- Getting Started
- Requirements
- Best Practices
- Installation
- Updating
- Identity Server
- Troubleshooting startup errors
Prerequisites for Installation
- Windows Server Operating System - minimum required version: 2016. Check the Software Requirements for the other supported versions.
- Windows PowerShell - minimum required version: 5.1. To download Windows PowerShell version 5.1, visit this link and install Windows Management Framework 5.1. For additional help, see the Windows PowerShell 5.1 installation documentation.
- .NET Framework - minimum required version: 4.7.2 To find out which .NET version is installed on your computer, please see Finding the Installed .NET Version.
- IIS - minimum required version: 10. this is part of the Web Server (IIS) role and is automatically enabled by the provided
InstallRolesAndFeatures.ps1
script, which can be found in here. -
ASP.NET Core IIS Module - version 6.0.x (available here) or 8.0.x (available here). It is available as part of the Hosting Bundle. To download it, make sure you click the Hosting Bundle option.
Note: Only the Core module is required, and can be installed without any runtimes by using theOPT_NO_RUNTIME=1
parameter from the command line. - URL Rewrite - minimum required version
2.1
. Enables the website to redirect the calls to HTTPS (https://servername
), instead of HTTP (http://servername
). Please download and install URL Rewrite by accessing this link. - Server Roles and Features. We provide a PowerShell script that automatically adds the required roles and features to the application server(s). The list of roles and features is presented in Server Roles and Features. Please note that this chapter is for informational purposes only.
- Web-Deploy extension - minimum required version: 3.6, 64bit version. Please note that this is required only for PowerShell script installations, such as the Azure one. Enables you to deploy a website. Please download and install Web Deploy Extension 3.6 by accessing this link.
- Web.Config - The
<system.webServer>
element inweb.config
must not contain any locked sections. If such sections exist, you need to manually unlock them in IIS. -
The Application Pool user needs to have the following rights in the Local Computer Policy:
- Log on as a batch job.
-
Anonymous Authentication must be enabled.
Important: Make sure the user running the installation is a Domain User and has Active Directory Domain access configured in theWindowsAuth.Domain
setting.
HTTPS protocol is mandatory for all communication between Robots and Orchestrator on all the browsers on which the web application is accessed by users.
The following 3 types of web certificates can be used.
- A web certificate issued by a trusted Certification Authority, such as GoDaddy, VeriSign, etc. The web certificate has to be imported to Server Certificates in IIS. You need to know the name of the "Issued To" entity, which has to be provided when prompted by the Windows installer.
- You are a Certification Authority which can issue certificates trusted in the Windows domain. Please see Using a Certificate for the HTTPS Protocol.
- A self-signed certificate, which is not recommended for Production. The certificate is not trusted inside the domain. For that reason, you need to export its public key, and then import it on all Robot machines. See Using a Certificate for the HTTPS Protocol for further information.
-sslCertificate
is the same one that appears in the Issued To column in Server Certificates in IIS.
For security reasons, the certificate used by the Identity Server needs to:
- have a public key on at least 2048 bits,
- be signing-capable,
-
have a private key accessible by the AppPool user,
- be in its validity period (not expired).
appsettings.Production.json
, in the Signing Credential section.
If a self-signed certificate is used, this must also be placed in the Trusted Root Certification Authority certificate store (beside the usual Personal location).
The certificate is used for signing OpenID access tokens that are used for user identification via browser and for service-to-service communication between Orchestrator and Identity Server. Click here for more details about OpenID Connect.
- The SQL Server product can be either installed on the same machine as the Application Server (not recommended for the Production environment) or provided as a separate machine. The SQL Server machine can be shared with other applications. It does not need to be dedicated to Orchestrator. Click here for prerequisites, restrictions, and recommendations on how to deploy Always On availability groups and here for details about Physical Deployment Options.
-
If you plan to connect Orchestrator to the database using a SQL Server user enable the Windows and SQL Server Authentication mode. Otherwise, "Windows Authentication mode" is enough. If SQL Server is already installed, please select this option as shown in the pictures below:
Note: The SQL Server user must have access at the server level, database level access is not sufficient for a successful installation. - The collation sequence has to be the default one -
Latin1_General_CI_AS
. - SQL Server Management Studio is necessary to configure the login of the domain user that accesses the SQL Server. The application pool runs on the application server under the name of the domain user.
- If you are considering installing Insights, make sure that your database supports both columnstore indexes and JSON functions.
