Configuring Workflow Manager without SSL on production server

Question

My production SharePoint 2016 & Project Server 2016 will be running on SSL (https). Now I am in the process of installing and configuring Workflow Manager on SharePoint 2016 server. I am confused whether I should configure my Workflow Manager on http port (12991) or https (12990).

I learned on TechNet articles that for production we must always configure SSL for Workflow Manager but troubleshooting will be difficult. If my SharePoint 2016 application and Project Server 2016 runs on https but my Workflow Manager is configured to use http (12291), will this affect communication between SharePoint and Workflow Manager? Will my workflow developed in SharePoint Designer 2013 Workflow Platform successfully execute in production?

Answer 1

it should work but as you mentioned it is not recommended. Industry standard is use https for the production. it is easy, you dont need to configure any extra certificate as WFM create and configure for those during the configuration (unless you want to use your own certs).

here is nice wording from Harbar's blog

Workflow Manager should use SSL. Period. :)

Why? Because it’s a Server to Server (S2S) trust, and Server to Server trusts leverage OAuth2. OAuth2 is an authorization framework, which can at best be described as an insecure authorization framework! Without going into that whole saga, a key consideration is that it presents tokens over the wire in plain text. Thus we leverage the Universal Firewall Bypass Protocol (UFBP) – otherwise known as Secure Sockets Layer (SSL) - to protect those tokens over the wire. Using SSL doesn’t make OAuth2 secure, but it does protect those tokens. And that’s critical for production environments.