Hub install preparation

Prior to undertaking an installation of Blue Prism Hub it is important to ensure that the architecture is configured to support the installation. Multiple systems are required to support the installation of Hub.


Before carrying out the installation, the following conditions must be met:

  • A SQL Server must be available to host the Blue Prism component databases, such as Authentication Server, Hub, Audit, and so on. Administrator-level access is required during the installation process. See Minimum SQL permissions for more details.
  • A Message Broker Server must be available hosting RabbitMQ Message Broker. See Install the Message Broker server for more details.

  • A Web Server for the Hub installation. See the Prerequisites for further information.
  • Administrator access to the devices where Blue Prism Hub is to be installed must be available. All devices must meet the minimum specifications and the devices must be able to communicate with each other over the local network, including communication with your Blue Prism Database. DNS should be available to all components.
  • The account performing the installation must have access to the hosts file. This is typically stored in C:\Windows\System32\drivers\etc\hosts or %SYSTEMROOT%\System32\drivers\etc\hosts.

When planning your deployment, the following points should be considered:

  • Will the database be added to an existing database server or will a new one be commissioned?

    Blue Prism recommends that databases are kept on separate database servers.

  • Is there sufficient space and resources to host the added databases?

    You should check that sufficient disk space and compute resources are available to cope with the additional load.

  • What authentication mode is required for the SQL database (SQL Native or Windows Authentication)?

    This is your IT organization's decision.

  • Has the Message Broker server been set up and configured to support the installation of Hub?

    A Message Broker server is required to complete the installation of Hub.

  • Do all devices where Blue Prism Hub is to be installed meet the minimum requirements?

    See Hub software requirements and permissions for details.


See Hub software requirements and permissions for details of software requirements and minimum SQL permissions.

Installing Hub requires the following prerequisites:

  • SQL Server must be configured to use SSL encryption. If your organization does not already use SSL encryption (you have been running your environment without certificates for your SQL Server, or you have been using a self‑signed certificate), your organization should obtain a certificate from a trusted certificate authority and import it into SQL Server to enable this. For more information, see Microsoft's documentation.

    To import the certificate into SQL Server:

    1. From the Windows task bar, open SQL Server Configuration Manager.

    2. In the SQL Server Configuration Manager, expand SQL Server Network Configuration and right-click Protocols for <SqlServerInstanceName>, and then click Properties.

    3. In the Protocols for <SqlServerInstanceName> Properties dialog, select the Certificate tab, and then select or import the required certificate.

    4. Click Apply.

    Certificates from trusted certificate authorities should be used for Production environments. However, a self-signed certificate could be used for Proof of Concept, or Development environments. It is important that the fully qualified domain name (FQDN) used by SQL Server matches the FQDN defined in the certificate. If these do not match, a connection to the database will not be established and your installation will not function correctly. For information on using and configuring self-signed certificates, see Self-signed certificates.

    In addition to the databases installed by the Hub installer, your Blue Prism database must also use SSL encryption, using a certificate that the Hub server trusts, such as from a trusted certificate authority.

  • The Message Broker server build is a generic setup and base install of a RabbitMQ Message Broker service. It is recommended that the default passwords are changed and that any security requirements, such as applying SSL certificates, are completed by your IT department.

    To complete the Message Broker build, the following need to be downloaded:

    Installation guidance is provided here:

  • Blue Prism Hub is installed on the web server and therefore requires Internet Information Services Manager (IIS) and the .NET Core components installed. These need to be pre-installed to enable a successful installation of Blue Prism Hub. See Install and configure the web server – Hub for more information.

  • You will be creating the following websites – you should define the URLs based on your organization's domain:

    Website in IIS | Default URL (example only)

    Websites with a user interface for use by end-users:

      • Blue Prism – Authentication Server
      • Blue Prism – Hub

    Websites for use by the application only (services):

      • Blue Prism – Email Service
      • Blue Prism – Audit Service
      • Blue Prism – File Service
      • Blue Prism – Notification Center
      • Blue Prism – License Manager
      • Blue Prism – SignalR


    The default URLs shown above are suitable for a standalone environment, such as a test environment. Your organization’s DNS and Domain structures must be considered when choosing host names for your installation.

  • Certificates – During the installation process you will be asked for the SSL certificates for the websites being set up. Depending on your infrastructure and your IT organization's security requirements, these could be internally created SSL certificates or purchased certificates to protect the websites. The installer can be run without the certificates being present, though for the sites to operate, the bindings in the IIS websites will need to have valid SSL certificates present. For more information, see Configure SSL certificates.

  • Your Customer ID – During the installation process, you will be asked to enter your Customer ID. This can be found in the email that was sent to you when you purchased ALM, Decision or Interact for use with Hub.

    If you are only installing Control Room, you will not need a Customer ID. Customer IDs are only provided with, and required by, ALM, Decision or Interact.

  • When using Windows Authentication, defined Windows Service Accounts are required for use with the Blue Prism environment. This is so that Windows Services and Application Pools can be configured correctly for the websites created during the Hub installation. For more information, see Installing Hub using Windows Authentication.
  • By default, IIS Application Pools are used. Application pools must have access to the application files and certificates that are created during installation for data protection and authorization. These certificates are BluePrismCloud_Data_Protection and BluePrismCloud_IMS_JWT, which are located within the default Windows certificate folder. The Application Pool for Hub will also need access to the BPC_SQL_CERTIFICATE certificate. If using Windows Authorization for access to SQL Server, this will need to be configured manually. For more information, see Default application information.

  • By default, the ‘Local System’ account is used for services. This account must have access to application files. If using Windows Authorization for access to SQL Server, this will need to be configured manually.

  • The Group Policy settings for Script Execution must be set to RemoteSigned at machine level (the highest level) during installation. These settings are required by the installer, which runs signed PowerShell scripts, and not by Hub itself, so when the installation is complete you can return the settings to their former values if necessary.

    To determine whether you need to temporarily update the Script Execution settings, run the command Get-ExecutionPolicy -List (for more information, see Get-ExecutionPolicy), and check the output. If either MachinePolicy or UserPolicy is not set to RemoteSigned, you must update the settings as follows:

    1. In the Group Policy Editor, navigate to Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell.

    2. Double-click the Turn on Script Execution option.

      The Turn on Script Execution screen displays.

    3. Select Enabled, and in the Execution Policy dropdown, select Allow local scripts and remote signed scripts.

    4. Click OK, and close the Group Policy Editor.

    5. Force a policy update, either by rebooting the machine, or by running a gpupdate /force command.

    6. Run Get-ExecutionPolicy -List again to confirm that the policy change has taken effect (MachinePolicy should now be set to RemoteSigned).
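
The Script Execution check in the steps above can be scripted so that the former values are recorded before the Group Policy change and can be restored once the installation is complete. This is an added example, not Blue Prism's code; the snapshot file location and the function names are assumptions made for illustration.

```powershell
# Added example, not Blue Prism code. Run in an elevated PowerShell session.
# $SnapshotPath is an assumed location for the record of the former values.
$SnapshotPath = Join-Path $env:TEMP 'execution-policy-before-hub-install.json'

function Get-PolicySnapshot {
    # One entry per scope, in precedence order (MachinePolicy first).
    Get-ExecutionPolicy -List | ForEach-Object {
        [pscustomobject]@{
            Scope  = $_.Scope.ToString()
            Policy = $_.ExecutionPolicy.ToString()
        }
    }
}

function Test-MachinePolicyRemoteSigned {
    # Same criterion as step 6: MachinePolicy must read RemoteSigned.
    param([Parameter(Mandatory)] [object[]] $Snapshot)
    $machine = $Snapshot | Where-Object Scope -eq 'MachinePolicy'
    return ($machine.Policy -eq 'RemoteSigned')
}

$snapshot = Get-PolicySnapshot

# Keep only the first snapshot, so re-running this after the Group Policy
# change does not overwrite the record of the original values.
if (-not (Test-Path $SnapshotPath)) {
    $snapshot | ConvertTo-Json | Set-Content -Path $SnapshotPath -Encoding UTF8
}

$snapshot | Format-Table -AutoSize

if (Test-MachinePolicyRemoteSigned -Snapshot $snapshot) {
    Write-Host 'MachinePolicy is RemoteSigned: the signed installer scripts can run.'
} else {
    Write-Warning 'MachinePolicy is not RemoteSigned: apply steps 1-6, then re-run this check.'
    Write-Host "Former values are recorded in $SnapshotPath for restoring after installation."
}
```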
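
For the SQL Server prerequisite, where the FQDN used by SQL Server must match the FQDN defined in the certificate, the candidate certificates can be checked before one is selected in SQL Server Configuration Manager. This is an added example, not Blue Prism's code; it assumes the certificate is in the LocalMachine\My store and that clients connect using the host's DNS name (pass -Fqdn to check a different name).

```powershell
# Added example, not Blue Prism code. Run on the SQL Server host as administrator.
# Assumption: the certificate has been imported into the LocalMachine\My store.
param(
    [string] $Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication enhanced key usage
$now = Get-Date

function Test-NameMatch {
    param([string] $Pattern, [string] $HostName)
    # Exact match (case-insensitive), or a wildcard covering one left-most label.
    if ($Pattern -eq $HostName) { return $true }
    if ($Pattern.StartsWith('*.')) {
        $suffix = $Pattern.Substring(1)              # e.g. ".corp.example"
        $first, $rest = $HostName.Split('.', 2)
        return ($rest -and (".$rest" -eq $suffix))
    }
    return $false
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert  = $_
    # DnsNameList and EnhancedKeyUsageList are added by the certificate provider.
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $ekus  = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        NameMatches   = [bool]($names | Where-Object { Test-NameMatch $_ $Fqdn })
        InValidity    = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
        HasPrivateKey = $cert.HasPrivateKey
        ServerAuthEku = ($ekus -contains $serverAuthOid)
        # Heuristic only: subject equal to issuer indicates a self-signed certificate.
        SelfSigned    = ($cert.Subject -eq $cert.Issuer)
    }
} | Sort-Object NameMatches -Descending | Format-Table -AutoSize
```

A certificate suitable for a Production environment shows True in every column except SelfSigned; a row with NameMatches set to False is the mismatch that prevents the database connection from being established.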