Before installing Orchestrator, it is necessary to configure the SQL Server instance that you want to use.
Requirements:
- the name of the SQL Server machine;
- the name of the instance, if it’s not the default instance;
- the value of the TCP port, if it’s not the default port - 1433;
- the SQL Server port is open in the firewall of the SQL Server machine;
- the TCP Protocol in SQL Server Configuration Manager has to be enabled;
- the SQL Server service needs to listen on a fixed port, not on a dynamically allocated one;
-
public access to the SQL master database is required for the service account running Orchestrator. This is necessary both for installation and for future upgrades.
Important:To increase performance, avoid deadlocks, and prevent dirty reads in SQL, make sure that theREAD_COMMITTED_SNAPSHOT
option is set toON
.Use this query to check ifREAD_COMMITTED_SNAPSHOT
is enabled or disabled:SELECT is_read_committed_snapshot_on FROM sys.databases WHERE name= 'UiPath'
SELECT is_read_committed_snapshot_on FROM sys.databases WHERE name= 'UiPath'If it is enabled, the returned value will be1
.If it is disabled, the returned value will be0
. Use this query to enable it:ALTER DATABASE UiPath SET READ_COMMITTED_SNAPSHOT ON
ALTER DATABASE UiPath SET READ_COMMITTED_SNAPSHOT ON
-
If you use different databases for Test Automation and/or Update Server,
READ_COMMITTED_SNAPSHOT
must be enabled on those as well.Select one of the following options through which Orchestrator can connect to the SQL Server database.
For this option, a new login is required for the SQL Server as a service account. The service account should be a domain user whose password never expires.
To create a new login in SQL Server Management Studio:
- In the Object Explorer panel, navigate to Security > Logins.
- Right-click the Logins folder and select New Login. The Login - New window is displayed.
- Select the Windows Authentication option.
The window is updated accordingly.
- In the Login name field, type the user domain you want to use as a service account.
- From the Default Language list, select
English.
Important: Ensure that the Default Language is set to English. If it isn't, the website cannot start, and the Event Viewer on the computer on which Orchestrator is installed displays the following error message: “The conversion of a varchar data type to a datetime data type resulted in an out of range value”.
- Click OK. Your configurations are
saved.
If the service account has already been created and added to the Security > Logins section of the SQL Server, please check whether the Default Language of that SQL account is set to English. If it isn't, please make the necessary adjustments.
sa
account.
To create a new SQL user in SQL Server Management Studio:
a. In the Object Explorer panel, navigate to Security > Logins.
b. Right-click the Logins folder and select New Login. The Login - New window is displayed.
c. Select the SQL Server authentication option. The window is updated accordingly.
d. Fill in the Login Name,Password, and Confirm Password fields appropriately.
e. Ensure that the Enforce password expiration and User must change password at next login options are not selected.
If the SQL Server account has already been created and added to the Security > Logins section of the SQL Server, please check whether the Default Language is set to English. If it isn't, please make the necessary adjustments.
dbcreator
Server Role BEFORE installing Orchestrator, as the database is created during this installation process.
dbcreator
Server Role in the service account, create the empty database in SQL Server.
The Windows installer connects to SQL Server to verify the existence of the database.
db_owner
user mapping role, as in the following screenshot.
db_owner
user mapping role with the UiPath login, grant the following:
db_datareader
db_datawriter
db_ddladmin
1-
EXECUTE
permission ondbo
schema
db_ddladmin
role is only needed during installation or migration. For security reasons, we recommend that you remove it after installation
or migration (using ALTER ROLE db_ddladmin DROP MEMBER [SQLReadWrite]
), and add it back before upgrade (using ALTER ROLE db_ddladmin ADD MEMBER [SQLReadWrite]
).
[block:image] { "images": [ { "image": [] } ] } [/block]
EXECUTE
permission has to be granted by using the GRANT EXECUTE
SQL command, as follows.
-
if Windows Integrated Authentication is used:
USE UiPath GO GRANT EXECUTE ON SCHEMA::dbo TO [domain\user] GO
USE UiPath GO GRANT EXECUTE ON SCHEMA::dbo TO [domain\user] GO -
if SQL Server Authentication is used:
USE UiPath GO GRANT EXECUTE ON SCHEMA::dbo TO [sql_user] GO
USE UiPath GO GRANT EXECUTE ON SCHEMA::dbo TO [sql_user] GO
To use Azure AD authentication with SQL Server, you must install Orchestrator in an Azure App Service or an Azure VM.
