orchestrator
latest
false
重要 :
新发布内容的本地化可能需要 1-2 周的时间才能完成。
UiPath logo, featuring letters U and I in white

Orchestrator 用户指南

上次更新日期 2025年10月16日

Managing credential proxies

您可以为自己的自定义凭据存储创建和管理代理,从而单独控制凭据的安全性。

代理类型

您可以在以下两种类型之间进行选择:

  • 已连接的代理(由 Orchestrator 管理) - 当机器人请求凭据时,Orchestrator 会从代理检索凭据,并将其传递给机器人。
    图 1. 连接代理架构

  • 断开连接的代理(由代理服务管理) - 当机器人请求凭据时,会直接从代理检索凭据,而无需通过 Orchestrator。此类型仅与 23.10 及更高版本的 Robot 兼容。
    图 2. 已断开的代理架构 断开连接的代理架构的图形表示
    重要提示:
    • 企业 仅当您订阅企业版 - 高级许可计划时,才可以使用已断开连接的 Credentials Proxy。
    • 如果要检索断开连接的代理凭据,则需要使用以下最低版本:2.0.1(针对代理)和 24.3(针对系统活动包)。

断开连接设置

Orchestrator Credentials Proxy 的断开连接工作方式与连接设置类似,但存在一些关键区别。

appsettings.json 文件中指定代理应以断开连接模式启动。要执行此操作,请在 AppSettings 下为参数 CredentialsProxyType 设置 Disconnected 值。
这将告诉代理在启动时以不同的方式执行操作,并从 appsettings.json 文件中读取其安全存储配置。如果参数缺失或值不同,代理将以其连接模式启动。
请在 appsettings.json 文件中指定代理应以断开连接模式启动。要执行此操作,请在 AppSettings 下为 CredentialsProxyType 参数设置 Disconnected 值。
{
...
  "AppSettings": {
  ...
    "CredentialsProxyType": "Disconnected",
  ...
  }
}{
...
  "AppSettings": {
  ...
    "CredentialsProxyType": "Disconnected",
  ...
  }
}
这将告诉代理在启动时以不同的方式执行操作,并从appsettings.json文件中读取其安全存储配置。如果参数缺失或值不同,代理将以其连接模式启动。

安全存储配置

每个配置条目必须包含:

  • :在链接存储时在 Orchestrator 中使用的唯一标识符。在配置列表中必须是唯一的

  • 类型:安全存储的类型(例如 Azure Key Vault、BeyondTrust、CyberArk、HashiCorp 保险库、InMemory 等)。

  • 上下文:安全存储实施所需的数据,因存储类型而异。

选中以下安全存储配置示例:
{
...
  "AppSettings": {
  ...
    "SecureStoreConfigurations": [
      {
        "Key": "SecureStoreKey1",
        "Type": "AzureKeyVault (read only)",
        "Context": {
          "KeyVaultUri": "{someUri}",
          "DirectoryId": "{someDirectoryId}",
          "ClientId": "{someClientId}",
          "ClientSecret": "{someClientSecret}"
        }
      },
      {
        "Key": "SecureStoreKey2",
        "Type": "BeyondTrust Password Safe - Managed Accounts",
        "Context": {
          "Hostname": "{someHost}",
          "APIRegistrationKey": "{someApiKey}",
          "APIRunAsUsername": "{someApiUsername}",
          "DefaultManagedSystemName": "",
          "SystemAccountDelimiter": "/",
          "ManagedAccountType": "system"
        }
      },
      {
        "Key": "InMemoryKey1",
        "Type": "InMemorySecureStore",
        "Context": {
        }
      }
    ]
  ...
  }
}{
...
  "AppSettings": {
  ...
    "SecureStoreConfigurations": [
      {
        "Key": "SecureStoreKey1",
        "Type": "AzureKeyVault (read only)",
        "Context": {
          "KeyVaultUri": "{someUri}",
          "DirectoryId": "{someDirectoryId}",
          "ClientId": "{someClientId}",
          "ClientSecret": "{someClientSecret}"
        }
      },
      {
        "Key": "SecureStoreKey2",
        "Type": "BeyondTrust Password Safe - Managed Accounts",
        "Context": {
          "Hostname": "{someHost}",
          "APIRegistrationKey": "{someApiKey}",
          "APIRunAsUsername": "{someApiUsername}",
          "DefaultManagedSystemName": "",
          "SystemAccountDelimiter": "/",
          "ManagedAccountType": "system"
        }
      },
      {
        "Key": "InMemoryKey1",
        "Type": "InMemorySecureStore",
        "Context": {
        }
      }
    ]
  ...
  }
}
备注:
SecureStoreConfigurations参数是配置数组,因此您可以根据需要拥有尽可能多的配置。
相同类型的多个配置均受支持,只要 Key 值唯一。

