Blue Prism 6.10.5: August 2022

Click this icon

on the toolbar to view and download a PDF version of the release notes.

The table below summarizes the components that relate directly to this Blue Prism Enterprise release.

Database	468	This release requires the Blue Prism database to be this version.
Login Agent	6.10.5	There have been no functional updates to the Blue Prism Login Agent. The version of Login Agent that is provided with this release of Blue Prism has the same functionality as the version provided with Blue Prism 6.7.
Browser extensions (for Chrome, Firefox, and Edge):	6.10.5	For the latest compatibility information, see the browser compatibility matrix in the Blue Prism online help.
Authentication Gateway	1.0	Authentication Gateway version 1.0 must be installed to use Authentication Gateway with Blue Prism 6.10.5. Download the installer from the Blue Prism Portal – select Product > Blue Prism Enterprise > Extras.
Data Gateways engine	1.3/1.4	The Data Gateways engine version 1.3 or 1.4 (recommended) must be installed to use Data Gateways with Blue Prism 6.10.5. Download the installer from the Blue Prism Portal – select Product > Blue Prism Enterprise > Extras.

Applying this patch release

To upgrade to this version, this patch release must be applied to all the following components throughout your Blue Prism environment for it to be operational:

Interactive clients	Runtime resources	Application servers
Yes	Yes	Yes

Please review the upgrade notices for more details and before upgrading to this release.

Known issues

A list of any prominent issues with this release is maintained in the knowledge base – click here for more information.

Secure development policy

(Undefined variable: General.NoPipeCompanyName)’s secure development process is a market-leading, embedded security culture, focused on delivering security excellence through four key principles:

Education – Providing up-to-date knowledge, information, and training to the development team.
Evaluation – Regular reviews of our products using industry standard frameworks and security tools.
Elimination – Remove potential threats through the evaluation of standards, compliance, and performance.
Evolution – Continued improvement of our security program, ensuring alignment with our product technologies and by reacting effectively to new and emerging threats.

(Undefined variable: General.NoPipeCompanyName) secure development is based on OWASP ASVS, ISO 27034 and GDPR Article 25 standards and practices. For more information, see (Undefined variable: General.NoPipeCompanyName)'s comprehensive secure development process.

