On-Premises post-installation using AWS Secrets Manager

You use the command-line interactive key vault utility during a scheduled system downtime and you must stop all running Control Room services. You should coordinate any key vault configuration changes that might impact connectivity parameters (such as AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN) during downtimes with the AWS administrative team.

Prerequisites

Note: If you use the key vault utility to disable AWS Secrets Manager integration, you must first unmap any mapped credentials that are in use.

Using the post-installation method, you can perform these actions:

Modify or configure the external key vault connection parameters.
(If not configured during initial installation) Modify or configure the service account credential (Active Directory master password).
(If not configured during initial installation) Modify or configure the database (bootstrap) credential identifier (retrieved when authenticating the database).
Note: Retrieving bootstrap credentials from an external key vault might cause the Control Room to fail if the external key vault is not accessible during boot-up, or if the external key vault is not accessible when the Control Room refreshes database connections and authenticates users with Active Directory.
Recover the Control Room for these reasons:
- By modifying the external key vault connection parameters, the service account, and database credential safe and object identifiers.
- If AWS Secrets Manager connection parameters changes caused the Control Room to experience connectivity issues.
- When credential identifiers for bootstrap passwords change.
  You can address any initial configuration settings that were not set correctly and recover the system.

You can configure and edit SMTP and AD credential identifiers to retrieve information from the external key vault from the Automation 360 Control Room by navigating to Administration > Settings > Active Directory.

Procedure

Run the key vault utility for the AWS Secrets Manager: To run the key vault utility and update key vault connection settings:
1. As the Control Room administrator, access the Automation Anywhere Control Room installation directory that was created during the initial Automation 360 installation.
  For example: C:\Program Files\Automation Anywhere\Enterprise
2. Download the latest version of the key vault utility. To download the jar file used to update the directory, open a browser and access the A-People site: A-People Downloads page (Login required).
  
  Note: If DB authentication is configured to use external key vault, the utility returns the following exception: Database currently configured to retrieve credentials from key vault. Update database authentication to WINDOWS/SQL to proceed further and exit.
  
  The utility requests the user to confirm the action: Disable/update of key vault might impact functionalities using key vault (for example, Active Directory configuration, Email Settings configuration). Make sure to update these settings (if any). Are you sure you want to continue?
3. Enter Y to continue.
4. Enter the following:
  > jdk11\bin\java -jar certmgr.jar -appDir . -importTrustCert <Full path of the certificate>
5. Add these jvm arguments to the command to run the key vault utility:
  1. -Djavax.net.ssl.trustStore="C:\Program Files\Automation Anywhere\Enterprise\pki\trust\store.ks"
  2. -Djavax.net.ssl.trustStorePassword=changeit --module-path lib -jar crutils.jar -configPath "C:\Program Files\Automation Anywhere\Enterprise\config" -action [UPDATE_KEY_VAULT_CONFIGURATION or UPDATE_DB_AUTHENTICATION_CONFIGURATION]
  You can update either of these configuration actions:
  - Enter UPDATE_KEY_VAULT_CONFIGURATION to edit the AWS Secrets Manager configuration.
  - Enter UPDATE_DB_AUTHENTICATION_CONFIGURATION to change to database authentication using external key vault.
Based on which configuration action you used, choose the appropriate action:
- Update key vault configuration for AWS: If you entered UPDATE_KEY_VAULT_CONFIGURATION as the configuration action:
  1. After the utility loads the current key vault configuration and properties, and this prompt is displayed: Enter key vault [AWS/CYBERARK/AZURE/NONE] :, enter AWS
  2. At the Please enter Vault URL: prompt, enter (for example): https://services.uscentral.skytap.com:19516
  The key vault utility runs. If the configuration was successful (the utility was able to connect to the external key vault using the configured parameters), these messages are displayed on the console:
```
Connection configurations valid
  Key Vault configurations successfully updated
```
- Update database authentication for AWS: If you entered UPDATE_DB_AUTHENTICATION_CONFIGURATION as the configuration action:
  1. After the utility loads the current database configuration information, this prompt is displayed:
```
Database authentication configurations loaded
Currently configured database authentication [SQL]

Change database authentication. Available options:
WINDOWS: Connect to database using windows authentication
SQL: Connect to database using SQL server authentication, manually enter username and password
KEY_VAULT: Connect to database using SQL server authentication, retrieve username and password from external key Vault 

Enter database authentication [WINDOWS/SQL/KEY_VAULT]:
```
    Enter KEY_VAULT
  2. At the Please enter Secret name: prompt, enter (for example): testDB
  The key vault utility runs. If the database configuration was successful (the utility was able to connect to AWS, retrieve the designated credential and then use the credential to connect to the database), these messages display on the console:
```
Database Credentials are valid
Database authentication configurations successfully updated
```