Decipher IDP post-installation configuration

When you have installed the SS&C | Blue Prism® Enterprise and SS&C | Blue Prism® Decipher IDP components, you need to complete the following configuration steps before you can get started. These should be done in the following order:

  1. Configure database access
  2. Secure the Decipher website with a Secure Sockets Layer (SSL) (production environments)
  3. Ensure all Decipher services are running
  4. Activate sites and services for Decipher IDP
  5. Enable machine learning training (optional)
  6. Update and encrypt database connection strings (optional)
  7. Reporting database configuration (optional)
  8. Configure RabbitMQ connection timeout (optional)

Grant system access (NT AUTHORITY) to the Decipher database

By default, the Decipher Server service runs under the local system account (NT AUTHORITY). This account must be given access to the Decipher database.

If you don't want to provide this level of access for the current user, you can set Decipher Server to run as a service account. This offers enhanced security as you can configure a more complex password. If set to use a service account, this account also needs to be configured with db_datareader and db_datawriter database permissions.

To give NT AUTHORITY access to the Decipher database:

  1. Open Microsoft SQL Server Management Studio and connect to the instance that is hosting your Decipher database. If you installed SQL Express, the default for this is .\SQLEXPRESS.

  2. Click Security > Logins, and double-click NT AUTHORITY\SYSTEM. If you are not using the default account, select the relevant user from the list.

    The Login Properties dialog displays.

  3. Click User Mapping and select the relevant check boxes to ensure the user has db_datareader and db_datawriter access to the Decipher database and the Decipher reporting database, if applicable.

    SQL user mapping

  4. Click OK to save the changes.

Grant access to the Decipher database for additional service accounts

For environments where the Decipher Web Client has been installed using a database connection string enabling Windows authentication (for example, Data Source=.\SQLEXPRESS;Initial Catalog=DecipherServerDb;Integrated Security=True), the IIS Service user needs to be granted db_datareader and db_datawriter access to the Decipher database.

By default this is the NT AUTHORITY\SYSTEM user, but if the IIS Service is being run by a different user (such as a service account), that user account needs to be configured with the relevant permissions using the steps above.

In addition, if the Web Client has been installed with a specified credential in the database connection string, this credential also requires configuring with the same permissions.

Grant Decipher Licensing Service access to the Blue Prism database

The user running the Decipher Licensing Service needs db_datareader access to the Blue Prism database where the license is stored. By default, the service is run by the NT AUTHORITY\SYSTEM user, but in a production environment this should be configured to a service account. To grant the relevant permissions to the service account:

  1. Open Microsoft SQL Server Management Studio and connect to the instance that is hosting your Blue Prism database. If you installed SQL Express, the default for this is .\SQLEXPRESS.

  2. Click Security > Logins and double-click the relevant account.

    The Login Properties dialog displays.

  3. Click User Mapping and select the relevant check box to ensure the user has db_datareader access to the Blue Prism database.

  4. Click OK to save the changes.
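
The following PowerShell is an added example, not Blue Prism code: a read-only check that an account holds the roles granted in the procedures above and nothing broader. It assumes Windows PowerShell 5.1, the page's default instance and database names, and a caller who can read the catalog views.

```powershell
# Added example (not Blue Prism code): list the database roles held by the account
# that runs a Decipher service or the IIS application pool.
Add-Type -AssemblyName System.Data

function Get-DbRoleMembership {
    param(
        [Parameter(Mandatory)][string]$Login,           # e.g. 'NT AUTHORITY\SYSTEM'
        [string]$ServerInstance = '.\SQLEXPRESS',       # default named on the page
        [string]$Database       = 'DecipherServerDb',   # name from the page's connection string
        [string[]]$Expected     = @('db_datareader', 'db_datawriter')
    )
    # Match the database user to the login by SID, so a renamed database user is still found.
    $query = @'
SELECT r.name
FROM sys.database_principals AS u
JOIN sys.database_role_members AS m ON m.member_principal_id = u.principal_id
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
WHERE u.sid = SUSER_SID(@login);
'@
    $connection = [System.Data.SqlClient.SqlConnection]::new(
        "Data Source=$ServerInstance;Initial Catalog=$Database;Integrated Security=True")
    $roles = @()
    try {
        $connection.Open()
        $command = $connection.CreateCommand()
        $command.CommandText = $query
        [void]$command.Parameters.AddWithValue('@login', $Login)
        $reader = $command.ExecuteReader()
        while ($reader.Read()) { $roles += $reader.GetString(0) }
    } finally {
        $connection.Dispose()
    }
    [pscustomobject]@{
        Login    = $Login
        Database = $Database
        Roles    = $roles
        Missing  = @($Expected | Where-Object { $_ -notin $roles })   # still to be granted
        Broader  = @($roles | Where-Object { $_ -notin $Expected })   # review, e.g. db_owner
    }
}

# Decipher Server account against the Decipher database (page defaults):
Get-DbRoleMembership -Login 'NT AUTHORITY\SYSTEM'
```

An account that reaches the database only through a Windows group or a server-level role does not appear in this result. For the Licensing Service account, pass the Blue Prism database name and `-Expected db_datareader`.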

Configure Windows Authentication (production environments)

For production environments, Blue Prism recommends the use of Windows Authentication using service accounts.

The Decipher services and the website application pool must run under the context of a user that has access to the relevant databases.

Configure the Decipher services

The following Decipher services must be configured with database access:

Service name | Database | Required database permissions
Decipher Licensing Service | The Blue Prism database to which the Decipher license is applied. | db_datawriter / db_datareader
Decipher Server | The Decipher database. | db_datawriter / db_datareader
Decipher Web SDK | The Decipher database. | db_datawriter / db_datareader

To configure Windows authentication for each Decipher service listed above:

  1. From Windows Services, right-click the Decipher service and select Properties.
  2. Click the Log On tab and select This account.
  3. Enter the location and password of your service account.
  4. Perform this task for each Decipher service.
  5. Restart the Decipher services.

Grant the service account access to Decipher folders

The service account used to access the Decipher databases also needs access to the following Decipher folders:

  • The Decipher Image Storage Path – This location is defined during the Decipher Server installation and can be viewed in: C:\Program Files (x86)\Blue Prism\Decipher Server\SsiServer.exe.config under the "ImageStorageRoot" key.
  • The Decipher application files – C:\Program Files (x86)\Blue Prism\
  • The default Decipher logging locations:
    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Blue Prism\Blue Prism
    • C:\Windows\System32\config\systemprofile\AppData\Local\Decipher
    • C:\Windows\System32\config\systemprofile\AppData\Local\Blue Prism
  • The default website folder – C:\inetpub\wwwroot
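
As an added example (not Blue Prism code), this PowerShell reports which of the folders listed above carry an explicit NTFS grant for the service account. The account name is hypothetical, the `<add key="ImageStorageRoot" value="..." />` layout is an assumption, and rights inherited through group membership are not resolved.

```powershell
# Added example (not Blue Prism code). Run from an elevated 64-bit PowerShell session,
# otherwise the System32 profile paths are redirected or unreadable.
function Get-DecipherFolderAccess {
    param(
        [Parameter(Mandatory)][string]$Account,   # hypothetical, e.g. 'CONTOSO\svc-decipher'
        [string]$ServerConfig = 'C:\Program Files (x86)\Blue Prism\Decipher Server\SsiServer.exe.config'
    )
    # Folder list taken from the page.
    $folders = @(
        'C:\Program Files (x86)\Blue Prism'
        'C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Blue Prism\Blue Prism'
        'C:\Windows\System32\config\systemprofile\AppData\Local\Decipher'
        'C:\Windows\System32\config\systemprofile\AppData\Local\Blue Prism'
        'C:\inetpub\wwwroot'
    )
    # Assumption: the image storage path is stored as <add key="ImageStorageRoot" value="..." />.
    if (Test-Path -LiteralPath $ServerConfig) {
        $config = [xml](Get-Content -LiteralPath $ServerConfig -Raw)
        $node = $config.SelectSingleNode("//add[@key='ImageStorageRoot']")
        if ($node) { $folders += $node.GetAttribute('value') }
    }
    foreach ($folder in $folders) {
        if (-not (Test-Path -LiteralPath $folder)) {
            [pscustomobject]@{ Folder = $folder; Status = 'FolderNotFound'; Rights = '' }
            continue
        }
        # Keep only Allow rules whose identity is exactly the service account.
        $rules = @((Get-Acl -LiteralPath $folder).Access | Where-Object {
            $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow'
        })
        [pscustomobject]@{
            Folder = $folder
            Status = if ($rules.Count) { 'DirectGrant' } else { 'NoDirectGrant' }
            Rights = ($rules | ForEach-Object { $_.FileSystemRights } | Sort-Object -Unique) -join '; '
        }
    }
}

Get-DecipherFolderAccess -Account 'CONTOSO\svc-decipher'
```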

Configure the Decipher website identity

The Decipher website identity should be set to an account that has db_datareader and db_datawriter access to the Decipher database. The service account that was specified in the Service configuration can be used.

To change the application pool identity:

  1. Open Internet Information Services (IIS) Manager.
  2. On the left-hand pane, navigate to Application Pools.

  3. Select Decipher AppPool.

  4. On the right-hand pane, click Advanced Settings.

  5. The Advanced Settings dialog displays.

  6. Under Process Model, click Identity.

  7. The (ellipsis) button displays.

  8. Click the (ellipsis) button.
  9. The Application Pool Identity dialog displays.

  10. Select Custom Account and click Set.
  11. Enter the account credentials, as prompted.
  12. Once complete, navigate back to the Application Pools list.

  13. Select Decipher AppPool and click the Recycle button.

Recycling the IIS logs will log the user out of the current Decipher IDP session. If frequent recycling of the IIS logs is required, it is recommended that this is scheduled for outside of operating hours.

Secure the Decipher website with a Secure Sockets Layer (SSL) (production environments)

To secure your Decipher website to use an SSL certificate:

  1. Open Internet Information Services (IIS) Manager.
  2. On the left-hand pane, expand the Sites node and select Decipher.
  3. Under Edit Site in the right-hand pane, click Bindings.
  4. The Site Bindings dialog displays.

  5. Click Add.
  6. The Add Site Binding dialog displays.

  7. From the Type drop-down, select https.
  8. Add the host name of the Decipher Server to the Host name field.

  9. Select an SSL certificate.
  10. The SSL certificate drop-down is populated with certificates from the personal certificate store on the local machine.

  11. Click OK to accept the changes.
  12. Navigate to the Decipher website and click Restart.

Any clients connecting to the Decipher website will have to trust the certificate that you selected in the above process. Self-signed certificates will need to be imported onto client machines, but it is more advisable to use a certificate from a certificate authority so that it is implicitly trusted by all clients.
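
The check below is an added example, not Blue Prism code: it lists the certificates in the local machine's personal store (the ones the SSL certificate drop-down offers) and flags those that clients would not trust implicitly or that do not fit the binding. The 30-day expiry threshold is a constructed value, and comparing subject with issuer is a heuristic for self-signed certificates.

```powershell
# Added example (not Blue Prism code): review candidate certificates before binding.
function Get-BindingCertificateCandidate {
    param(
        [Parameter(Mandatory)][string]$HostName,   # host name entered in the https binding
        [int]$WarnDays = 30                        # constructed threshold, adjust to policy
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'           # Server Authentication EKU
    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        # Collect EKU OIDs and DNS names, dropping empty entries.
        $ekus  = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId } | Where-Object { $_ })
        $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode } | Where-Object { $_ })
        $daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

        $findings = @()
        if (-not $cert.HasPrivateKey) { $findings += 'No private key' }
        if ($cert.Subject -eq $cert.Issuer) {
            $findings += 'Self-signed: must be imported on client machines'
        }
        # A certificate without an EKU extension is valid for all purposes.
        if ($ekus.Count -gt 0 -and $ekus -notcontains $serverAuthOid) {
            $findings += 'No Server Authentication EKU'
        }
        # Certificate names may be wildcards, so use them as the -like pattern.
        if (-not ($names | Where-Object { $HostName -like $_ })) {
            $findings += "Does not cover $HostName"
        }
        if ($daysLeft -lt $WarnDays) { $findings += "Expires in $daysLeft days" }

        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            Findings   = $findings -join '; '
        }
    }
}

# Replace with the host name of the Decipher Server used in the binding.
Get-BindingCertificateCandidate -HostName $env:COMPUTERNAME
```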

Check all Decipher services are running

Check that the necessary services exist and are running – you can do this by typing services into the Windows search bar and checking these services:

  • Decipher Automated Client Manager
  • Decipher Licensing Service
  • Decipher Server

    This service will not run until the LocalSystem user has been given access to the database; or the Decipher Licensing Service has started.

  • Decipher Web SDK Service
  • RabbitMQ
  • RabbitMQ

See Troubleshooting if you encounter any issues starting the services.
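
As an added example (not Blue Prism code), the same check can be scripted, together with the logon account set in "Configure the Decipher services". It assumes the names in the list above are the display names shown in the Services console.

```powershell
# Added example (not Blue Prism code): state and logon account of each listed service.
function Get-DecipherServiceStatus {
    # The value marks the services the page says need an account with database access.
    $expected = [ordered]@{
        'Decipher Automated Client Manager' = $false
        'Decipher Licensing Service'        = $true
        'Decipher Server'                   = $true
        'Decipher Web SDK Service'          = $true
        'RabbitMQ'                          = $false
    }
    $installed = Get-CimInstance -ClassName Win32_Service
    foreach ($name in $expected.Keys) {
        $service = $installed |
            Where-Object { $_.DisplayName -eq $name -or $_.Name -eq $name } |
            Select-Object -First 1
        if (-not $service) {
            [pscustomobject]@{
                Service = $name; State = 'NotInstalled'; LogOnAs = $null
                Findings = 'Service not found'
            }
            continue
        }
        $findings = @()
        if ($service.State -ne 'Running') { $findings += "State is $($service.State)" }
        # Win32_Service reports the local system account as 'LocalSystem'.
        if ($expected[$name] -and $service.StartName -eq 'LocalSystem') {
            $findings += 'Runs as LocalSystem; use a service account in production'
        }
        [pscustomobject]@{
            Service  = $name
            State    = $service.State
            LogOnAs  = $service.StartName
            Findings = $findings -join '; '
        }
    }
}

Get-DecipherServiceStatus | Format-Table -AutoSize -Wrap
```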

Activate sites and services for Decipher IDP

By default, IIS creates a website on port 80. If you want Decipher IDP to run on port 80, then this default web site must be disabled or moved to avoid it conflicting with Decipher. To do this:

  1. Open IIS and click the Sites folder in the Connections panel.

  2. Select Default Web Site and click Stop on the Actions > Manage Website panel.
  3. Select Decipher and click Start or Restart.

See Log on and set up Decipher IDP admin for next steps.

Enable machine learning training (optional)

Machine learning training can be switched on and off in the Decipher IDP user interface via Document types. However, it first needs to be configured in the SsiDataCaptureClient.exe.config file.

  1. Using Notepad++, open the SsiDataCaptureClient.exe.config file as an Admin. (The default location is C:\Program Files (x86)\Blue Prism\Decipher Automated Clients.)
  2. Find <add key="EnableModelTrainingML" value="false" /> and set the value to true.

  3. Save the changes to the config file.

  4. Restart the Decipher Server Service.

For information on why machine learning is not enabled by default, see the Decipher IDP frequently asked questions.

Update and encrypt database connection strings (optional)

For enhanced security, you can choose to encrypt your database connection settings.

Update the connection string

  1. Using Notepad++, open the SsiServer.exe.config file. The default location is C:\Program Files (x86)\Blue Prism\Decipher Server\SsiServer.exe.config.
  2. Find connectionString and update the string with the name of the SQL database connection and user credentials.

    The existing connection string depends on whether the option to encrypt was selected when installing Decipher Server, and how the user was configured. The following are examples of typical connection strings:

    • Data Source=.\SQLEXPRESS; Initial Catalog=DecipherServerDb; Integrated Security=True;

    • Data Source=.\SQLEXPRESS; Initial Catalog=DecipherServerDb; User Id=myUsername; Password=myPassword;

    • If already encrypted: enc:AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAardddLezc0amPmM328

  3. Save the changes to the config file.

  4. Restart the Decipher Server service.

Encrypt the connection string

  1. Launch the command prompt.

  2. Set the directory to the installation location, for example cd C:\Program Files (x86)\Blue Prism\Decipher Server.

  3. Enter ssiserver -enc and press Enter.

  4. Restart the Decipher Server service to test if the configuration is successful. If the service does not start, follow the Troubleshooting suggestions.
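
To confirm that no plaintext password remains after encrypting, the added example below (not Blue Prism code) classifies each connection string in a config file as encrypted, Windows authentication, or plaintext password, without printing the password. The sample XML is constructed, and storing the value in a `connectionString` attribute is an assumption about the layout of SsiServer.exe.config.

```powershell
# Added example (not Blue Prism code). Assumes Windows PowerShell 5.1.
Add-Type -AssemblyName System.Data

# Constructed sample covering the three forms the page describes.
$sampleConfig = @'
<configuration>
  <connectionStrings>
    <add name="Windows" connectionString="Data Source=.\SQLEXPRESS; Initial Catalog=DecipherServerDb; Integrated Security=True;" />
    <add name="SqlLogin" connectionString="Data Source=.\SQLEXPRESS; Initial Catalog=DecipherServerDb; User Id=myUsername; Password=myPassword;" />
    <add name="Encrypted" connectionString="enc:EXAMPLEONLY" />
  </connectionStrings>
</configuration>
'@

function Get-ConnectionStringExposure {
    param([Parameter(Mandatory)][string]$ConfigXml)
    $document = [xml]$ConfigXml
    foreach ($element in $document.SelectNodes('//*[@connectionString]')) {
        $value = $element.GetAttribute('connectionString').Trim()
        $kind = 'Unparseable'; $sqlLogin = $null
        if ($value.StartsWith('enc:')) {
            $kind = 'Encrypted'                      # prefix shown on the page
        } else {
            try {
                $builder = [System.Data.SqlClient.SqlConnectionStringBuilder]::new($value)
                $sqlLogin = $builder.UserID
                $kind = if ($builder.IntegratedSecurity) {
                    'WindowsAuthentication'
                } elseif ($builder.Password) {
                    'PlaintextPassword'              # candidate for ssiserver -enc
                } else {
                    'NoCredential'
                }
            } catch { }                              # malformed string stays 'Unparseable'
        }
        [pscustomobject]@{ Name = $element.GetAttribute('name'); Kind = $kind; SqlLogin = $sqlLogin }
    }
}

Get-ConnectionStringExposure -ConfigXml $sampleConfig
# Real file: Get-ConnectionStringExposure -ConfigXml (Get-Content -Raw '<path to SsiServer.exe.config>')
```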

Reporting database configuration (optional)

If you have chosen to create a separate reporting database during the installation of the Decipher server, you can then copy across any existing reporting data from the Decipher database to the new reporting database.

  1. Using Notepad++, open the SsiServer.exe.config file. The default location is C:\Program Files (x86)\Blue Prism\Decipher Server\SsiServer.exe.config.
  2. Find WorkflowConfig and set the SyncOldDataToReportingDatabase value to True.
  3. Save the changes to the config file.

  4. Restart the Decipher Server service.

  5. Restarting the server may take some time while the data is copied across to the reporting database.

Configure RabbitMQ connection timeout (optional)

When the Decipher Licensing Service is installed, there is a default RabbitMQ connection timeout of 5 seconds. If the component cannot connect to RabbitMQ in this time, it will time out and an exception message is logged in Windows Event Viewer: Failed to connect to RabbitMQ after 5 seconds of waiting.

If required, you can update the timeout value by editing the RabbitMqConnectionTimeoutInSeconds attribute in the component's config file:

  1. In Windows Services, locate the Decipher Licensing Service, right-click and select Stop. You can access Windows Services by typing Services into the Windows search bar.

  2. Navigate to the Decipher Licensing Service config file. The default location is C:\Program Files (x86)\Blue Prism\Decipher Licensing Service\config.

  3. Open the file in a text editor.

  4. In the Configurations section, locate the RabbitMqConnectionTimeoutInSeconds attribute and update the value as required. This must be a positive integer value.

  5. Save the changes to the config file.

  6. In Windows Services, restart the Decipher Licensing Service.

The Decipher Licensing Service will now use the updated timeout value.