Orchestrator running in Azure App Service
-
Create a new user managed identity in the resource group, and copy the client ID for future use.
-
Add the identity to the user assigned identities list for the Orchestrator App Service:
-
Enable the Azure Active Directory admin for the SQL server where the Orchestrator database is hosted.
-
Create the SQL login for the identity created at Step 1 for the Orchestrator database and master database. Log into the database with the admin account set at Step 3 and run the following command
CREATE USER [SQLReadWrite] FROM EXTERNAL PROVIDER
CREATE USER [SQLReadWrite] FROM EXTERNAL PROVIDER -
Add user roles on the Orchestrator database (this operation is not required on the master database as well):
- If the
db_owner
role is not restricted, then add the role:ALTER ROLE db_owner ADD MEMBER [SQLReadWrite]
-
If the
db_owner
role is not available, then add the following roles, whereSQLReadWrite
is the identity name created at step 3:ALTER ROLE db_datareader ADD MEMBER [SQLReadWrite] ALTER ROLE db_datawriter ADD MEMBER [SQLReadWrite] ALTER ROLE db_ddladmin ADD MEMBER [SQLReadWrite] GRANT EXECUTE ON SCHEMA::dbo TO [SQLReadWrite]
ALTER ROLE db_datareader ADD MEMBER [SQLReadWrite] ALTER ROLE db_datawriter ADD MEMBER [SQLReadWrite] ALTER ROLE db_ddladmin ADD MEMBER [SQLReadWrite] GRANT EXECUTE ON SCHEMA::dbo TO [SQLReadWrite]Thedb_ddladmin
role is only needed during installation or migration. For security reasons, we recommend that you: -
Remove it after installation or migration
ALTER ROLE db_ddladmin DROP MEMBER [SQLReadWrite]
ALTER ROLE db_ddladmin DROP MEMBER [SQLReadWrite] -
Add it back before upgrade
ALTER ROLE db_ddladmin ADD MEMBER [SQLReadWrite]
ALTER ROLE db_ddladmin ADD MEMBER [SQLReadWrite]
- If the
-
Update the connection string in Orchestrator by running:
<add name="Default" providerName="Microsoft.Data.SqlClient" connectionString="Data Source=aad-paas-sql.database.windows.net;Initial Catalog=UiPath;User ID=7e8df0ba-bc41-46d1-bd46-6101e45200a8;Authentication=Active Directory Managed Identity;" />
<add name="Default" providerName="Microsoft.Data.SqlClient" connectionString="Data Source=aad-paas-sql.database.windows.net;Initial Catalog=UiPath;User ID=7e8df0ba-bc41-46d1-bd46-6101e45200a8;Authentication=Active Directory Managed Identity;" />Note:- Set
USER ID
to the value of the client ID created at Step 1. - Make sure you use
Authentication=Active Directory Managed Identity
. - No password or token is required.
- Set
Orchestrator running in Azure VM
-
Create a new user managed identity in the resource group and copy the client ID for future use.
-
Add the identity to the user assigned identities list for the VM running Orchestrator.
-
Enable the Azure Active Directory admin for the SQL server where the Orchestrators database is hosted.
