When installing and performing the initial configuration of Decipher, many customers do not do the necessary tasks to harden the security of the environment. This guide goes over the salient points required to make your Decipher installation as secure as possible.
Users and Password protection
Admin Password
Firstly, your admin password is probably set to the default “admin” password.
The password can be changed only in the Decipher website. To do this:
- Log in using the admin account.
- Use the change password option to reset the password
- IMPORTANT NOTE: It’s likely your Blue Prism Process that use the Decipher Object are still using admin\admin credentials. When you change the password on the website you must immediately change it in your Blue Prism Process, otherwise it will start to fail.
GeneralUser
The default account used (actually recommended in the installation) by the Automated Client is the GeneralUser account. This has a default password of “user” (again, recommended by the installation). If left as “GeneralUser \ user” it can be security risk.
To change the account password, like the admin password (above) this has to be done on the Decipher Website.
Before the password is changed, stop the Decipher Automated Client Service on the machine that the Automated Client component is installed upon.
It will then need changing in several places as part of the Automated Client configuration.
Navigate to the Automated Client install directory (Usually C:\Program Files (x86)\Blue Prism\Decipher Automated Clients)
The files that need changing are:
- SsiImageProcessingClient.exe.config
- SsiClassificationClient.exe.config
- SsiCaptureClient.exe.config
- SsiExportClient.exe.config
- SsiProcessingClient.exe.config
- SsiOcrClient.exe.config
For each file:
- Make a backup of each file. Just in case.
- Edit the UserName value to update the password as per the screenshot below.
- Close and Save the file
Next the files need encrypting
Open a command-line as Administrator.
Navigate to the Automated Client install directory.
Run each of the commands below once.
- SSiClassificationClient.exe -enc
- SsiImageProcessingClient.exe -enc
- SsiClassificationClient.exe -enc
- SsiCaptureClient.exe -enc
- SsiExportClient.exe -enc
- SsiProcessingClient.exe -enc
- SsiOcrClient.exe -enc
Then check each file, to ensure the password is now an encrypted string.
NOTE: If encryption was already applied during installation, or otherwise, and you need to change the password simply make the value of the UserName field plain text, for example:
<add key=”Password” value=”MyN3wP455w0rd!”
Then re-encrypt the file as per the instructions above.
Once all files have been changed and re-encrypted, restart the Automated Client and test that batches can still be processed.
If there are no problems, delete the backups of the config file taken earlier.
SsiServer.exe configuration encryption
It is also an option to encrypt the Decipher Server Configuration at install.
If you chose not to do this at install, or since install, and you are using SQL Authentication, your Database passwords will be held in the plain text as per the screenshot below.
To encrypt this file:
- Firstly make a backup of the SsiServer.exe.config file, located in the Decipher Server installation folder, usually C:\Program Files (x86)\Blue Prism\Decipher Server
- Open a command line as Administrator and navigate to the Decipher Server installation folder
- Run the following command:
ssiserver.exe -enc
- The contents of the file will now look like the screenshot below.
- If the configuration needs changing for any reason, then the whole connectionString value, within the “” needs changing to how it was previously, then the file re-encrypting as per the instructions above. It is therefore recommend to keep the backup of the file with dummy\placeholder credentials, so you know what syntax to use.
RabbitMQ
When RabbitMQ is installed, there is a default “guest” account with “guest” password. The same account is commonly used by Decipher, as it is the default option in the installation.
As the “guest” account on every RabbitMQ installation, if it is used by Decipher, it can be a security risk.
If you wish to change the RMQ account used by Decipher, firstly you will need to create a new account in RabbitMQ. To do this:
- Browsing to the RabbitMQ management portal, usually http://localhost:15672/
- Go to the Admin tab at the top
- Click “Add a user”
- Add a new Username
- Add a new password for the Username (Tip: Avoid using special characters as this can confuse some of the Decipher configuration files)
- Set the “Tags” to Administrator
- Click “Add User”
- The new user will have been created but will be showing it no access to RabbitMQ (the yellow box in the table). To add rights simply click on the User, then click the “Set Permission” button to give it access to the “/” vhost.
RabbitMQ with Licence Manager
To change the RabbitMQ credentials used by the Decipher Licensing Service either:
- Run the MSI again, or
- Use the “Modify” option from Add/Remove programs
Either will allow to get to the installation options.
Simply click through the install options until the page presented with RabbitMQ connection configuration appears. Then insert the newly created account credentials.
RabbitMQ with Decipher Server
Unfortunately, there is no easy way of changing the RabbitMQ credentials. It requires the Decipher server application to be uninstalled and reinstalled. If you attempt this ensure the configuration is the same before and after by keeping a copy of the SsiServer.exe.config file.
RabbitMQ with Decipher Web Client (Versions < V2.3)
As of Version 2.3 the Decipher Web Client no longer uses RabbitMQ.
