Blue Prism Installation Engineer Exam Notes AIE02
Here are the notes I made to prepare for this exam.
Provisioning a DB
- Collation: the key requirements are code page 1252 and case-insensitive (CI); either of the following works:
- Latin1_General_CI_AS, SQL_Latin1_General_CP1_CI_AS
- Recommended to put each part on a different drive: OS, SQL Server binaries, tempdb, data file, log file.
- Enable Instant File Initialization. It skips the zero-fill step when data files are created or grown, so autogrowth of data files is much faster. It does not apply to transaction log files, which are always zero-initialised. It requires the SQL Server service account to hold "Perform volume maintenance tasks" (SE_MANAGE_VOLUME_NAME), and because newly allocated blocks are not zeroed, whatever was previously on that disk space can remain readable to anyone with privileged access to the file; acceptable on a dedicated, access-controlled volume.
- Ensure that the following Database options are turned ON for the Blue Prism Database(s):
- Required permissions, i.e. database role memberships (3 of them):
- The database roles with the bpa_ prefix
- Best NOT to virtualise the DB server.
- A vCPU is not a one-to-one mapping to a physical CPU; e.g. 4 vCPUs may deliver more like 1.5 physical cores' worth of throughput, less than you'd expect.
- On shared (SAN or virtualised) storage, separate drive letters no longer guarantee separate physical disks, so the disk separation above buys less than it used to.
Maintaining a DB
- Don't shrink the database or its files; shrinking fragments the indexes and the files just grow again.
- Recovery model: SIMPLE vs. FULL. Under FULL, regular transaction log backups are required in addition to full backups, otherwise the log never truncates and grows without bound.
- Watch disk space and fragmentation (especially of the log file), and set the Windows paging file to an appropriate size based on RAM.
- Verify backups with RESTORE VERIFYONLY.
- Check integrity with DBCC CHECKDB.
- Index fragmentation: ALTER INDEX ... REORGANIZE or REBUILD.
- UPDATE STATISTICS ... WITH FULLSCAN, COLUMNS.
- Better to grow the database files during maintenance windows than to wait for autogrowth to fire during production.
- DBCC SQLPERF(LOGSPACE) shows the log size and the % of log space used for each database.
- The guide also provides a query that shows file space used against allocated file size for a specific database.
- Archive session logs from the command line: automatec.exe /archive /sso /age 3m (archives logs older than 3 months, authenticating with single sign-on).
- Add the /delete flag to delete the logs instead of archiving them.
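The checks listed above as one scripted maintenance pass. This is an added example, not a script from the Blue Prism installation guide; it uses the SqlServer module's Invoke-Sqlcmd, and the instance name, database name, backup directory and the 10%/30% fragmentation thresholds are assumptions. It grows files and never shrinks them, and takes a log backup only when the recovery model is FULL.

```powershell
# Added example, not from the Blue Prism installation guide. Run as a DBA
# account with backup rights and db_owner on the Blue Prism database, not as
# the Blue Prism service account. Instance, database, backup path and the
# fragmentation thresholds are assumptions.
#Requires -Modules SqlServer
$ErrorActionPreference = 'Stop'
$Instance  = 'SQL01\BLUEPRISM'   # assumed
$Database  = 'BluePrism'         # assumed
$BackupDir = 'E:\Backups'        # assumed

function Invoke-Bp {
    param([string]$Query, [string]$Db = $Database)
    Invoke-Sqlcmd -ServerInstance $Instance -Database $Db -Query $Query
}

# 1. Full backup, then prove it is readable. Under FULL recovery the log only
#    truncates on a log backup, so take one too; SIMPLE needs no log backup.
$stamp = Get-Date -Format 'yyyyMMdd_HHmm'
$full  = Join-Path $BackupDir "$Database`_$stamp.bak"
$log   = Join-Path $BackupDir "$Database`_$stamp.trn"
Invoke-Bp "BACKUP DATABASE [$Database] TO DISK = N'$full' WITH CHECKSUM;" 'master'
Invoke-Bp "RESTORE VERIFYONLY FROM DISK = N'$full' WITH CHECKSUM;" 'master'
$model = (Invoke-Bp "SELECT recovery_model_desc AS M FROM sys.databases WHERE name = N'$Database';" 'master').M
if ($model -eq 'FULL') {
    Invoke-Bp "BACKUP LOG [$Database] TO DISK = N'$log' WITH CHECKSUM;" 'master'
}

# 2. Integrity. With NO_INFOMSGS any output at all is a problem, and with
#    $ErrorActionPreference = 'Stop' a corruption error aborts the script here.
Invoke-Bp "DBCC CHECKDB (N'$Database') WITH NO_INFOMSGS;" 'master'

# 3. Index fragmentation: REORGANIZE at 10-30%, REBUILD above 30%, only for
#    indexes large enough (page_count > 1000) for fragmentation to matter.
$fragQuery = @"
SELECT QUOTENAME(s.name) + '.' + QUOTENAME(t.name) AS TableName,
       QUOTENAME(i.name) AS IndexName,
       ps.avg_fragmentation_in_percent AS Frag
FROM sys.dm_db_index_physical_stats(DB_ID(), NULL, NULL, NULL, 'LIMITED') ps
JOIN sys.indexes i ON i.object_id = ps.object_id AND i.index_id = ps.index_id
JOIN sys.tables  t ON t.object_id = i.object_id
JOIN sys.schemas s ON s.schema_id = t.schema_id
WHERE i.name IS NOT NULL AND ps.page_count > 1000 AND ps.avg_fragmentation_in_percent > 10;
"@
foreach ($ix in (Invoke-Bp $fragQuery)) {
    $op = if ($ix.Frag -ge 30) { 'REBUILD' } else { 'REORGANIZE' }
    Invoke-Bp "ALTER INDEX $($ix.IndexName) ON $($ix.TableName) $op;"
}

# 4. Statistics with a full scan, column statistics included. REBUILD refreshes
#    index statistics, REORGANIZE does not, and neither touches column stats.
$tables = Invoke-Bp "SELECT QUOTENAME(s.name) + '.' + QUOTENAME(t.name) AS T FROM sys.tables t JOIN sys.schemas s ON s.schema_id = t.schema_id;"
foreach ($t in $tables) {
    Invoke-Bp "UPDATE STATISTICS $($t.T) WITH FULLSCAN, COLUMNS;"
}

# 5. Space: log usage for this database, then used vs. allocated per file.
Invoke-Bp 'DBCC SQLPERF(LOGSPACE);' 'master' |
    Where-Object { $_.'Database Name' -eq $Database } | Format-Table -AutoSize
$files = Invoke-Bp @"
SELECT name, type_desc,
       size * 8 / 1024 AS SizeMB,
       FILEPROPERTY(name, 'SpaceUsed') * 8 / 1024 AS UsedMB
FROM sys.database_files;
"@
$files | Format-Table -AutoSize

# 6. Grow now, inside the window, rather than letting autogrowth fire mid-shift.
foreach ($f in ($files | Where-Object { $_.UsedMB -gt 0.8 * $_.SizeMB })) {
    $newSize = [int]($f.SizeMB * 1.25)
    Invoke-Bp "ALTER DATABASE [$Database] MODIFY FILE (NAME = N'$($f.name)', SIZE = ${newSize}MB);" 'master'
}
```

Schedule it in the maintenance window as a job owned by a DBA account; the Blue Prism service account should hold only the bpa_ roles from the provisioning notes and none of the backup or ALTER DATABASE rights this script needs.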
3 security policies and 1 group policy to set on the Runtime Resource (the Login Agent needs them):
Security Settings > Local Policies > Security Options
- Interactive logon: Do not require CTRL+ALT+DEL (Enabled)
- Interactive logon: Message text for users attempting to log on (blank)
- Interactive logon: Message title for users attempting to log on (blank)
Computer Configuration > Administrative Templates > Control Panel > Personalization
- Do not display the lock screen (Enabled)
- These can be set in Local Security Policy / Local Group Policy on the Resource, or pushed from Active Directory through a GPO; if a domain GPO defines them, any local change is overwritten at the next policy refresh.
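The four settings above written to the registry values those policies map to, with a read-back check. This is an added example and not Blue Prism's own tooling; the registry paths and value names are the standard Windows ones for these policies, and the expected states (CTRL+ALT+DEL not required, blank logon message, lock screen off) are what an unattended logon needs.

```powershell
# Added example, not Blue Prism code. Run elevated on the Runtime Resource.
# On a domain-joined machine put the same values in a GPO instead; a local
# write here is overwritten at the next policy refresh.
$system          = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$personalization = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization'

$wanted = @(
    # Interactive logon: Do not require CTRL+ALT+DEL -> Enabled
    @{ Path = $system;          Name = 'DisableCAD';         Type = 'DWord';  Value = 1  }
    # Interactive logon: Message text for users attempting to log on -> blank
    @{ Path = $system;          Name = 'LegalNoticeText';    Type = 'String'; Value = '' }
    # Interactive logon: Message title for users attempting to log on -> blank
    @{ Path = $system;          Name = 'LegalNoticeCaption'; Type = 'String'; Value = '' }
    # Administrative Templates > Control Panel > Personalization >
    # Do not display the lock screen -> Enabled
    @{ Path = $personalization; Name = 'NoLockScreen';       Type = 'DWord';  Value = 1  }
)

function Set-LoginAgentLogonPolicy {
    foreach ($v in $wanted) {
        if (-not (Test-Path $v.Path)) { New-Item -Path $v.Path -Force | Out-Null }
        # -Force overwrites an existing value of any type
        New-ItemProperty -Path $v.Path -Name $v.Name -PropertyType $v.Type -Value $v.Value -Force | Out-Null
    }
}

function Test-LoginAgentLogonPolicy {
    # Emits one object per setting that is still wrong; no output means compliant.
    foreach ($v in $wanted) {
        $actual = (Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue).($v.Name)
        if ($null -eq $actual -or "$actual" -ne "$($v.Value)") {
            [pscustomobject]@{
                Setting  = "$($v.Path)\$($v.Name)"
                Expected = $v.Value
                Actual   = $actual
            }
        }
    }
}

Set-LoginAgentLogonPolicy
$drift = Test-LoginAgentLogonPolicy
if ($drift) { $drift | Format-Table -AutoSize }
else { 'All four logon settings are in the state the Login Agent expects.' }
```

Removing the logon banner and the CTRL+ALT+DEL requirement weakens the interactive logon protections on that machine, so the Resource should be dedicated to automation with no human interactive users, and the deviation recorded wherever the organisation tracks policy exceptions.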
- Credentials for the Login Agent must be named in the format Windows Login: [MachineName], e.g. Windows Login: robot0001
- Config file: C:\ProgramData\Blue Prism Limited\Automate V3\LoginAgentService.config
- If no connection is specified in the configuration file, the first connection in the Blue Prism client connection list on the local device is used.
- Login Agent logging is enabled via the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Blue Prism Limited\LoginAgent
- Running the Runtime Resource PC anonymously can prevent the Login Agent from working.
- Use Active Directory (single sign-on) when possible, for security.
- It also simplifies access to network resources such as shared drives, mailboxes, printers, etc.
- Access is controlled by (authorization):
- User roles. It is not appropriate to restrict by User Role when process sessions are created by the scheduler.
- Processes. The user needs access to the parent process only; the sub-processes it calls do not need to be granted separately.
At the request of an authorized and validated client, a credential is decrypted locally on the Blue Prism Server and passed to that client over a secure connection.
- For Application Server connections, the Application Server does the encryption/decryption, so the key never leaves it.
- For direct DB connections, the Runtime Resource does it itself, using an encryption scheme key that must then be held in the database rather than on an Application Server.
- Once the decrypted value has been handed over, the memory holding it on the device is immediately cleared and disposed.
Work queues can optionally encrypt all work queue data with an encryption scheme.
Securing Network Connectivity
- Require secure inbound instructional connections: all Runtime Resources must have certificates.
- Allow anonymous public Runtime Resources: specifies that public Runtime Resources do not need to explicitly authenticate to connect to the environment.
- Session Management enforces permissions of controlling user: enabled by default; disables some legacy create, delete and start CLI commands, replacing them with createas, deleteas and startas.
3 ways to encrypt the Application Server to DB connection. Encryption is negotiated with SQL Server: it can be requested by the client connection string or forced on the server side, and in every case a certificate on the SQL Server is what makes it verifiable.
- Use a verifiable (CA-issued) cert and specify SQL parameters (encrypt=true)
- Use a self-signed cert and SQL parameters (encrypt=true; trustservercertificate=true), which encrypts but skips validation of the server's identity
- Use a verifiable cert and force encryption on the DB side
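The three options above as SqlClient connection strings, each opened and then asked, on the server side, whether the session is actually TLS-protected. This is an added example, not Blue Prism code: the instance and database names and the use of Windows authentication are assumptions, and the DMV it queries needs VIEW SERVER STATE, so run it as a DBA rather than as the Blue Prism service account.

```powershell
# Added example, not Blue Prism code. Windows PowerShell 5.1 (System.Data.SqlClient).
$server   = 'SQL01\BLUEPRISM'   # assumed
$database = 'BluePrism'         # assumed
$base     = "Server=$server;Database=$database;Integrated Security=True;"

$options = [ordered]@{
    # 1. CA-issued certificate on SQL Server; the client demands TLS and
    #    validates chain and host name. The strong option.
    'Verifiable cert + Encrypt=True'                          = $base + 'Encrypt=True;'
    # 2. Self-signed certificate; traffic is encrypted but validation is skipped,
    #    so anything answering on that port could impersonate the database.
    'Self-signed + Encrypt=True;TrustServerCertificate=True'  = $base + 'Encrypt=True;TrustServerCertificate=True;'
    # 3. Force Encryption turned on in SQL Server Configuration Manager with a
    #    verifiable cert; the client string says nothing and the server refuses
    #    plaintext. Only the DMV result below shows whether it is really on.
    'Verifiable cert + Force Encryption on the server'        = $base
}

function Get-SqlSessionEncryption {
    param([Parameter(Mandatory)][string]$ConnectionString)
    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $ConnectionString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # encrypt_option for our own session: 'TRUE' when TLS was negotiated.
        $cmd.CommandText = 'SELECT encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID;'
        [string]$cmd.ExecuteScalar()
    } catch {
        # Option 1 against a self-signed certificate lands here ("certificate
        # chain was issued by an authority that is not trusted"): that is the
        # validation working. The fix is a trusted cert, not switching to option 2.
        "FAILED: $($_.Exception.Message)"
    } finally {
        $conn.Dispose()
    }
}

foreach ($name in $options.Keys) {
    '{0,-58} {1}' -f $name, (Get-SqlSessionEncryption -ConnectionString $options[$name])
}
```

A 'FALSE' for the third option means Force Encryption is not actually on and the Application Server is talking to the database in plaintext; a 'TRUE' for the second option only says the bytes are encrypted, not that the server on the other end is the one you think it is.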
Secure Windows Authentication
- Talks about Login Agent
- Talks about how credential manager can rotate passwords automatically based on # of days. I’m guessing this means inside the actual process
Infra Ref Guide
Installing Enterprise Edition
For an SSO DB connection, you need to input:
- Domain name
- Security group for admin users
Resource registration and addressing: FQDN vs. short name (machine name)
- register and communicate using the short name
- register with the short name, communicate using the FQDN
- register and communicate using the FQDN (best; it is also the name a TLS certificate can be matched against unambiguously)
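Because "Require secure inbound instructional connections" means every Resource needs a certificate, the registration name matters: the certificate has to carry the name the Resource registers and is addressed by. The following added example (not Blue Prism code) looks in the machine's certificate store for a certificate usable for a given registration name and reports the things that commonly go wrong (no private key, out of date, chain not trusted); the store path and the use of the host's own FQDN as default are assumptions, and the startup switch itself (sslcert in the notes) is not reproduced here.

```powershell
# Added example, not Blue Prism code. Needs the PKI module's Test-Certificate
# (Windows 8 / Server 2012 and later). Store path is an assumption.
function Get-ResourceCertificate {
    param(
        # Name the Resource registers with; default is this host's own FQDN.
        [string]$ResourceName = [System.Net.Dns]::GetHostEntry('').HostName,
        [string]$StorePath = 'Cert:\LocalMachine\My'   # assumed store
    )
    $now = Get-Date
    foreach ($cert in Get-ChildItem $StorePath) {
        # DnsNameList is the SAN list (or CN when there is no SAN).
        $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        if ($names -notcontains $ResourceName -and $cert.Subject -ne "CN=$ResourceName") { continue }
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Names         = $names -join ','
            HasPrivateKey = $cert.HasPrivateKey        # without it the Resource cannot present the cert
            InDate        = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
            NotAfter      = $cert.NotAfter
            # Chain builds to a root this machine trusts and the cert is valid
            # for server authentication against this name. A cert can be present
            # and still fail this, so check it separately from "does one exist".
            ChainTrusted  = [bool](Test-Certificate -Cert $cert -Policy SSL -DNSName $ResourceName `
                                       -ErrorAction SilentlyContinue -WarningAction SilentlyContinue)
        }
    }
}

# Compare what a short-name registration would find with an FQDN registration.
$fqdn  = [System.Net.Dns]::GetHostEntry('').HostName
$short = $env:COMPUTERNAME
foreach ($n in @($fqdn, $short)) {
    "--- certificates usable for registration name '$n' ---"
    $found = Get-ResourceCertificate -ResourceName $n
    if ($found) { $found | Format-Table -AutoSize }
    else { "none: a Resource registered as '$n' would have nothing matching to present" }
}
```

Run it before starting the Resource with the sslcert option: a certificate that matches only the FQDN is useless to a Resource registered by short name, which is one more reason to pick the "FQDN for both" option above.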
Single sign-on for Blue Prism does not support built-in Groups or those with derived membership such as Domain Users or Authenticated Users. It is also recommended that the Security Groups used do not contain Foreign Security Principals.
To install Blue Prism use the command:
msiexec /i “BluePrism6.3.0_x64.msi” /QB- ALLUSERS=1
msiexec /i "BluePrism6.3.0_x64.msi" ADDLOCAL=BluePrism,BrowserPlugin,OutlookAutomation /qn
SQL auth = put the name in createdb; Windows auth means use an empty string?
Database secured using SQL Authentication
AutomateC.exe /createdb “*“
Database secured using Windows Authentication
AutomateC.exe /createdb “”
- 64-bit application integration using invasive techniques is not supported.
- Microsoft .NET Framework 4.7 is required.
- All Blue Prism components on each Interactive Client, Resource and Server must be restarted for license changes to be recognized
- Error Message 2869 on installation – means uninstall the previous version first
- Require secure inbound instructional connections = Runtime Resources must be started with the sslcert option.
- Allow anonymous public Runtime Resources: if DISABLED, Resources must authenticate with /user or /sso.
I just passed this and wanted to jot down a few notes before I forget, especially since the exam needs to be retaken once version 7 comes out.
- There were tons of "choose X out of Y" questions. The choices could go up to 6 or 7, e.g. choose 5 out of 7, choose 3 out of 5, etc.
- Multiple tricky questions around certificates: when does a cert problem prevent the Runtime Resource from starting? When does a cert problem prevent the RR from connecting (but still allow it to start)? I didn't know.
- No questions around scripting
- No “you see this error message, what does it mean”?
- Nothing from the command line commands at all from what I recall
- The names of the options in the System Settings were incorrect? “Require Secure Inbound Connections” was named something else. I don’t know if this meant that this was the wrong answer or if it was just used as a generic text, and that it was a valid response.
- What DB permissions are needed to perform an upgrade? I didn't know if you needed db_owner or anything. I don't know what permission is needed if you need to create a new table inside an existing database.
- I remember one question in particular where I thought that one of the choices was outside of the scope of BP, but still seemed like a valid response. It was something around security, and one of the options was to use firewalls to prevent unknown Runtime Resources from connecting to the App Server or something like that. It seemed valid from a technical standpoint but I didn’t choose that answer even though I thought it was doable.