- Getting Started
- Network requirements
- Single-node requirements and installation
- Multi-node requirements and installation
- Post-installation
- Accessing AI Center
- Provision an AI Center tenant
- Updating Orchestrator and Identity Server certificates
- Resizing PVC
- Adding a new node to the cluster
- ML packages offline installation
- Configuring the cluster
- Configuring the FQDN post-installation
- Backing up and restoring the cluster
- Using the monitoring stack
- Setting up a Kerberos authentication
- Provisioning a GPU
- Using the configuration file
- Node scheduling
- Migration and upgrade
- Basic Troubleshooting Guide
Configuring the certificates
For more information on configuring the certificates, check the Configuring the certificates page from the Automation Suite guide.
AI Center requires the following certificate at the time of installation:
- Server certificate — required for TLS communication between the client and the cluster;
The server certificate must meet the following requirements:
- File format should be
.pem
, i.e., Base64 encoded DER certificate; - Private key length should be at least 2048;
- Extended Key Usage: TLS Web Server Authentication; required for accessing Automation Suite on iOS devices;
- Should have Subject Alternative Name for all the DNS entries required for installing Automation Suite. If the FQDN for the
cluster is
automationsuite.mycompany.com
, the certificate SAN should have the following DNS:automationsuite.mycompany.com
*.automationsuite.mycompany.com
Note:Alternatively if the*
wildcard is too generic, make sure you have SAN entries for the following DNS:automationsuite.mycompany.com
alm.automationsuite.mycompany.com
monitoring.automationsuite.mycompany.com
registry.automationsuite.mycompany.com
objectstore.automationsuite.mycompany.com
insights.automationsuite.mycompany.com
AI Center requires three files at the time of installation, as follows:
- Server / TLS certificate file — the server’s public certificate file.
- Server / TLS key file — private key file for the server certificate.
- Certificate Authority Bundle — this is the Public Certificate of CA which is used to sign or issue the server certificate.
We generate certificates on your behalf at installation time, so no configuration is needed.
They have a 90-day lifecycle, so you need to update them within that time. However, we strongly recommend that you update those certificates as soon as installation completes.
If the trusted certificate is not provided, then few additional steps are required for self-signed certificate to access Automation Suite.
The installation bundle provides a cluster management tool that enables you to update certificates post installation.
In order to access, make sure you navigate to the location where the installer bundle is located:
cd ~/UiPathAutomationSuite/
cd ~/UiPathAutomationSuite/
configureUiPathAS.sh
script to update the certificate as shown in the following section.
Updating the TLS certificate
.pem
format.
- Certificate Authority Bundle — This bundle should contain the certificate which is used to sign the tls server certificate.
- Server Certificate — Public server certificate
- Private key — Private key for server certificate
You also need the cluster FQDN as an input.
sudo ./configureUiPathAS.sh tls-cert update --ca-cert-file /path/to/cacert --tls-cert-file /path/to/tlscert --tls-key-file /path/to/tlskey --fqdn <cluster_fqdn>
sudo ./configureUiPathAS.sh tls-cert update --ca-cert-file /path/to/cacert --tls-cert-file /path/to/tlscert --tls-key-file /path/to/tlskey --fqdn <cluster_fqdn>
/directory/path/to/store/certificate
.
Accessing the TLS certificate
To print out the certificate files, run the following command, specifying the directory where certificates are stored.
sudo ./configureUiPathAS.sh tls-cert get --outpath /directory/path/to/store/certificate
sudo ./configureUiPathAS.sh tls-cert get --outpath /directory/path/to/store/certificate
If you are using self-signed certificate, take the following steps to access the cluster:
You need to add CA (Certificate Authority) Bundle certificate to the trust store for the following:
- Client machine
- Machine on which robot is will run
- Machine on which you will access Automation Suite from the browser.
- First server machine (requirement for airgapped)
- Machine on which airgapped bundle will be downloaded and extracted.
Use the following command to add the certificate to the trust store of the RHEL machine.
sudo cp --remove-destination rootCA.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust
sudo cp --remove-destination rootCA.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust