topic RE: your runtime resource would… in Product Forum

Expose Blue prism Process as a secured (https) webservice instead of http

Anonymous — Wed, 25 Jul 2018 14:19:00 GMT

Hi, When a BP process is exposed it generally is exposed over Http. In our process there is a requirement to expose it as Https service. Can anybody help with how can this be achieved. Is there any workaround if couldn't be done by direct approach.?

your runtime resource would…

ashish.easow — Wed, 08 Aug 2018 11:29:00 GMT

your runtime resource would need to be encrypted using a certificate for the webservice to be called. but when you do that your app server would also need to understand the encrypted operational communication. Search for Securing Network Connectivity in portal documents.

RE: your runtime resource would…

PrathyushaMelap — Wed, 26 Aug 2020 16:15:00 GMT

Hello Ashish,

What are things that we need to do on the App Server to make it understand the certificate on the run time resource. I have read the Securing Network Connectivity but still not clear as I am new to certificates. Can you please elaborate? Thank you!

------------------------------
Prathyusha Melapindi
------------------------------

RE: your runtime resource would…

AndreyKudinov — Wed, 02 Sep 2020 08:40:00 GMT

You can always just set up nginx proxy in front of it. That would also let you easily setup all the protocols/cypers you want to use and proper access control.
https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/

------------------------------
Andrey Kudinov
Project Manager
MobileTelesystems PJSC
Europe/Moscow
------------------------------

RE: Expose Blue prism Process as a secured (https) webservice instead of http

ewilson — Fri, 04 Sep 2020 12:34:00 GMT

In a nutshell, you have to configure your runtime resources to use the specific SSL certificate. You do this by including the /sslcert command line flag, along with the thumbprint of the certificate, when starting the runtime. You can find more info about this in the Online Help.

You also have to configure the application server to use that certificate. You do that via the app server configuration utility.

Cheers,

------------------------------
Eric Wilson
Director, Partner Integrations for Digital Exchange
Blue Prism
------------------------------

RE: Expose Blue prism Process as a secured (https) webservice instead of http

JerinJose — Mon, 07 Sep 2020 06:29:00 GMT

Hi Deebiga,

i could suggest an alternate method if you want to continue with message encryption or .net remoting connection type which does not require client side certificate to be installed on the runtime and establish trust to the application server.
use a load balancer and configure the backend pool to the runtime resource where the webservice is exposed. load balancer will be listering on port 443 (https endpoint) but the health probe of load balancer wil be configured for port 80 to the back-end pool certificate needs to be installed only at the load balancer that way you could have certificates with meaning full subject names to identify your target process. here we are using certificate offloading at loadbalancer instead of end to end ssl which require valid certificate on server and client side. i hope this helps

------------------------------
Jerin Jose
RPA Product SME
EY
Asia/Kolkata
------------------------------

RE: Expose Blue prism Process as a secured (https) webservice instead of http

pal_blueprism — Wed, 14 Apr 2021 18:43:00 GMT

Hi Team,
I am exposing Blueprism Webservice (https://lvs-rpard-004:8181/ws/GetUserPhoneNumber?wsdl) as SOAP but getting below error
"This page can't be displayed
Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://lvs-rpard-004:8181 again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator."

even i tried to created certificate on DevMachine - lvs-rpard-004 and uploaded that as a file option when exposing that Webeservice but still issue is cming.
Request you to provide Solution for this .

------------------------------
Pallavi Metkar
Consultant
capgemini
Indian/Antananarivo
------------------------------

RE: Expose Blue prism Process as a secured (https) webservice instead of http

MalakDudhia1 — Fri, 22 Oct 2021 22:17:00 GMT

Hi Eric,

What other things we need to check along with Thumbprint of certificate because we faced same challenge in past?

-Regards,
Malak

------------------------------
Malak Dudhia
------------------------------

RE: Expose Blue prism Process as a secured (https) webservice instead of http

ewilson — Sat, 23 Oct 2021 15:54:00 GMT

@MalakDudhia1,

Take a look at the Install Blue Prism Enterprise Edition guide. Search on SSL and you'll find several sections that discuss things to consider when deploying certificates within your BP environment. As @AndreyKudinov and @JerinJose have suggested, the easiest way to enable secure communication against exposed BP web services is to place them behind a load balancer/firewall and let that handle the transport encryption. Then your BP deployment is just regular HTTP.

If you choose to move forward with enabling SSL encryption on the runtime resources here are some things you need to check:

Runtime Resources must be configured using /sslcert flag along with the thumbprint of the specific SSL cert which must be deployed locally on the runtime resource. The certificate should be deployed to the machine certificate store, not a specific users store.
You may also need to use the /wslocationprefix flag with the runtime resource in order to override the displayed addressable location of published web services and the associated resources such as WSDLs hosted on this device. For further details see the online help.
The application server must be configured to use the same SSL certificate as the runtime resources. You do this in the configuration tool (i.e. BPServer.exe) found in the Blue Prism installation folder.
In the server configuration you need to select a Connection Mode that supports transport encryption (ex. WCF: SOAP with Transport Encryption). Once you've selected the Connection Mode, you need to select the specific certificate on the Certificate tab.
Another thing to check is that the Host Name or IP Address of the application server in the Binding section matches the hostname that's associated with the SSL cert. This is typically the FQDN.

I think those are the big points. There is a step in the installation guide that discusses associating the SSL cert with a specific TCP port and app ID of the application server. So check that too.

Cheers,

------------------------------
Eric Wilson
Director, Integrations and Enablement
Blue Prism Digital Exchange
------------------------------