Configuring IBM RPA for high availability
You can configure your IBM RPA server for high availability. See the following procedures to prepare your environment to reduce downtime and increase the reliability of your services.
Before you begin
- For more information about high availability, see High availability and disaster recovery considerations.
- This topic assumes that you are installing the IBM RPA server on a cluster. For instructions about how to install the server, see Install the server.
- Each machine that runs the server must have its own instance of the IBM RPA server, but all instances must share the Storage, log, and antivirus folders. You can share these folders through your cluster's network, or through a common server that is dedicated to storage.
- You must install external dependencies such as IBM MQ, SQL Server, an identity provider (LDAP), and Redis in different servers in the cluster, and you must provide access to these resources for all the IBM RPA server instances.
- For more information about how to install IBM MQ, see Installing IBM MQ.
- For more information about how to install the database, see Set up the databases and see Lesson 2: Connecting from Another Computer - SQL Server to set up an external connection to SQL Server.
- For more information about how to set up an identity provider, see Installing and configuring OpenLDAP.
- Redis is an essential component for high availability. For more information about how to install Redis, see Installing Redis.
Configuring certificates for the cluster
When you install multiple instances of the server in a cluster, the API of the server must communicate using common keys and certificates.
Configuring common certificates for UMS
Your servers in the cluster must use the same keys to communicate with the User Management Service (UMS), which registers the users in the database. To do that, you must provide a custom certificate to UMS on each server.
For more information about how to generate a certificate signed by a Certificate Authority (CA), see Ordering a CA-signed certificate. For more information about how to provide a custom certificate to UMS, see Changing the UMS certificate.
Configuring common machine keys
Choose one of the servers in the cluster to perform the following actions:
- Go to the Server Manager, click Dashboard > Tools > Internet Information Services (IIS) 6.0 Manager.
- On the Connections panel on the left, select the WDG API under the Sites folder on the server instance.
- On the ASP.NET section, click the Machine Key option.
- Clear the Automatically generate at runtime option for both the Validation key and the Decryption key.
- Copy both keys and paste them into a text file for later reference.
- Click Apply.
- Run the following command in PowerShell to encrypt the keys in the IBM RPA web API configuration file:

```powershell
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe -PEF "system.web/machineKey" "C:\Program Files\IBM Robotic Process Automation\IBM Robotic Process Automation Server\Api"
```

After that, configure the other servers to use the same machine keys as the first one.
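A cluster only works when every API instance carries the same validation and decryption keys; one server left on the IIS default (automatically generated keys) cannot read the authentication tickets the others issue. The following check, added here and not part of the IBM RPA documentation, reads the `machineKey` element from each server's web.config (taken before the section is encrypted with `aspnet_regiis -PEF`, or from the reference text file the step above tells you to keep) and reports servers whose keys differ from the first server or are still auto-generated. The web.config samples and key values are constructed placeholders.

```python
"""Audit <machineKey> consistency across IBM RPA API web.config files.
Added example; not IBM code. Run it on the plaintext machineKey section."""
import xml.etree.ElementTree as ET

KEY_ATTRIBUTES = ("validationKey", "decryptionKey", "validation", "decryption")


def machine_key(web_config_xml: str) -> dict:
    """Return the machineKey attributes of one web.config document.
    Raises ValueError when the element is missing or a key is still set to the
    IIS default 'AutoGenerate', which breaks shared sessions in a cluster."""
    root = ET.fromstring(web_config_xml)
    node = next(root.iter("machineKey"), None)
    if node is None:
        raise ValueError("no <machineKey> element found")
    keys = {name: node.get(name) for name in KEY_ATTRIBUTES}
    for name in ("validationKey", "decryptionKey"):
        value = keys[name] or ""
        if not value or value.startswith("AutoGenerate"):
            raise ValueError(f"{name} is missing or auto-generated")
    return keys


def audit_cluster(configs: dict) -> dict:
    """configs maps server name -> web.config text. The first server is the
    reference; the result maps each problematic server to the reason."""
    names = list(configs)
    reference = machine_key(configs[names[0]])
    problems = {}
    for name in names[1:]:
        try:
            if machine_key(configs[name]) != reference:
                problems[name] = f"machineKey differs from {names[0]}"
        except ValueError as exc:
            problems[name] = str(exc)
    return problems


def _sample_config(validation_key: str, decryption_key: str) -> str:
    # Constructed minimal web.config; a real one carries many more sections.
    return f"""<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{validation_key}" decryptionKey="{decryption_key}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""


# Placeholder key material (not real keys): SERVER1 and SERVER2 were configured
# from the same reference file, SERVER3 has its own keys, SERVER4 was never changed.
SAMPLE_CONFIGS = {
    "SERVER1": _sample_config("A1" * 64, "B2" * 32),
    "SERVER2": _sample_config("A1" * 64, "B2" * 32),
    "SERVER3": _sample_config("C3" * 64, "B2" * 32),
    "SERVER4": _sample_config("AutoGenerate,IsolateApps", "AutoGenerate,IsolateApps"),
}

if __name__ == "__main__":
    for server, reason in audit_cluster(SAMPLE_CONFIGS).items():
        print(f"{server}: {reason}")
```

The check deliberately compares the algorithm attributes (`validation`, `decryption`) as well as the key strings, because two servers with identical keys but different algorithms still reject each other's tickets.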
Configuring server keys for Internet Information Services (IIS)
Choose one of the servers in the cluster to configure your server keys:
- Go to one of the Internet Information Services (IIS) servers.
- Toggle off Automatic generation.
- Click Generate Keys on the left.
- Repeat the same steps on the next server and toggle off Automatic generation.
Configuring IBM RPA with a load balancer
To deliver high availability, you must set up a load balancer to manage the traffic in your server cluster. For more information about how to set up a load balancer on your cluster, see Setting up a load balancer on Windows Server.
After you install the server instances, you must ensure that the instances point to the load balancer hostname instead of the servers themselves. With that, the load balancer can reroute the traffic to other instances of the server and avoid overloading one of the servers.
Follow these instructions to change the hostnames on each server that runs IBM RPA in the cluster.
- Open C:\Program Files\IBM Robotic Process Automation\IBM Robotic Process Automation Server\Web\web.config and add the load balancer API hostname to all the CSP directives. You can add the load balancer API hostname next to the server's API hostname.
- Some of the IBM RPA server configuration files are encrypted for security reasons. However, to proceed you must edit the configuration files to point to the load balancer address. You can use the following script to decrypt the authentication and settings configuration files:

```powershell
# Paths of the IBM RPA web API and of the .NET Framework tools folder
$ApiPath = "C:\Program Files\IBM Robotic Process Automation\IBM Robotic Process Automation Server\Api"
$ConfigurationEditorDLLPath = Join-Path -Path $ApiPath -ChildPath "bin\WDG.Automation.ConfigurationEditor.dll"
$AuthenticationDLLPath = Join-Path -Path $ApiPath -ChildPath "bin\WDG.Automation.Authentication.dll"
$RegiisFolderPath = "C:\Windows\Microsoft.NET\Framework\v4.0.30319"
Set-Location $RegiisFolderPath
# aspnet_regiis needs the assemblies that define the custom configuration sections next to it
Copy-Item -Path $ConfigurationEditorDLLPath -Destination $RegiisFolderPath
Copy-Item -Path $AuthenticationDLLPath -Destination $RegiisFolderPath
# -pdf decrypts the named configuration section of the application at the given physical path
.\aspnet_regiis.exe -pdf "appSettings" $ApiPath
.\aspnet_regiis.exe -pdf "wdg.auth" $ApiPath
```

- Open the Settings.config file that is located in the C:\Program Files\IBM Robotic Process Automation\IBM Robotic Process Automation Server\Api directory.
  - Change the API_URL configuration to the load balancer hostname for the API.
  - Change the WEB_URL configuration to the load balancer hostname for the IBM RPA Control Center.
  - Optional: Add the server hostname for the Control Center in the TRUSTED_ORIGIN_URLs configuration. This makes it easier to debug.
- Change the
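Two of the edits above are easy to get subtly wrong by hand: a CSP directive that gains the load balancer origin but keeps it off one directive breaks only that feature, and an over-broad edit loosens the policy for directives that never named the API. The following helpers, added here and not part of IBM's tooling, take a CSP header value (copied out of web.config), add the load balancer origin only to the directives that already list the server's API origin, and update an `appSettings`-style `<add key="..." value="..."/>` entry such as API_URL. That Settings.config layout is an assumption; confirm it against your installation. All sample values are constructed.

```python
"""Point CSP directives and appSettings entries at the load balancer.
Added example; not IBM code. Settings.config layout is assumed."""
import xml.etree.ElementTree as ET


def add_origin_to_csp(csp: str, server_origin: str, lb_origin: str) -> str:
    """Append lb_origin to every directive that already lists server_origin.
    Directives that do not name the server stay unchanged, so the policy is
    loosened only where the load balancer needs it. Running it twice is a no-op."""
    directives = []
    for directive in csp.split(";"):
        tokens = directive.split()
        if not tokens:
            continue  # skip empty fragments such as a trailing ';'
        name, sources = tokens[0], tokens[1:]
        if server_origin in sources and lb_origin not in sources:
            sources.append(lb_origin)
        directives.append(" ".join([name, *sources]))
    return "; ".join(directives)


def set_app_setting(config_xml: str, key: str, value: str) -> str:
    """Return config_xml with the <add key=...> entry for `key` set to `value`.
    An unknown key raises KeyError instead of silently creating a new entry."""
    root = ET.fromstring(config_xml)
    for entry in root.iter("add"):
        if entry.get("key") == key:
            entry.set("value", value)
            break
    else:
        raise KeyError(key)
    return ET.tostring(root, encoding="unicode")


def get_app_setting(config_xml: str, key: str) -> str:
    """Read back one <add key=...> value; used to verify an edit before re-encrypting."""
    root = ET.fromstring(config_xml)
    for entry in root.iter("add"):
        if entry.get("key") == key:
            return entry.get("value")
    raise KeyError(key)


# Constructed sample inputs with the same placeholders the procedure uses.
SAMPLE_CSP = ("default-src 'self'; connect-src 'self' https://SERVER1_HOSTNAME:API_PORT; "
              "frame-ancestors 'self'; img-src 'self' data:")
SAMPLE_SETTINGS = """<appSettings>
  <add key="API_URL" value="https://SERVER1_HOSTNAME:API_PORT" />
  <add key="WEB_URL" value="https://SERVER1_HOSTNAME:WEB_PORT" />
</appSettings>"""

if __name__ == "__main__":
    print(add_origin_to_csp(SAMPLE_CSP, "https://SERVER1_HOSTNAME:API_PORT",
                            "https://LB_HOSTNAME:API_PORT"))
    print(set_app_setting(SAMPLE_SETTINGS, "API_URL", "https://LB_HOSTNAME:API_PORT"))
```

Because the decrypt step above leaves the sections in plaintext until you re-encrypt them, run the edit and the read-back check in one sitting and re-encrypt immediately afterwards.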
Changing the UMS credentials
Choose one of the servers in the cluster to perform the following steps. Once you do that for one server, you don't need to do it for all the others.
- Use a Base64 encoder to encode your UMS admin user name and password in the following format:

  ADMIN_USERNAME:PASSWORD

  This should give you a single Base64-encoded string, like the following one:

  QURNSU5fVVNFUk5BTUU6UEFTU1dPUkQ=

- Create a registration.json file with the following content, replacing the addresses with the addresses of your load balancer (LB_HOSTNAME). You can omit the individual server addresses if you want to, but the following example uses the server's IP addresses in case you want to provide direct access to each individual server:

```json
{
  "scope": "openid profile email",
  "preauthorized_scope": "openid profile email",
  "introspect_tokens": true,
  "appTokenAllowed": true,
  "allow_regexp_redirects": true,
  "client_id": "ha_id",
  "client_secret": "ha_secret",
  "client_name": "ha_client",
  "response_types": ["code", "token", "id_token token"],
  "grant_types": [
    "authorization_code",
    "client_credentials",
    "implicit",
    "refresh_token",
    "urn:ietf:params:oauth:grant-type:jwt-bearer",
    "password"
  ],
  "redirect_uris": [
    "https://LB_HOSTNAME:API_PORT/oidc-callback",
    "https://SERVER1_HOSTNAME:API_PORT/oidc-callback",
    "https://SERVER2_HOSTNAME:API_PORT/oidc-callback"
  ],
  "trusted_uri_prefixes": [
    "https://LB_HOSTNAME:API_PORT",
    "https://SERVER1_HOSTNAME:API_PORT",
    "https://SERVER2_HOSTNAME:API_PORT"
  ],
  "post_logout_redirect_uris": [
    "https://LB_HOSTNAME:WEB_PORT",
    "https://SERVER1_HOSTNAME:WEB_PORT",
    "https://SERVER2_HOSTNAME:WEB_PORT"
  ]
}
```

- Create a registration for the new OIDC application on UMS:

```
curl -X POST "https://SERVER_HOSTNAME:9443/oidc/endpoint/ums/registration" --header "Content-Type: application/json" --header "Authorization: Basic BASE_64_CREDENTIALS" -d @path/to/registration.json -k
```

  Replace BASE_64_CREDENTIALS with your encoded credentials for UMS and path/to/registration.json with the path where you saved the registration.json file. The @ before the path makes curl send the contents of the file rather than the path itself.
- Open the Authenticate.config file located in the C:\Program Files\IBM Robotic Process Automation\IBM Robotic Process Automation Server\Api\ directory.
- On the oidcSettings tag:
  - Change the endpoints addresses to point to your load balancer hostname.
  - Change the clientId and clientSecret to ha_id and ha_secret, respectively.
  - Change the
- Use the following script to re-encrypt your configuration files:

```powershell
$ApiPath = "C:\Program Files\IBM Robotic Process Automation\IBM Robotic Process Automation Server\Api"
$RegiisFolderPath = "C:\Windows\Microsoft.NET\Framework\v4.0.30319"
Set-Location $RegiisFolderPath
# -pef encrypts the named section in place with the RSA protected configuration provider
.\aspnet_regiis.exe -pef "appSettings" $ApiPath -prov "RsaProtectedConfigurationProvider"
.\aspnet_regiis.exe -pef "wdg.auth" $ApiPath -prov "RsaProtectedConfigurationProvider"
```
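The registration document above is written by hand for two servers; with more nodes it is easy to leave one redirect URI out of `trusted_uri_prefixes` or to type an `http://` origin, and UMS will then either reject the login or accept a redirect it should not. The following script, added here and not IBM's code, covers the first three steps of this procedure: it produces the Basic credential for the Authorization header, generates the same registration.json layout for any number of servers (the load balancer is always listed first), and checks the result before you post it with curl. Host names and ports used when it runs stand-alone are constructed placeholders; the `ha_id`/`ha_secret` defaults are the values from the procedure, which you should replace with a secret of your own in a real deployment.

```python
"""Generate and check the UMS OIDC client registration for an IBM RPA cluster.
Added example; not IBM code. Sample host names and ports are constructed."""
import base64
import json


def basic_auth_header(username: str, password: str) -> str:
    """Base64-encode USERNAME:PASSWORD for the HTTP Basic Authorization header."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def build_registration(lb_hostname, api_port, web_port, servers=(),
                       client_id="ha_id", client_secret="ha_secret") -> dict:
    """Return the registration document. Individual servers are optional and
    only needed when you want direct access to each node."""
    hosts = [lb_hostname, *servers]
    return {
        "scope": "openid profile email",
        "preauthorized_scope": "openid profile email",
        "introspect_tokens": True,
        "appTokenAllowed": True,
        "allow_regexp_redirects": True,
        "client_id": client_id,
        "client_secret": client_secret,
        "client_name": "ha_client",
        "response_types": ["code", "token", "id_token token"],
        "grant_types": [
            "authorization_code", "client_credentials", "implicit", "refresh_token",
            "urn:ietf:params:oauth:grant-type:jwt-bearer", "password",
        ],
        "redirect_uris": [f"https://{h}:{api_port}/oidc-callback" for h in hosts],
        "trusted_uri_prefixes": [f"https://{h}:{api_port}" for h in hosts],
        "post_logout_redirect_uris": [f"https://{h}:{web_port}" for h in hosts],
    }


def check_registration(reg: dict) -> list:
    """Return findings to fix before posting: every URI must use https, and
    every redirect URI must sit under one of the trusted prefixes."""
    findings = []
    all_uris = reg["redirect_uris"] + reg["post_logout_redirect_uris"] + reg["trusted_uri_prefixes"]
    for uri in all_uris:
        if not uri.startswith("https://"):
            findings.append(f"not https: {uri}")
    for uri in reg["redirect_uris"]:
        if not any(uri.startswith(prefix + "/") for prefix in reg["trusted_uri_prefixes"]):
            findings.append(f"redirect URI not covered by a trusted prefix: {uri}")
    return findings


if __name__ == "__main__":
    # Constructed values; replace with your load balancer, server names and ports.
    reg = build_registration("rpa-lb.example.com", 8443, 443,
                             servers=["rpa-node1.example.com", "rpa-node2.example.com"])
    problems = check_registration(reg)
    if problems:
        raise SystemExit("\n".join(problems))
    with open("registration.json", "w", encoding="utf-8") as fh:
        json.dump(reg, fh, indent=2)
    print(basic_auth_header("ADMIN_USERNAME", "PASSWORD"))
```

The written file is what the curl step above posts with `-d @registration.json`; the printed header value goes in place of `Basic BASE_64_CREDENTIALS`.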
If you use different hostnames for the IBM RPA Control Center and the API, follow these steps:
- Open the env-config.js file located in the C:\Program Files\IBM Robotic Process Automation\IBM Robotic Process Automation Server\Web\ directory.
- Set the REACT_APP_API_URL value to the load balancer hostname for the API.
- Open the server.xml file located in the C:\ProgramData\IBM Robotic Process Automation\servers\umsServer\ directory.
- Configure the virtualHost tag to add your load balancer address, replacing LB_HOSTNAME with the hostname of your load balancer:

```xml
<virtualHost id="default_host">
    <hostAlias>${hostname}:${https_port}</hostAlias>
    <hostAlias>LB_HOSTNAME:${https_port}</hostAlias>
</virtualHost>
```

- Start the umsServer service from the Windows Task Manager.