Setting up a secure infrastructure
Workflow is not a web server: although it has HTTP and NodeJS plugins, it does not have the native architecture to be used as a public-facing server.
If it is used in a public application, take at least the following measures:
- Place your Workflow server behind a firewall.
- Use a reverse proxy.
- Hide your public URL destinations by rewriting the URL (also known as URL masking).
- Purchase and install a TLS certificate (see Obtaining a certificate). Then set up OL Connect Workflow to use secure communication so that communications between clients and the server(s) are protected through encryption.
- Keep your Windows and reverse proxy updated. Updates contain, among other things, fixes to newly discovered security faults.
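The following reverse proxy configuration is an added example and is not part of the OL Connect documentation. It shows how the measures above fit together on one edge host: TLS termination with a purchased certificate, a public path that is rewritten (masked) to the Workflow HTTP Server Input action, and a default rule that forwards nothing else. It assumes nginx as the proxy, a Workflow server reachable from the proxy only at the private address 10.0.0.5 on port 8080 (the Workflow HTTP Server Input port you configured), a public hostname forms.example.com, a Workflow action named invoice_form, and placeholder certificate paths; all of these are assumptions to adapt to your environment.

```nginx
# Added example, not OL Connect's own configuration.
# Assumed: Workflow HTTP Server Input listening on 10.0.0.5:8080, reachable
# only from this proxy host (firewall rule on the Workflow server).
upstream workflow_http_input {
    server 10.0.0.5:8080;   # placeholder private address and port
}

# Plain HTTP is only used to redirect clients to HTTPS.
server {
    listen 80;
    server_name forms.example.com;   # placeholder public hostname
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name forms.example.com;   # placeholder public hostname
    server_tokens off;               # do not advertise the proxy version

    # Purchased certificate and key (placeholder paths).
    ssl_certificate     /etc/nginx/certs/forms.example.com.crt;
    ssl_certificate_key /etc/nginx/certs/forms.example.com.key;

    # Only TLS 1.2 and 1.3 are negotiated with clients; SSL 3.0 and
    # TLS 1.0/1.1 are refused at the edge regardless of what Workflow accepts.
    ssl_protocols             TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # URL masking: clients only ever see /submit/...; the request is
    # rewritten to the Workflow action path (assumed action: invoice_form).
    # The trailing slash on proxy_pass replaces the /submit/ prefix.
    location /submit/ {
        proxy_pass http://workflow_http_input/invoice_form/;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Any other path is answered by the proxy itself and never reaches Workflow.
    location / {
        return 404;
    }
}
```

Together with a firewall rule on the Workflow server that accepts port 8080 only from the proxy's address, this keeps the Workflow HTTP server off the public network while still exposing the single action that the public application needs.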
Setting up secure communication
When you have obtained and installed a certificate and installed OL Connect Workflow, you can set up OL Connect Workflow to use secure communication.
The settings of the HTTP server, NodeJS server, and SMTP server are accessible through the Preferences button under the W (Workflow) button, or via the key combination Ctrl+Alt+P. Then go to the first page of the server's preferences, depending on which plugins will be used in your processes:
* If using the NodeJS server, the ppNode service needs to know the credentials and communication protocol to use for communicating with the Connect Server, in order to serve resources originating from the Connect Server. For instructions on how to do this, see NodeJS Server Input.
Known issue
If a 30-second delay occurs each time a connection is made, this is due to an incompatibility between various components of the HTTPS communication. To prevent the issue, use the option Force outgoing encrypted connections to use TLS 1.2 or lower in the Preferences (Network behavior preferences) to limit the protocol of the COTG Delete plugin, Secure Email Input plugin, Secure Email Output plugin, and HTTP Input plugin to TLS 1.2.
Security protocols
These are the security protocols used by different services and plugins in Workflow.
Component | Protocol |
---|---|
Messenger Service | SSL 2.3 |
SMTP Service | TLS 1.0, 1.1, 1.2 or 1.3 (user option, SMTP Input preferences) |
HTTP Service | SSL 2.3 or TLS 1.0, 1.1, 1.2 or 1.3 (user option, HTTP Server Input plugin preferences 1) |
COTG Delete plugin* | SSL 2.0, 2.3, 3.0 and TLS 1.0, 1.1, 1.2, 1.3 |
Secure Email Input plugin* | SSL 2.0, 2.3, 3.0 and TLS 1.0, 1.1, 1.2, 1.3 |
Secure Email Output plugin* | SSL 2.0, 2.3, 3.0 and TLS 1.0, 1.1, 1.2, 1.3 |
SOAP plugins | Up to TLS 1.3 |
HTTP Input plugin* | SSL 2.0, 2.3, 3.0 and TLS 1.0, 1.1, 1.2, 1.3 |
HTTPS connection to OL Connect Server | TLS 1.2 |
NodeJS Server, NodeJS Input plugin | TLS 1.2 or TLS 1.3 (depending on the server's certificate) |
* Using the option Force outgoing encrypted connections to use TLS 1.2 or lower in the Preferences (Network behavior preferences) limits the protocol of these plugins to TLS 1.2.