|
| 1 | +--- |
| 2 | +layout: default |
| 3 | +title: Mutual TLS (mTLS) Authentication |
| 4 | +permalink: /docs/concepts/mutual-tls |
| 5 | +--- |
| 6 | + |
| 7 | +# Mutual TLS (mTLS) Authentication |
| 8 | + |
| 9 | +This guide explains how to implement Mutual TLS (mTLS) authentication in Cadence to secure communication between clients and servers. mTLS provides bidirectional authentication, ensuring that both the client and server verify each other's identities before exchanging data. |
| 10 | + |
| 11 | +--- |
| 12 | + |
| 13 | +## Overview |
| 14 | + |
| 15 | +### What is Mutual TLS? |
| 16 | + |
| 17 | +Mutual TLS (mTLS) is an enhanced version of the standard TLS protocol where both parties in a communication authenticate each other. Unlike standard TLS where only the server is authenticated, mTLS requires both the client and server to present and verify certificates. |
| 18 | + |
| 19 | +In mTLS, both the client and server have a certificate, and both sides authenticate using their public/private key pair. This bidirectional authentication provides an additional layer of security, ensuring that: |
| 20 | + |
| 21 | +- Clients can verify they're connecting to the legitimate server |
| 22 | +- Servers can verify the identity of connecting clients |
| 23 | +- All communication is encrypted end-to-end |
| 24 | + |
| 25 | +--- |
| 26 | + |
| 27 | +## How mTLS Works |
| 28 | + |
| 29 | +The mTLS handshake process involves the following steps: |
| 30 | + |
| 31 | +``` |
| 32 | +┌─────────────────────────────────────────────────────────────────────────┐ |
| 33 | +│ mTLS Handshake Flow │ |
| 34 | +└─────────────────────────────────────────────────────────────────────────┘ |
| 35 | +
|
| 36 | + CLIENT SERVER |
| 37 | + │ │ |
| 38 | + │ (1) Client initiates connection │ |
| 39 | + ├─────────────────────────────────────────────────────--─> │ |
| 40 | + │ │ |
| 41 | + │ (2) Server sends its certificate │ |
| 42 | + │ <────────────────────────────────────────────────────── ┤ |
| 43 | + │ │ |
| 44 | + │ (3) Client verifies server certificate │ |
| 45 | + │ ✓ Check signature │ |
| 46 | + │ ✓ Validate certificate chain │ |
| 47 | + │ ✓ Check expiration │ |
| 48 | + │ │ |
| 49 | + │ (4) Client sends its certificate │ |
| 50 | + ├───────────────────────────────────────────────────--───> │ |
| 51 | + │ │ |
| 52 | + │ (5) Server verifies client certificate │ |
| 53 | + │ ✓ Check signature │ |
| 54 | + │ ✓ Validate certificate chain │ |
| 55 | + │ ✓ Check expiration │ |
| 56 | + │ │ |
| 57 | + │ (6) Server grants access │ |
| 58 | + │ <────────────────────────────────────────────────────── ┤ |
| 59 | + │ │ |
| 60 | + │ (7) Encrypted TLS connection established │ |
| 61 | + │ <═══════════════════════════════════════════════════> │ |
| 62 | + │ All subsequent data is encrypted │ |
| 63 | + │ │ |
| 64 | +``` |
| 65 | + |
| 66 | +### Step-by-Step Process |
| 67 | + |
| 68 | +1. **Client connects to server**: The client initiates a connection to the server |
| 69 | +2. **Server presents its TLS certificate**: The server sends its certificate to prove its identity |
| 70 | +3. **Client verifies the server's certificate**: The client validates the server's certificate against trusted Certificate Authorities (CAs) |
| 71 | +4. **Client presents its TLS certificate**: The client sends its own certificate to prove its identity |
| 72 | +5. **Server verifies the client's certificate**: The server validates the client's certificate |
| 73 | +6. **Server grants access**: Once both certificates are verified, the server allows the connection |
| 74 | +7. **Client and server exchange information over encrypted TLS connection**: All data is now transmitted securely |
| 75 | + |
| 76 | +--- |
| 77 | + |
| 78 | +## Complete Working Example |
| 79 | + |
| 80 | +For a complete working example with detailed code and configuration, refer to the [helloworld_tls sample](https://github.com/cadence-workflow/cadence-samples/tree/master/new_samples/client_samples/helloworld_tls) in the Cadence samples repository. This sample demonstrates how to: |
| 81 | + |
| 82 | +- Generate test certificates using OpenSSL |
| 83 | +- Configure both server and client for mTLS |
| 84 | +- Implement a simple workflow with mTLS authentication |
| 85 | +- Test the mTLS connection |
| 86 | + |
| 87 | +--- |
| 88 | + |
| 89 | +## Testing Scenarios |
| 90 | + |
| 91 | +The following table outlines various testing scenarios for mTLS configuration: |
| 92 | + |
| 93 | +| Server | Client | Expected | Steps | |
| 94 | +|--------|--------|----------|-------| |
| 95 | +| Unsecured | Unsecured | Success | Server without TLS enabled; Client without TLS certs | |
| 96 | +| Secured | Unsecured | Fail | Server with TLS enabled; Client without TLS certs | |
| 97 | +| Unsecured | Secured | Fail | Server without TLS enabled; Client **with** TLS certs | |
| 98 | +| Secured | Secured | Success | Mutual TLS: Server with TLS enabled; Client with TLS enabled | |
| 99 | + |
0 commit comments