ASCR server configuration

Interactive clients no longer have direct connections to each runtime resource when operating with application server controlled resources, however, there is some information that needs to be passed back from runtime resources in a timely manner. For this purpose, a new callback connection is established by each interactive client with its application server to allow this information to be passed back. After the client has established a connection with the server, it downloads the callback information specified on the server, and uses it to establish a secondary connection which the server uses for this purpose.

This section describes how to set up the callback connection in the application server configuration, which is referenced by Automate.config. This configuration can be set in the following ways:

The ASCR settings are applied to all interactive clients that connect via an application server with Blue Prism version 7. When upgrading a Blue Prism application server from version 6 to version 7, the server console output will display a message informing the user that the security mode cannot be none. This is to ensure the ASCR settings are configured, as described below.

For guidance on the troubleshooting of potential issues that users may encounter when using ASCR including ASCR logging, connections, and load balancing, see ASCR troubleshooting and logging.

ASCR configuration via BP Server

This procedure shows how to configure ASCR in BPServer and must be carried out for all Blue Prism application servers.

  1. Open the BPServer.exe. By default, this is located in C:\Program Files\Blue Prism Limited\Blue Prism Automate or possibly C:\Program Files (x86)\Blue Prism Limited\Blue Prism Automate\ depending on your installation environment.
  2. To open the server configuration, select the relevant environment from Current configuration and click Edit.
  3. Select the ASCR Settings tab.

  4. In Protocol Settings, select the required Callback Protocol method from the following options:

    gRPC

    This is the default callback channel and requires HTTP/2. The application server and all interactive clients that connect to it must be running Windows 11, Windows 10, or Windows Server 2016 or later.

    This is the recommended option.

    WCF

    This callback channel supports Windows 11, Windows 10 and Windows Server 2016 and earlier.

    WCF should only be used if gRPC cannot be used.

    If you select this option and the service login account is not a local administrator, you will need to run the commands below to grant the service login account user permissions to start the listener using the default port settings:

    If the ASCR host name is blank, use the following command, which contains a wildcard:

    netsh http add urlacl url=http://+:80/bpinstruct user=<domain>\<user>

    If the ASCR host name is explicit, use the following command and include the host name:

    netsh http add urlacl url=http://<fqdn>:80/bpinstruct user=<domain>\<user>

  5. Under Binding Settings, enter the Host Name for the channel to bind to.

    This is the host name of the application server that will be used by the clients to connect to the application server in order to establish the callback connection. The host name must be configured so that when used from the interactive clients it resolves to the application server on the configured port.

  6. Enter the required outbound/inbound Port for the selected callback protocol. The default value is 10000.

    For WCF, this value is applied to the outbound function only. The inbound function defaults to port 80, which is opened on the interactive client and is not configurable.

  7. Under Security Settings, select the Security Mode that you want to apply to the duplex channel from the following options:

    Certificate

    Use a Secure Socket Layer (SSL) certificate.

    Windows

    Windows integrated authentication and security. This option is available for the WCF callback protocol only.

    Insecure

    The callback protocol will not be secured.

  8. If you select the Certificate security mode, the following certificate options are enabled and must be completed:

    Certificate name

    This requires a certificate configured for the host name endpoint. See Certificate requirements for details.

    The certificate name is the Subject Name, however, for cases where multiple similar subject names exist, the Full Distinguished subject name can be used.

    Store name

    Select the name of the store from which the application server certificate will be retrieved.

    Client certificate name

    This requires a certificate configured for the host name endpoint. The client certificate needs to be configured for the same end point on the server. See Certificate requirements for details.

    The certificate name is the Subject Name, however, for cases where multiple similar subject names exist, the Full Distinguished subject name can be used.

    Store name

    Select the name of the store from which the interactive client certificate will be retrieved.

  9. Click Save to save the changes and apply the security settings.

ASCR configuration via command line

The ASCR settings can also be configured via AutomateC using the following commands:

AutomateC /ascrconfig <servername> <conntype> <hostname> <port> <connectionmode> <certificatename> <clientcertificatename> <servercertstore> <clientcertstore>

The certificate options are only required when <connectionmode> specifies certificates.

The following table lists relevant commands and possible values:

Commands

Values

<conntype>
  • 1 – grpc
  • 2 – wcf
<servername>

The name of the server configuration in BPServer.exe. By default this is Default.

<connectionmode>
  • 1 – certificate
  • 2 – windows
  • 3 – insecure

For further information about these and other commands, see the command line help by entering /help from an AutomateC command line.

Certificate requirements

The Certificate security mode encrypts all data exchanged between client and server. Given the ASCR channel utilizes WCF messaging, the main purpose of certificate security is to encrypt the runtime resource change data events rather than authenticate identity.

If you have chosen to use the Certificate security mode, you will need a server and a client certificate, both of which must exist in the specified certificate store on the application server. The client certificate will be provided on-demand to an establishing client connection.

The certificate or certificate pair must meet the following requirements:

gRPC only

  • Use an RSA Cryptographic Service Provider.
  • Both certificates must include an exportable private key

WCF and gRPC

  • Certificate DNS must align to the configured hostname.

  • Include a private key.

  • Client certificate must include an exportable private key.

  • If different, the server and the client certificate must be signed against the same authority.

Direct database connection to runtime resources

To prevent potential performance issues caused by high numbers of resources, if an interactive client connects directly to the SQL server rather than via an application server, the following controls are applied during login:

  • If fewer than 200 resources are detected, the connections are made and no warning messages display.
  • If between 200 and 800 resources are detected, a message displays prompting the user to choose whether or not to connect to the resources. If the user chooses not to connect, the connections to the resources are disabled.
  • If the user chooses not to connect to the resources, the status of the resources can be still be viewed in Control Room, but they cannot be instructed by the interactive client in use.

  • If more than 800 resources are detected, the automatic connection is disabled and a warning displays notifying you that the connection has not been made.

In the Blue Prism interactive client Control Room, the Toggle Connections menu option can be used to toggle the direct connection to the runtime resources on and off, as required.