Blue Prism server

Blue Prism can be operated in two different network architectures:

  • Direct Access – Blue Prism clients, whether running the full Blue Prism client software, or simply running as a runtime resource, have direct access to the database which governs the Blue Prism environment. This requires each client to store the authentication details for the database and, depending on the authentication mode utilized, may give the user full access to the Blue Prism database, which is not desirable.
  • Blue Prism Server – The Blue Prism clients and resources connect to the BP Server service running on a central machine. This acts as a proxy for the database, and becomes the only place within the system which needs the authentication data to access and modify the data.

The diagram below shows a comparison between the Direct Access and Blue Prism Server architectures.

Server Configurations

The Blue Prism Scheduler also runs within a BP Server service and it is possible to retain a direct access architecture with a BP Server instance running primarily for the purpose of running the scheduler.

Configure a Blue Prism server

A Blue Prism Server service is installed as part of the Blue Prism software installation process. It can be found in the Installed Services list in the Start Menu under: All Programs : Administrative Tools : Services.

The server is configured by running BPServer.exe, which is installed in the Blue Prism installation directory (typically C:\Program Files\Blue Prism Limited\Blue Prism Automate).

The dialog box which opens can be used to specify multiple configurations of Blue Prism Server, which can connect to disparate databases and listen to multiple clients.

Configuring BP Server

This dialog is no longer used to configure the Blue Prism Scheduler. This can now be configured on an environment-wide basis in System Manager.

Edit an existing configuration

On installation, a default configuration named 'Default' is created for the Blue Prism Server. When opening the server configuration dialog, this configuration is selected in the Configuration drop down box.

To edit a configuration, select it in the Configuration drop down and click Edit....

This will open the Server Configuration Details dialog with the current details stored for the selected configuration.

The Blue Prism server must be restarted for the changes to be recognized.

The Blue Prism Server service which is installed by default when installing Blue Prism attempts to load a server configuration named 'Default' – if that doesn't exist, it will not start up. See Running Multiple BP Servers for guidance on how to configure a service to load a different configuration.

Create a configuration

Clicking New... will open the Server Configuration Details dialog where the configuration can be specified.

Delete a configuration

To delete a configuration, select it in the Configuration drop down and click Delete.

Note that the configuration will be deleted and the changes saved immediately.

Server configuration details

In the Server configuration details dialog, you can specify:

Details

Name

The name of the configuration. This is largely documentary, but is also used to indicate which server configuration a service should use when defining multiple BP Server services. Note that in that case, a simple name without spaces or punctuation is recommended in order to simplify the installation of the corresponding service.

Connection

The connection settings that the server configuration should use to connect to the Blue Prism database it is serving. The available connections are drawn from the connections configured in the Blue Prism client Connections dialog, available from the login page.

Connection mode

The following connection modes can be used for connections between a Blue Prism client and the Blue Prism server:

  • WCF: SOAP with Message Encryption & Windows Authentication
    • Requires trust relationship between devices: Yes
    • Blue Prism authentication modes: Blue Prism Native/Single Sign-on
    • Requires server-side certificate: No
    • Transport: SOAP over HTTP

    Only the message content is encrypted. The SOAP and HTTP headers remain unencrypted, which assists complex routing, load balancers, proxies, etc. Client and server identity is validated via Windows/Active Directory.

  • WCF: SOAP with Transport Encryption & Windows Authentication
    • Requires trust relationship between devices: Yes
    • Blue Prism authentication modes: Blue Prism Native/Single Sign-on
    • Requires server-side certificate: Yes
    • Transport: SOAP over HTTPS

    The transport, including SOAP headers, is encrypted using certificate-based encryption. Client and server identity is validated via Windows/Active Directory.

  • WCF: SOAP with Transport Encryption
    • Requires trust relationship between devices: No
    • Blue Prism authentication modes: Blue Prism Native
    • Requires server-side certificate: Yes
    • Transport: SOAP over HTTPS

    The transport, including SOAP headers, is encrypted using certificate-based encryption. Server identity is validated using certificates.

  • .NET Remoting: Secure
    • Requires trust relationship between devices: Yes
    • Blue Prism authentication modes: Blue Prism Native/Single Sign-on
    • Requires server-side certificate: Yes
    • Transport: TcpChannel over SChannel

    Provided for backwards compatibility. Encryption is negotiated between the client and server. Client and server identity is validated via Windows/Active Directory.

  • .NET Remoting: Insecure
    • Requires trust relationship between devices: No
    • Blue Prism authentication modes: Blue Prism Native
    • Requires server-side certificate: No
    • Transport: TcpChannel

    Not recommended – provided for backwards compatibility. Connection security will need to be provided entirely by third-party solutions.

  • WCF: Insecure
    • Requires trust relationship between devices: Yes
    • Blue Prism authentication modes: Blue Prism Native/Single Sign-on
    • Requires server-side certificate: Yes
    • Transport: SOAP over HTTP

    Not recommended. Connection security will need to be provided entirely by third-party solutions.

Host name or IP address / IP address

When a server has multiple network interfaces, you can specify which IP address the server should use to listen on for connections. When using WCF connection modes, a host name can be used as an alternative to an IP address.

If this field is left empty, then Blue Prism Server will accept requests on any address.

Listening port

The TCP/IP port on which the server should listen for connections from Blue Prism clients. If running multiple servers simultaneously, the port must be different for each server configuration; otherwise the server may not be able to start.

Disable scheduler

With this option checked, the server using this configuration will not attempt to run any scheduled tasks. This might be useful in multiple server environments where a single server is required to be responsible for running schedules.

Certificate (WCF connection modes only)

Certificate listing

Any certificate bindings found on the machine for the current port will be listed on this panel. All bindings for the port are listed so that the user can determine whether they apply to the selected host name or IP address.

New certificate bindings can be added from this section. Existing certificate bindings can be viewed or removed.

Add new certificate binding window (WCF connection modes only)

New certificate bindings can be added from the Certificate tab.

  • Certificate Binding Address – This section allows you to select whether to add your certificate binding for the current port using a "wildcard" IP address, a specific IP address or a host name. Options will vary according to the IP address or hostname specified for the server.

    Note that operating systems prior to Windows 8 do not support bindings using host names. A warning will display and you will need to add a binding using the Any IP address option instead.

  • Local Machine Certificate Store – This allows you to specify the store from which to select certificates. In most cases you should use the default My (Personal) option. You will be asked to select a certificate from this store after clicking OK.

Key store

Encryption keys

Any encryption schemes defined within Blue Prism that do not have their associated key held in the database should have their key added to the Server Key Store along with the name of the scheme it is associated with.

Once in place, and the server started, connected Blue Prism clients will be able to use the keys to encrypt and decrypt credentials and queue item data for this connection.

Store keys separately in individual files

When this option is selected the keys themselves are held separately from the main server configuration, allowing access to them to be controlled via operating system permissions and encryption policies where required. Each key will be written to a separate file in the specified folder and named according to its associated encryption scheme name.

It is recommended that the specified folder is only used to hold Blue Prism encryption key files. Note that multiple server configurations cannot use the same folder.

In the event that the user modifying the server configuration does not have read access to one or more of the key files, this option will be disabled to prevent accidental key loss.
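A way to verify that the operating system permissions on the key folder are as tight as intended, given as an added example that is not part of the Blue Prism documentation: it reports the owner and every Allow entry on the folder and its key files that is outside an allow-list. The folder path and account names are hypothetical placeholders.

```powershell
# Added example (not Blue Prism code): report who can reach the key files.
# Hypothetical placeholders - substitute your own folder and accounts.
# Include any administrator who edits the server configuration, since that
# user needs read access to the key files.
$KeyFolder = 'D:\BluePrism\KeyStore\Default'
$Allowed   = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'CONTOSO\svc-bpserver'    # account that runs the Blue Prism Server service
)

function Get-UnexpectedKeyAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$AllowedIdentities
    )
    # Inspect the folder itself and every key file inside it.
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -File -Force)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # An owner can always rewrite the ACL, so it must be allow-listed too.
        if ($AllowedIdentities -notcontains $acl.Owner) {
            [pscustomobject]@{ Path = $item.FullName; Identity = $acl.Owner
                               Rights = 'Owner'; Inherited = $false }
        }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $id = $ace.IdentityReference.Value
            if ($AllowedIdentities -contains $id) { continue }
            [pscustomobject]@{ Path = $item.FullName; Identity = $id
                               Rights = $ace.FileSystemRights
                               Inherited = $ace.IsInherited }
        }
    }
}

if (-not (Test-Path -LiteralPath $KeyFolder -PathType Container)) {
    Write-Warning "Key folder not found: $KeyFolder"
} else {
    $findings = @(Get-UnexpectedKeyAccess -Path $KeyFolder -AllowedIdentities $Allowed)
    if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap }
    else { 'Only allow-listed identities can access the key store.' }
}
```

Entries reported with Inherited set to True come from a parent folder, so they are removed by disabling inheritance on the key folder rather than by editing the files one by one.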

Server services

Windows services listing

A list of Blue Prism Server Windows services that have been detected on the local machine is displayed here. The list only displays services that are associated with the configuration being edited. The list includes information about the service setup and status.

In addition, it also includes details of whether the user account that runs the service has permission to listen on the address and port specified for the server configuration. Clicking Manage Permissions will open a window where these permissions can be managed.

If there are no Windows Services detected on the local machine for the configuration currently being edited, then you can create a new service by clicking Create Service or by running the example command text displayed on the tab from an elevated command prompt.

Manage URL permissions (WCF connection modes only)

URL Permissions Listing – Any URL permissions found on the machine for the configuration's address and port will be listed on this panel.

Note that URL permissions set up for an http URL will not work with a server that uses https and vice versa. It is also not possible to set up separate URL permissions for both http and https URLs (where the URLs are identical other than the http / https part). The listing will include permissions that use both http and https URLs so that the user can see any possible conflicts.

New URL permissions can be added from this section. Existing permissions can be edited or removed.

Add/edit URL permissions (WCF connection modes only)

URL permissions can be added or edited from the Manage URL Permissions dialog.

  • URL – This section allows you to select whether to add your URL permission using a "wildcard" IP address or a specific IP address or host used by the server. Available options will vary according to the address specified for the server.
  • Users – User accounts that are set to run the Windows services detected on the machine (together with other accounts that belong to an existing URL permission when editing) will be available for selection here.

Logging

  • Send Service status messages to Event Log – Check this option to log status messages to the Windows event log for this configuration.
  • Log verbose messages – With this option checked all 'marshaled' and 'disconnected' messages will be logged to the Windows event log in addition to status messages.
  • Log traffic detail – When enabled, all calls from clients to remote object instances on the server are logged. This option is provided for diagnostic purposes only.

Clicking the OK button will commit your changes, and Cancel will discard them. Note that the configuration will be saved permanently when you click OK.

Data Gateways Settings

  • Enable Data Gateways Process – Enable the Data Gateways process for this server.
  • Communications Port – Enter the port that the application server will listen on for commands to start or stop the Data Gateways process.

    This port is also used by other Blue Prism application servers within the same environment to control the Data Gateways engine. This can be left as the default port (8101) unless there is another process on the application server that is already using that port.

    The application server must be stopped before changing the port number.

  • Log Data Gateways Output To Console – Send high-level Data Gateways messages to the console log in BPServer. This data can be used to help diagnose any potential issues with the Data Gateways integration. 
  • Enable Trace Logging – Enable verbose Data Gateways logging, which can be used to further diagnose any issues between Blue Prism and Data Gateways.

  • Data Gateways User Details – select one of the following options:
    • Run As Current User – If using SQL authentication with the Data Gateways SQL user, the service will run under the context of the Data Gateways service. The credentials used to access SQL must be provided separately via Blue Prism Data Gateways configuration. See Enable the Data Gateways process for details.

      If using Windows authentication, the Data Gateways process will run in the same user context as the Blue Prism application server service. This option is not recommended when using Windows authentication.

    • Run As Specific User – If using Windows authentication (integrated security) this option enables you to run Data Gateways in a different user context than the Blue Prism server service. This is the recommended configuration when using Windows authentication.

Click Save to apply the settings. See the Data Gateways guide for more details.

Run a Blue Prism server

The server can be executed directly from the configuration program by selecting the desired server configuration details in the Configuration drop down and clicking the Start button. The server will run until the program is closed, or the Stop button is clicked.

Alternatively, it can be executed in the form of a Windows Service. Open the Services administrative tool and locate the Blue Prism Server entry.

From here, the service can be started or stopped, it can be made to start up automatically whenever Windows opens, and it can be configured to restart if any errors occur. Note that this will, by default, use the configuration named Default. If this has been renamed or removed, the service will fail to start.

Run multiple Blue Prism servers

You can run multiple Blue Prism Server instances on the same machine concurrently, potentially connecting to different databases, and serving different clients.

If running from the server configuration program, you can just open it multiple times, select different configurations to use and start each one independently.

If running as a service, then multiple services must be set up in order to enable this.

A service can be configured using the Service Control program from Microsoft. See the Microsoft Knowledge Base article Q251192 for further details regarding the Service Control (SC) program.

Once the required configuration has been set up in the configuration dialog, a service can be registered specifically for that configuration by running the command:

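sc create {SERVICENAME} binPath= "\"C:\Program Files\Blue Prism Limited\Blue Prism Automate\BPServerService.exe\" {CONFIGURATIONNAME}"

where {SERVICENAME} represents the name of the service to be used, and {CONFIGURATIONNAME} is the name of the server configuration that the service should use.

Note that the lack of space between 'binPath' and the equals sign, and the subsequent space between the equals sign and the path, are important. The executable path is wrapped in escaped quotes (\") because it contains spaces; without them the service is registered with an unquoted path, and Windows may try to run C:\Program.exe before it reaches BPServerService.exe.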

If the desired service name contains space characters, it should be wrapped in quotes, e.g.

sc create "BP Server II" binPath= ...etc...

The configuration name should not contain any spaces or quote characters in order to be correctly referenced by the service control program.
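A check for services registered with sc create, given as an added example that is not part of the Blue Prism documentation: it lists each service that runs BPServerService.exe with its account and configuration argument, and flags any whose executable path contains spaces but is not quoted. Identifying the services by executable name is an assumption, and the two sample paths are constructed.

```powershell
# Added example (not Blue Prism code): audit Blue Prism Server services.
# Assumption: a BP Server service is any service whose command line
# references BPServerService.exe, as in the sc create command above.

function Test-UnquotedServicePath {
    param([Parameter(Mandatory)][string]$PathName)
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return $false }    # executable is quoted
    # Unquoted: ambiguous only if the part up to ".exe" contains a space.
    $m = [regex]::Match($p, '^.*?\.exe', 'IgnoreCase')
    return ($m.Success -and $m.Value.Contains(' '))
}

function Get-ServiceArguments {
    param([Parameter(Mandatory)][string]$PathName)
    # Text after the executable; for BP Server this is the configuration name.
    return ($PathName.Trim() -replace '^("[^"]+"|.*?\.exe)\s*', '')
}

# Constructed samples showing what the check flags (unquoted, then quoted).
$samples = @(
    'C:\Program Files\Blue Prism Limited\Blue Prism Automate\BPServerService.exe Prod',
    '"C:\Program Files\Blue Prism Limited\Blue Prism Automate\BPServerService.exe" Prod'
)
foreach ($s in $samples) {
    '{0,-5} {1}' -f (Test-UnquotedServicePath $s), $s
}

# Live audit of the local machine.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -match 'BPServerService\.exe' } |
    ForEach-Object {
        [pscustomobject]@{
            Service       = $_.Name
            State         = $_.State
            RunsAs        = $_.StartName
            Configuration = Get-ServiceArguments $_.PathName
            UnquotedPath  = Test-UnquotedServicePath $_.PathName
        }
    } | Format-Table -AutoSize
```

An empty Configuration column means the service was registered without an argument and loads the configuration named Default.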

Connect to a Blue Prism server

To configure a connection which can communicate with a Blue Prism Server instance, see Connections.