启动验证

在断开连接模式下运行时,代理会在启动时执行验证:

  • 验证 appsettings.json中是否存在所需的配置
  • 验证在 SecureStoreConfigurations中未找到重复的密钥。
  • 确认所有Type值都有效。
  • 验证保险库连接(ValidateContextAsync对每个商店进行调用)。

代理级设置

某些安全凭据存储需要主机级配置,需要在appsettings.Production.json中指定:
  • CyberArk:设置(例如 CLIPasswordSDKExePathUsePowerShellCLI、 和 AdditionalAllowedCharacters)必须在 AppSettings 下定义。
    {
    // ...
      "AppSettings": {
        "Plugins.SecureStores.CyberArk.CLIPasswordSDKExePath": "D:\\SomePath\\CLIPasswordSDK.exe",
        // ...
      }
      // ...
    }{
    // ...
      "AppSettings": {
        "Plugins.SecureStores.CyberArk.CLIPasswordSDKExePath": "D:\\SomePath\\CLIPasswordSDK.exe",
        // ...
      }
      // ...
    }
  • CyberArkCCP:可能需要 Plugins.SecureStores.CyberArkCCP.KeyStorageFlags = "MachineKeySet"
    {
    // ...
      "AppSettings": {
        "Plugins.SecureStores.CyberArkCCP.KeyStorageFlags": "MachineKeySet",
        // ...
      }
      // ...
    }{
    // ...
      "AppSettings": {
        "Plugins.SecureStores.CyberArkCCP.KeyStorageFlags": "MachineKeySet",
        // ...
      }
      // ...
    }

配置测试示例

查看以下实际 appsettings.Production.json 示例。

示例 1:基本

使用 BeyondTrust 和 Azure 密钥保险库 进行配置:

{
  "Jwt": {
    "Keys": [
      "<YourKey>"
    ]
  },
  "AppSettings": {
    "CredentialsProxyType": "Disconnected",
    "SecureStoreConfigurations": [
      {
        "Key": "SecureStoreKey3",
        "Type": "BeyondTrust Password Safe - Team Passwords",
        "Context": {
          "Hostname": "<Hostname",
          "APIRegistrationKey": "<APIRegistrationKey",
          "APIRunAsUsername": "<Username>",
          "FolderPathPrefix": "/", // default is "/", but it can be changed to anything
          "FolderPasswordDelimiter": "/" // default is "/", but it can be changed to anything
        }
      }
    ]
  }
}{
  "Jwt": {
    "Keys": [
      "<YourKey>"
    ]
  },
  "AppSettings": {
    "CredentialsProxyType": "Disconnected",
    "SecureStoreConfigurations": [
      {
        "Key": "SecureStoreKey3",
        "Type": "BeyondTrust Password Safe - Team Passwords",
        "Context": {
          "Hostname": "<Hostname",
          "APIRegistrationKey": "<APIRegistrationKey",
          "APIRunAsUsername": "<Username>",
          "FolderPathPrefix": "/", // default is "/", but it can be changed to anything
          "FolderPasswordDelimiter": "/" // default is "/", but it can be changed to anything
        }
      }
    ]
  }
}

