cancel
Showing results for 
Search instead for 
Did you mean: 

Expose Blue prism Process as a secured (https) webservice instead of http

Anonymous
Not applicable
Hi, When a BP process is exposed it generally is exposed over Http. In our process there is a requirement to expose it as Https service. Can anybody help with how can this be achieved. Is there any workaround if couldn't be done by direct approach.?
8 REPLIES 8

ashish.easow
Staff
Staff
your runtime resource would need to be encrypted using a certificate for the webservice to be called. but when you do that your app server would also need to understand the encrypted operational communication. Search for Securing Network Connectivity in portal documents.

Hello Ashish,

What are things that we need to do on the App Server to make it understand the certificate on the run time resource. I have read the Securing Network Connectivity but still not clear as I am new to certificates. Can you please elaborate? Thank you!

------------------------------
Prathyusha Melapindi
------------------------------

You can always just set up nginx proxy in front of it. That would also let you easily setup all the protocols/cypers you want to use and proper access control.
https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/

------------------------------
Andrey Kudinov
Project Manager
MobileTelesystems PJSC
Europe/Moscow
------------------------------

ewilson
Staff
Staff
In a nutshell, you have to configure your runtime resources to use the specific SSL certificate. You do this by including the /sslcert command line flag, along with the thumbprint of the certificate, when starting the runtime. You can find more info about this in the Online Help.

You also have to configure the application server to use that certificate. You do that via the app server configuration utility.

Cheers,

------------------------------
Eric Wilson
Director, Partner Integrations for Digital Exchange
Blue Prism
------------------------------

JerinJose
Level 10
Hi Deebiga,

i could suggest an alternate method if you want to continue with message encryption or .net remoting connection type which does not require client side certificate to be installed on the runtime and establish trust to the application server.
use a load balancer and configure the backend pool to the runtime resource where the webservice is exposed. load balancer will be listering on port 443 (https endpoint) but the health probe of load balancer wil be configured for port 80 to the back-end pool certificate needs to be installed only at the load balancer that way you could have certificates with meaning full subject names to identify your target process. here we are using certificate offloading at loadbalancer instead of end to end ssl which require valid certificate on server and client side. i hope this helps

------------------------------
Jerin Jose
RPA Product SME
EY
Asia/Kolkata
------------------------------

Hi Team,
I am exposing Blueprism Webservice (https://lvs-rpard-004:8181/ws/GetUserPhoneNumber?wsdl) as SOAP but getting below error
"This page can't be displayed
Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://lvs-rpard-004:8181 again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator."

even i tried to created certificate on DevMachine - lvs-rpard-004 and uploaded that as a file option when exposing that Webeservice but still issue is cming.
Request you to provide Solution for this .

------------------------------
Pallavi Metkar
Consultant
capgemini
Indian/Antananarivo
------------------------------

Hi Eric,

What other things we need to check along with Thumbprint of certificate because we faced same challenge in past?

-Regards,
Malak

------------------------------
Malak Dudhia
------------------------------

@MalakDudhia1,

Take a look at the Install Blue Prism Enterprise Edition guide. Search on SSL and you'll find several sections that discuss things to consider when deploying certificates within your BP environment. As @AndreyKudinov and @JerinJose have suggested, the easiest way to enable secure communication against exposed BP web services is to place them behind a load balancer/firewall and​ let that handle the transport encryption. Then your BP deployment is just regular HTTP.

If you choose to move forward with enabling SSL encryption on the runtime resources here are some things you need to check:
  • Runtime Resources must be configured using /sslcert flag along with the thumbprint of the specific SSL cert which must be deployed locally on the runtime resource. The certificate should be deployed to the machine certificate store, not a specific users store.
  • You may also need to use the /wslocationprefix flag with the runtime resource in order to override the displayed addressable location of published web services and the associated resources such as WSDLs hosted on this device. For further details see the online help.
  • The application server must be configured to use the same SSL certificate as the runtime resources. You do this in the configuration tool (i.e. BPServer.exe) found in the Blue Prism installation folder.
  • In the server configuration you need to select a Connection Mode that supports transport encryption (ex. WCF: SOAP with Transport Encryption). Once you've selected the Connection Mode, you need to select the specific certificate on the Certificate tab.
  • Another thing to check is that the Host Name or IP Address of the application server in the Binding section matches the hostname that's associated with the SSL cert. This is typically the FQDN.
I think those are the big points. There is a step in the installation guide that discusses associating the SSL cert with a specific TCP port and app ID of the application server. So check that too.

Cheers,
​​

------------------------------
Eric Wilson
Director, Integrations and Enablement
Blue Prism Digital Exchange
------------------------------