Enhancements

Description of change	Reference
The following enhancements have been made to the browser extensions functionality: Due to changes in Google's extensions platform and the move to Manifest V3, new MV3 compatible browser extensions for Chrome and Edge have been created and are included in this release. The Advanced Install screen in the Blue Prism installation wizard has been updated to allow users to select between installing the Manifest V2 browser extensions for Chrome, Edge, and Firefox (which use the existing 6.10.4 browser extensions) or the new Manifest V3 browser extensions for Chrome and Edge. If users do not select the Advanced install option on the Install location screen, the Blue Prism 6.10.4 (Manifest V2) browser extensions will be installed by default for all browsers. This is to allow users to still take advantage of the other capabilities provided with Blue Prism 6.10.5 whilst allowing more time to upgrade to Manifest V3. New command line options have been added to allow users to deploy Blue Prism silently with the new Manifest V3 browser extensions for Chrome and Edge. The existing command line options will deploy Blue Prism with Manifest V2 browser extensions. If no command line options are entered for Manifest V3, the Manifest V2 browser extensions will be installed by default. The previously available functionality to insert or invoke JavaScript on web pages via the Chrome or Edge browser extension is no longer available. This is a limitation enforced by Manifest V3 for security reasons. Where existing processes or objects are making use of the insert or invoke JavaScript functionality, we recommend that the design be amended following an upgrade to version 6.10.5 to replace this functionality using standard in‑built features instead. For more information, see the Google documentation. Mozilla have not announced a date by which they will remove support for MV2 browser extensions so the Blue Prism Firefox browser extension still uses Manifest V2 and is therefore not impacted by this restriction. For more information, see the upgrade notices and the Chrome, Edge, and Firefox integration guide.	BP-9806 BP-7159 (BP-7541) BP-9025 BP-10661 BP-10663
The following enhancements have been made to the Blue Prism connection configuration functionality: If using the following connection modes with a Blue Prism Server connection, a Service Principal Name (SPN) must be configured against the Active Directory account under which each Blue Prism Server service instance is running: WCF: SOAP with Message Encryption & Windows Authentication WCF: SOAP with Transport Encryption & Windows Authentication .NET Remoting Secure This is because when a Blue Prism interactive client or a runtime resource connects to an application server using one of the connection modes above, the Microsoft Negotiate Security Package is used to select the best Security Support Provider (SSP) to authenticate the connection. The internal code of the Blue Prism interactive client provides the expected SPN to the Microsoft Negotiation Security Package, which prompts Microsoft Negotiation to select the Kerberos SSP over New Technology LAN Manager (NTLM) SSP, provided the SPN is present in Active Directory. This configuration applies to all Blue Prism environments, however, if the Active Directory account under which the BP Server instances are running resides in a different domain to the Active Directory account used for the Blue Prism interactive client and runtime resource, the following settings must be configured in Automate C: /setkerberosrealm – For example, /setkerberosrealm mycompany.com.This must be configured for each BP Server connection in the interactive client where the user's Kerberos realm is different to that of the account configured to run BP Server. The Kerberos realm is usually the same as the domain name, however, please check with your IT team for the correct value. /forcentlm <flag> – For example, /forcentlm true. This forces Microsoft Negotiate Security Package to select New Technology LAN Manager (NTLM) as the Security Support Provider (SSP) for the last used or specified connection (using the /dbconname switch) when authenticating the Blue Prism server connection. This option is provided so that NTLM can be used when Kerberos is unavailable or not configured. Please consult with your security team before enabling this option as NTLM is considered a less secure protocol. For more information, see the Blue Prism Enterprise installation guide.	BP-8773 BP-8918

Description of change

Reference

The following enhancements have been made to the browser extensions functionality:

Due to changes in Google's extensions platform and the move to Manifest V3, new MV3 compatible browser extensions for Chrome and Edge have been created and are included in this release. The Advanced Install screen in the Blue Prism installation wizard has been updated to allow users to select between installing the Manifest V2 browser extensions for Chrome, Edge, and Firefox (which use the existing 6.10.4 browser extensions) or the new Manifest V3 browser extensions for Chrome and Edge.

If users do not select the Advanced install option on the Install location screen, the Blue Prism 6.10.4 (Manifest V2) browser extensions will be installed by default for all browsers. This is to allow users to still take advantage of the other capabilities provided with Blue Prism 6.10.5 whilst allowing more time to upgrade to Manifest V3.
New command line options have been added to allow users to deploy Blue Prism silently with the new Manifest V3 browser extensions for Chrome and Edge. The existing command line options will deploy Blue Prism with Manifest V2 browser extensions. If no command line options are entered for Manifest V3, the Manifest V2 browser extensions will be installed by default.

The previously available functionality to insert or invoke JavaScript on web pages via the Chrome or Edge browser extension is no longer available. This is a limitation enforced by Manifest V3 for security reasons. Where existing processes or objects are making use of the insert or invoke JavaScript functionality, we recommend that the design be amended following an upgrade to version 6.10.5 to replace this functionality using standard in‑built features instead. For more information, see the Google documentation.

Mozilla have not announced a date by which they will remove support for MV2 browser extensions so the Blue Prism Firefox browser extension still uses Manifest V2 and is therefore not impacted by this restriction.

For more information, see the upgrade notices and the Chrome, Edge, and Firefox integration guide.

