Configure application Transport Layer Security

Use the Transport Layer Security (TLS) configuration wizard page from the Automation 360 installer to generate a self-signed certificate or import a security certificate to set up a highly secure Control Room instance.

Automation Anywhere leverages TLS 1.2 and TLS 1.3 encryptions for HTTPS and TCP communications between our components. The TLS certificates are installed on the Automation Anywhere Control Room and IQ Bot servers. The certificates are installed in .PFX format and leveraged for communications.

Note: If your load balancer uses HTTP to forward traffic to the Control Room, do not use the Enable Force HTTP traffic to HTTPS option. We recommend that you use HTTPS to forward the load balancer traffic for enhanced security instead.

Procedure

In the TLS Configuration page, configure the following:
- Generate a Self-Signed Certificate
  Enabling the Self-Signed Certificate option allows the installer to generate a unique private key and a self-signed certificate for the Control Room.
- Import a Certificate
  To import a custom certificate, clear the Self Signed Certificate check box. This setting allows you to import a certificate using the Certificate Path field.
  
  Note: The certificate file must be a PKCS12 format.
  Provide the following information:
  - Certificate Path: Click Browse to import the certificate.
  - Private Key Password: Enter the password for the private key.
    Password limitation: Do not use the at sign (@) in passwords. Using the special character @ in the password causes the certificate file import to fail.
  - Intermediate certificates .zip File: Click Browse to import the certificate.
    The intermediate certificate file must be a single .zip file that includes the P12 or PKCS12 certificate file format and PEM certificate file format.
    Note:
    - Importing intermediate certificates is supported only on Windows.
    - All the certificates in the zip file must be in the top-level folder and must not contain any subfolders.
    - Password-protected intermediate certificates are not supported.
  - Webserver Port: Enter the web server port – either HTTP or HTTPS. If the port is already assigned, an error message is displayed.
    Important: The port validation message is also displayed when you add 8080 for the web server and if that port is already in use for a Control Room license service. Use a different unassigned port in these cases.
  - Enable Force HTTP traffic to HTTPS: This option redirects all HTTP port requests to HTTPS. To access to the Control Room through HTTPS using the generated self-signed certificate, ensure the port numbers are different for HTTP and HTTPS.
    To generate a custom certificate for HTTPS, ensure your custom certificate meets the following:
    - Create a .pfx certificate with a pass code from a CA trusted authority.
    - Combine Root, Intermediate, and Machine level certificates into a single certificate.
    - Use the format [WS Machine Host Name].[DomainName].com for the private key.
    - Include the host name as a fully qualified domain name (FQDN) in the certificate.
      You provide the host name during Control Room installation.
    - In multi-node HA clusters, issue certificates to the load balancer DNS name.
    - Add individual URLs, which require access to all nodes, to the Subject Alternative Name field in the certificate.
    For more information, see Automation Anywhere support site: Automation 360 On-Premises prerequisites (A-People login required).
    
    The following sample illustration shows options for importing a custom certificate:
Click Next to configure service credentials.
Configure service credentials