Queries Around AI Center Product Using HSTS And TLS1.2 / TLS1.3 Protocol

How to configure AI Center to use HSTS and TLS 1.2/TLS 1.3?

Note: If a security scan flags the TLS protocol version or the absence of HSTS, the steps below can be used to configure AI Center to use TLS 1.2 / TLS 1.3 and HSTS.

Resolution:
AI Center does include HSTS for calls to the AI Center backend. Only the first call to the AI app lacks the HSTS header.

The first call to the AI App does not enforce HSTS as of now, but any further calls to the AIC backend enforce HSTS. The lack of HSTS on that first call is a very low risk for an on-premise AI Center deployment: URL rewriting is done at the backend, so every request towards the AI Center server coming from the outside is served over HTTPS.

What does HSTS do?
HSTS prevents a browser from connecting to a domain over plain HTTP the next time it connects to that domain. This stops an attacker from standing up an HTTP site with the same domain name to trick a user into accessing a fake, malicious host.

In the context of an AI Center deployment at USDA, several other mitigating factors would prevent an attacker from being able to execute such an attack. UiPath will look to implement this functionality in a future release, but it is a very low risk.

Steps to configure AIC to use TLS 1.2 as the minimum version (v21.10+):
Execute the following command on the AI Center Linux server with sudo privileges. It patches the AI Fabric gateway (the Istio Gateway resource aifabric-gateway) to accept TLS 1.2 as a minimum:

  • kubectl -n istio-system patch gw aifabric-gateway --type=json -p='[{"op":"replace","path": "/spec/servers/0/tls/minProtocolVersion", "value": "TLSV1_2"}]'
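A way to verify both points above after the change (HSTS present on backend responses, TLS 1.0/1.1 refused by the patched gateway), as an added example that is not UiPath's code; the hostname, port and sample headers are constructed placeholders.

```python
"""Post-change verification for an AI Center ingress: parse the HSTS header
returned by the backend and probe which TLS versions the gateway accepts.
Added example (not UiPath's code); AIC_HOST and AIC_PORT are placeholders."""
import socket
import ssl
from typing import Dict, Optional

AIC_HOST = "aicenter.example.internal"   # placeholder: your AI Center FQDN
AIC_PORT = 443
MIN_HSTS_AGE = 180 * 24 * 3600           # six months, a common minimum baseline


def parse_hsts(headers: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return the parsed Strict-Transport-Security directives, or None if the
    header is absent. Header names are matched case-insensitively."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return None
    result = {"max_age": 0, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def hsts_is_adequate(headers: Dict[str, str]) -> bool:
    """True when HSTS is present with a max-age of at least MIN_HSTS_AGE."""
    parsed = parse_hsts(headers)
    return parsed is not None and parsed["max_age"] >= MIN_HSTS_AGE


def tls_version_accepted(host: str, port: int, version: ssl.TLSVersion) -> bool:
    """Attempt a handshake pinned to exactly `version`; True if it completes.
    After the gateway patch, TLSv1 and TLSv1_1 are expected to return False."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    for v in (ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        print(v.name, "accepted" if tls_version_accepted(AIC_HOST, AIC_PORT, v) else "refused")
```

Run it against the server after patching the gateway; TLSv1_1 should report "refused" while TLSv1_2 and TLSv1_3 report "accepted", and hsts_is_adequate can be applied to the headers of any authenticated backend response.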