Flow Access using mutual TLS (mTLS)

The flows can be accessed through the mTLS endpoints only when the following conditions are met:

  • A client CA certificate is uploaded to Connect Console.

  • A service account with the mTLS credential type must exist and have access to the relevant flows.

The flows are accessible through the following endpoint:

https://{org-id}.mtls.YOUR_FOUNDATION_DOMAIN/connect/flows/[rs|ws]/{flowId}

Where:

  • rs: REST-based flow invocation

  • ws: WebSocket-based flow invocation

Example:

https://gridos.mtls.env-connect-mvp-ingress.local/connect/flows/rs/echo

mTLS is a certificate-based authentication method that secures access to flows in GridOS. Unlike Basic Auth or API keys, mTLS requires both the client and the server to present valid certificates during the TLS handshake. Connect uses the handshake to authenticate the caller against the uploaded client CA, and the subject of the client certificate to authorize the caller as a specific service account.

If your organization wants to send data to flows using mTLS, the subject of the client certificate must meet all of the following requirements:

  • The organization (O) field is exactly the owner/org ID used for your Connect deployment. This is the same value supplied to the required deployer parameters.

  • The organizational unit (OU) field is exactly the string literal Connect Service Account.

  • The common name (CN) field is exactly the <serviceAccountId> of the service account with the mTLS credential type.

To generate a client certificate with the subject attributes above, see the following code example:

# 1. Generate the client's private key. It stays with the client and is never uploaded.
openssl genrsa -out client.key 2048

# 2. Build a CSR whose subject carries the three required fields:
#    O = your org ID, OU = "Connect Service Account", CN = the service account ID.
openssl req -new -key client.key -out client.csr \
  -subj "/O=<YOUR-ORG-ID>/OU=Connect Service Account/CN=<YOUR-SERVICE-ACCOUNT-ID>"

# 3. Extensions for the issued certificate: usable for TLS client authentication only.
cat << EOF > client-ext.cnf
[req]
distinguished_name = req_distinguished_name
[req_distinguished_name]
[client_ext]
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

# 4. Sign the CSR with the CA (ca.crt / ca.key) whose certificate is uploaded to
#    Connect Console, applying the [client_ext] section above to the result.
openssl x509 -req \
  -in client.csr \
  -CA ca.crt \
  -CAkey ca.key \
  -CAcreateserial \
  -out client.crt \
  -days 365 \
  -sha256 \
  -extfile client-ext.cnf \
  -extensions client_ext

  • Store client.key and client.crt securely; your client presents both when it connects.

  • The client-ext.cnf and client.csr files can be deleted once client.crt has been created.

Replace the placeholders <YOUR-ORG-ID> and <YOUR-SERVICE-ACCOUNT-ID> with the appropriate values.

The client certificate must be signed by a Certificate Authority (CA). Before a client certificate can be used, the CA that signed it must be uploaded to the Connect Console. Registering a CA allows GridOS Connect to trust any client certificate issued by that CA, so protect that CA's private key and issue client certificates only for service accounts that should have access: the subject fields above are what tie an accepted certificate to a particular service account.
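The script below is an added example and is not GridOS Connect's own tooling. It covers the three subject rules, the certificate generation procedure and the CA trust point above in one place: it builds a throwaway CA and client certificate with constructed values (org ID acme, service account ID svc-ingest, both assumptions for the demo), then checks that the certificate carries the required O, OU and CN values, has the clientAuth extended key usage, and chains to the CA that would be uploaded to Connect Console. It also assembles the endpoint URL from the template at the top of this page and shows the curl call that presents the certificate pair; the foundation domain env-connect-mvp-ingress.local is reused from the page's example, and the request method and body in the commented-out call are assumptions, not part of this page.

```shell
#!/bin/sh
# Added example (not GridOS Connect code): pre-flight checks for an mTLS client
# certificate, plus the endpoint URL and curl call used to invoke a flow.
# Assumed values for the demo: ORG_ID=acme, SA_ID=svc-ingest.
set -eu

ORG_ID=acme
SA_ID=svc-ingest
REQUIRED_OU="Connect Service Account"

# Constructed throw-away PKI so the checks can run offline: a self-signed CA
# (the one you would upload to Connect Console) and a client cert it signs.
make_test_pki() {  # make_test_pki ORG OU CN DIR
  local org="$1" ou="$2" cn="$3" dir="$4"
  cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[client_ext]
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
  openssl req -x509 -config "$dir/pki.cnf" -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" -subj "/CN=Test Client CA" 2>/dev/null
  openssl req -new -config "$dir/pki.cnf" -newkey rsa:2048 -nodes \
    -keyout "$dir/client.key" -out "$dir/client.csr" -subj "/O=$org/OU=$ou/CN=$cn" 2>/dev/null
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -out "$dir/client.crt" -days 1 -sha256 \
    -extfile "$dir/pki.cnf" -extensions client_ext 2>/dev/null
}

# Print the value of one subject RDN (O, OU or CN) of a certificate.
subject_field() {  # subject_field CERT FIELD
  openssl x509 -in "$1" -noout -subject -nameopt sep_multiline,utf8,sname \
    | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p"
}

# Return 0 only if the cert satisfies every rule Connect applies: exact O, OU and
# CN values, a clientAuth EKU, and a valid chain to the CA uploaded to the console.
check_client_cert() {  # check_client_cert CERT CA_CERT ORG_ID SA_ID
  local cert="$1" ca="$2" org="$3" sa="$4" ok=0
  [ "$(subject_field "$cert" O)"  = "$org" ]         || { echo "O must equal org ID '$org'"; ok=1; }
  [ "$(subject_field "$cert" OU)" = "$REQUIRED_OU" ] || { echo "OU must equal '$REQUIRED_OU'"; ok=1; }
  [ "$(subject_field "$cert" CN)" = "$sa" ]          || { echo "CN must equal service account ID '$sa'"; ok=1; }
  openssl x509 -in "$cert" -noout -text | grep -q 'TLS Web Client Authentication' \
    || { echo "missing extendedKeyUsage clientAuth"; ok=1; }
  openssl verify -CAfile "$ca" -purpose sslclient "$cert" >/dev/null 2>&1 \
    || { echo "does not chain to the registered CA"; ok=1; }
  return $ok
}

# https://{org-id}.mtls.YOUR_FOUNDATION_DOMAIN/connect/flows/[rs|ws]/{flowId}
flow_url() {  # flow_url ORG_ID FOUNDATION_DOMAIN rs|ws FLOW_ID
  printf 'https://%s.mtls.%s/connect/flows/%s/%s\n' "$1" "$2" "$3" "$4"
}

# Present client.crt/client.key during the handshake; extra curl args pass through.
invoke_flow() {  # invoke_flow CERT KEY URL [curl args...]
  local cert="$1" key="$2" url="$3"; shift 3
  curl --fail --silent --show-error --cert "$cert" --key "$key" "$@" "$url"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_test_pki "$ORG_ID" "$REQUIRED_OU" "$SA_ID" "$WORK"
if check_client_cert "$WORK/client.crt" "$WORK/ca.crt" "$ORG_ID" "$SA_ID"; then
  echo "client.crt satisfies the subject, EKU and chain rules"
fi
# Live call, not run here (JSON POST is an assumption; check the flow's contract):
# invoke_flow "$WORK/client.crt" "$WORK/client.key" \
#   "$(flow_url "$ORG_ID" env-connect-mvp-ingress.local rs echo)" --data '{"ping":1}'
```

Run it as-is to see the offline checks pass; to reach a real endpoint, uncomment the invoke_flow line and point it at your own certificate pair. If the server side of the mTLS endpoint is issued by a private CA, pass that CA to curl with --cacert as well (a deployment detail this page does not specify).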

For more information on how to validate certificates, see Client Certificate Validation.

To troubleshoot flow access issues related to mTLS, see Troubleshooting.