示例 2:额外日志和多个配置

包括多个保险库和高级记录。

{
  "Logging": {
    "LogLevel": {
      "Default": "Trace",
      "Microsoft": "Warning",
      "Microsoft.Hosting.Lifetime": "Information",
      "Microsoft.AspNetCore.HttpLogging.HttpLoggingMiddleware": "Information"
    }
  },
  "Jwt": {
    "Keys": [ "<YourKey>" ]
  },
  "AppSettings": {
    "Plugins.SecureStores": "UiPath.Orchestrator.CyberArk.dll;UiPath.Orchestrator.AzureKeyVault.SecureStore.dll;UiPath.Orchestrator.SecureStore.CyberArkCCP.dll;UiPath.Orchestrator.SecureStore.HashiCorpVault.dll;UiPath.Orchestrator.SecureStore.ThycoticSecretServer.dll;UiPath.Orchestrator.SecureStore.BeyondTrust.dll;UiPath.Orchestrator.SecureStore.AWSSecretsManager.dll",
    "UseInMemorySecureStore": "true",
    "CredentialsProxyType": "Disconnected",
    "SkipValidateSecureStoreConfigurations": "false", // for Testing only; never to be shown to clients or used in prod
    "SecureStoreConfigurations": [
      // AzureKeyVault owned by <username>; contact for more info
      // Robot externalName: "<name>"
      // The expected value of this secret is "<name>"
      {
        "Key": "SecureStoreKey1",
        "Type": "AzureKeyVault (read only)",
        "Context": {
          "KeyVaultUri": "<VaultURL>",
          "DirectoryId": "<DirectoryID>",
          "ClientId": "<ClientID>",
          "ClientSecret": "<ClientSecret>"
        }
      },
      // In case this fails, check our internal documentation on checking if BeyondTrust is down
      // <InternalDocsURL>
      // Robot externalName: "<ExternalName>"
      {
        "Key": "SecureStoreKey2",
        "Type": "BeyondTrust Password Safe - Managed Accounts",
        "Context": {
          "Hostname": "<Hostname>",
          "APIRegistrationKey": "<APIRegistrationKey>",
          "APIRunAsUsername": "<Username>",
          "DefaultManagedSystemName": "",
          "SystemAccountDelimiter": "/",
          "ManagedAccountType": "system"
        }
      },
      // In case this fails, check our internal documentation on checking if BeyondTrust is down
      // <InternalDocsURL>
      // Robot externalName: "<ExternalName>"
      {
        "Key": "SecureStoreKey3",
        "Type": "BeyondTrust Password Safe - Team Passwords",
        "Context": {
          "Hostname": "<Hostname>",
          "APIRegistrationKey": "<APIRegistrationKey>",
          "APIRunAsUsername": "<Username>",
          "FolderPathPrefix": "/", // default is "/", but it can be changed to anything
          "FolderPasswordDelimiter": "/" // default is "/", but it can be changed to anything
        }
      },
      {
        // asset external name: Operating System-WinDomain
        // password: <password>
        "Key": "SecureStoreKey1",
        "Type": "CyberArk Conjur Cloud (read only)",
        "Context": {
          "ServiceUrl": "<ServiceURL>",
          "LoginName": "<LoginName>",
          "ApiKey": "<APIKey>",
          "VariableIdPrefix": "data/vault/Safe"
        }
      },
      // Must have an empty context
      // No values on startup; should add values using the endpoints before trying trying to get anything
      {
        "Key": "InMemoryKey1",
        "Type": "InMemorySecureStore",
        "Context": {
        }
      }
