Advanced Configuration: This Section Provides Details About Advanced Configuration Techniques For Configuring Blue Prism

BP docs

Uploaded by

vishal guthula
Advanced configuration
This section provides details about advanced configuration techniques for configuring Blue Prism:

Multiple and co-hosted application servers


DNS resolution
Java Access Bridge
Active Directory
Scripted installation

If you have any feedback about this topic or any other aspect of the help, please contact us at
[email protected].

© Blue Prism Limited, 2001 – 2020

DNS resolution
Blue Prism installations communicate with each other using their respective machine names – it is therefore necessary to
ensure that these can be resolved successfully, and that firewall rules allow appropriate communication on the defined
ports.
It may be necessary to set up DNS servers, Windows DNS search suffixes or local hosts files to support this.
Enterprise organizations often use formal DNS management utilities; however, for tactical or experimental configurations it
may be appropriate to use local hosts files to manipulate DNS.

1. Open the host file on the local machine using a text editor such as Notepad – administrator level access is required.
C:\Windows\System32\drivers\etc\hosts
2. Enter the IP addresses and host names that are relevant to the deployment.

3. Save and exit the text editor.

Java Access Bridge


If any of the target applications, including browser plug-ins, are deployed using the Java Runtime Environment, the Java
Access Bridge must be installed on each Blue Prism client desktop.

Information about obtaining the appropriate installers can be provided to the Blue Prism Support team by your Account
Manager.

Blue Prism uses Java Access Bridge to access a series of specialized techniques for interfacing with applications written
in the Java Programming Language.
For further information about the Java Access Bridge and Blue Prism, see Java Access Bridge (JAB).

Advanced installation
Select which optional components to install:

Outlook Automation – Installs the DLL required to use the Blue Prism Outlook Email VBO. Requires 952KB on
your hard drive.
Google Sheets Automation – Installs the APIs required to use the Blue Prism Google Sheets VBO. Requires
408KB on your hard drive.
Chrome Browser Extension – Applies the registry setting that instructs Chrome to add the Blue Prism browser
extension, required if interacting with Chrome from Blue Prism. Requires 1KB on your hard drive.
Firefox Browser Extension – Applies the registry setting that instructs Firefox to add the Blue Prism browser
extension. Requires 196KB on your hard drive.

Configure the database connection
Once Blue Prism is installed, the Blue Prism database connection can be configured.
For SQL native authentication mode, use:
Automate.exe /dbconname "Friendly name" /setdbname "DB Name" /setdbserver "DB Server" /setdbusername "DB User" /setdbpassword "********"

For SQL Windows authentication mode, use:
Automate.exe /dbconname "Friendly name" /setdbname "DB Name" /setdbserver "DB Server"

Create a Blue Prism database


Once a database connection has been defined a Blue Prism database can then be created. The parameters that must
be used will depend on whether Blue Prism Native, or Single Sign-on will be used to secure access to Blue Prism.

Configuring a database for an environment to be secured using Blue Prism Native Authentication

Database secured using SQL Authentication


AutomateC.exe /createdb "*******"

Database secured using Windows Authentication


AutomateC.exe /createdb ""

Configuring a database for an environment to be secured using Single Sign-on for Blue Prism

Database secured using SQL Authentication


AutomateC.exe /createdb "*******" /setaddomain "Domain Name" /setadadmingroup "Group Name"

Database secured using Windows Authentication


AutomateC.exe /createdb "" /setaddomain "Domain Name" /setadadmingroup "Group Name"

The current user must belong to the AD Group specified as the /setadadmingroup.
The configuration of additional Blue Prism security roles including associating with Active Directory Security Groups
must be completed via the User Interface.

Register the License


The license can be added to the deployment by specifying the path of the license file in the command below:
AutomateC.exe /license "Path of License File"

Create the server service profile


Create a server service that uses the created connection. An encryption scheme named Default Encryption Scheme will
be created by default.
AutomateC.exe /serverconfig "Profile Name" "Connection Name" "Port"

AutomateC.exe /serverconfig "Default" "Default Connection" "8199"

Do not use this method to create a server for an existing environment as the encryption scheme must match existing
schemes.

Configure a connection to the application server


Configure the devices to connect to the environment via the Blue Prism Server.
Automate.exe /dbconname "Friendly name" /setbpserver "Server Name" "Port"

Import processes
If there are business objects or processes to be imported the XML files can be imported individually using the
command(s):
AutomateC.exe /import "C:\My Process.xml" /user admin admin

AutomateC.exe /import "C:\My Object.xml" /user admin admin

The user credentials supplied here (username "admin" and password "admin") are the sample options for native
authentication; these have not yet been changed but will be changed later. Where Active Directory authentication is
being used, the option "/user admin admin" should be replaced with "/sso"; this assumes that the Active Directory
groups have already been configured.

Publishing processes

WCF mode using message encryption with a server binding specified on the server profile

netsh http add urlacl url=http://bpserver001.mydomain:8199/bpserver user=Domain\UserName

WCF mode using transport encryption with no server binding specified on the server profile

netsh http add urlacl url=https://+:8199/bpserver user=Domain\UserName

WCF mode using transport encryption with a server binding specified on the server profile

netsh http add urlacl url=https://bpserver001.mydomain:8199/bpserver user=Domain\UserName

Associating a Certificate with the network interface


When the Blue Prism Server service is configured to use a WCF connection mode that requires a deployed certificate,
these steps provide the commands to associate a locally deployed certificate with the listening IP address and port.
The certificate must be deployed for the computer account. Likewise ensure that the issuing certificate authority is
trusted by this device and that the certificate, and its issuing authority, are trusted by all client devices.
netsh http add sslcert ipport=[IP Address:Port] certhash=[Thumbprint] appid={00112233-4455-6677-8899-AABBCCDDEEFF}

For example:
netsh http add sslcert ipport=10.0.2.15:8199 certhash=bac31cc4094793d275167cf02b31bbac2718f3c7 appid={00112233-4455-6677-8899-AABBCCDDEEFF}
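
A thumbprint copied from a certificate properties dialog often carries spaces or an invisible Unicode character, and a binding on a different port from the https reservation leaves the listener without a certificate. The following pre-flight check is an added example, not part of the Blue Prism documentation; the function names are hypothetical and it assumes an IPv4 ipport value.

```python
import re
import unicodedata

# Shapes of the three values used by the netsh commands on this page.
APPID = re.compile(r"\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
IPPORT = re.compile(r"([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3}):([0-9]{1,5})")
RESERVATION = re.compile(r"(https?)://[^/:]+:([0-9]{1,5})/.*")


def clean_thumbprint(raw):
    """Drop whitespace and invisible format characters, then validate the hash."""
    cleaned = "".join(
        ch for ch in raw
        if not ch.isspace() and unicodedata.category(ch) != "Cf"
    )
    if not re.fullmatch(r"[0-9A-Fa-f]{40}", cleaned):
        raise ValueError("thumbprint must be 40 hexadecimal characters")
    return cleaned.lower()


def check_binding(reservation_url, ipport, appid):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    ip = IPPORT.fullmatch(ipport)
    if (not ip
            or any(int(octet) > 255 for octet in ip.groups()[:4])
            or not 0 < int(ip.group(5)) < 65536):
        problems.append("ipport must be an IPv4 address and port, e.g. 10.0.2.15:8199")
        ip = None
    if not APPID.fullmatch(appid):
        problems.append("appid must be a GUID in braces")
    url = RESERVATION.fullmatch(reservation_url)
    if not url:
        problems.append("reservation must look like http(s)://host:port/path")
    elif url.group(1) != "https":
        problems.append("reservation is http; the transport encryption reservations use https")
    elif ip and int(url.group(2)) != int(ip.group(5)):
        problems.append("reservation port and certificate binding port differ")
    return problems


def sslcert_command(reservation_url, ipport, thumbprint, appid):
    """Build the 'netsh http add sslcert' line only when every check passes."""
    problems = check_binding(reservation_url, ipport, appid)
    if problems:
        raise ValueError("; ".join(problems))
    return (f"netsh http add sslcert ipport={ipport} "
            f"certhash={clean_thumbprint(thumbprint)} appid={appid}")


if __name__ == "__main__":
    # Constructed input: the page's example thumbprint with a leading
    # left-to-right mark (U+200E), as it can appear after copy and paste.
    pasted = "\u200ebac31cc4094793d275167cf02b31bbac2718f3c7"
    print(sslcert_command(
        "https://bpserver001.mydomain:8199/bpserver",
        "10.0.2.15:8199",
        pasted,
        "{00112233-4455-6677-8899-AABBCCDDEEFF}",
    ))
```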

Login Agent
When executing an automated process on a Blue Prism runtime resource, it is necessary for the runtime resource to be
running on a device which is logged in and not locked. This allows the process to operate under the context of that user
and provides access to all of the local applications and network resources it may need.
Blue Prism Login Agent provides a mechanism for automating the log in process for a Windows machine so that a Blue
Prism runtime resource can be started. This includes:

Configuring the Login Agent service with appropriate information to launch a Login Agent runtime resource.
A Login Agent runtime resource being started automatically when a device is powered on (or rebooted) that
connects to the appropriate Blue Prism environment.
The Login Agent runtime resource being instructed to log in manually or via a schedule.
The Login Agent securely retrieving the appropriate credential from the database and using this to authenticate with
Windows.

The diagram below shows the flow of events that occur to take a device from being powered on to being logged in and
able to receive process automation instructions.

Security policies
It is common for security policies to have been configured that apply each time a device is logged onto the network.
Login Agent is used to automatically log devices that host runtime resources onto the network. If security policies that
require human intervention are applied to these devices, this can prevent Login Agent from working. Therefore, these
policies must either be disabled on the devices, or a policy must be applied that allows them to be programmatically
traversed.

For devices on which there are no policies that require human intervention, Login Agent can automatically log in
without having to enable and configure the SAS service.
For devices on which there are policies that require human intervention, the SAS service can be used to
programmatically send Ctrl + Alt + Del and, whilst not a recommended approach, it also provides unsupported
functionality that can attempt to temporarily disable some policies.

The SAS service must be run by a local system or local admin account.

The following sections provide recommended and alternative solutions for traversing common security policies.

Ctrl + Alt + Del – Secure Attention Sequence
If there is a requirement for users to press Ctrl + Alt + Del (Secure Attention
Sequence) as part of the login:

Recommended:
Apply Local Security Policy that enables a software SAS to be submitted on all runtime resources.
Configure the Blue Prism automated process to request the SAS service to programmatically send the SAS as part of
the Login operation.
Policy setting:
Local Group Policy > Administrative Templates > Windows Components > Windows Logon Options >
Disable or enable software Secure Attention Service
Value: Enabled for either Services or Services and Ease of Access applications.
Login Agent install options:
Install the SAS service and enable the SAS proxy
Configure login process to instruct a software SAS to be sent

Alternative:
Disable the requirement for users to traverse the SAS as part of the Login operation.
(Only needs applying on devices that will be used as runtime resources).
Policy setting:
Local Security Policy > Interactive Login > Do not require Ctrl + Alt + Del
Value: Enabled

Alternative (unsupported):
Configure the Blue Prism SAS service to attempt to disable the policy setting on-the-fly.
Login Agent install options:
Install the SAS service and set the local SAS proxy
Login process does not need to send a software SAS

On-screen pre-login message


If there is a requirement for users to traverse an on-screen message as part of
the login:

Recommended:
Disable the requirement for users to traverse a login message as part of the Login operation.
(Only needs applying on devices that will be used as runtime resources).
Policy setting:
Local Security Policy > Interactive Login > Message text for users attempting to log on
Value: [Blank]
Local Security Policy > Interactive Login > Message title for users attempting to log on
Value: [Blank]

Alternative (Unsupported):
Configure the Blue Prism SAS service to attempt to disable the policy setting on-the-fly.
Login Agent install options:
Install the SAS service and set the local legal message policy

Display lock screen


There should be no requirement to traverse a lock-screen making it possible for
Login Agent to be used to unlock a locked runtime resource. This helps to
ensure secure operation of devices as it makes it easier to lock and unlock
devices.
Local Group Policy Editor: Do not display the lock screen.
Value: Enabled.

Install Login Agent

Editions of Login Agent


This guide provides information on using Login Agent with Blue Prism 6.5 and above. For previous versions, download the
appropriate guide from the Blue Prism Portal.

Location of installer: Contained within the Installers directory of the install location of Blue Prism.
Supported Blue Prism versions: The version of Blue Prism that the installer was provided with.
Supported Operating Systems: Same as the version of Blue Prism that the installer was provided with.
Prerequisites: An appropriate version of Blue Prism must be installed and configured prior to installing Login Agent.
When installing onto a virtual device, the host virtualization technology must support third-party credential providers.
User access: Administrator access is required on the target system.

Distributable files
There are two installers available for each version of Login Agent:

LoginAgent_x86.msi
LoginAgent_x64.msi

Prerequisites
Login Agent should only be installed on a device where Blue Prism has been installed and at least one Blue Prism
connection has been configured.
When installing on virtualized devices, it is necessary for the virtualization host technology to support third-party
credential providers.
Login Agent must be used with the version of the VBO that is provided within the associated Blue Prism release file.

Command line installation


To install Login Agent without the SAS service, use the command:
msiexec /i LoginAgent_x64.msi /q

Custom install options


To install Login Agent with the SAS service, use the ADDLOCAL parameter:
msiexec /i LoginAgent_x64.msi /q ADDLOCAL=LoginAgent,SasService

To set the SAS service configuration settings:


msiexec /i LoginAgent_x64.msi /quiet EnableSASProxy=true AttemptOverrideSASGPO=false AttemptOverrideLegalMsgGPO=true

Set each true/false value as required – the setting names and values are not case sensitive.

Advanced installation and configuration

Update or customize the Login Agent configuration


The configuration of Blue Prism Login Agent service, responsible for initialising the Login Agent runtime resource, is stored
within a local configuration file:
C:\ProgramData\Blue Prism Limited\Automate V3\LoginAgentService.config
The workingdirectory element points to the installation directory for the Blue Prism software.
The startuparguments element gives the arguments that will be used when launching the Login Agent runtime resource.
Common start-up argument configuration changes include:

Updating the Blue Prism connection that the Login Agent runtime resource will use
Updating the port number that Login Agent runtime resource will listen on
Configuring the Login Agent runtime resource to apply certificate-based encryption
Adding custom parameters to be included in the start-up process of the Login Agent runtime resource

Set the Blue Prism connection used by the Login Agent runtime resource
The Login Agent runtime resource will use the default Blue Prism Connection to establish a connection into the Blue Prism
environment. Alternatively, it is possible to use the dbconname parameter to force which connection will be used.
The value of the connection name must exactly match the name of an existing Blue Prism connection on the local device.
<startuparguments>
  <argument name="resourcepc" />
  <argument name="public" />
  <argument name="port">
    <value>8181</value>
  </argument>
  <argument name="dbconname">
    <value>Prod: Financial Services</value>
  </argument>
</startuparguments>

If no connection is specified in the configuration file, the first connection specified in the Blue Prism client connection list on
the local device will be used.

Update the port that the Login Agent runtime resource listens on
The listening port, used by the Login Agent runtime resource, is configured separately to the listening port that will be used
by the runtime resource used once the device has been logged on. There is no requirement for the Login Agent runtime
resource and the Blue Prism runtime resource to use the same port.
<startuparguments>
  <argument name="resourcepc" />
  <argument name="public" />
  <argument name="port">
    <value>8181</value>
  </argument>
  <argument name="dbconname">
    <value>Prod: Financial Services</value>
  </argument>
</startuparguments>

Configure the Login Agent runtime resource with certificate-based encryption
Where the conventional runtime resources are configured to force encryption of incoming connections using a specified
certificate (e.g. where the runtimes are started using the /sslcert switch), it is necessary to manually apply the appropriate
configuration to the Login Agent runtime resource.
The startuparguments element within the configuration file can be updated to include the appropriate information:
<argument name="dbconname">
  <value>Prod: Financial Services</value>
</argument>
<argument name="sslcert">
  <value>[Certificate Thumbprint]</value>
</argument>

For example:
<argument name="dbconname">
  <value>Prod: Financial Services</value>
</argument>
<argument name="sslcert">
  <value>fee449ee0e3965a5246f000e89fde2a065fd89d4</value>
</argument>

Certificate-based encryption is only applied to the traffic received on the listening port. Encryption is applied separately to
the connection that retrieves the credentials that will be used as part of the login process.
Certificate-based encryption should only be applied to Login Agent runtime resources once the certificate has been
applied and tested with a Blue Prism runtime resource.

Configuring the Login Agent runtime resource to authenticate against Blue Prism
The Login Agent runtime resource can be configured to authenticate with the Blue Prism environment.
Blue Prism environments configured with native authentication – Start-up parameters will need to include /user [username] [password]
<argument name="user">
  <value>[username]</value>
  <value>[password]</value>
</argument>

Blue Prism environments configured for Single Sign-on – Start-up parameters will need to include /sso to pass the context
of the currently logged in user.
<argument name="sso" />

Login Agent starts under the logon context of the Login Agent windows service.
When using single sign-on, the Login Agent service will need to be configured to start with a service account that has
appropriate access to Blue Prism.

Adding parameters to the start-up command


Where it is necessary to add additional start-up command parameters to the Login Agent runtime resource, they can be
added in a similar fashion. For example, to add a DB password for a SQL Server authenticated database add the XML
below before the closing </startuparguments> tag:
<argument name="setdbpassword">
  <value>Password$123</value>
</argument>
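
The user and setdbpassword arguments above place passwords in LoginAgentService.config in clear text, and a public resource started without user or sso connects anonymously. The following audit is an added example, not Blue Prism code: it reads the startuparguments block and reports those conditions plus a missing or malformed sslcert value. The configuration root element, both sample files and the finding names are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples. <startuparguments>, <argument name="..."> and <value>
# are taken from the page; the <configuration> root element is an assumption.
WEAK_CONFIG = """\
<configuration>
  <startuparguments>
    <argument name="resourcepc" />
    <argument name="public" />
    <argument name="port"><value>8181</value></argument>
    <argument name="dbconname"><value>Prod: Financial Services</value></argument>
    <argument name="setdbpassword"><value>Password$123</value></argument>
  </startuparguments>
</configuration>
"""

HARDENED_CONFIG = """\
<configuration>
  <startuparguments>
    <argument name="resourcepc" />
    <argument name="public" />
    <argument name="port"><value>8181</value></argument>
    <argument name="dbconname"><value>Prod: Financial Services</value></argument>
    <argument name="sso" />
    <argument name="sslcert"><value>fee449ee0e3965a5246f000e89fde2a065fd89d4</value></argument>
  </startuparguments>
</configuration>
"""

THUMBPRINT = re.compile(r"[0-9A-Fa-f]{40}")
# Argument name -> position of the password among its <value> children.
SECRET_VALUE_INDEX = {"setdbpassword": 0, "user": 1}


def parse_startup_arguments(xml_text):
    """Return {argument name: [values]} from the <startuparguments> block."""
    root = ET.fromstring(xml_text)
    block = root if root.tag == "startuparguments" else root.find(".//startuparguments")
    if block is None:
        raise ValueError("no <startuparguments> element found")
    args = {}
    for arg in block.findall("argument"):
        # Lower-casing the name for matching is a choice made for this example.
        name = (arg.get("name") or "").strip().lower()
        args[name] = [(v.text or "").strip() for v in arg.findall("value")]
    return args


def audit(args):
    """Return (finding, detail) tuples for the parsed start-up arguments."""
    findings = []
    for name, index in SECRET_VALUE_INDEX.items():
        values = args.get(name, [])
        if len(values) > index and values[index]:
            findings.append(("plaintext-secret",
                             f"{name}: password stored in clear text in the file"))
    if "public" in args and "user" not in args and "sso" not in args:
        findings.append(("anonymous-public",
                         "public resource starts without user or sso"))
    if "sslcert" not in args:
        findings.append(("no-sslcert",
                         "no certificate set for the listening port; needed "
                         "where the conventional runtimes use /sslcert"))
    elif not args["sslcert"] or not THUMBPRINT.fullmatch(args["sslcert"][0]):
        findings.append(("bad-thumbprint",
                         "sslcert value is not a 40 character hex thumbprint"))
    port = args.get("port", [])
    if port and not (re.fullmatch(r"[0-9]{1,5}", port[0]) and 0 < int(port[0]) < 65536):
        findings.append(("bad-port", "port is not a number between 1 and 65535"))
    return findings


def audit_config(xml_text):
    return audit(parse_startup_arguments(xml_text))


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label)
        for code, detail in audit_config(text):
            print(f"  [{code}] {detail}")
```

A plaintext-secret finding also means the access control list on the config file decides who can read that password.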

Setting up Windows login credentials


The login credential is a Windows user account and password used to log into a specified machine. An environment
variable defines the format of the credential name that is used to log the machine in. The following process describes how
to create the environment variable and add a credential for Login Agent.

1. In the System tab, select Objects > Environment Variables.


2. Click Add Variable from the options menu.
3. The name of the environment variable must be formatted according to the environment variable Login Format
String.
It is recommended that Windows Login: {0} is used as the default value. The number in brackets is a placeholder for
the machine name of the runtime resource that you want to log in to. The value is substituted with the machine
name when the login process runs, and this is matched with an existing credential.

4. In the System tab, select Security > Credentials.


The credential must be created using the same connection type as the Blue Prism server. For example, if you create
the credential whilst logged into a direct database connection but the Login Agent client machine specifies a Blue
Prism Server type connection, the credential will not be found.
5. Click New from the options menu. The Credential Details dialog displays.
6. Enter the environment variable name as the credential name and the username and password for the specified
machine.

7. Click OK to save the credential.

Troubleshooting Login Agent

Common Issues
Common issues when trying to work with Login Agent include:

Incorrect configuration of security policies on the local device


It is essential that the specified security policies have been disabled. These include disabling lock screens, disabling the
requirement to press CTRL + ALT + DEL prior to logging in; and disabling log-on messages such as usage access policy
messages.
Security policies and settings can be inherited from different sources (e.g. local settings on the machine; and centrally via
group policy) and the policies that are actually applied on the local device must be verified. It is advisable to watch the
boot-up procedure to ensure the user is not prompted for unexpected or unsupported input.

Incorrect configuration of the Login Agent runtime resource


The configuration of the Login Agent runtime resource must be validated against the settings used for the conventional
runtime resources. In particular, verify that the connection used is one that works within the Blue Prism client.

Identifying login agent runtime resources in control room
Login Agent runtime resources are shown using a dedicated icon within Control Room.

When appropriately configured, the Login Agent runtime resource is started whenever the machine is in a pre-logged in
state, and remains active until the device has been logged on and a conventional Blue Prism runtime resource has been
started. The Login Agent runtime resource is automatically shut-down by the start-up of a Blue Prism runtime resource.

Enable logging for Login Agent


Login Agent can be configured to generate diagnostic logs on a specific device by configuring the appropriate Registry key
settings.
For appropriate versions of Login Agent, the keys can be found within the Registry at the following location:
HKEY_LOCAL_MACHINE\SOFTWARE\Blue Prism Limited\LoginAgent

LogFileDir – specifies the location where the log file will be generated.
LogLevel – specifies the granularity of logs. 0: Disabled (default); 1: Error messages; 2: Debug messages; 4: Trace
messages. For a combination of levels, the values can be added together. E.g. a value of 7 will provide error
messages, debug messages and trace messages.

Logging is only recommended while troubleshooting.


It is necessary to reboot the device to apply registry setting changes.

Anonymous resourcepc logins are disabled


When the Blue Prism environment is configured to prevent anonymous public runtime resources, this message indicates
that the runtime resource is prevented from connecting because it is trying to establish an anonymous connection.
Common solutions are:

Configure the runtime resource to authenticate against the environment when it starts up.
See the Advanced Installation section for information on configuring Login Agent runtime resources to authenticate
against Blue Prism.
Re-configure the environment to allow Anonymous Public runtime resources (not recommended)

Using the Login Agent


Once Login Agent has been deployed on the required devices, the Login Agent Release Package can be imported into the
environment. This package includes a number of components that can be used to illustrate how to interact with a device
that has been configured with Login Agent.
To import the package, select File > Import, browse to the Blue Prism Login Agent directory of the Blue Prism installation,
and select the Login Agent Release.bprelease file. The data is copied into the database so it only needs to be completed
once for each relevant Blue Prism environment.
The default Login and Change Password processes require that a Credential record is created for each device where the
process will be run. These credential records need to be created using the default naming format: Windows Login:
[MachineName]. For example, if the runtime resource is configured on robot0001 on port 8190, the default credential
name should be Windows Login: robot0001.
For more information, see Setting up Windows login credentials.

Example processes
A number of example Blue Prism processes are provided within the release package:

Change Password – Resets the password for the currently logged on user and overwrites the password associated
with the credential record. Provides support for configuring the complexity of the password that will be generated.
Intended for Login Agent runtime resource? No – process terminates immediately
Intended for Blue Prism runtime resource? Yes
Check Logged In – Checks the current logged in state of the device where the runtime resource is running.
Intended for Login Agent runtime resource? Yes
Intended for Blue Prism runtime resource? Yes
Login – Instructs a Login Agent runtime resource to retrieve a credential (based on a default static naming format)
and execute a login. Supports both local account and network account logins.
Intended for Login Agent runtime resource? Yes
Intended for Blue Prism runtime resource? No
Logout – Instructs a Blue Prism runtime resource to close all programs in the user session and log out of Windows.
An optional delay can be passed in as the parameter 'Delay' which will hold off from logging out for the time
specified. The process will still complete immediately, and the session will logout after the delay has passed.
Intended for Login Agent runtime resource? No
Intended for Blue Prism runtime resource? Yes
Specifying a Delay of 1 second (or greater) can help when troubleshooting.

Example actions
A business object, used by the above processes, provides a set of example actions for common authentication
operations with the operating system, such as Log In, Is Logged In, Log Out, Change Password, Lock Screen and
Unlock Screen.
Information regarding the Login Agent VBO and its actions can be found in the API documentation under Help > API
Documentation.

When overwriting existing versions of the Login Agent VBO, it is necessary to re-verify any processes that use the
provided functionality.
