Introduction

The Workflow Hub can interact with any OpenAPI-described REST endpoint. The endpoints may be in the same data center or distributed across the region. Distributed communication requires the traffic to be routed over the Wide Area Network (WAN) and is therefore susceptible to Man-in-the-Middle (MITM) attacks. Transport layer encryption combined with server certificate validation is the mechanism used to protect against MITM attacks.

Workflow Hub provides an interface for the customer to upload their CAs to the Workflow Hub so that subsequent workflow runs can use these CAs to validate the servers the workflows connect to.

How does it work

  1. The user uploads CAs to the Workflow Hub using the Tenant Administration tab.
  2. The user creates workflows in which the functions are defined to validate the server certificate.
  3. When the user runs these workflows, the Workflow Hub uses the CAs provided by the user to validate the server certificate. If validation fails, the workflow is terminated with the appropriate error.
  4. The user has the option to bypass certificate validation by defining the functions to ignore server validation.

CA Management

Introduction

To validate a server, a list of Certificate Authorities must be present in Workflow Hub. This is especially necessary when the CA is NOT a public CA but the customer's own CA. In this section, we discuss the life-cycle management (LCM) of CAs through the Workflow Hub UI.

Permissions and Privileges

Management of CAs is restricted by default to tenant administrators, and to any other role that has both of the following privileges:

  • Workflow Hub Certificate Authority Read
  • Workflow Hub Certificate Authority Write

The CA management is available in the Tenant-Administrator tab. If you cannot see the tab, then you do not have the required privileges. If you need to manage the CAs, please raise a request with your IT team to elevate your privileges.

CA Life Cycle Management

  • Click on Tenant Administration
  • Expand on Certificates
  • Click Add
  • This will open up a tab to add the CA.

The two fields are described below:

Field         Description                                              Example
Identifier    A user-provided identifier that names the certificate.   Region-2/DC-2/CA
Certificate   The CA certificate, PEM encoded.                         -----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----

  • Once the certificate is saved, the UI shows options to edit, delete and view it.
  • Using the UI, the customer can add multiple CAs to the tenant.

Support for Multi-tenancy

Certificate Authorities are tenant scoped. Hence, CAs uploaded by one tenant will NOT be accessible to other tenants. Each tenant administrator must upload their own trusted CAs for server validation.

Server Validation during Workflow Execution

Sample Workflow that validates the Server

Validating server using CA
id: greetings_secure
name: secure tls connection to sample tls server
version: 0.1.0
description: Greets the person after validating the server
specVersion: 0.7.0
start: Get_Greeted_V1
functions:
  - name: GreetingsV1
    operation: https://sample-api:8889/api/v1/docs/openapi.json#GreetV1
    metadata:
      tlsVerify: true
states:
  - name: Get_Greeted_V1
    type: operation
    actions:
      - functionRef:
          refName: GreetingsV1
          arguments:
            name: hello-world
            Content-Type: application/json
    end: true

In the above example, the metadata field tlsVerify is set to true. This tells the Workflow Hub that the server must be validated against the trusted CAs. When the server presents its certificate, it is validated against the public CAs bundled with Workflow Hub and the CAs uploaded by the tenant. If the server certificate cannot be validated, the workflow run fails with the appropriate error message and execution terminates.

Sample Workflow that bypasses the Server Validation

Bypassing server validation
id: greetings_insecure
name: insecure tls connection to sample tls server
version: 0.1.0
description: Greets the person but skips validations of server
specVersion: 0.7.0
start: Get_Greeted_V1
functions:
  - name: GreetingsV1
    operation: https://sample-api:8889/api/v1/docs/openapi.json#GreetV1
    metadata:
      tlsVerify: false
states:
  - name: Get_Greeted_V1
    type: operation
    actions:
      - functionRef:
          refName: GreetingsV1
          arguments:
            name: hello-world
            Content-Type: application/json
    end: true

In this workflow, the metadata field tlsVerify is set to false, which instructs the run to skip server validation. The transport layer is still encrypted, but the server certificate is not validated, so the workflow continues whether the server presents a valid or an invalid certificate. Because the server's identity is never checked, this setting gives up the Man-in-the-Middle protection described in the introduction and should be limited to endpoints where that risk is acceptable.
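The following is an added example, not Workflow Hub's own code, that shows the two things a defender usually wants from the samples above: an audit that finds functions whose tlsVerify metadata bypasses validation, and a client-side TLS context built the way the two samples describe (public CAs plus tenant-uploaded PEM CAs when tlsVerify is true, encryption without validation when it is false). The two workflows are the page's YAML samples rewritten as Python dicts (the Serverless Workflow specification also accepts JSON definitions); the StatusV1 function with no metadata is a hypothetical addition used to show how an unspecified flag is reported, and Python's standard ssl module stands in for whatever HTTP client Workflow Hub actually uses.

```python
import ssl
from typing import Iterable

# Constructed workflow definitions mirroring the page's two samples, as dicts.
SECURE_WORKFLOW = {
    "id": "greetings_secure",
    "specVersion": "0.7.0",
    "functions": [
        {
            "name": "GreetingsV1",
            "operation": "https://sample-api:8889/api/v1/docs/openapi.json#GreetV1",
            "metadata": {"tlsVerify": True},
        }
    ],
}

INSECURE_WORKFLOW = {
    "id": "greetings_insecure",
    "specVersion": "0.7.0",
    "functions": [
        {
            "name": "GreetingsV1",
            "operation": "https://sample-api:8889/api/v1/docs/openapi.json#GreetV1",
            "metadata": {"tlsVerify": False},
        },
        {
            # Hypothetical function with no metadata block at all (not on the page).
            "name": "StatusV1",
            "operation": "https://sample-api:8889/api/v1/docs/openapi.json#StatusV1",
        },
    ],
}


def audit_tls_verify(workflow: dict) -> dict:
    """Classify every HTTPS function of a workflow by its tlsVerify metadata.

    Returns {"verified": [...], "bypassed": [...], "unspecified": [...]}.
    Only an explicit boolean false counts as a bypass. Functions without the
    key are reported separately: the page does not state the default, so a
    reviewer should check them rather than assume either behaviour.
    Non-HTTPS operations are skipped because TLS does not apply to them.
    """
    result = {"verified": [], "bypassed": [], "unspecified": []}
    for fn in workflow.get("functions", []):
        operation = str(fn.get("operation", ""))
        if not operation.lower().startswith("https://"):
            continue
        flag = (fn.get("metadata") or {}).get("tlsVerify")
        if flag is True:
            result["verified"].append(fn["name"])
        elif flag is False:
            result["bypassed"].append(fn["name"])
        else:
            result["unspecified"].append(fn["name"])
    return result


def build_tls_context(tls_verify: bool, tenant_ca_pems: Iterable[str] = ()) -> ssl.SSLContext:
    """Build the client-side SSLContext a run would use for one function.

    tls_verify=True: the peer chain is validated and the hostname checked
    against the platform's public CA bundle plus every tenant-uploaded PEM CA.
    tls_verify=False: the connection is still encrypted, but the peer
    certificate is neither validated nor hostname-checked, so an on-path
    attacker's certificate would be accepted.
    """
    ctx = ssl.create_default_context()  # loads the platform's public CAs
    if tls_verify:
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
        for pem in tenant_ca_pems:
            # cadata accepts a PEM string, i.e. the "Certificate" field above.
            ctx.load_verify_locations(cadata=pem)
    else:
        ctx.check_hostname = False  # must be cleared before dropping verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    for wf in (SECURE_WORKFLOW, INSECURE_WORKFLOW):
        print(wf["id"], audit_tls_verify(wf))
```

Running the audit over a tenant's stored workflow definitions before they are scheduled is a cheap way to surface every function that opts out of validation, which is otherwise only visible as a single metadata line inside each YAML file.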