    ]
  }
}{
  "Logging": {
    "LogLevel": {
      "Default": "Trace",
      "Microsoft": "Warning",
      "Microsoft.Hosting.Lifetime": "Information",
      "Microsoft.AspNetCore.HttpLogging.HttpLoggingMiddleware": "Information"
    }
  },
  "Jwt": {
    "Keys": [ "<YourKey>" ]
  },
  "AppSettings": {
    "Plugins.SecureStores": "UiPath.Orchestrator.CyberArk.dll;UiPath.Orchestrator.AzureKeyVault.SecureStore.dll;UiPath.Orchestrator.SecureStore.CyberArkCCP.dll;UiPath.Orchestrator.SecureStore.HashiCorpVault.dll;UiPath.Orchestrator.SecureStore.ThycoticSecretServer.dll;UiPath.Orchestrator.SecureStore.BeyondTrust.dll;UiPath.Orchestrator.SecureStore.AWSSecretsManager.dll",
    "UseInMemorySecureStore": "true",
    "CredentialsProxyType": "Disconnected",
    "SkipValidateSecureStoreConfigurations": "false", // for Testing only; never to be shown to clients or used in prod
    "SecureStoreConfigurations": [
      // AzureKeyVault owned by <username>; contact for more info
      // Robot externalName: "<name>"
      // The expected value of this secret is "<name>"
      {
        "Key": "SecureStoreKey1",
        "Type": "AzureKeyVault (read only)",
        "Context": {
          "KeyVaultUri": "<VaultURL>",
          "DirectoryId": "<DirectoryID>",
          "ClientId": "<ClientID>",
          "ClientSecret": "<ClientSecret>"
        }
      },
      // In case this fails, check our internal documentation on checking if BeyondTrust is down
      // <InternalDocsURL>
      // Robot externalName: "<ExternalName>"
      {
        "Key": "SecureStoreKey2",
        "Type": "BeyondTrust Password Safe - Managed Accounts",
        "Context": {
          "Hostname": "<Hostname>",
          "APIRegistrationKey": "<APIRegistrationKey>",
          "APIRunAsUsername": "<Username>",
          "DefaultManagedSystemName": "",
          "SystemAccountDelimiter": "/",
          "ManagedAccountType": "system"
        }
      },
      // In case this fails, check our internal documentation on checking if BeyondTrust is down
      // <InternalDocsURL>
      // Robot externalName: "<ExternalName>"
      {
        "Key": "SecureStoreKey3",
        "Type": "BeyondTrust Password Safe - Team Passwords",
        "Context": {
          "Hostname": "<Hostname>",
          "APIRegistrationKey": "<APIRegistrationKey>",
          "APIRunAsUsername": "<Username>",
          "FolderPathPrefix": "/", // default is "/", but it can be changed to anything
          "FolderPasswordDelimiter": "/" // default is "/", but it can be changed to anything
        }
      },
      {
        // asset external name: Operating System-WinDomain
        // password: <password>
        "Key": "SecureStoreKey1",
        "Type": "CyberArk Conjur Cloud (read only)",
        "Context": {
          "ServiceUrl": "<ServiceURL>",
          "LoginName": "<LoginName>",
          "ApiKey": "<APIKey>",
          "VariableIdPrefix": "data/vault/Safe"
        }
      },
      // Must have an empty context
      // No values on startup; should add values using the endpoints before trying trying to get anything
      {
        "Key": "InMemoryKey1",
        "Type": "InMemorySecureStore",
        "Context": {
        }
      }
    ]
  }
}

