Configuring credentials stored using DPAPI
Credentials are needed to authenticate with Pega Robot Manager, Windows, and applications throughout unattended Pega Robotic Automation sessions. The default, built-in credential provider for unattended Pega Robotic Automation sessions is Microsoft's DPAPI (Data Protection Application Programming Interface).
DPAPI is a cryptographic application programming interface that is available as a built-in component in Microsoft Windows. By default, Pega Robotic Automation uses DPAPI to securely store credentials for unattended automations.
DPAPI keeps all credentials on the local system in a storage vault that is created by the robotic automation component that you are using. For instance, the ASO Manager has a vault that is accessible only by the logged-in user. The Credential Store component has a separate vault that is also accessible only to the logged-in user. If multiple users work on a computer, each user has a separate vault. This means that when you need to update credentials, you must log in to each unattended Robot Runtime system and update the credentials for each user.
For nearly all cryptosystems, one of the challenges is managing the keys — for example, how to store the decryption key. If you store the key in plain text, then any user who can access the key can access the encrypted data. If you encrypt the key, then you need another key, and on and on.
DPAPI allows you to encrypt data using a symmetric key that is derived from the user's logon secrets (user scope), or, in the case of system encryption, from the system's domain authentication secrets (machine scope). A blob protected in user scope can be decrypted by any process that runs as that user, so the vault protects credentials from other accounts on the computer, not from code that runs in the user's own session.
The DPAPI master keys used for encrypting the user's RSA keys are stored in the following folder, where {SID} is the Security Identifier of the user:
%APPDATA%\Microsoft\Protect\{SID}
Windows stores the DPAPI key in the same file as the master key that protects the user's private keys. The DPAPI key typically consists of 64 bytes of random data.
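The following PowerShell example is added here to illustrate the user-scope versus machine-scope behaviour described above; it is not part of the Pega documentation and does not use any Pega component. It protects a constructed sample secret with DPAPI in both scopes through the .NET ProtectedData wrapper, shows that a blob only unprotects with the same optional entropy, and lists the current user's master key files. The secret value and the entropy label are constructed for the example; it targets Windows PowerShell 5.1 on a Windows host.

```powershell
# Added example: DPAPI protect/unprotect via .NET ProtectedData (wraps CryptProtectData).
# Not Pega code. The secret and entropy values below are constructed for illustration.
Add-Type -AssemblyName System.Security

$plain   = [Text.Encoding]::UTF8.GetBytes('example-password-123')   # constructed sample secret
$entropy = [Text.Encoding]::UTF8.GetBytes('example-app-v1')         # constructed optional entropy

$userScope    = [Security.Cryptography.DataProtectionScope]::CurrentUser
$machineScope = [Security.Cryptography.DataProtectionScope]::LocalMachine

# User scope: the blob is bound to this user's DPAPI master key, so only processes
# running as this Windows account can decrypt it.
$userBlob = [Security.Cryptography.ProtectedData]::Protect($plain, $entropy, $userScope)

# Machine scope: the blob is bound to the machine master key, so any local account
# (including an attacker with local access) can decrypt it. Avoid it for credentials.
$machineBlob = [Security.Cryptography.ProtectedData]::Protect($plain, $entropy, $machineScope)

Write-Host ("User-scope blob:    {0} bytes" -f $userBlob.Length)
Write-Host ("Machine-scope blob: {0} bytes" -f $machineBlob.Length)

# Round trip with the matching scope and entropy succeeds.
$back = [Security.Cryptography.ProtectedData]::Unprotect($userBlob, $entropy, $userScope)
Write-Host ("Unprotected (same user, same entropy): {0}" -f [Text.Encoding]::UTF8.GetString($back))

# Wrong entropy (or a different user) fails with CryptographicException rather than
# returning garbage, so callers must handle the exception.
try {
    [void][Security.Cryptography.ProtectedData]::Unprotect($userBlob, $null, $userScope)
    Write-Host 'Unexpected: unprotect without entropy succeeded'
}
catch [System.Security.Cryptography.CryptographicException] {
    Write-Host ("Unprotect without entropy failed as expected: {0}" -f $_.Exception.Message)
}

# The per-user master keys that make the user-scope blob decryptable live under
# %APPDATA%\Microsoft\Protect\{SID}; the files are hidden, hence -Force.
$sid = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
Get-ChildItem -Force -Path (Join-Path $env:APPDATA "Microsoft\Protect\$sid" )
```

Run the script as the account that the unattended Robot Runtime uses; the master key listing is the folder this page describes. If an administrator resets (rather than the user changing) that account's password, user-scope blobs can become undecryptable unless the domain backup key or credential history recovers the master key, which is one reason the page asks you to log in as each user when updating credentials.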
The following diagram shows the tasks that you must perform to use DPAPI for credential storage:
For more information, see the following articles:
- Enabling the credential store to use DPAPI
Securely handle credentials for unattended automations by enabling the Pega Robotic Automation credential store to use DPAPI.
- Adding credentials to the RPA Service vault
Add the credentials that are stored using DPAPI to the RPA Service vault by using the Credential Manager (CredMgrUI.exe) utility.
- Updating RPA Service credential information
To ensure optimal security, use the RPA Service Credential Manager (CredMgrUI.exe) utility to keep your credential information up to date.
- Removing credentials
To maintain optimal security, use the RPA Service Credential Manager (CredMgrUI.exe) utility to remove any credential information that is no longer being used.
- Encryption and the Assisted Sign-On component
The Assisted Sign-On component in Robot Studio is based on the Windows Data Protection API (DPAPI). DPAPI encrypts data by using a key derived from the user's Windows logon secrets. Once encrypted, data can be decrypted only by the same Windows user.
- Encryption settings for Pega Robotic Automation