-
Create the SQL login for the identity created at Step 1 for the Orchestrator database and master database. Log into the database with the admin account set at Step 3, and run the following command:
CREATE USER [SQLReadWrite] FROM EXTERNAL PROVIDER
CREATE USER [SQLReadWrite] FROM EXTERNAL PROVIDER -
Add user roles on the Orchestrator database (this operation is not required on the master database as well):
- If the
db_owner
role is not restricted, then add the role:ALTER ROLE db_owner ADD MEMBER [SQLReadWrite]
-
If the
db_owner
role not available, then add the following roles, where 1SQLReadWrite1 is the identity name created at step 3.ALTER ROLE db_datareader ADD MEMBER [SQLReadWrite] ALTER ROLE db_datawriter ADD MEMBER [SQLReadWrite] ALTER ROLE db_ddladmin ADD MEMBER [SQLReadWrite] GRANT EXECUTE ON SCHEMA::dbo TO [SQLReadWrite]
ALTER ROLE db_datareader ADD MEMBER [SQLReadWrite] ALTER ROLE db_datawriter ADD MEMBER [SQLReadWrite] ALTER ROLE db_ddladmin ADD MEMBER [SQLReadWrite] GRANT EXECUTE ON SCHEMA::dbo TO [SQLReadWrite]Thedb_ddladmin
role is only needed during installation or migration. For security reasons, we recommend that you: -
Remove it after installation or migration
ALTER ROLE db_ddladmin DROP MEMBER [SQLReadWrite]
ALTER ROLE db_ddladmin DROP MEMBER [SQLReadWrite] -
Add it back before upgrade
ALTER ROLE db_ddladmin ADD MEMBER [SQLReadWrite]
ALTER ROLE db_ddladmin ADD MEMBER [SQLReadWrite]
- If the
-
Update the connection string in Orchestrator:
<add name="Default" providerName="Microsoft.Data.SqlClient" connectionString="Data Source=aad-paas-sql.database.windows.net;Initial Catalog=UiPath;User ID=7e8df0ba-bc41-46d1-bd46-6101e45200a8;Authentication=Active Directory Managed Identity;" />
<add name="Default" providerName="Microsoft.Data.SqlClient" connectionString="Data Source=aad-paas-sql.database.windows.net;Initial Catalog=UiPath;User ID=7e8df0ba-bc41-46d1-bd46-6101e45200a8;Authentication=Active Directory Managed Identity;" />Note:- Make sure to set
USER ID
to the value of the client ID created at Step 1. - Make sure you use
Authentication=Active Directory Managed Identity
. - No password or token is required.
- Make sure to set
The High Availability add-on (HAA) for Orchestrator is an in-memory database that is used for caching and is shared among Orchestrator nodes, providing near instant synchronization.
HAA is mandatory in a cluster environment.
Multi-node Orchestrator deployments use the RESP (REdis Serialization Protocol) for communication, and thus can be configured using any solution relying on this protocol, however HAA is the only such solution supported by UiPath.
The following information is stored in HAA:
- session state - automatically set when installing Orchestrator on multiple nodes
- user sessions from the browser
- Robot heartbeat cache
- associations between users and roles
- associations between users and organization units
- license information
- settings
Orchestrator uses HAA as a shared cache for all its nodes. The following example describes how the cache is used to coordinate across Orchestrator nodes:
- Example: A user manually starts a Robot job on an Orchestrator node. That particular node may not know to which Orchestrator node the Robot is connected to. The node from which you started the job forwards the request to HAA, which, in turn, syncs the information. The Orchestrator node with an established connection to the Robot in question sends the start command to it. The other Orchestrator nodes that are not connected to our Robot just ignore the command.
LoadBalancer.Redis.ConnectionString
parameter in UiPath.Orchestrator.dll.config
. For more information, see this page.
A network load balancer enables you to distribute the load to multiple nodes, and thus enables an overall better performance of your Orchestrator instance. Additionally, if one of the nodes fails, the rest pick up the load, thus ensuring you have no downtime.
We recommend using an F5 load balance with a predictive algorithm, as the load is distributed to nodes that perform better, and therefore, offers a better overall performance of Orchestrator. For more information on algorithms, please take a look here.
UiPath.Orchestrator.dll.config
file (C:\Program Files (x86)\UiPath\Orchestrator
). For more information, see Logging Configuration.
If you choose to use ElasticSearch, please note that although it is a cross-platform product, which runs on Windows, Linux, or Unix, it requires Java. You can use either OpenJDK or Oracle JRE. A compatibility matrix is provided by Elasticsearch here.
http://computername.domain.name
or http://computername
is used instead of http://localhost
.
If this is not possible, then the computer name or the IP address should be used during the installation process.
- Download Elasticsearch.
-
Double-click the Elastic Search Windows installer. The Elastisearch wizard is displayed, at the Locations step.
-
Use the default directories for installation, data, configuration, and logs, or select custom locations for each.
Note: If you have another disk than the one where Elasticsearch is installed, you can configure Elasticsearch to store the data on the disc with more free space. -
Click Next. The Service step is displayed.
-
Ensure that the following options are selected:
- Install as a service
- Start the service after this installation is complete
- Start the service when Windows starts (Automatic)
- Click Next. The Configuration step is displayed.
-
Configure the following options as desired:
- Cluster name - change the value to something that reflects the purpose of this Elasticsearch installation. This is important if you have several servers with Elasticsearch in your intranet, to avoid autodiscovery.
- Node name - a friendly name for your node.
- Roles - the default options are recommended.
- Memory - the default options are recommended.