示例 3:自定义日志路径和 InMemoryStore

{
  "NLog": {
    "throwConfigExceptions": true,
    "targets": {
      "logfile": {
        "type": "File",
        "maxArchiveFiles": 180,
        "fileName": "<FileName>",
        "layout": "${longdate} ${logger} ${message}${onexception:${newline}${exception:maxInnerExceptionLevel=10:format=shortType,message,stacktrace:separator=*:innerExceptionSeparator=&#xD;&#xA;&#x9;}}"
      }
    },
    "rules": [
      {
        "logger": "*",
        "minLevel": "Information",
        "writeTo": "logconsole,logfile,eventLog"
      }
    ]
  },
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "Jwt": {
    "Keys": [
      "<YourKey>"
    ]
  },
  "AppSettings": {
    "Plugins.SecureStores": "UiPath.Orchestrator.CyberArk.dll;UiPath.Orchestrator.AzureKeyVault.SecureStore.dll;UiPath.Orchestrator.SecureStore.CyberArkCCP.dll;UiPath.Orchestrator.SecureStore.CyberArkConjur.dll;UiPath.Orchestrator.SecureStore.HashiCorpVault.dll;UiPath.Orchestrator.SecureStore.ThycoticSecretServer.dll;UiPath.Orchestrator.SecureStore.BeyondTrust.dll;UiPath.Orchestrator.SecureStore.AWSSecretsManager.dll",
    "UseInMemorySecureStore": "true",
    "CredentialsProxyType": "Disconnected",
    "SkipValidateSecureStoreConfigurations": "true",
    "SecureStoreConfigurations": [
      {
        "Key": "InMemoryKey1",
        "Type": "InMemorySecureStore",
        "Context": {}
      }
    ]
  }
}{
  "NLog": {
    "throwConfigExceptions": true,
    "targets": {
      "logfile": {
        "type": "File",
        "maxArchiveFiles": 180,
        "fileName": "<FileName>",
        "layout": "${longdate} ${logger} ${message}${onexception:${newline}${exception:maxInnerExceptionLevel=10:format=shortType,message,stacktrace:separator=*:innerExceptionSeparator=&#xD;&#xA;&#x9;}}"
      }
    },
    "rules": [
      {
        "logger": "*",
        "minLevel": "Information",
        "writeTo": "logconsole,logfile,eventLog"
      }
    ]
  },
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "Jwt": {
    "Keys": [
      "<YourKey>"
    ]
  },
  "AppSettings": {
    "Plugins.SecureStores": "UiPath.Orchestrator.CyberArk.dll;UiPath.Orchestrator.AzureKeyVault.SecureStore.dll;UiPath.Orchestrator.SecureStore.CyberArkCCP.dll;UiPath.Orchestrator.SecureStore.CyberArkConjur.dll;UiPath.Orchestrator.SecureStore.HashiCorpVault.dll;UiPath.Orchestrator.SecureStore.ThycoticSecretServer.dll;UiPath.Orchestrator.SecureStore.BeyondTrust.dll;UiPath.Orchestrator.SecureStore.AWSSecretsManager.dll",
    "UseInMemorySecureStore": "true",
    "CredentialsProxyType": "Disconnected",
    "SkipValidateSecureStoreConfigurations": "true",
    "SecureStoreConfigurations": [
      {
        "Key": "InMemoryKey1",
        "Type": "InMemorySecureStore",
        "Context": {}
      }
    ]
  }
}

创建 Credentials Proxy

安装 Orchestrator Credentials Proxy 后,您可以创建一个自定义代理,用于保存自定义凭据存储。

图 3. “添加 Credentials Proxy”页面 “添加 Credentials Proxy”页面的屏幕截图
为完成此操作,请按照以下步骤操作:
  1. 在租户级别,单击“凭据”>“代理”>“添加 Credentials Proxy”。系统将显示“添加 Credentials Proxy”窗口。
  2. 选择“已连接的代理(由 Orchestrator 管理)”或“已断开的代理(由代理服务管理)”。
  3. 为代理添加名称。
  4. 添加与 Orchestrator Credentials Proxy 设置中包含的虚拟机相关的 URL。
  5. 添加密钥。

    对于已连接的代理,根据安装方法的不同,这是由 .msi 安装程序生成的密钥,或者是由 Jwt:Keys 参数保存的密钥。

    对于断开连接的代理,此密钥必须已存在于已断开连接的代理的某个本地配置文件中。

    您在步骤 4 和 5 中提供的信息在 Orchestrator 与包含自定义凭据存储插件的安装之间创建链接。

  6. 单击“创建”。

    然后,您可以按如下方式添加所需的存储:

  7. 在租户级别,单击“凭据”>“存储”>“添加凭据存储”
  8. 在“代理”列表中,选择刚刚创建的代理。
  9. 从“类型”列表中,选择插件定义的第三方凭据存储。

Editing a credentials proxy

要编辑代理,请单击“更多操作”>“编辑”。系统将显示“编辑 Credentials Proxy”页面,允许您根据需要更改名称、URL 或密钥。

正在删除 Credentials Proxy

要删除代理,请选择“更多操作”>“移除”。如果所选代理正在使用中,将出现一个警告对话框,列出将受影响的机器人和资产的数量。选择“”以确认移除,或选择“”以中止。

图 4. “代理”选项卡

此页面有帮助吗?

获取您需要的帮助
了解 RPA - 自动化课程
UiPath Community 论坛
Uipath Logo
信任与安全
© 2005-2025 UiPath。保留所有权利。