In versions prior to V2.3 the RabbitMQ credentials used by the Web Client are held in three separate files.
Each needs configuring individually.
The default location of each file is:
- C:\Program Files (x86)\Blue Prism\Decipher Web SDK Service\Ssi.SdkService.exe.config
- C:\Program Files (x86)\Blue Prism\Decipher Web SDK Service\SdkWrapper\Ssi.SdkWrapper.exe.config
- C:\Program Files (x86)\Blue Prism\Decipher Web\web.config
For each file:
- Make a backup of each file. Just in case.
- Each file has the RabbitMQ configuration in the same syntax. Simply change the credentials to suit as per the example below.
- Save and Close the file
Note: If the web.config has encrypted values simply copy the lines from another file, the format is consistent across all three files.
Once the files have been edited, the files need encrypting.
Firstly, stop the Decipher Web SDK Service.
Encrypting the Web SDK Service
- Open a command prompt as Administrator.
- Navigate to Web SDK install location, usually C:\Program Files (x86)\Blue Prism\Decipher Web SDK Service
- Run the following command:
Ssi.SdkService.exe
- Immediately stop the server by server from running by doing a CTRL+C command
- The file Ssi.SdkService.exe.config file will now have the RabbitMQ credentials encrypted
Encrypting the Web SDK Wrapper Service
- Open a command prompt as Administrator.
- Navigate to Web SDK install location, usually C:\Program Files (x86)\Blue Prism\Decipher Web SDK Service\SdkWrapper
- Run the following command:
Ssi.SdkWrapper.exe -enc
- Immediately stop the server by server from running by doing a CTRL+C command
- The Ssi.SdkWrapper.exe.config file will now have the RabbitMQ credentials encrypted
Encrypting the Web.config
- Open a PowerShell command as Administrator.
- Run the following command (In this example the path to the web.config is the default path)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe -pef "appSettings" "C:\Program Files (x86)\Blue Prism\Decipher Web"
- The Web.config will now be fully encrypted
- To Unencrypt the file, use the command:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe -pdf "appSettings" "C:\Program Files (x86)\Blue Prism\Decipher Web"
Finally, restart the Decipher Web SDK Service.
RabbitMQ with Decipher Plugin (Versions < V2.3)
As of Version 2.3 the Decipher Plugin no longer uses RabbitMQ.
In versions prior to V2.3 the RabbitMQ credentials used by the Plugin can only be changed by using the DecipherServerConfigurator.exe, which is downloadable from https://portal.blueprism.com
- Run the DecipherServerConfigurator.exe
- Click Open to open the SsiServer.exe.config file configuration (changing the path to the relevant place if not in the default location)
- Change the RabbitMQ credentials
- Apply
- Restart the Decipher Server service
Deleting the guest RabbitMQ account
Once all the above steps have been completed it should be possible to delete the guest account if required.
To check if the guest account is still being used by Decipher:
- Ensure Decipher is in use to ensure all components are currently running
- Browse to the RabbitMQ management portal, usually http://localhost:15672/
- Go to the Connections tab
- Each connection can be seen to be running under a certain user name
- The example below shows were each component has been set to under a separate RabbitMQ account. It can be see none of the components are running under “guest”
Provided your Connections look like the above it is safe to assume the guest account can be deleted if required.
This can be done from the “Admin” tab in the RabbitMQ management portal.
Simply click on the guest account, scroll to the bottom and click delete.
IMPORTANT NOTE: Before you delete the guest account ensure you have at least one account that has the “Administrator” tag, otherwise you will lock yourself out of the management portal.
Logical Access Model
Be sure to take advantage of the Logical Access Model in Decipher.
Not all users should use the admin account.
Take the time to create users with the relevant minimum permissions for their role.
The “Copy settings from” is a useful tool to quickly create users.
Securing the Decipher website with HTTPs
By default, the Decipher website is bound to port 80 (HTTP). This can be bound to a certificate very easily.
First request a certificate from your Certificate Authority (recommended) or create a Self-Signed certificate (not recommended!)
The certificate should have a Private Key.
The Subject – Your server’s name
The Subject Alternative Name – Something relevant, for example decipher-prod@mycomany.com
On your Decipher Server:
- Import the certificate you have with the Web\RMQ server into the Personal store
- If using a Self-Signed certificate also copy the certificate to the Trusted Root Certification Authority
- Go to IIS Manager
- Right-click on the Decipher website -> Edit Binding
- Click Add
- Change the Type to https
- In the “Host name” put either:
- The name of your server (which should be the Subject Name in your certificate)
- Or
- The Subject Alternative Name for your website (for example decipher-prod@mycomany.com). Ensure "Require Server Name Indication" is ticked if doing so.
- Choose your SSL Certificate form the drop down below.
- Click OK
- Then delete the http binding, by selecting the port 80 line and clicking “Remove”
- Restart the Decipher website
Note: When browsing to the Decipher website, remember to change your URL from http:// to https://
