Blue Prism server

A comparison of the Direct Access and Blue Prism Server architectures.

Server Configurations

Blue Prism can be operated in two different network architectures:

  • Direct Access – Blue Prism clients, whether running the full Blue Prism client software, or simply running as a runtime resource, have direct access to the database which governs the Blue Prism environment. This requires each client to store the authentication details for the database, and, depending on the authentication mode utilised, may give the user full access to the Blue Prism database, which is not desirable.
  • Blue Prism Server – The Blue Prism clients and resources connect to the BP Server service running on a central machine. This acts as a proxy for the database, and becomes the only place within the system which needs the authentication data to access and modify the data.

The Blue Prism Scheduler also runs within a BP Server service and it is possible to retain a 'Direct Access' architecture with a BP Server instance running primarily for the purpose of running the scheduler.

Configure a Blue Prism server

A Blue Prism Server service is installed as part of the Blue Prism software installation process. It can be found in the Installed Services list in the Start Menu, reachable under: All Programs : Administrative Tools : Services.

The server is configured by running BPServer.exe, which is installed in the Blue Prism installation directory (usually C:\Program Files\Blue Prism Limited\Blue Prism Automate).

The dialog box which opens can be used to specify multiple configurations of Blue Prism Server, which can connect to disparate databases and listen to multiple clients.

Configuring BP Server

This dialog is no longer used to configure the Blue Prism Scheduler. This can now be configured on an environment-wide basis in System Manager.

Edit an existing configuration

On installation, a default configuration for Blue Prism Server is created with the name Default. On opening the Server configuration dialog, it is this configuration which will be selected in the Configuration drop down box.

To edit a configuration, ensure that it is selected in the Configuration drop down and click on the Edit... button.

This will open the Server Configuration Details dialog with the current details stored for the selected configuration.

The Blue Prism server must be restarted for the changes to be recognized.

The Blue Prism Server service which is installed by default when installing Blue Prism attempts to load a server configuration named 'Default' – if that doesn't exist, it will not start up. See Running Multiple BP Servers for guidance on how to configure a service to load a different configuration.

Create a configuration

Clicking on the 'New...' button will open the Server Configuration Details dialog where the configuration can be specified.

Delete a configuration

To delete a configuration, ensure that it is selected in the Configuration drop down and click on the Delete button.

Note that the configuration will be deleted and the changes saved immediately.

Server configuration details

Configuring a BP Server Instance

Within the 'Server configuration details' dialog, you can specify:

Details tab

Name

The name of the configuration. This is largely documentary, but is also used to indicate which server configuration a service should use when defining multiple BP Server services. Note that in that case, a simple name without spaces or punctuation is recommended in order to simplify the installation of the corresponding service.

Connection

The connection settings that the server configuration should use to connect to the Blue Prism database it is serving. The available connections are drawn from the connections configured within the Blue Prism client's Connections dialog, available from the login page.

Listening port

The TCP/IP port on which it should listen for connections from Blue Prism clients. If running multiple servers simultaneously, these must be different for each server configuration or the server may not be able to start.

Connection Mode

The following connection modes can be used for connections between a Blue Prism client and the Blue Prism server:

  • WCF: SOAP with Message Encryption & Windows Authentication
    • Requires trust relationship between devices: Yes
    • Blue Prism Authentication Modes: Blue Prism Native / Single Sign-on
    • Requires server-side certificate: No
    • Transport: SOAP over HTTP

    Only the message content is encrypted.  The SOAP and HTTP headers remain unencrypted which assists complex routing, load balancers, proxies etc.  Client and server identity is validated via Windows / Active Directory.

  • WCF: SOAP with Transport Encryption & Windows Authentication
    • Requires trust relationship between devices: Yes
    • Blue Prism Authentication Modes: Blue Prism Native / Single Sign-on
    • Requires server-side certificate: Yes
    • Transport: SOAP over HTTPS

    The transport, including SOAP headers, is encrypted using certificate-based encryption. Client and server identity is validated via Windows / Active Directory.

  • WCF: SOAP with Transport Encryption
    • Requires trust relationship between devices: No
    • Blue Prism Authentication Modes: Blue Prism Native
    • Requires server-side certificate: Yes
    • Transport: SOAP over HTTPS

    The transport, including SOAP headers, is encrypted using certificate-based encryption. Server identity is validated using certificates.

  • .NET Remoting: Secure
    • Requires trust relationship between devices: Yes
    • Blue Prism Authentication Modes: Blue Prism Native / Single Sign-on
    • Requires server-side certificate: Yes
    • Transport: TcpChannel over SChannel

    Provided for backwards compatibility. Encryption is negotiated between the client and server. Client and server identity is validated via Windows / Active Directory.

  • .NET Remoting: Insecure
    • Requires trust relationship between devices: No
    • Blue Prism Authentication Modes: Blue Prism Native
    • Requires server-side certificate: No
    • Transport: TcpChannel

    Not recommended – provided for backwards compatibility. Connection security will need to be provided entirely by third-party solutions.

  • WCF: Insecure
    • Requires trust relationship between devices: Yes
    • Blue Prism Authentication Modes: Blue Prism Native / Single Sign-on
    • Requires server-side certificate: Yes
    • Transport: SOAP over HTTP

    Not recommended. Connection security will need to be provided entirely by third-party solutions.

Host name or IP address / IP address

When a server has multiple network interfaces, you can specify which IP address the server should use to listen on for connections. When using WCF connection modes, a host name can be used as an alternative to an IP address.

If this field is left empty, then Blue Prism Server will accept requests on any address.

Disable scheduler

With this option checked the server using this configuration will not attempt to run any scheduled tasks. This might be useful in multiple server environments where a single server is required to be responsible for running schedules.

Enable published dashboards

When checked the server will periodically retrieve data for any configured Published Dashboards and write the results to the Windows Event Log in JSON format for consumption by external applications.

Certificate tab (WCF connection modes only)

Certificate listing

Any certificate bindings found on the machine for the current port will be listed on this panel. All bindings for the port are listed so that the user can determine whether they apply to the selected host name or IP address.

New certificate bindings can be added from this section. Existing certificate bindings can be viewed or removed.

Add new certificate binding window (WCF connection modes only)

New certificate bindings can be added from the "Certificate" tab.

  • Certificate Binding Address – This section allows you to select whether to add your certificate binding for the current port using a "wildcard" IP address, a specific IP address or a host name. Options will vary according to the IP address or hostname specified for the server.

    Note that operating systems prior to Windows 8 do not support bindings using host names. A warning will be displayed and you will need to add a binding using the "Any IP address" option instead.

  • Local Machine Certificate Store – This allows you to specify the store to select certificates from. In most cases you should use the default "My (Personal)" option. You will be asked to select a certificate from this store after clicking the OK button.

Key store tab

Encryption keys

Any Encryption Schemes defined within Blue Prism that do not have their associated key held in the database should have their key added to the Server Key Store along with the name of the scheme it is associated with.

Once in place, and the Server started, connected Blue Prism clients will be able to use the keys to encrypt and decrypt credentials and queue item data for this connection.

Store keys separately in individual files

When this option is selected the keys themselves are held separately from the main server configuration, allowing access to them to be controlled via operating system permissions and encryption policies where required. Each key will be written to a separate file in the specified folder and named according to its associated Encryption Scheme name.

It is recommended that the specified folder is only used to hold Blue Prism encryption key files. Note that multiple server configurations cannot use the same folder.

In the event that the user modifying the server configuration does not have read access to one or more of the key files, this option will be disabled to prevent accidental key loss.
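One way to check the operating system permissions on such a key folder, as an added example that is not part of the Blue Prism documentation. The folder path, the service account name and the function name `Get-UnexpectedKeyAccess` are placeholders chosen for illustration, and the sample rules are constructed.

```powershell
# Added example: report identities, other than an expected allow list, that
# hold Allow entries on the key folder or on the key files inside it.
# $KeyFolder and $ServiceAccount are placeholders, not product defaults.
$KeyFolder      = 'D:\BPKeys\Default'
$ServiceAccount = 'EXAMPLE\svc-bpserver'
$Allowed        = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', $ServiceAccount)

function Get-UnexpectedKeyAccess {
    param(
        [Parameter(Mandatory)] $Rules,      # FileSystemAccessRule objects
        [string[]] $Allowed                 # identities expected to have access
    )
    $Rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $Allowed -notcontains $_.IdentityReference.ToString()
    } | Select-Object @{ n = 'Identity'; e = { $_.IdentityReference.ToString() } },
                      FileSystemRights, IsInherited
}

# Constructed sample rules, so the filter can be tried without a real folder.
$sample = @(
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        'BUILTIN\Administrators', 'FullControl', 'Allow'),
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        'BUILTIN\Users', 'ReadAndExecute', 'Allow')
)
Get-UnexpectedKeyAccess -Rules $sample -Allowed $Allowed

# On a real host: check the folder, then each key file, because a file can
# carry explicit entries that differ from the folder's.
if (Test-Path -LiteralPath $KeyFolder) {
    Get-UnexpectedKeyAccess -Rules (Get-Acl -LiteralPath $KeyFolder).Access -Allowed $Allowed
    Get-ChildItem -LiteralPath $KeyFolder -File | ForEach-Object {
        $file = $_
        Get-UnexpectedKeyAccess -Rules (Get-Acl -LiteralPath $file.FullName).Access -Allowed $Allowed |
            Select-Object @{ n = 'File'; e = { $file.Name } }, Identity, FileSystemRights, IsInherited
    }
}
```

Entries reported with `IsInherited` set to True come from a parent folder, so removing them means disabling inheritance on the key folder rather than editing the entry itself.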

Server services tab

Windows services listing

A list of Blue Prism Server Windows services that have been detected on the local machine is displayed here. The list only displays services that are associated with the configuration being edited. The list includes information about the service setup and status.

In addition, it also includes details of whether the user account that runs the service has permission to listen on the address and port specified for the server configuration. Clicking the "Manage Permissions" link will open a window where these permissions can be managed.

If there are no Windows Services detected on the local machine for the configuration currently being edited then you can create a new service by clicking the Create Service button or by running the example command text displayed on the tab from an elevated command prompt.

Manage URL permissions window (WCF connection modes only)

URL Permissions Listing – Any URL permissions found on the machine for the configuration's address and port will be listed on this panel.

Note that URL permissions set up for an http URL will not work with a server that uses https and vice versa. It is also not possible to set up separate URL permissions for both http and https URLs (where the URLs are identical other than the http / https part). The listing will include permissions that use both http and https URLs so that the user can see any possible conflicts.

New URL permissions can be added from this section. Existing permissions can be edited or removed.

Add/edit URL permissions window (WCF connection modes only)

URL permissions can be added or edited from the "Manage URL Permissions" window.

  • URL – This section allows you to select whether to add your URL permission using a "wildcard" IP address or a specific IP address or host used by the server. Available options will vary according to the address specified for the server.
  • Users – User accounts that are set to run the Windows services detected on the machine (together with other accounts that belong to an existing URL permission when editing) will be available to select here.

Logging tab

  • Send Service status messages to Event Log – Set checked to log status messages to the Windows event log for this configuration.
  • Log verbose messages – With this option checked all 'marshaled' and 'disconnected' messages will be logged to the Windows event log in addition to status messages.
  • Log traffic detail – When enabled, all calls from clients to remote object instances on the server are logged. This option is provided for diagnostic purposes only.

The OK button will commit your changes, and Cancel will discard them. Note that the configuration will be saved permanently when you click OK.

Run a Blue Prism server

The server can be executed directly from the configuration program by selecting the desired server configuration details in the Configuration drop down and clicking the Start button. The server will run until the program is closed, or the Stop button is clicked.

Alternatively, it can be executed in the form of a Windows Service. Open the Services administrative tool and locate the Blue Prism Server entry.

From here, the service can be started or stopped, it can be made to start up automatically whenever Windows opens, and it can be configured to restart if any errors occur. Note that this will, by default, use the configuration named Default. If this has been renamed or removed, the service will fail to start.

Run multiple Blue Prism servers

You can run multiple Blue Prism Server instances on the same machine concurrently, potentially connecting to different databases, and serving different clients.

If running from the server configuration program, you can just open it multiple times, select different configurations to use and start each one independently.

If running as a service, then multiple services must be set up in order to enable this.

A service can be configured using the 'Service Control' program from Microsoft. See the Microsoft Knowledge Base article Q251192 for further details regarding the Service Control (SC) program.

Once the required configuration has been set up in the configuration dialog, a service can be registered specifically for that configuration by running the command:

sc create {SERVICENAME} binPath= "C:\Program Files\Blue Prism Limited\Blue Prism Automate\BPServerService.exe {CONFIGURATIONNAME}"

where {SERVICENAME} represents the name of the service to be used, and {CONFIGURATIONNAME} is the name of the server configuration that the service should use.

Note that the lack of space between 'binPath' and the equals sign, and the subsequent space between the equals sign and the path are important.

If the desired service name contains space characters, it should be wrapped in quotes, e.g.

sc create "BP Server II" binPath= ...etc...

The configuration name should not contain any spaces or quote characters in order to be correctly referenced by the service control program.
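A binPath value of the form shown above has spaces in the executable path and no quotes around the executable itself, so the service's image path is stored unquoted and Windows has to guess where the executable name ends. The following added example (not part of the Blue Prism documentation) flags Blue Prism Server services registered that way; the function name `Test-UnquotedServicePath`, the sample strings, and the names `BPServerII` and `ConfigName` are placeholders chosen for illustration.

```powershell
# Added example: flag services whose executable path is unquoted and
# contains spaces.
function Test-UnquotedServicePath {
    param([Parameter(Mandatory)][string]$ImagePath)
    $path = $ImagePath.Trim()
    # A leading quote means the executable portion is delimited explicitly.
    if ($path.StartsWith('"')) { return $false }
    # Otherwise take everything up to the first ".exe" as the executable.
    $m = [regex]::Match($path, '^(.*?\.exe)', 'IgnoreCase')
    if (-not $m.Success) { return $false }
    return $m.Groups[1].Value.Contains(' ')
}

# Constructed sample image paths: the first is what the sc command above
# stores, the second has the executable quoted.
$samples = @(
    'C:\Program Files\Blue Prism Limited\Blue Prism Automate\BPServerService.exe Default',
    '"C:\Program Files\Blue Prism Limited\Blue Prism Automate\BPServerService.exe" Default'
)
foreach ($s in $samples) {
    '{0,-6} {1}' -f (Test-UnquotedServicePath $s), $s
}

# On a real host: list every service that runs BPServerService.exe, with the
# account it runs as and whether its path is unquoted.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -like '*BPServerService.exe*' } |
    Select-Object Name, StartName, PathName,
        @{ n = 'Unquoted'; e = { Test-UnquotedServicePath $_.PathName } }

# Registering a service with the executable quoted inside the binary path
# (placeholder service and configuration names):
# New-Service -Name 'BPServerII' -BinaryPathName '"C:\Program Files\Blue Prism Limited\Blue Prism Automate\BPServerService.exe" ConfigName'
```

From cmd.exe the same quoting is written by escaping the inner quotes: `binPath= "\"C:\Program Files\Blue Prism Limited\Blue Prism Automate\BPServerService.exe\" ConfigName"`.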

Connect to a Blue Prism server

To configure a connection which can communicate with a Blue Prism Server instance, see the Connections dialog, available from the Login page of the Blue Prism client.