Outbound connections to Runtime Servers

Transport Layer Security (TLS) client settings can be configured for outbound connections from Design Server to Runtime Servers.

These settings are intended to allow secure connections to runtime installations. Connecting to a customized runtime installation which uses mutual authentication (mTLS) is supported.

Use of these settings is not required if the previous behavior for outbound connections to runtime installations is sufficient. The default settings provide backwards-compatible behavior.

Connections to a Runtime Server are only allowed if the server is on the Design Server allowlist. See server.runtime.servers in config.yaml.

The client TLS settings are configured with the mapping server.outbound.ssl in config.yaml. These settings apply to all connections from Design Server to runtime installations.

If TLS is used for connections to Runtime Servers, a trust store must be provided as a PEM file which contains one or more CA certificates. The absolute path of the file should be provided as the value of server.outbound.ssl.caFile.

If a Runtime Server uses mTLS, a client certificate and client private key must be provided as PEM files. Absolute paths to these files should be provided as the values of server.outbound.ssl.certFile and server.outbound.ssl.keyFile, respectively.

The setting server.outbound.ssl.acceptCertificatesStrategy controls certificate verification. If the value signed is provided, only certificates for which a valid trust chain can be constructed from the CA certificates in server.outbound.ssl.caFile are accepted. This is the recommended setting for production servers when TLS is used. If the value all is provided, every server certificate is accepted without any chain validation, so the connection offers no assurance that the peer is the intended Runtime Server. This setting should not be used for production servers. When no value is provided, self-signed certificates are accepted in addition to valid CA-signed certificates; this is the backwards-compatible default.

If the boolean-valued setting server.outbound.ssl.verifyHostName is set to true, the name in the server certificate is also checked against the Runtime Server hostname being connected to, in addition to the verification indicated by server.outbound.ssl.acceptCertificatesStrategy. Hostname verification does not replace chain validation: with acceptCertificatesStrategy set to all, the name is checked but the certificate itself is still not validated.

Below is an example of the default values in config.yaml.

server:
  outbound:
    ssl:
      certFile: ""
      keyFile: ""
      caFile: ""
      acceptCertificatesStrategy: ""
      verifyHostName: false
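As an added example (not Design Server code), the script below audits the server.outbound.ssl section against the rules described above: the three accepted values of acceptCertificatesStrategy, the trust store that signed requires, absolute paths, the certFile/keyFile pair that mTLS needs, and the interaction between verifyHostName and the chosen strategy. The two embedded config samples are constructed for the example, the file paths in the production sample are placeholders, and the parser handles only the nested key/value mappings shown in the documented config.yaml excerpt, not general YAML.

```python
"""Audit the server.outbound.ssl section of a Design Server config.yaml.

Added example, not Design Server code. The parser covers only the nested
``key: value`` mappings shown on the documentation page; the file paths in
PRODUCTION_CONFIG are constructed placeholders.
"""
import os

# Default values as documented for server.outbound.ssl.
DEFAULTS = {
    "certFile": "",
    "keyFile": "",
    "caFile": "",
    "acceptCertificatesStrategy": "",
    "verifyHostName": False,
}
VALID_STRATEGIES = {"", "signed", "all"}

# Constructed sample: the documented defaults.
DEFAULT_CONFIG = """\
server:
  outbound:
    ssl:
      certFile: ""
      keyFile: ""
      caFile: ""
      acceptCertificatesStrategy: ""
      verifyHostName: false
"""

# Constructed sample: an mTLS production configuration (placeholder paths).
PRODUCTION_CONFIG = """\
server:
  outbound:
    ssl:
      certFile: "/etc/designserver/tls/client.pem"
      keyFile: "/etc/designserver/tls/client-key.pem"
      caFile: "/etc/designserver/tls/runtime-ca.pem"
      acceptCertificatesStrategy: "signed"
      verifyHostName: true
"""


def _scalar(raw):
    """Convert a scalar token: true/false, quoted string, or bare string."""
    if raw in ("true", "false"):
        return raw == "true"
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
        return raw[1:-1]
    return raw


def parse_simple_yaml(text):
    """Minimal parser for indentation-based nested mappings of scalars."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for each open nesting level
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while indent <= stack[-1][0]:  # close deeper or sibling levels
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # a nested mapping follows on the next lines
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = _scalar(value)
    return root


def outbound_ssl_settings(cfg):
    """Return server.outbound.ssl with the documented defaults filled in."""
    section = cfg.get("server", {}).get("outbound", {}).get("ssl", {})
    return {key: section.get(key, default) for key, default in DEFAULTS.items()}


def audit_outbound_ssl(cfg, production=True):
    """Return (level, message) findings for the outbound TLS client settings."""
    s = outbound_ssl_settings(cfg)
    findings = []
    strategy = s["acceptCertificatesStrategy"]
    verify_host = s["verifyHostName"]
    if not isinstance(verify_host, bool):
        findings.append(("error", f"verifyHostName must be true or false, got {verify_host!r}"))
        verify_host = False
    if strategy not in VALID_STRATEGIES:
        findings.append(("error", f"acceptCertificatesStrategy={strategy!r} is not '', 'signed' or 'all'"))
    elif strategy == "all":
        findings.append(("error" if production else "warning",
                         "acceptCertificatesStrategy=all accepts every server certificate; not for production"))
    elif strategy == "":
        findings.append(("warning",
                         "acceptCertificatesStrategy not set: self-signed certificates are accepted as well as CA-signed ones"))
    if strategy == "signed" and not s["caFile"]:
        findings.append(("error", "acceptCertificatesStrategy=signed needs a trust store: set caFile"))
    for key in ("caFile", "certFile", "keyFile"):
        if s[key] and not os.path.isabs(s[key]):
            findings.append(("error", f"{key} must be an absolute path, got {s[key]!r}"))
    if bool(s["certFile"]) != bool(s["keyFile"]):
        findings.append(("error", "mTLS needs both certFile and keyFile; only one is set"))
    if strategy == "signed" and not verify_host:
        findings.append(("warning", "verifyHostName=false: certificate name is not matched against the Runtime Server hostname"))
    if strategy == "all" and verify_host:
        findings.append(("warning", "verifyHostName=true with acceptCertificatesStrategy=all: name checked, chain not validated"))
    return findings


if __name__ == "__main__":
    for name, text in (("default", DEFAULT_CONFIG), ("production", PRODUCTION_CONFIG)):
        print(name, audit_outbound_ssl(parse_simple_yaml(text)) or "no findings")
```

Run against the documented defaults the audit reports a single warning (self-signed certificates accepted), and against the production sample it reports nothing; the production flag only changes whether acceptCertificatesStrategy=all is reported as an error or a warning, since that value is documented as acceptable outside production.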