For the Bot auto-login use case, Automation 360 retrieves credentials from ARCON.

Use case: Retrieve auto-login credentials

Note: This use case is supported for both Automation 360 Cloud deployments and Automation 360 On-Premises deployments.

Auto-login credentials are used to authenticate to an Automation 360 Bot Agent device and start an active Windows Server session. This requires an active Windows Server session to function. Auto-login occurs before automations are launched from a remote Bot Agent device.

To enable auto-login, each automation runtime user must be mapped to a target device. This requires mapping of the Control Room username with the secret names so that during runtime, the Bot Runner user can retrieve the device credentials from the key vault.

Note: If device auto-login is enabled, the device credentials for all unattended Bot Runner devices will be fetched from the external vault. Ensure that there is a mapping between all the Bot Runner usernames created in the Control Room and vault-specific secret names that contain device credentials. Otherwise, during Bot execution, the device credential fetch will encounter the Secret not found error.

To map the Control Room username with the secret names:

  1. Navigate to Administration > Settings > External key vault > Device auto login.
  2. Click Edit and select Manage custom secrets mapping.
  3. Download the .CSV template and add the entries in the format specified and save it locally. To map the Control Room usernames with the secret names, you must import this .CSV template file which contains the following entries into the Control Room. Except for the Hostname (optional) field, other fields are mandatory.
    • ARCON username: If the ARCON username is in domain\username format, specify the username in this field in the same format.
    • Server IP address: The unique numerical identifier assigned to a server within a network, allowing devices to locate and communicate with it.
    • Target type: The specific type of device or system that is the target of the auto-login request.
    • Open for hours (numeric): The number of hours, configured for the ARCON system, for which the auto-login credential retrieval request stays open.
    • (Optional) Hostname: The hostname of the target device.
  4. Click Import .CSV and browse to upload the .CSV template file.
  5. Click Import and save. The custom secrets mapping table is populated with the updated entries.
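
As an added example (not part of Automation 360 or its documentation), this Python check can be run on the mapping file before import: it confirms that every Bot Runner has a row (the gap behind the Secret not found error), that mandatory fields are filled, that the server address parses as an IP address, and that Open for hours is numeric. The column header names, the presence of a Control Room username column, and the sample rows are assumptions; adjust them to the header row of the downloaded template.

```python
import csv
import io
import ipaddress

# Assumed header names (not taken from the product): rename these to match
# the header row of the .CSV template downloaded from the Control Room.
USER, ARCON_USER, IP, TARGET, HOURS, HOST = (
    "Control Room username", "ARCON username", "Server IP address",
    "Target type", "Open for hours", "Hostname")
MANDATORY = (USER, ARCON_USER, IP, TARGET, HOURS)  # Hostname is optional


def check_mapping(csv_text, bot_runners):
    """Return a list of problems found in the mapping CSV (empty list = OK)."""
    problems, mapped = [], set()
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in MANDATORY if c not in (reader.fieldnames or [])]
    if missing:
        return [f"missing column(s): {', '.join(missing)}"]
    for n, row in enumerate(reader, start=2):  # line 1 is the header
        row = {k: (v or "").strip() for k, v in row.items() if k}
        problems += [f"line {n}: '{c}' is empty" for c in MANDATORY if not row[c]]
        try:
            ipaddress.ip_address(row[IP])
        except ValueError:
            if row[IP]:
                problems.append(f"line {n}: '{row[IP]}' is not an IP address")
        if row[HOURS] and not row[HOURS].isdigit():
            problems.append(f"line {n}: '{HOURS}' must be numeric")
        if row[USER] in mapped:
            problems.append(f"line {n}: duplicate mapping for '{row[USER]}'")
        mapped.add(row[USER])
    # Every unattended Bot Runner needs a row; without one, its device
    # credential fetch at run time ends in the Secret not found error.
    for runner in sorted(set(bot_runners) - mapped):
        problems.append(f"no mapping for Bot Runner '{runner}'")
    return problems


# Constructed sample data: the third row has a bad IP and non-numeric hours.
SAMPLE = """Control Room username,ARCON username,Server IP address,Target type,Open for hours,Hostname
runner01,CORP\\svc_runner01,10.20.30.41,Windows,8,botvm01
runner02,CORP\\svc_runner02,10.20.30.42,Windows,8,
runner03,CORP\\svc_runner03,10.20.30,Windows,eight,botvm03
"""

if __name__ == "__main__":
    for p in check_mapping(SAMPLE, ["runner01", "runner02", "runner03", "runner04"]):
        print(p)
```

Pass the list of Bot Runner usernames as created in the Control Room; an empty result means the file passed these checks, not that the secrets exist in ARCON.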

After mapping the Control Room usernames with secret names, you can enable the device auto-login settings to retrieve auto-login credentials from the external key vault, using the following procedure:

  1. Log in to the Automation 360 Control Room as the Administrator.
  2. From the Control Room, navigate to Administration > Settings > External key vault > Device auto login.
  3. Click Edit.
  4. Click Enabled to retrieve the auto-login credentials from that external key vault.
  5. Click Save changes.

Use case: Retrieve Agent automation credentials

Note: This use case is supported for both Automation 360 Cloud deployments and Automation 360 On-Premises deployments.

Automation credentials are variables that developers use in automation (bot) actions. These actions help define and get data from encrypted storage. The automation uses these credentials to log into applications. During runtime, the Automation 360 Bot Agent retrieves the automation credentials. This use case shows how an automation (bot) gets credentials (secrets stored in ARCON key vault) and uses them during runtime to log into the applications being automated.

To set up automation credentials retrieval and connect with the ARCON key vault, you first need to create a locker and then create credentials.

Note: If you want to store credentials in the Control Room credential vaults and external key vaults, do the following:
  • Create separate lockers in the Control Room to store credentials created in the Control Room credential vaults.
  • Create separate lockers in the Control Room to store credentials created in external key vaults.

The Control Room does not support storing credentials from the Control Room credential vaults and external key vaults in the same locker.

To create a locker to integrate with the ARCON key vault, perform these steps:

  1. From the Automation 360 Control Room, navigate to Manage > Credentials.

    A user with Manage my credentials and lockers permissions is authorized to create credentials.

  2. Select the Lockers tab and click Create Locker.
  3. Enter a name for the locker.

    This name is local to the Control Room and does not have any dependency on the ARCON key vault secret name.

  4. Click External Key Vault.
  5. Select External Key Vault with the label ARCON Key Vault.
  6. Click Next.
  7. Configure Owners, Managers, Participants, and Consumers for the locker.
  8. Click Create locker. See Create locker.

To create a credential to integrate with the ARCON key vault, perform these steps:

  1. From the Automation 360 Control Room, navigate to Manage > Credentials.

    A user with Manage my credentials and lockers permissions is authorized to create credentials.

  2. From the Credentials tab, select Create Credential.
  3. Enter the credential name in the Credential name field.

    This name is local to the Control Room and does not have any dependency on the ARCON key vault secret name.

  4. Click External key vault below the name field.
  5. From the list of available lockers, select the appropriate locker that was set to ARCON key vault.
  6. In the ARCON Username field, enter the username as defined in the secret.
  7. Enter the Server IP address, Target type, Open for hours, and Hostname (Optional).
  8. Click Validate and retrieve attributes. When the system successfully retrieves the secret, it will display two attributes: Username and Password.
  9. From the list of attributes, select the attributes to map to the credential.
  10. Click Create credential to save the credential.

    In your automation, use Credential Actions to get and use the secrets while the program is running. For example, a bot can decrypt a password-protected PDF by using a password that is fetched from ARCON key vault in real-time.

Use case: Retrieve database credentials for ARCON key vault

Note: This use case applies only to Automation 360 On-Premises deployments.

To get a database credential from the ARCON key vault and configure database authentication, do the following:

Note: Configure ARCON key vault as an external key vault in Automation 360 using the crutils utility to enable database credential retrieval.
  1. First, stop these services to avoid any issues:
    • Automation Anywhere Control Room Messaging service
    • Automation Anywhere Control Room service
  2. Open the command prompt as an Administrator. Go to the Automation 360 installation location. Run the crutils utility with this command:

    jdk11\bin\java -Djavax.net.ssl.trustStore="C:\Program Files\Automation Anywhere\Automation360\pki\trust\store.ks" -Djavax.net.ssl.trustStorePassword=changeit --module-path lib -jar crutils.jar -action UPDATE_DB_AUTHENTICATION_CONFIGURATION -configPath "C:\Program Files\Automation Anywhere\Automation360\config"

    1. After the utility loads the current database configuration, you will see this prompt:
      Database authentication configurations loaded
       Currently configured database authentication [SQL]
      Change database authentication. Available options:
       WINDOWS: Connect to database using windows authentication
       SQL: Connect to database using SQL server authentication, manually enter username and password
       KEY_VAULT: Connect to database using SQL server authentication, retrieve username and password from external key Vault
      Enter database authentication [WINDOWS/SQL/KEY_VAULT]:
       Enter KEY_VAULT
    2. Please enter Server IP: Enter the IP of the database server.
    3. Please enter Target type: Enter the service type name as per ARCON’s supported list.
    4. Please enter ARCON username: Enter the username to connect to the database server.
    5. Please enter Open for hours: Enter the duration for the validity of the password request session.
    6. Please enter Hostname (optional): Enter the hostname of the database server.
    7. The key vault utility will run. If the database configuration is successful (meaning it connects to the ARCON key vault, retrieves the designated credential, and uses it to connect to the database), you will see these messages on the console:
      Database Credentials are valid
      Database authentication configurations successfully updated
      
  3. Finally, restart these services:
    • Automation Anywhere Control Room Messaging service
    • Automation Anywhere Control Room service

Use case: Retrieve Control Room system credentials for ARCON key vault

Note: This use case applies only to Automation 360 On-Premises deployments.
  1. Set up Active Directory credentials:

    After you complete the initial installation of Automation 360 and configure ARCON key vault as the external key vault, you can set up the authentication type for Automation 360 Control Room users in the initial setup as shown below (this occurs directly after the initial installation completes).

    1. From the Authentication type for Control Room users dialog box, click Active Directory.
    2. You can optionally configure the Active Directory integration credential (this is the credential that the Control Room uses to authenticate users with Active Directory) to be retrieved from ARCON key vault. Select External Key vault with label ARCON key vault.
    3. Enter the Server IP, Target type, ARCON username, Open for hours, and Hostname (optional).
    4. Click Discover connections or Manually add connections to fetch the Active Directory credential from the external vault. Once the connection is successful, the Next button is enabled.
    5. Click Next and configure Owners, Managers, Participants, and Consumers for the locker.
    The Control Room will attempt to retrieve the credential from the ARCON key vault and then authenticate to the Domain Controller. If this fails, the cause might be one of the following:
    • There is no secret with that name in the ARCON key vault
    • There is a secret with that name, but it does not contain a username and password that is authorized for authentication with Active Directory

    You can now log in to the Control Room as admin and add users and roles.

    To change the Active Directory settings:
    1. Log in to the Automation 360 Control Room as the Administrator.
    2. Navigate to: Administration > Settings > Active Directory.
    3. Click External key vault and select ARCON key vault.
    4. Enter the Server IP, Target type, ARCON username, Open for hours, and Hostname (optional) to get the Active Directory credentials.
  2. Set up SMTP credentials:
    1. To set up email, log in to the Automation 360 Control Room as the Administrator.
    2. Navigate to: Administration > Settings > Email.
    3. Click External key vault and select ARCON key vault as the external key vault.
    4. Enter the Server IP, Target type, ARCON username, Open for hours, and Hostname (optional) to get the Active Directory credentials.