Monday, October 21, 2019

[Nginx 1.17.3] Create Certificate and Private Key files for Nginx to proxy Orchestrator


 Nginx needs a client certificate, its private key and the root certificate in order to proxy UiPath Orchestrator over TLS: the certificate and key are what Nginx presents to IIS when the Orchestrator site asks for a client certificate, and the root certificate is what Nginx uses to verify the Orchestrator server certificate (proxy_ssl_verify). All three files are produced by extracting the .pfx files of the SSL certificates exported from IIS on the server where Orchestrator is running.

○ Environment:

  [Nginx]
     Version: 1.17.3
  [OS]
     Windows Server 2016 (for Nginx)
     Windows 10 (for OpenSSL)

○ Create the Certificate and Private Key files for Nginx.

1. Export a .pfx file from IIS on the server where Orchestrator is running.
  1. Open IIS Manager on the server where Orchestrator is running, then open "Server Certificates".
  2. Select the certificate to be exported and open it.
  3. Select the "Details" tab and press the "Copy to File..." button.
  4. Press the "Next" button.
  5. Select "Yes, export the private key" and press "Next".
  6. Check "Include all certificates in the certification path if possible" and press "Next".
  7. Enter "Password" and "Confirm password" and press "Next". This password is the "Import Password" that openssl asks for in step 2 below.
  8. Enter "File name" and press "Next".
  9. Press "Finish". The .pfx file is created.
  10. Export the Root Certificate as a .pfx file in the same way. The private key of the root certificate is usually not exportable on the Orchestrator server; in that case the wizard does not offer .pfx, and "Base-64 encoded X.509 (.CER)" should be chosen instead. That file is already PEM and can be used as root.pem directly, so step 2.7 can be skipped for it.

2. Convert the .pfx files.

  1. OpenSSL must be installed. An MSI installer for OpenSSL on Windows can be downloaded from https://slproweb.com/products/Win32OpenSSL.html.
  2. Copy the exported .pfx files into any directory on the PC where OpenSSL is installed.
  3. Type the command below in that directory to extract only the certificate from the server .pfx file (-clcerts -nokeys leaves out the CA certificates and the private key).
  4. C:\any directory> openssl pkcs12 -in {server_pfx_file_name} -clcerts -nokeys -out domain.cer
    Enter Import Password: {password_entered_when_exporting_the_server_pfx}
    MAC verified OK
    Warning unsupported bag type: secretBag
  5. Type the command below to extract the private key from the same .pfx file. There is no -export option here: -export builds a new PKCS#12 file from PEM input, which is not what is wanted. Without -nodes the key is written encrypted under a new pass phrase, and that pass phrase is what goes into password.txt for proxy_ssl_password_file. (With -nodes the key is written in clear text; password.txt is then unnecessary and the key file must be protected by file permissions instead.)
  6. C:\any directory> openssl pkcs12 -in {server_pfx_file_name} -nocerts -out domain.rsa
    Enter Import Password: {password_entered_when_exporting_the_server_pfx}
    MAC verified OK
    Warning unsupported bag type: secretBag
    Enter PEM pass phrase: {new_pass_phrase_for_the_private_key}
    Verifying - Enter PEM pass phrase: {retype_new_pass_phrase}
  7. Type the command below to convert the root .pfx file to a PEM file. Only the certificate is needed, so -nokeys is used and no pass phrase is asked for.
  8. C:\any directory> openssl pkcs12 -in {root_pfx_file_name} -nokeys -out root.pem
    Enter Import Password: {password_entered_when_exporting_the_root_pfx}
    MAC verified OK

  The "Warning unsupported bag type: secretBag" message is printed while the Windows-exported file is parsed and is harmless; the output file is still written. With OpenSSL 3.x instead of the 1.x Windows build, a .pfx exported by Windows may be encrypted with RC2/3DES and fail with an "unsupported" error; add -legacy to the openssl pkcs12 commands in that case.

3. Set the converted files in the Nginx configuration.

  1. Reference the 3 files created above (domain.cer, domain.rsa and root.pem) in the Nginx conf file as below. The proxy_ssl_* directives are identical for every location, so they are set once at server level and inherited; only proxy_pass and the proxy_set_header lines differ per location (proxy_set_header is inherited only by a location that sets none of its own, which is why it is repeated in each one). Nginx reads the files by content, so the .cer and .rsa extensions do not matter as long as the content is PEM. password.txt contains the PEM pass phrase entered in step 2.6, one pass phrase per line.
        ...
        # TLS towards the Orchestrator upstream; inherited by the locations below
        proxy_ssl_server_name on;
        proxy_ssl_name orchestrator.nbdlab.local;
        proxy_ssl_session_reuse off;
        proxy_http_version 1.1;
        proxy_redirect https://{orchestrator_server_name} https://{proxy_server_name};

        # Client certificate presented to IIS. Only required when the Orchestrator
        # site is configured to require client certificates; otherwise these
        # three lines (and password.txt) can be left out.
        proxy_ssl_certificate PATH_TO_DOMAIN_CER/domain.cer;
        proxy_ssl_certificate_key PATH_TO_DOMAIN_RSA/domain.rsa;
        proxy_ssl_password_file PATH_TO_PASSWORD_FILE/password.txt;

        # Verify the Orchestrator server certificate against the exported root
        proxy_ssl_trusted_certificate PATH_TO_ROOT_PEM/root.pem;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;

        # SSLv2/SSLv3 and the RC4, EXPORT and LOW cipher groups must stay disabled
        proxy_ssl_protocols TLSv1.2;
        proxy_ssl_ciphers HIGH:!aNULL:!MD5;

        location / {
            proxy_pass https://orchestrator;

            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host orchestrator.nbdlab.local;
            proxy_set_header X-Forwarded-Proto https;
        }
        location /MixedAuth {
            proxy_pass https://orchestrator;

            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host orchestrator.nbdlab.local;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header Connection "";
        }
        location /signalr {
            proxy_pass https://orchestrator;

            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host orchestrator.nbdlab.local;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
        ...
  2. Check the configuration with "nginx -t" before reloading. If root.pem does not contain the CA that issued the certificate IIS presents, every proxied request fails with 502 and error.log shows "upstream SSL certificate verify error"; with proxy_ssl_verify on, the trusted file must hold the root of the chain that Orchestrator's certificate was issued from.

○ Reference:

1. https://nginx.org/en/





[MuleSoft Standalone 3.9] Create pkcs12 files for MuleSoft


 MuleSoft Standalone needs a pkcs12 file in order to call the UiPath Orchestrator REST API over HTTPS. The certificate and private key in it are obtained by extracting the .pfx file of the SSL certificate exported from IIS on the server where Orchestrator is running.

○ Environment:

  [MuleSoft Standalone]
     Version: 3.9.0
  [MuleSoft Anypoint Studio]
     Version: 6.4
  [OS]
     Windows Server 2016 (for MuleSoft Standalone)
     Windows 10 (for MuleSoft Anypoint Studio)

○ Create the Certificate and Private Key files for MuleSoft.

1. Export a .pfx file from IIS on the server where Orchestrator is running.
  1. Open IIS Manager on the server where Orchestrator is running, then open "Server Certificates".
  2. Select the certificate to be exported and open it.
  3. Select the "Details" tab and press the "Copy to File..." button.
  4. Press the "Next" button.
  5. Select "Yes, export the private key" and press "Next".
  6. Check "Include all certificates in the certification path if possible" and press "Next".
  7. Enter "Password" and "Confirm password" and press "Next". This password is the "Import Password" that openssl asks for in step 2 below.
  8. Enter "File name" and press "Next".
  9. Press "Finish". The .pfx file is created.


2. Create the pkcs12 files.

  1. OpenSSL must be installed. An MSI installer for OpenSSL on Windows can be downloaded from https://slproweb.com/products/Win32OpenSSL.html (see Reference).
  2. Copy the exported .pfx file into any directory on the PC where OpenSSL is installed.
  3. Type the command below in that directory to convert the .pfx file to a PEM file holding the certificates and the private key (re-encrypted under the new PEM pass phrase).
  4. C:\any directory> openssl pkcs12 -in {.pfx_file_name} -out orchestrator.pem
    Enter Import Password: {password_entered_when_exporting_the_pfx}
    MAC verified OK
    Enter PEM pass phrase: {new_password_for_the_PEM_file}
    Verifying - Enter PEM pass phrase: {retype_new_password}
    Warning unsupported bag type: secretBag
  5. Type the command below to convert the PEM file to a .p12 file. The input is the orchestrator.pem just created. A .pfx is already a PKCS#12 file; the round trip re-encodes it with OpenSSL's defaults and gives the key entry the alias set by -name, which is the alias the Mule key store configuration refers to. Note that -export uses the Export Password for both the file and the key inside it.
  6. C:\any directory> openssl pkcs12 -export -in orchestrator.pem -out orchestrator.p12 -name "orchestrator"
    Enter pass phrase for orchestrator.pem: {password_for_the_PEM_file_above}
    Enter Export Password: {new_password_for_the_pkcs12_file}
    Verifying - Enter Export Password: {retype_new_password}
    unable to write random state
  7. Do the same for the Root Certificate exported from IIS. A root certificate normally has no exportable private key, so the export wizard produces a .cer (choose "Base-64 encoded X.509") rather than a .pfx; step 4 is then unnecessary, and step 6 needs -nokeys to build a certificate-only .p12 for the trust store: openssl pkcs12 -export -nokeys -in root.cer -out root.p12 -name "root"

  The "Warning unsupported bag type: secretBag" and "unable to write random state" messages come from the Windows OpenSSL build and are harmless; the output files are still written. With OpenSSL 3.x a Windows-exported .pfx may fail to parse with an "unsupported" error because of its RC2/3DES encryption; add -legacy to the openssl pkcs12 command in step 4 in that case.
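Both conversion procedures, the .pfx-to-PEM extraction of the Nginx post above and the PEM-to-.p12 re-export of this post, run end to end in the POSIX shell script below against a constructed stand-in for the IIS export, followed by the checks worth running before the files are handed to Nginx or Mule (key matches certificate, certificate chains to the root, no key material in the certificate files, the .p12 opens and carries the alias). This is an added example, not code from either post or from UiPath, Nginx or MuleSoft; the file names, passwords and the alias are assumptions, and the stand-in .pfx files are built with the same OpenSSL that then parses them, so the -legacy caveat for real Windows exports does not arise here.

```shell
#!/bin/sh
# Added example (not from either post): the .pfx -> PEM extraction of the Nginx
# post and the PEM -> .p12 re-export of the MuleSoft post, run end to end on a
# constructed stand-in for the IIS export, followed by the checks to run before
# the files are handed to Nginx or Mule. File names and passwords are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed stand-in for the IIS export: a throwaway root CA, a server
# certificate signed by it, and the two .pfx files the posts start from
# (server certificate with key and chain; root certificate without a key).
make_test_pfx() {
  pass="$1"
  cd "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root CA" \
    -keyout root.key -out root.crt 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=orchestrator.nbdlab.local" \
    -keyout server.key -out server.csr 2>/dev/null
  openssl x509 -req -in server.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1 -out server.crt 2>/dev/null
  openssl pkcs12 -export -in server.crt -inkey server.key -certfile root.crt \
    -passout "pass:$pass" -out server.pfx
  openssl pkcs12 -export -nokeys -in root.crt -passout "pass:$pass" -out root.pfx
}

# Nginx post, step 2: certificate, private key and root certificate as PEM.
# No -export here. -nocerts without -nodes keeps the key encrypted under
# key_pw, which is the value nginx reads from proxy_ssl_password_file.
extract_pem() {
  import_pw="$1"; key_pw="$2"
  cd "$WORK"
  openssl pkcs12 -in server.pfx -clcerts -nokeys -passin "pass:$import_pw" -out domain.cer
  openssl pkcs12 -in server.pfx -nocerts -passin "pass:$import_pw" \
    -passout "pass:$key_pw" -out domain.rsa
  openssl pkcs12 -in root.pfx -nokeys -passin "pass:$import_pw" -out root.pem
  printf '%s\n' "$key_pw" >password.txt
  chmod 600 domain.rsa password.txt
}

# MuleSoft post, step 2: .pfx -> .pem -> .p12 with the alias Mule looks up,
# plus a certificate-only root.p12 for the trust store (built from the
# root.pem produced by extract_pem).
make_p12() {
  import_pw="$1"; export_pw="$2"
  cd "$WORK"
  openssl pkcs12 -in server.pfx -passin "pass:$import_pw" -passout "pass:$import_pw" \
    -out orchestrator.pem
  openssl pkcs12 -export -in orchestrator.pem -passin "pass:$import_pw" \
    -name "orchestrator" -passout "pass:$export_pw" -out orchestrator.p12
  openssl pkcs12 -export -nokeys -in root.pem -passout "pass:$export_pw" -out root.p12
}

# Checks before pointing Nginx or Mule at the files. Prints "ok" and returns 0
# only when all pass; otherwise prints the failing check and returns 1.
verify_files() {
  key_pw="$1"; export_pw="$2"
  cd "$WORK"
  # 1. the key really belongs to the certificate (identical public key)
  cert_pub=$(openssl x509 -in domain.cer -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in domain.rsa -passin "pass:$key_pw" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate"; return 1; }
  # 2. the certificate chains to root.pem, which is what proxy_ssl_verify enforces
  openssl verify -CAfile root.pem domain.cer >/dev/null 2>&1 \
    || { echo "certificate does not chain to root.pem"; return 1; }
  # 3. no key material in the certificate files, and the key file is encrypted
  if grep -q "PRIVATE KEY" domain.cer root.pem; then echo "key in certificate file"; return 1; fi
  grep -q "ENCRYPTED PRIVATE KEY" domain.rsa || { echo "domain.rsa is not encrypted"; return 1; }
  # 4. the .p12 opens with its password and carries the alias set by -name
  openssl pkcs12 -in orchestrator.p12 -nokeys -passin "pass:$export_pw" 2>/dev/null \
    | grep -q "friendlyName: orchestrator" || { echo "alias missing in .p12"; return 1; }
  echo ok
}

# End-to-end run with constructed passwords; prints "ok"
run_demo() {
  make_test_pfx "ImportPw1"
  extract_pem "ImportPw1" "KeyPw2"
  make_p12 "ImportPw1" "ExportPw3"
  verify_files "KeyPw2" "ExportPw3"
}

run_demo
```

Run it with sh on a machine with OpenSSL 1.1 or 3.x; it prints ok and leaves the files in a temporary directory (set WORK to choose one). The same openssl commands, minus the -passin/-passout options, are what the interactive steps in both posts type by hand; verify_files is the part to keep, because a mismatched key or a wrong root.pem only shows up at proxy time as a 502 from Nginx or a handshake failure from Mule.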

3. Set the pkcs12 files in the Mule application configuration.

  1. Open the Mule App in MuleSoft Anypoint Studio.
  2. Copy the pkcs12 files (orchestrator.p12 and root.p12) to the "src/main/resources" directory of the project so they are on the application class path.
  3. Open the HTTP Request connector configuration and switch to its TLS/SSL tab.
  4. Set orchestrator.p12 as the Key Store (type PKCS12, the key store password, the key password, which is the same Export Password, and the alias given to -name) and root.p12 as the Trust Store (type PKCS12, with its export password).
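The same settings written out as the Mule 3 XML that Studio generates for that tab, as an added example and not a fragment from the post: the context name orchestratorTls, the request-config name, the host and the property placeholders for the passwords are assumptions, the tls and http namespaces are assumed to be declared in the usual way at the top of the Mule XML, and the attribute names are those of the Mule 3 tls and http schemas as the author of this example recalls them, so they should be compared with the XML Studio writes.

```xml
<!-- Added example (not from the post). TLS context for the HTTP Request connector
     in a Mule 3.9 application; names and property keys are illustrative. -->
<tls:context name="orchestratorTls">
    <!-- root.p12 holds only the root certificate exported from IIS; Mule uses it
         to verify the certificate Orchestrator presents. -->
    <tls:trust-store path="root.p12" type="pkcs12" password="${root.p12.password}"/>
    <!-- orchestrator.p12: certificate and private key exported from IIS, stored
         under the alias given to "openssl pkcs12 -export -name". openssl uses the
         Export Password for the key as well, so keyPassword equals password. -->
    <tls:key-store path="orchestrator.p12" type="pkcs12" alias="orchestrator"
                   keyPassword="${orchestrator.p12.password}"
                   password="${orchestrator.p12.password}"/>
</tls:context>

<!-- HTTPS request configuration pointing at Orchestrator and using the context above -->
<http:request-config name="Orchestrator_HTTPS_Request_Configuration" protocol="HTTPS"
                     host="orchestrator.nbdlab.local" port="443"
                     tlsContext-ref="orchestratorTls"/>
```

The password properties are read from a properties file or the mule-app.properties of the deployment rather than being written into the XML, which is also what keeps them out of version control; the key store is only consulted when Orchestrator's IIS site requests a client certificate, while the trust store is used on every HTTPS request.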

○ Reference:

1. https://slproweb.com/products/Win32OpenSSL.html