Sunday, August 11, 2019

Two-Way SSL In Mule Application

Introduction

In my previous article, I explained how Two-Way SSL works in the context of a Mule application. Many people have asked how to set up an HTTPS request in a Mule application. This article provides the procedure for invoking HTTPS services that require Two-Way SSL, also called mutual authentication. Before we dive into the detailed procedure, let's review how Two-Way SSL works between clients and servers.

The gist of Two-Way SSL is that the client and the server exchange certificates. The details are fairly complicated and beyond the scope of this article. At a high level, the exchange of certificates goes like this:
  1. The client sends a ClientHello message to the server.
  2. The server replies with ServerHello, the server's certificate, and a request for the client's certificate.
  3. The client sends its certificate along with other information, such as the cipher scheme, the result of verifying the server's certificate, etc.
  4. The server replies with the cipher scheme.
  5. Both sides start to exchange application data.
Now, how do we set up a Mule application as the client?

Client's Certificate Generation

In general, an IT admin will generate client certificates similar to the way I describe in my blog here. Let's assume that is the case for now, so that we can describe how to set up the Mule HTTPS request. Before we continue, we need to obtain the server's certificate in advance. The certificate can come in many forms, such as JKS, PKCS12, PEM, etc. The Mule HTTPS request supports three forms:
  • JKS
  • PKCS12
  • JCEKS
Let's say we got the PEM format from the server. We need to do one of two things, depending on the deployment pattern:
  • if it is an on-prem deployment, the best way is to import the cert into the JVM cacerts;
  • if it is deployed to MuleSoft CloudHub, we need to convert the PEM to PKCS12.
For an on-prem deployment, we can import the PEM certificate directly into cacerts. Here is the procedure (make sure you have sudo permission, and that the server's cert is named something like SERVER_CERT.pem; the source path in the cp command is a placeholder for wherever you saved the certificate):
cd ${JAVA_HOME}/jre/lib/security
cp /path/to/SERVER_CERT.pem .
sudo keytool -import -alias mule1-cyberark -keystore cacerts -file SERVER_CERT.pem
To be sure that the server's cert is in PEM format, you can inspect it with the following command:
$ openssl x509 -in SERVER_CERT.pem -text
If it is a CloudHub deployment, we need to convert the PEM file to PKCS12 format. Here is the command:
$ openssl pkcs12 -export -nokeys -in SERVER_CERT.pem -out SERVER_CERT.pfx

Note the "-nokeys" option: it tells openssl not to include a private key, since we do not hold the private key of the server's certificate. Now the server's certificate is taken care of. Next, we need to convert the client's certificate and its private key to PKCS12. Here is the command to do so:

openssl pkcs12 -export -in cacert.pem -inkey cakey.pem -out identity.p12 -name "mykey"

Note that the above command will prompt for an export password. Make sure you remember it.

Setup Mule Flow

The following diagram shows a simple Mule flow.
The HTTPS request configuration is the following:

The important point here is that the client's certificate is

and the server's certificate is

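As an added example, not the configuration from the original post (whose XML did not survive), here is how the two PKCS12 files produced above are wired into a Mule 4 HTTPS request configuration for Two-Way SSL. The file names SERVER_CERT.pfx and identity.p12 and the alias mykey come from the commands in the post; the Mule 4 element syntax, the global element names, the ${...} property placeholders, the host and the path are assumptions for illustration:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<mule xmlns="http://www.mulesoft.org/schema/mule/core"
      xmlns:http="http://www.mulesoft.org/schema/mule/http"
      xmlns:tls="http://www.mulesoft.org/schema/mule/tls"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="
        http://www.mulesoft.org/schema/mule/core http://www.mulesoft.org/schema/mule/core/current/mule.xsd
        http://www.mulesoft.org/schema/mule/http http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd
        http://www.mulesoft.org/schema/mule/tls http://www.mulesoft.org/schema/mule/tls/current/mule-tls.xsd">

    <!-- Reusable TLS context (name is an assumption).
         trust-store: the SERVER's certificate (SERVER_CERT.pfx, exported with -nokeys),
                      used to verify the certificate the server sends in handshake step 2.
         key-store:   the CLIENT's certificate and private key (identity.p12, alias "mykey"),
                      presented to the server in handshake step 3.
         The passwords are the export passwords entered when running openssl pkcs12;
         the property names are placeholders and should come from a secure properties file. -->
    <tls:context name="TwoWay_TLS_Context">
        <tls:trust-store path="SERVER_CERT.pfx"
                         password="${tls.truststore.password}"
                         type="pkcs12"/>
        <tls:key-store path="identity.p12"
                       alias="mykey"
                       keyPassword="${tls.keystore.password}"
                       password="${tls.keystore.password}"
                       type="pkcs12"/>
    </tls:context>

    <!-- HTTPS request configuration that references the TLS context above.
         Host and port are assumptions; protocol must be HTTPS for TLS to apply. -->
    <http:request-config name="HTTPS_Request_configuration">
        <http:request-connection protocol="HTTPS"
                                 host="${backend.host}"
                                 port="443"
                                 tlsContext="TwoWay_TLS_Context"/>
    </http:request-config>

    <!-- Minimal flow matching the diagram in the post: one outbound HTTPS request.
         In a real application this flow would be triggered by a listener or a flow-ref. -->
    <flow name="twoWaySslFlow">
        <http:request config-ref="HTTPS_Request_configuration"
                      method="GET"
                      path="/api/resource"/>
    </flow>
</mule>
```

Both .pfx/.p12 files go under src/main/resources so the relative paths resolve on the classpath, which is what makes this layout work on CloudHub, where there is no JVM cacerts to edit. For the on-prem path, where the server's certificate was imported into the JVM cacerts instead, the tls:trust-store element can be dropped and the JVM's default trust store is used; the tls:key-store is still required, because it is the client certificate that satisfies the server's certificate request.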
4 comments:

  1. Hi Gary Liu,

    The JSON file (provided below) has nested arrays. I want to retrieve all blog array lists from the array “onlineresources”.
    In order to achieve the above, I have used the syntaxes below.
    payload.resources.onlineresources.blog – giving null
    payload.resources.*onlineresources.blog – giving null
    payload.resources.onlineresources[0].blog – giving data
    payload.resources.onlineresources[1].blog – giving data

    Instead of using indexes, I want to retrieve all blog arrays at once, but I am receiving null when using the 1st and 2nd syntaxes.
    Could you please help me in this regard? PFB JSON:

    {
      "resources": [
        {
          "book": [
            {
              "category": "cooking",
              "title": "Everyday Italian",
              "author": "Giada De Laurentiis",
              "year": "2005",
              "price": "30.00"
            },
            {
              "category": "children",
              "title": "Harry Potter",
              "author": "J K. Rowling",
              "year": "2005",
              "price": "29.99"
            },
            {
              "category": "web",
              "title": "Learning XML",
              "author": "Erik T. Ray",
              "year": "2003",
              "price": "39.95"
            }
          ],
          "magazine": [
            {
              "category": "web",
              "title": "Wired Magazine",
              "edition": "03-2017",
              "price": "15.95"
            },
            {
              "category": "business",
              "title": "Time Magazine",
              "edition": "04-2017",
              "price": "17.95"
            }
          ],
          "onlineresources": [
            {
              "blog": [
                {
                  "category": "knowledge sharing",
                  "title": "tibco ",
                  "period": "03-2017",
                  "views": "500000"
                },
                {
                  "category": "knowledge sharing",
                  "title": "mulesoft",
                  "period": "03-2017",
                  "views": "4343"
                }
              ],
              "website": [
                {
                  "category": "education",
                  "title": "communications skills",
                  "period": "03-2017",
                  "views": "500000"
                },
                {
                  "category": "awareness",
                  "title": "manners & mentars",
                  "period": "03-2017",
                  "views": "52416"
                }
              ]
            }
          ]
        }
      ]
    }

    Regards,
    Rajasekhar

  2. Very informative post for MuleSoft developers. You can also visit goformule.com for MuleSoft stuff.