- Network host - the computer’s hostname/IP address (you can obtain the machine name in a command prompt by running the command hostname).
- HTTP Port - the default port for Elasticsearch is 9200
-
Discovery - enable the This is the first master in a new cluster checkbox for the first node in the cluster.
Important: If Orchestrator is installed on a different machine, please remember to open port 9200 in the Firewall of the machine where Elasticsearch is installed.
- Click Next. The Plugins step is displayed.
-
(Optionally) Select additional plugins for Elasticsearch, such as X-Pack for security.
-
Click Install. ElasticSearch is installed.
Reducing the Number of Index Sharding
By default, newly created Elasticsearch indexes have five shards. However, for an increased performance, it is recommended to reduce this number to two. For more information, please see the official documentation of Elasticsearch.
elasticUrl/_template/uipath_logs
format, with the following body:
{
"template": "*",
"order": 1,
"settings": {
"number_of_shards": 2
}
}
{
"template": "*",
"order": 1,
"settings": {
"number_of_shards": 2
}
}
http://computername:9200/
. Computername
stands for the name of the computer on which Elasticsearch is installed. The browser should either ask you to download a
.json
file or open and display the file as in the picture below.
Kibana is used in combination with Elasticsearch and helps you create custom views based on the logs you send to Elasticsearch, in our case, the ones sent by Robots.
- Download Kibana.
- Unzip the Kibana package.
Note: Unzip to C:\ or D:\ . You do not need to create a new folder named
kibana-x.y.z-windows
, because the files in the archive are already placed in a folder with that name. - Edit the Kibana configuration file
(
C:\kibana-x.y.z-windows-x86\config\kibana.yml
), as follows:Note: At first, open the file with Wordpad and save it to convert the LF (Line Feed) characters into CRLF (Carriage Return Line Feed) characters. Afterwards, open the file with Notepad.- Uncomment the line that contains
server.port
. The default value is 5601. It does not need to be changed unless you want Kibana to run on a different port. - Uncomment the line that contains
server.host
. Change the value to the name of the computer. - Uncomment the line that contains
elasticsearch.url
. Change the value to the Elasticsearch URL, using the name of the computer on which Elasticsearch is installed. For example,http://computername:9200
.Note: For Kibana 6.6.0 or later this line has been replaced byelasticsearch.hosts
.The screenshot below displays an example of a Kibana configuration file in which the computer names of both Kibana and Elasticsearch are JLTSQL:
- Save the file.
- Uncomment the line that contains
- Download the setup-kibana-service.zip archive.
- Copy the
nssm.exe
andsetup_kibana.bat
files from thesetup-kibana-service.zip
archive toC:\kibana-x.y.z-windows-x86\bin
. - Open the
setup_kibana.bat
file to check whether Kibana is installed in accordance with the location set in theKIBANA_HOME
variable in the BAT file. If you extracted Kibana to a diferent location, make the necessary changes. - Open Command Prompt as an
Administrator and change the folder to
C:\kibana-x.y.z-windows-x86\bin
. - Run
setup_kibana.bat
to install Kibana. - Test whether Kibana responds by
typing
http://computername:5601
in any web browser.computername
represents the name of the computer on which you installed Kibana.Important: Open port 5601 in the Firewall of the machine on which Kibana is installed. - Add a test message in the Elasticsearch database using Kibana:
- In Kibana, navigate to the Dev Tools tab.
- Submit a POST request in the format displayed below. If no error is
returned, the Elasticsearch index named
default-yyyy.mm
is created and the message is added.
yyyy
stands for the year in which the message was added. mm
stands for the month in which the message was added. Read Creating an Index Pattern to Connect to Elasticsearch to learn how to create an index pattern in Kibana.
Keep in mind that regardless of the type of installation you choose, for the scheduling features to work properly you must ensure that:
- in clustered mode the clocks on all machines have to be synchronized within less than one second;
- the clocks for the database and Orchestrator machines also have to be synchronized;
- if the SQL database enters a faulted state it is recommended to restart the Orchestrator web server from IIS. If you are in an NLB environment, please restart all web servers.
- Orchestrator Server
- Web Certificates (SSL Certificate)
- SQL Server
- SQL Server Configuration
- Windows Integrated Authentication
- SQL Server Username and Password
- Azure AD Authentication
- High Availability Add-on
- Network Load Balancer
- Elasticsearch Server
- Installing Elasticsearch
- Kibana
- Install Kibana
- Time Synchronization