Sunday, August 18, 2019

Two-Way SSL In Mule Application - Part 2

Introduction

In my previous article in DZone or here, I omitted the procedure to create a trust store for the application. This is important if the applications are deployed to CloudHub.

In this article, I will describe the procedure to create the trust store and how to configure the HTTPS request for a Mule application.

Create A Trust Store For Mule HTTPS Request

The procedures to import the server's PEM certificate to a trust store are the following.

First, we will create a trust store using the following command:

keytool -genkey -keyalg RSA -alias cyberark-poc -keystore truststore.ks

Enter anything at the prompts. The values are not important, as we will delete this entry.

Second, delete the content of the trust store just created:

keytool -delete -alias cyberark-poc -keystore truststore.ks

Third, import the server's certificate:

keytool -import -v -trustcacerts -alias cyberark-server -file SERVER-CERT.pem -keystore truststore.ks

Now, copy truststore.ks to the Mule application project's /src/main/resources directory.

HTTPS Request Configuration

The following is the complete HTTPS Request configuration:
 
  
   
    
    
   
  
 
Note: I put both client.pfx and the trust store in the /src/main/resources directory. You may put them in a different directory. In that case, you need to give the full path relative to the Mule Application Project, such as ssh/cert/client.pfx.
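
A sketch of such an HTTPS request configuration, as an added example that is not the author's original listing. It assumes Mule 4 syntax; the configuration name, the host and port properties, and the password property placeholders are hypothetical, while truststore.ks and client.pfx are the files named in this article.

```xml
<!-- Added example, not the original post's configuration. Assumes Mule 4. -->
<!-- Names and ${...} properties below are hypothetical placeholders.      -->
<http:request-config name="Two_Way_SSL_Request_Config">
  <http:request-connection protocol="HTTPS"
                           host="${server.host}"
                           port="${server.port}">
    <tls:context>
      <!-- Trust store built with keytool above: holds the server's
           certificate so the client can validate the server.
           Leave insecure unset; insecure="true" would disable
           certificate validation and defeat the trust store. -->
      <tls:trust-store path="truststore.ks"
                       password="${truststore.password}"
                       type="jks" />
      <!-- Key store with the client certificate and private key that
           the client presents to the server (the second half of
           two-way SSL). A .pfx file is a PKCS#12 container. -->
      <tls:key-store path="client.pfx"
                     type="pkcs12"
                     password="${keystore.password}"
                     keyPassword="${keystore.keyPassword}" />
    </tls:context>
  </http:request-connection>
</http:request-config>
```

Keep the store passwords in secure properties rather than in the XML itself, since the project's resources directory is packaged with the deployed application.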

The Key Takeaways

The best practices for handling certificates are:
  1. If the deployment is on-prem, import the servers' certificates to cacerts. This way, if a server's certificate expires, we just need to reimport it; no code change is required.
  2. If the deployment is on CloudHub, we have to import the servers' certificates to a trust store as described in this article.
  3. Use the JKS format for the trust store used in the HTTPS request. It is the most popular one.
