Enabling HTTPS for Mule applications

  • May 28, 2020

Enabling HTTPS for Mule applications is a complex process that requires understanding several concepts:

  • TLS with Keystores and Truststores
  • The difference between Keystores and Truststores
  • How to generate a Keystore and a self-signed certificate
  • How to configure TLS in Mule 4

TLS with Keystores and Truststores

TLS is a cryptographic protocol that provides communications security for your Mule application. It offers different ways to exchange keys for authentication, encrypt data and guarantee message integrity.

The difference between Keystores and Truststores

A Java Keystore stores private key entries, certificates with public keys or just secret keys that you can use for various cryptographic purposes. Generally speaking, Keystores hold keys that your application owns and that you can use to prove the integrity of a message and the authenticity of the sender. Servers that want to use HTTPS usually use a Keystore.

A Truststore is the opposite. Whereas a Keystore typically holds onto certificates that identify you, a Truststore holds onto certificates that identify others. If you don’t specify a Truststore, then the default JVM values are used. These values usually include a Truststore with certificates for all major certifying authorities.

How to generate a Keystore and a self-signed certificate

The standard JDK distribution doesn’t include a Keystore by default. Use the JDK’s keytool utility to generate your Keystores and certificates. The Keystore you generate contains a private key and a public certificate. This certificate is self-signed, so clients can’t trust it unless you share the public certificate with them.

Here’s the Keytool command to create a self-signed certificate:

keytool -genkeypair -keystore keystore.jks -dname "CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" -keypass password -storepass password -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -alias mule -ext SAN=DNS:localhost,IP:127.0.0.1 -validity 9999


The resulting keystore.jks file holds your private key and the self-signed certificate.

How to configure TLS in Mule 4

  • Put the keystore.jks file under the src/main/resources directory of your Mule project
  • Configure the HTTPS Listener …

Configuring HTTPS Listener

… where ${https.port} is port 443, used for HTTPS communication

  • Configure the TLS for HTTPS Listener

Configuring TLS for HTTPS Listener


  • Test the HTTPS-enabled Mule applications using Postman
  • Go to Postman -> Settings -> Certificates and turn on the CA certificates tab, which defaults to off

Turn on CA certificates tab

Enabling HTTPS makes your Mule applications more secure.

— By Nikhil Kunkulol