UiPath Platform

  1. Read https://docs.uipath.com/installation-and-upgrade/docs/orchestrator-about-installation .

  2. Ensure that your environment meets these requirements: https://docs.uipath.com/installation-and-upgrade/docs/orchestrator-prerequisites-for-installation

  3. Run UI Path Platform .

  4. Accept the Agreement.

  5. Select Install Single Node , and then select Next .

  6. Enter Computer Account Username and Password .

  7. Select Next until the Host and Tenant passwords menu is displayed.

  8. Enter the Host and Tenant passwords. These will be used to log in to Orchestrator later.

  9. Select Enable Windows Authentication .

  10. Next to Active Directory Domain , enter the domain name, and then select Next .

  11. Make a note of the URL. This will be used to access the Orchestrator interface through a web browser.

  12. Select Install .

Set up a local Orchestrator with the installer

  1. Right-click the UiPathOrchestrator.msi file, and select Install .

  2. Select Next at the welcome screen.

  3. Accept the terms and select Install .

  4. On the Product Features menu, select Next .

  5. The Orchestrator IIS Settings should be auto-filled.

  6. If there is an error about SSL certificate, edit the box and paste in the thumbprint of the certificate requested in IIS.

  7. Select Next .

  8. On the Orchestrator Application Pool Settings page, make sure Custom Account is selected.

  9. Enter the username and password of the Orchestrator Computer Account, and then select Next .

  10. On the Orchestrator Database Settings page, select Leave as is .

  11. Select Next .

  12. On the Identify Server Settings page, make a note of the Orchestrator public URL.

  13. Paste in the Signing Certificate Thumbprint.

  14. Select Next .

  15. On the Orchestrator Elasticsearch Log Settings page, select Next .

  16. On the Orchestrator Authentication Settings page, enter passwords for the Host and Default Tenant .

  17. Select Enable Windows Authentication .

  18. Enter the Domain Name .

  19. Select Next .

  20. Select Install .

  21. Select Finish .

Deploy a Robot service

  1. Install the operating system on the machine that will host the Robot service.

    Windows 10, Windows Server 2019, and Windows Server 2016 were tested as the host operating systems for the Robot service.

  2. Join the server to the domain.

  3. Install the nShield Security World client.

    1. Configure the existing Security World.

    2. Run the CNG wizard or the cnginstall command.

    3. Create an HSM Softcard.

      For example, at the command prompt run the following command: 

      ppmk --new RobotVM1

  4. Install and configure the custom CNG provider.

    The SmartCardLogin functionality is protected by a registry setting. Configure the following SmartCardMode registry settings to the recommended values in the table. This will enable the SmartCardLogin support on any machine where the revised CNG provider is installed:

    Parameter Value

    HKEY_LOCAL_MACHINE\SOFTWARE\nCipher\CryptoNG\SmartCardMode

    1 a

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\nCipher\CryptoNG\SmartCardMode

    1 b

    HKEY_LOCAL_MACHINE\SOFTWARE\nCipher\CryptoNG\UseModuleKeys

    0 c

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\nCipher\CryptoNG\UseModuleKeys

    0 c

    a It will be necessary to set this DWORD value for the 64-bit CNG provider.

    b It will be necessary to set this DWORD value for the 32-bit CNG provider.

    c This value is set to 0 so distinct protection tokens can be used for each user associated with a SmartCardLogin certificate.

  5. Sign in to the Robot machine with the Robot user account that was created in Configure the backbone server domain, groups, and users .

  6. Request the user certificate UiPath Robot nShield KSP using the HSM Softcard.

    1. Select Control Panel > Manage User Certificates .

    2. Right-click the Personal node, and select All Tasks > Request New Certificate .

    3. At the Before You Begin screen, select Next .

    4. At the Select Certificate Enrollment Policy screen, keep the default Active Directory Enrollment Policy selected, and then select Next .

    5. At the Request Certificates screen, select UiPath Robot nShield KSP certificate template and Select Enroll

      1. At the pop-up screen nCipher Key Storage Provider - Create Key screen select Next .

      2. At the Select a method to protect new key screen, select Softcard protection (unavailable in HSM Pool mode), and select Next .