BP-9806

BP-7159 (BP-7541)

BP-9025

BP-10661

BP-10663

The following enhancements have been made to the Blue Prism connection configuration functionality:

If using the following connection modes with a Blue Prism Server connection, a Service Principal Name (SPN) must be configured against the Active Directory account under which each Blue Prism Server service instance is running:
- WCF: SOAP with Message Encryption & Windows Authentication
- WCF: SOAP with Transport Encryption & Windows Authentication
- .NET Remoting Secure
This is because when a Blue Prism interactive client or a runtime resource connects to an application server using one of the connection modes above, the Microsoft Negotiate Security Package is used to select the best Security Support Provider (SSP) to authenticate the connection. The internal code of the Blue Prism interactive client provides the expected SPN to the Microsoft Negotiation Security Package, which prompts Microsoft Negotiation to select the Kerberos SSP over New Technology LAN Manager (NTLM) SSP, provided the SPN is present in Active Directory.
This configuration applies to all Blue Prism environments, however, if the Active Directory account under which the BP Server instances are running resides in a different domain to the Active Directory account used for the Blue Prism interactive client and runtime resource, the following settings must be configured in Automate C:
- /setkerberosrealm – For example, /setkerberosrealm mycompany.com.This must be configured for each BP Server connection in the interactive client where the user's Kerberos realm is different to that of the account configured to run BP Server. The Kerberos realm is usually the same as the domain name, however, please check with your IT team for the correct value.
- /forcentlm <flag> – For example, /forcentlm true. This forces Microsoft Negotiate Security Package to select New Technology LAN Manager (NTLM) as the Security Support Provider (SSP) for the last used or specified connection (using the /dbconname switch) when authenticating the Blue Prism server connection. This option is provided so that NTLM can be used when Kerberos is unavailable or not configured.

Please consult with your security team before enabling this option as NTLM is considered a less secure protocol. For more information, see the Blue Prism Enterprise installation guide.

BP-8773

BP-8918

Fixes and minor improvements

Description of change	Reference
An issue has been fixed for Blue Prism environments that use both multi-team environments (MTEs) and resource pools. In MTEs, sessions from resources in a resource pool in a restricted group can no longer be viewed in Control Room by users without appropriate permission. The access rights applied to a group now apply to all items, including pools and any child groups and their contents, so only users with relevant process and resource pool permissions can see restricted sessions. For additional information about MTEs and resource pools, see Multi-team environments and Resource pools.	BP-8890
Various security improvements around server permissions and communication have been made in this release. The following Common Vulnerabilities and Exposures (CVEs) have been addressed: CVE-2022-36115 CVE-2022-36116 CVE-2022-36117 CVE-2022-36118 CVE-2022-36119 CVE-2022-36120 CVE-2022-36121 CVE-2022-36662 For details of these CVEs, see Security Vulnerabilities August 2022 on the customer portal.	BP-10244
An issue has been fixed where, when working with application elements using the Match Index attribute and the value of this index was greater than 0, the Java changes introduced in 6.10.3 by BP-5099 could cause intermittent crashes of Java applications that were automated using the Java Access Bridge spy mode.	BP-10711
When executing a process against a 64-bit Java application, an error triggering the message Arithmetic operation resulted in an overflow no longer occurs when automating data in Java tables using the Get All Items action.This has been fixed by updating the conversion mechanism so long values are converted to integer values.	BP-3786
The security of the existing browser extensions using Manifest V2 has been improved by removing several permissions that were not required.	BP-10649
Control Flow Guard (CFG) has been activated for unmanaged code projects in the Blue Prism Automate application, such as C++ and Activator (32-bit and 64-bit) projects, in line with information security industry standards.	BP-9228 BP-9226 BP-9648
All DLL files included in the Blue Prism Automate application are now digitally signed in line with information security industry standards.	BP-9298
An error no longer occurs during the GetEffectiveRunMode call when the same process is configured to be run by multiple runtime resources at the same time using concurrent schedules.	BP-9185

Browser extension versions

The table below shows when each Blue Prism extension, compatible with this release was introduced. For details of the latest browser versions Blue Prism is tested against, see the Browser extension compatibility matrix.

Browser

Blue Prism extension versions

Date available

Chrome

Manifest V2:

Blue Prism 6.10.4 Browser Extension

Manifest V3:

Blue Prism 6.10.5 Browser Extension

16 August 2022

Edge Chromium

Manifest V2:

Blue Prism 6.10.4 Browser Extension