Automated Approval

The prime use case for VaultCode are automated approvals for using SKA keys.

In automated approval, VaultCode is used to run customer defined business logic to approve the key usage requests. This is useful to automate certain rules that can easily be checked for and that don't need human review. If the automated logic rejects the request, the request is forwarded to other approvers listed in the SKA policy. These human approvers can then review the request and decide whether to approve or reject it.

The detailed steps of the entire workflow are shown below:

0. Operators loads a JAR file to VaultCode and generates an SKA key k1 with approver policy k2 OR k3 OR k4.
1. The application makes a signing request to TSB with SKA key k1.
2. TSB fetches SKA policy and creates approval tasks in TSB.
3. Using the SKA key k1 requires approval from keys k2 or k3 or k4. The TSB forwards the approval request to VaultCode.
4. VaultCode executes logic based on metadata from signing request (step 1).
5. The custom JAR executable runs approval logic, and returns a positive or negative result. The VaultCode runtime uses the key k2 to sign the JAR's output. The output together with the signature makes up the approval.
6. VaultCode returns the execution result to the TSB.
7. If the approval was rejected by the automated logic (k2), the TSB requests manual approval by k3 or k4, by sending notifications to the approver apps.
8. If enough approvals are collected, the TSB sends the signing request to the HSM. The HSM verifies that the SKA policy is satisfied and performs the signing operation with k1.
9. The TSB returns the signature to the application.