- TLS is cryptographic protocol that secures communications in mule apps. Mule provide out-of-the-box support for HTTPS
- One-way SSL
- Server presents certificate to the client. Client must authenticate the server. Client is not required to present a certificate to the server. Server will accept any client into the connection.
- Two-way SSL
- Both the client and server have to present a certificate before the connection is established between the two.
- One-way SSL
- A client requests access to a protected resource.
- The server presents its certificate to the client.
- The client verifies the server’s certificate.
- If successful, the client sends its certificate to the server.
- The server verifies the client’s credentials.
- If successful, the server grants access to the protected resource requested by the client.
- KeyStore
- Used to store private key and identity certificates that a specific program should present to both parties (server or client) for verification
- TrustStore
- Used to store certificates from Certified Authorities (CA) that verify the certificate presented by the server in SSL connection.
The tls:context element in Mule flow defines a configuration for TLS, which can be used from both the client and server sides.
- From the server side
- The truststore contains certificates of the trusted clients, the keystore contains the private and public key of the server.
- From the client side
- The truststore contains certificates of the trusted servers, the keystore contains the private and public key of the client.
Adding both a keystore and a truststore to one same config implicitly implements two-way TLS authentication, also known as mutual authentication
Commands (You can either use the commands OR "KeyStore Explorer“ (https://keystore-explorer.org/)
-
Create KeyStore (To store Localhost server’s credentials)
- keytool -noprompt -validity 365 -genkeypair -v -alias localhost-server -keyalg RSA -storetype PKCS12 -keystore server-keystore.p12 -dname "CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" -storepass password -keypass password -ext san="DNS:localhost,IP:127.0.0.1"
-
Create TrustStore (To store localhost client’s and/or external server’s credentials)
- keytool -noprompt -validity 365 -genkeypair -v -alias localhost-client -keyalg RSA -storetype PKCS12 -keystore trusted-client-truststore.p12 -dname "CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" -storepass password -keypass password
-
Add cert of external server (API) to TrustStore:
- Example: https://gorest.co.in/public-api/users/45
- Extract its cert from browser and copy to file
- Add cert to the above TrustStore
- Go to File --> Settings --> Certificates tab --> Add Certificate
- You would supply host, and port where your Mule API is hosted at, along with Truststore file info and its password.
Extract Certificate for External API when you are calling external HTTPS secured API from HTTP Request component in Mule API
-
Example: API being called in the sample project: https://gorest.co.in/public-api/users/359
-
Go to Browser and put the above in the address bar
-
Click the lock icon
-
Click Certificate
-
Go thru default settings, and select the path and name of the file with .cer extension to which certificate is to be copied.
-
Then go to Keystore Explorer tool --> open the Truststore you created (trusted-client-truststore.p12) --> supply password --> go to Tools --> Select import trusted certificate option --> supply the above certificate file .cer extension --> finish adding
-
Use the Truststore in Mule Application