Encrypt The Elasticsearch Details In The Appsettings With Azure App Orchestrator

How to encrypt / hide the Elasticsearch username and password in the Azure app service?

Issue Description:

For PaaS deployments of Orchestrator using the Azure Web App service, only the configuration settings defined specifically in the Configuration section of the portal are encrypted by default. Every other detail on the file system for the application is not encrypted. This means that anything defined in the UiPath.Orchestrator.dll.config file (or any other item) is not encrypted.

This can be an issue where connection strings are used in the nlog configuration section.

Issue Resolution:

  1. A solution for this already exists. The NLog configuration has multiple database targets defined, and each of them needs a connection string. UiPath has a mechanism for referencing connection strings that are defined in the Azure web app, and the same mechanism can be used here.
    • Note: this solution also applies to on-prem MSI installations. Wherever the DB connection string is defined in the UiPath.Orchestrator.dll.config file, the same updates can be made. However, for on-prem MSI installations, there is a solution for encrypting parts of the .dll.config file.
  2. In the Azure app, go to the 'Settings' section and select 'Configuration'.
  3. Under 'Connection strings', create a new connection string.
  4. Specify a name that corresponds to the part of the credentials that needs to be encrypted. Each part of the credentials needs to be its own separate connection string. The name is arbitrary, but here are some examples:
    1. For username use: ElasticSearchUsername
    2. For password use: ElasticSearchPassword
    3. For the URL use: ElasticSearchURI
  5. Next, go to the UiPath.Orchestrator.dll.config file and update the nlog reference
    1. This can be accessed using App Service Editor under Development tools. Open the editor and find the UiPath.Orchestrator.dll.config file.
    2. Alternatively, the Kudu console under Development Tools -> Advanced Tools can be used.
      1. Once the Kudu console is open, go to Debug Console -> cmd
      2. Then navigate to site/wwwroot.
      3. Then locate and open up the UiPath.Orchestrator.dll.config file
    3. Before updating the file, make sure to make a backup.
    4. Edit the Elasticsearch target so that it references the connection strings that were created.
      1. The reference works like this: ${ui-connection-strings:item=<name of connection string>}
      2. Here are some examples
        • For username use: ${ui-connection-strings:item=ElasticSearchUsername}
        • For password use: ${ui-connection-strings:item=ElasticSearchPassword}
        • For the URL use: ${ui-connection-strings:item=ElasticSearchURI}
    5. The final product will look like:
      • <target xsi:type="ElasticSearch" name="robotElastic" uri="${ui-connection-strings:item=ElasticSearchURI}" requireAuth="true" username="${ui-connection-strings:item=ElasticSearchUsername}" password="${ui-connection-strings:item=ElasticSearchPassword}" index="${event-properties:item=indexName}-${date:format=yyyy.MM}" documentType="logEvent" includeAllProperties="true" layout="${message}" excludedProperties="agentSessionId,tenantId,indexName" />
    6. The way it works is that the start string 'ui-connection-strings' tells our software to populate the value using a connection string. The final part 'item=<connection string name>' specifies which connection string to use.
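
To confirm after editing that no Elasticsearch credential is left in the file as a literal value, and that every reference has the ${ui-connection-strings:item=<name>} form, the config can be checked with a short script. This is an added example, not part of the original article or of UiPath's tooling; the function name audit_elastic_targets is hypothetical, the sample config is constructed, and it assumes the nlog section declares the xsi namespace prefix.

```python
import re
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
# A well-formed reference: ${ui-connection-strings:item=<name>}
GOOD_REF = re.compile(r"^\$\{ui-connection-strings:item=[^{}\s]+\}$")
# Attributes of the ElasticSearch target that the article moves out of the file.
SENSITIVE = ("uri", "username", "password")

def audit_elastic_targets(config_xml):
    """Return (target name, attribute, problem) for every ElasticSearch
    attribute that is not a clean ui-connection-strings reference."""
    findings = []
    for el in ET.fromstring(config_xml).iter():
        # Compare the local tag name so an NLog default namespace does not matter.
        if el.tag.rsplit("}", 1)[-1] != "target":
            continue
        if el.get(XSI_TYPE, "").lower() != "elasticsearch":
            continue
        for attr in SENSITIVE:
            value = el.get(attr)
            if value is None or GOOD_REF.match(value):
                continue
            if "ui-connection-strings" in value:
                problem = "malformed reference"      # e.g. missing 'item='
            else:
                problem = "literal value in file"    # still stored unencrypted
            findings.append((el.get("name"), attr, problem))
    return findings

# Constructed sample (not a real Orchestrator config): one good reference,
# one reference with the '=' missing, and one password left as a literal.
SAMPLE = """<configuration>
  <nlog xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <targets>
      <target xsi:type="ElasticSearch" name="robotElastic"
              uri="${ui-connection-strings:item=ElasticSearchURI}"
              requireAuth="true"
              username="${ui-connection-strings:itemElasticSearchUsername}"
              password="example-password" />
      <target xsi:type="Database" name="database"
              connectionString="${ui-connection-strings:item=ExampleDb}" />
    </targets>
  </nlog>
</configuration>"""

if __name__ == "__main__":
    for name, attr, problem in audit_elastic_targets(SAMPLE):
        print(f"{name}: {attr}: {problem}")
```

Run it against a copy of UiPath.Orchestrator.dll.config downloaded from site/wwwroot; an empty result means every checked attribute is a well-formed reference.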