Using external key vaults

  • Updated: 2022/05/03
    • Automation 360 v.x

Use the external key vault technology by integrating the Automation 360 platform with third-party key vaults such as AWS Secrets Manager, Azure Key Vault, and CyberArk.

Third-party key vault integration

Automation 360 uses credentials to support business services, such as database connections, Active Directory Integration, and Simple Mail Transfer Protocol (SMTP) operations. These services can be configured to retrieve the necessary authentication from the integrated external key vault. Only encrypted credentials can be passed from the Control Room to the Database server and are stored in the external vault.

Additionally, auto-login credentials and credentials used by RPA (bots) can be configured for retrieval from the integrated key vault.

Before proceeding, ensure that you have the following information:
  • Any necessary database and user credentials.
  • Any necessary credential requirements for the external key vault, such as secret keys and application IDs. For the specific requirements of your external key vault, see the page on configuring external key vault integration.

Retrieving Bootstrap/System Credentials

Bootstrap credentials are those credentials used by the Control Room to access supporting services such as database, service account, Active Directory, and SMTP. Database, service account, and Active Directory credentials that are used by the Control Room are configured for retrieval either during initial installation or post-installation via the key vault utility. SMTP credentials are configured through the UI under Administration > Settings > Email Settings. Configure bootstrap credential retrieval during installation or post-installation by specifying the Safe Name and Object Name for the credential. When needed during the boot-up sequence, or during normal operation (refreshing a service authentication), the Control Room will use the key vault connection to retrieve the credential and perform the required authentication (e.g. to SQL Database, or to Active Directory for authenticating users).

Retrieving Auto-login Credentials

Auto-login credentials are those credentials used to authenticate to the Bot agent Device for the purpose of starting an active Windows Session (required for RPA to work). Auto-login is performed when launching automations on a remote Bot agent Device. Either manually or as a scheduled job, a Control Room administrator can launch an automation on a Bot agent Device by specifying the name of the automation, the device, and a user context. For example, run the automation named ProcureToPayGeoEast on the device named WinVDI1138 as user roboticworker2112@automation.acme.com. Prior to starting the automation, the platform will check if there is currently an active Windows session on device WinVDI1138 and if that session belongs to roboticworker2112. If not, the system will instruct the Bot agent Device to perform a Windows Login on device WinVDI1138 as roboticworker2112 using the Auto-login credential for roboticworker2112. The automation (bot) ProcureToPayGeoEast then starts to run on WinVDI1138 as roboticworker2112.

Auto-login credential retrieval from the external key vault is configured by an administrator in the Control Room under Administration > Settings > Devices. If an external key vault connection is configured, there will be an option to configure Retrieve Auto-login credentials from external key vault. If this option is not present, the external key vault connection is not configured. If CyberArk is the configured external key vault, there will be an option to specify a Safe Name from where to retrieve the Auto-login Credentials. If the option to specify the Safe Name is not present, this means that CyberArk is not the configured external key vault. The specified Safe Name is referred to as the Auto-login Credential Safe.

All Auto-login credentials will be retrieved from this Safe Name. All Auto-login credentials are assumed to be present within the Auto-login Credential Safe. If the system needs to perform Auto-login and there is no credential present in the Auto-login Credential Safe that matches the user for which the system is performing Auto-login, the Auto-login will fail. This means that for unattended automations, all robotic or digital worker user ids must have an Auto-login credential configured within the Auto-login Credential Safe.

Within the Auto-login Credential Safe, the Control Room will retrieve Auto-login credentials based on the Object naming convention within the safe. The Control Room will look for an object where the object name matches the Control Room user name for which it is performing Auto-login.

The naming convention for objects in the Auto-login Credential Safe that the Control Room expects is described in the table below:

Control Room user name | Object name
ACME\akshay | autologin_ACME--akshay
bhavani@rpa.acme.com | autologin_bhavani@rpa-2e-acme-2e-com

For Auto-login credentials, the object name in the vault is expected to contain "autologin_" as a prefix. Certain key vaults have restrictions on the usage of certain characters, such as "\" and "@", in the secret name (object name) and restrictions on how special characters are interpreted within API calls. Auto-login credential names map to the login ID for the credential being retrieved, so if the user ID has special characters "\" or "@", the secret name (object name) must be encoded using the following substitutions:
  • "\" to "--"
  • "-" to "-2d-"
  • "_" to "-5f-"
  • "@" to "-2e-"
With the exception of the backslash being mapped to double dashes, the dash character, underscore and the "@" symbol are mapped using their ASCII code bracketed in dashes.
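
The following is an added example, not Automation Anywhere code. It derives the object name expected for each Control Room user name and compares the result with a listing of the Auto-login Credential Safe, so that missing credentials are found before an unattended run fails. Where the substitution list and the table differ on "@" and ".", the code follows the table rows, which is an assumption to confirm for your vault; `object_name`, `audit_safe`, `USERS` and `SAFE_OBJECTS` are hypothetical names and constructed data.

```python
AUTOLOGIN_PREFIX = "autologin_"

# Substitutions taken from this page. "\" -> "--" and "." -> "-2e-" follow the
# table rows; "@" is left literal because the table row keeps it (assumption:
# confirm against the configuration page for your specific key vault).
SUBSTITUTIONS = str.maketrans({
    "\\": "--",
    "-": "-2d-",
    "_": "-5f-",
    ".": "-2e-",
})


def object_name(user_name: str) -> str:
    """Return the object name expected for a Control Room user name."""
    return AUTOLOGIN_PREFIX + user_name.translate(SUBSTITUTIONS)


def audit_safe(user_names, safe_objects):
    """Compare unattended users with the objects present in the safe.

    Returns (missing, orphaned): users whose Auto-login would fail because no
    matching object exists, and autologin_ objects that match no listed user.
    """
    expected = {object_name(u): u for u in user_names}
    present = set(safe_objects)
    missing = sorted(u for name, u in expected.items() if name not in present)
    orphaned = sorted(o for o in present
                      if o.startswith(AUTOLOGIN_PREFIX) and o not in expected)
    return missing, orphaned


# Constructed sample data: the two user names from the table, one hypothetical
# user with no credential, and one hypothetical stale object in the safe.
USERS = ["ACME\\akshay", "bhavani@rpa.acme.com", "ACME\\svc_bot-01"]
SAFE_OBJECTS = [
    "autologin_ACME--akshay",
    "autologin_bhavani@rpa-2e-acme-2e-com",
    "autologin_ACME--retired-5f-worker",
    "db_admin",
]

if __name__ == "__main__":
    missing, orphaned = audit_safe(USERS, SAFE_OBJECTS)
    print("users with no Auto-login object:", missing)
    print("autologin_ objects with no user:", orphaned)
```

Orphaned `autologin_` objects are worth reviewing as well, since they are login credentials kept for accounts that no longer run automations.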

Retrieving Automation Credentials

Automation Credentials are simply a variable type used by bot developers within automation actions to define and retrieve data from encrypted storage. Automation Credentials are typically used by the automation to authenticate to applications but can be used for any purpose. Automation credentials are retrieved by the automation (bot) during runtime.

Automation Credentials retrieved from external key vaults are mapped within the Automation Anywhere Credential Vault using the External Key Vault button when configuring Lockers and Credentials. To configure Automation Credentials in CyberArk Password Vault, the Automation Anywhere Locker is mapped to a Safe Name and the c