Flowgear DropPoints provide a secure mechanism for Flowgear to integrate with on-premise systems. DropPoints install as a Windows Service and create an encrypted, outbound, persistent connection into the Flowgear Cloud in order to facilitate execution of Nodes in the on-premise environment. For general high-level information about DropPoints, refer to DropPoints.

This article discusses the security features provided by v5 DropPoints.


Client-Side Certificates


So that Flowgear can verify that a DropPoint is the one it claims to be, DropPoints now support client-side certificates. Without the correct certificate, one DropPoint cannot impersonate another.

We strongly recommend adding a client-side certificate to all DropPoints, including test DropPoints.

Adding a certificate

Follow these steps to add a certificate once you have upgraded to a v5 DropPoint:

  • Launch the DropPoint Configuration from the Start Menu
  • Click the Certificate tab
  • Select a certificate or click Create Certificate. You can use any existing certificate in the Local Computer/Personal certificate store, or alternatively, have the DropPoint create a certificate and install it there
  • Click Apply & Restart
  • In the DropPoints Pane, you should see a green padlock next to the DropPoint name which signals that the connection is secured with a client-side certificate

Changing a certificate

If you change (or remove) the certificate associated with a DropPoint, Flowgear will not trust the connection and will not bring the DropPoint online. To trust a new certificate, follow these steps:

  • Sign in to the Flowgear Console
  • Go to the DropPoints pane. The DropPoint with the changed certificate will show a red open lock icon to indicate that an untrusted certificate is being used
  • Click the DropPoint
  • Click Trust the new Certificate
  • Restart the DropPoint service

Node Whitelisting


Node whitelisting ensures that only Nodes that have been explicitly whitelisted can be executed at a DropPoint. Use this as part of security best practice to enforce least-privilege access at the DropPoint.

By default, whitelisting is disabled. For existing production DropPoints, we recommend upgrading to v5 and running the DropPoint for a week before enabling whitelisting. This allows the DropPoint to gather all Nodes that are being invoked.

To enable whitelisting, follow these steps:

  • Launch the DropPoint Configuration from the Start Menu
  • Click the Whitelisting tab
  • Click Enable Whitelisting and follow the prompts
  • For every Node/Version displayed, click the Whitelisted checkbox for any that you want to allow
  • Click Save changes

If you would like to precisely control the input properties that are allowed for a Node, follow these steps:

  • Select the Node from the Whitelisting list
  • Ensure the Whitelisted checkbox is checked
  • For each of the Properties that display, choose a TestMode for that Property:
    None indicates that no Property-level testing will be performed.
    AllTests indicates that all tests must pass.
    AnyTest indicates that any of the tests defined for the current Property must pass.
  • In the Tests list that displays, add the tests that you would like
  • Click Save Changes to apply changes. The DropPoint will immediately discover new whitelisted Nodes or tests that pass without needing to restart the DropPoint service. If you have disabled a previously whitelisted Node, you'll need to restart the DropPoint service for this to take effect

Whitelisting test options

None

No test will be performed against the Property.

String

The Property must match the exact string defined in Expression. For example, if you are whitelisting the Query Property of a SQL Query Node, you could specify select top 10 * from contacts in Expression to match that exact query.

Regex

The Regex defined in Expression must match the Property. For example, to allow a File Node to read only text files in a particular folder, the following regex could be used: c:\\watchfolder\\.*.txt

JsonPath

The JsonPath defined in Expression must match the Property. For example, if the Property contained the following JSON:

{
  "order": {
    "account": "CASH"
  }
}

The following JsonPath would match it:

order[?(account=='CASH')]

XPath

The XPath defined in Expression must match the Property. This test type can also be used to validate parameters in a connection. For example, a connection for a SQL Query Node arrives at the DropPoint in the following form:

<root>
  <Server>10.0.0.4</Server>
  <Database>somedb</Database>
  <Username>someuser</Username>
  ...
</root>

The following XPath will validate that a specific server is specified:

root/Server[.="10.0.0.4"]
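The TestMode rules (None, AllTests, AnyTest) and the String, Regex and XPath test types described above, as an added Python example that is not Flowgear's own code: a small evaluator that applies a Property's tests, then gates a Node/Version on a constructed whitelist. JsonPath is left out because it needs a non-standard-library parser; the whitelist keys, Node names, versions and the connection XML are constructed sample values, and the XPath test relies on ElementTree's XPath subset, which is enough for the page's expression.

```python
import re
import xml.etree.ElementTree as ET
# Reference evaluator for the per-Property whitelist tests described above.
# TestMode: "None" | "AllTests" | "AnyTest". Test types: "String", "Regex",
# "XPath" (JsonPath is omitted here because it needs a JsonPath library).

def run_test(test_type, expression, value):
    """Return True when a single test of the given type passes for value."""
    if test_type == "String":
        return value == expression
    if test_type == "Regex":
        # Full match, so trailing text such as ".bak" cannot slip past the pattern.
        return re.fullmatch(expression, value) is not None
    if test_type == "XPath":
        # ElementTree supports an XPath subset. The page's expression is document-
        # relative ("root/Server..."), so wrap <root> in a synthetic document element.
        doc = ET.Element("document")
        doc.append(ET.fromstring(value))
        return len(doc.findall(expression)) > 0
    raise ValueError(f"unknown test type {test_type!r}")

def property_allowed(test_mode, tests, value):
    """Apply a Property's TestMode to its list of (type, expression) tests."""
    if test_mode == "None":
        return True
    results = [run_test(t, e, value) for t, e in tests]
    if test_mode == "AllTests":
        return all(results)  # vacuously True when no tests are defined
    if test_mode == "AnyTest":
        return any(results)  # False when no tests are defined: nothing can pass
    raise ValueError(f"unknown test mode {test_mode!r}")

def node_allowed(whitelist, node, version, properties):
    """True only if Node/Version is whitelisted and every Property passes."""
    entry = whitelist.get((node, version))
    if entry is None:
        return False  # Node/Version not whitelisted at all
    return all(property_allowed(*entry.get(name, ("None", [])), value)
               for name, value in properties.items())

# Constructed sample whitelist; Node names and versions are illustrative only.
WHITELIST = {
    ("SQL Query", "1"): {
        "Query": ("AllTests", [("String", "select top 10 * from contacts")]),
        "Connection": ("AllTests", [("XPath", 'root/Server[.="10.0.0.4"]')]),
    },
    ("File", "1"): {"Path": ("AnyTest", [("Regex", r"c:\\watchfolder\\.*.txt")])},
}
CONNECTION = "<root><Server>10.0.0.4</Server><Database>somedb</Database></root>"
```

Regex tests here use re.fullmatch; the page does not say whether the DropPoint anchors Regex expressions, so anchor them yourself (^...$) if in doubt, and escape the dot in .txt if only that extension should be allowed.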