Skip to content

Commit b49c7b4

Browse files
vishwa-ubervishwa-uber
committed
docs: Wiki for mTLS
Signed-off-by: [email protected] <[email protected]>
1 parent 9af3053 commit b49c7b4

File tree

1 file changed

+124
-0
lines changed

1 file changed

+124
-0
lines changed

docs/03-concepts/14-mutual-tls.md

Lines changed: 124 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,124 @@
1+
---
2+
3+
## layout: default title: Mutual TLS (mTLS) Authentication permalink: /docs/concepts/mutual-tls
4+
5+
# Mutual TLS (mTLS) Authentication
6+
7+
This guide explains how to implement Mutual TLS (mTLS) authentication in Cadence to secure communication between clients and servers. mTLS provides bidirectional authentication, ensuring that both the client and server verify each other's identities before exchanging data.
8+
9+
---
10+
11+
## Overview
12+
13+
### What is Mutual TLS?
14+
15+
Mutual TLS (mTLS) is an enhanced version of the standard TLS protocol where both parties in a communication authenticate each other. Unlike standard TLS where only the server is authenticated, mTLS requires both the client and server to present and verify certificates.
16+
17+
In mTLS, both the client and server have a certificate, and both sides authenticate using their public/private key pair. This bidirectional authentication provides an additional layer of security, ensuring that:
18+
19+
- Clients can verify they're connecting to the legitimate server
20+
- Servers can verify the identity of connecting clients
21+
- All communication is encrypted end-to-end
22+
23+
---
24+
25+
## How mTLS Works
26+
27+
The mTLS handshake process involves the following steps:
28+
29+
```
30+
┌─────────────────────────────────────────────────────────────────────────┐
31+
│ mTLS Handshake Flow │
32+
└─────────────────────────────────────────────────────────────────────────┘
33+
34+
35+
CLIENT SERVER
36+
│ │
37+
│ (1) Client initiates connection │
38+
├─────────────────────────────────────────────────────--─> │
39+
│ │
40+
│ (2) Server sends its certificate │
41+
│ <────────────────────────────────────────────────────── ┤
42+
│ │
43+
│ (3) Client verifies server certificate │
44+
│ ✓ Check signature │
45+
│ ✓ Validate certificate chain │
46+
│ ✓ Check expiration │
47+
│ │
48+
│ (4) Client sends its certificate │
49+
├───────────────────────────────────────────────────--───> │
50+
│ │
51+
│ (5) Server verifies client certificate │
52+
│ ✓ Check signature │
53+
│ ✓ Validate certificate chain │
54+
│ ✓ Check expiration │
55+
│ │
56+
│ (6) Server grants access │
57+
│ <────────────────────────────────────────────────────── ┤
58+
│ │
59+
│ (7) Encrypted TLS connection established │
60+
│ <═══════════════════════════════════════════════════> │
61+
│ All subsequent data is encrypted │
62+
│ │
63+
```
64+
65+
### Step-by-Step Process
66+
67+
1. **Client connects to server**: The client initiates a connection to the server
68+
2. **Server presents its TLS certificate**: The server sends its certificate to prove its identity
69+
3. **Client verifies the server's certificate**: The client validates the server's certificate against trusted Certificate Authorities (CAs)
70+
4. **Client presents its TLS certificate**: The client sends its own certificate to prove its identity
71+
5. **Server verifies the client's certificate**: The server validates the client's certificate
72+
6. **Server grants access**: Once both certificates are verified, the server allows the connection
73+
7. **Client and server exchange information over encrypted TLS connection**: All data is now transmitted securely
74+
75+
---
76+
77+
## Implementing mTLS in Cadence
78+
79+
### Server Configuration
80+
81+
To enable mTLS in Cadence server, you need to configure TLS settings and start the server with the appropriate environment configuration.
82+
83+
#### Starting the Server with TLS
84+
85+
Use the `--zone` flag to specify the TLS configuration when starting the Cadence server:
86+
87+
```shell
88+
./cadence-server --env development --zone tls start
89+
```
90+
91+
This will load [config/development.yaml](https://github.com/cadence-workflow/cadence/blob/master/config/development.yaml) \+ [config/development\_tls.yaml](https://github.com/cadence-workflow/cadence/blob/master/config/development_tls.yaml). See [CONTRIBUTING.md](https://github.com/cadence-workflow/cadence/blob/master/CONTRIBUTING.md#4-run) for more details.
92+
93+
---
94+
95+
### Client Implementation
96+
97+
To connect a Cadence client with mTLS, you need to configure TLS credentials and pass them to the Cadence client. Cadence client will use a gRPC transport object using your TLS settings to communicate with the server.
98+
99+
---
100+
101+
## Complete Working Example
102+
103+
The [helloworld\_tls sample](https://github.com/cadence-workflow/cadence-samples/tree/master/new_samples/client_samples/helloworld_tls) provides a complete, tested implementation of mTLS with Cadence, including:
104+
105+
- Certificate generation scripts
106+
- Complete client implementation with mTLS
107+
- Instructions for running with a TLS-enabled server
108+
- Step-by-step setup guide
109+
110+
For additional server configuration examples, refer to the [Cadence server repository](https://github.com/cadence-workflow/cadence)
111+
112+
---
113+
114+
## Testing Scenarios
115+
116+
The following table outlines various testing scenarios for mTLS configuration:
117+
118+
| Server | Client | Expected | Steps |
119+
| :---- | :---- | :---- | :---- |
120+
| Unsecured | Unsecured | Success | Server without TLS enabled; Client without TLS certs |
121+
| Secured | Unsecured | Fail | Server with TLS enabled; Client without TLS certs |
122+
| Unsecured | Secured | Fail | Server without TLS enabled; Client **with** TLS certs |
123+
| Secured | Secured | Success | Mutual TLS: Server with TLS enabled; Client with TLS enabled |
124+

0 commit comments

Comments
 (0)