Introduction

UiPath Robots log in to Windows machines to perform automated functions using username and passwords. Integrating the UiPath Robotic Process Automation (RPA) platform with the nShield Hardware Security Module (HSM) provides strong client authentication. When HSM-integrated Robots log in to domain systems, they are using certificate-based login.

Product configurations

Entrust has successfully tested nShield HSM integration in the following configurations:

Product	Version
UiPath Orchestrator (Local and Cloud)	2022.4
UiPath Studio (Robot)	2022.4
Operating system for the Robot machine	Windows Server 2022
nShield 5c	13.3.2
PowerShell	5.1 or later
.NET Framework	4.7.2 or later
IIS	8 or later

Product

Version

UiPath Orchestrator (Local and Cloud)

2022.4

UiPath Studio (Robot)

2022.4

Operating system for the Robot machine

Windows Server 2022

nShield 5c

13.3.2

PowerShell

5.1 or later

.NET Framework

4.7.2 or later

IIS

8 or later

Supported nShield hardware and software versions

Entrust has successfully tested with the following nShield hardware and software versions:

Connect XC

Security World Software	Firmware	Image	OCS	Softcard	Module
12.80.4	12.72.1 (FIPS 140-2 certified)	12.80.5		✓
13.3.2	12.72.1 (FIPS 140-2 certified)	12.80.5		✓

Entrust has successfully tested with the following nShield hardware and software versions:

nShield 5c

Security World Software	Firmware	Image	OCS	Softcard	Module
13.3.2	13.2.2	13.3.2		✓

Security World Software

Firmware

Image

OCS

Softcard

Module

13.3.2

13.2.2

13.3.2

✓

Supported nShield HSM functionality

Feature	Support
Module-Only key	No
OCS cards	No
Softcards	Yes
nSaaS	Yes
FIPS 140 Level 3	Yes ¹

Feature

Support

Module-Only key

OCS cards

Softcards

Yes

nSaaS

Yes

FIPS 140 Level 3

Yes ¹

¹ When using FIPS 140 Level 3, ECDSA credential is required for the Robot to force Windows PKINIT to use something other than SHA-1.

Requirements

An nShield Security World Software installation is required prior to using UiPath RPA. Instructions on how to set up an nShield Connect, a Remote File System (RFS) for the nShield Connect, a client computer, and installation instructions for the nShield Security World are included in the nShield Installation Guide and nShield User Guide.

To access and use cryptographic keys from within a Security World, you must:

Load or create a Security World on the nShield Connect.
Map the key management data folder (kmdata) from your container host machine into the running application containers.

Before installing these products, read the associated documentation:

For the nShield HSM: Installation Guide and User Guide.
If nShield Remote Administration is to be used: nShield Remote Administration User Guide.
UiPath documentation (https://docs.uipath.com/).

In addition:

The integration between nShield HSMs and UiPath RPA requires:
- A correct quorum for the Administrator Card Set (ACS).
- On the Firewall, configure 9004 for the HSM (hardserver).
The following design decisions have an impact on how the HSM is installed and configured:
- Whether your Security World must comply with FIPS 140 Level 3 standards.
  
  If using FIPS 140 Level 3, it is advisable to create an OCS for FIPS authorization. For information about limitations on FIPS authorization, see the Installation Guide of the nShield HSM.
  
  Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.
- Whether to instantiate the Security World as recoverable or not.

More information

For more information about OS support, contact your UiPath sales representative or Entrust nShield Support, https://nshieldsupport.entrust.com.

Access to the Entrust nShield Support Portal is available to customers under maintenance. To request an account, contact nshield.support@entrust.com.