      3. Select the previously created Softcard and select Finish .

      4. At the password pop-up screen, enter the Softcard passphrase and select Finish .

    6. At the Certificate Installation Results screen (it should show successful enrollment), select Finish .

  7. Install UiPath Studio (Robot) .

    1. Double click on the MSI installer to begin installation.

    2. At the Please read the UiPath Studio License Agreement screen, check I accept the terms in the License Agreement and select Install .

      Select Advanced if you want to configure any specific packages).

    3. At the Completed the UiPath Studio Setup Wizard screen, select Finish .

Configure UiPath for Robots

Configure UiPath for nShield HSMs

Configure the Robot to use only the 64-bit nShield CNG provider with the Microsoft CorFlags tool: https://docs.microsoft.com/en-us/dotnet/framework/tools/corflags-exe-corflags-conversion-tool .

Note
Visual Studio 2019 is required to run the Visual Studio Command Line, which is needed to run the corflags.exe command.

  1. Stop the UiRobotSvc service.

  2. From the Administrator command prompt, run the corflags.exe command: 

    CorFlags.exe "C:\Program Files (x86)\UiPath\Studio\UiPath.Service.Host.exe" /32BITPREF-

  3. Restart the UiRobotSvc service.

Configure UiPath for Robots if a local Orchestrator was used

Note
Skip this section if the Robot was set up through a cloud Orchestrator.

If a local Orchestrator was used, the Robot must be set up to get the machine key.

  1. Sign in to the machine with Orchestrator.

  2. Enter the Orchestrator URL into a browser.

  3. Make sure the login is set to tenant host .

  4. Enter admin as the username and use the password set for the host when the local Orchestrator was installed.

  5. Select License and enter your license in whichever way works best: online or offline.

  6. When the license has been activated, select Tenants and select the 3 vertical dots on the right side of the Default Tenant .

  7. Select Allocate Licenses .

  8. Allocate one Unattended Runtime slot for each Robot you intend to use.

  9. Log out of the tenant host and login to tenant default. Use admin as the username and use the password set for tenant when the local Orchestrator was installed.

  10. Select Machines under Management .

  11. Select Add (+) .

  12. Select Standard Machine .

  13. Enter the machine name.

    Note
    		The name must match exactly the name of the workstation on which the Robot is installed. To check it, run hostname on the Robot machine.

  14. Under License - Unattended Runtimes , enter 1 .

  15. Select Provision , then select Copy to copy the machine key.

  16. Go to Default > Robots > Add > Standard Robot .

  17. Create a Robot: Select Default > Robots > Add > Standard Robot , then set its properties:

    Machine Name

    Select the machine name that you created

    Display Name

    Give the Robot a display name

    Type

    Select Unattended

    Credential type

    Select nShield Key Storage Provider

    Domain\Username and Password

    <domain\username and Softcard passphrase>

    Note

    In the local version of Orchestrator, the Default folder cannot be used to create a Robot. Create a folder and use it instead of the Default folder in this and later steps when you are creating and deploying the Robot.

    If the nShield Key Storage Provider option does not exist, make sure the Features.SmartCardAuthentication.Enabled parameter is set to True in C:\Program Files(x86)\UiPath\Orchestrator\UiPath.Orchestrator.dll.config .

    The <domain\username> will be for the Robot machine account.

    To check the Robot username at the command prompt on the Robot machine: 

    whoami

  18. From the Settings tab select Login to console > YES .

  19. Create an environment and add the Robot to it.

    1. Navigate to DEFAULT > Environment .

    2. Select Create an environment .

    3. Enter a name, and select the Robot that you created.

  20. Upload a package:

    Select TENANT > PACKAGE UPLOAD .

  21. Create a process and assign it to your environment:

    Select DEFAULT > AUTOMATIONS > + .

    Create the process from the package that you have uploaded.

The Orchestrator has been created and configured.

Connect the Robot to the Orchestrator

  1. On the machine on which the Robot is located, start the UiPathAssistant from the Windows Start menu.

  2. Select User button > Preferences > Orchestrator Settings , and add the Orchestrator URL and the machine key that you created.

  3. Select Connect .

The Robot should now be connected and the processes should now be viewable.

Test the UiPath Studio Robot

  1. Run the process that you have added in Orchestrator.

  2. To start a process from Orchestrator: On the Orchestrator page, select DEFAULT > JOBS > START JOB .

  3. Select the process name, the Robot name, and then select Start .

RESOURCES
RELATED PRODUCTS