Configuring Mule application using one-way SSL

  • May 17, 2022

In this technical article, we’ll understand one-way SSL and how to configure it for Mule applications using self-signed certificates.

Step 1: The client application sends a “ClientHello” message and makes a secured HTTPS call to access the server application’s resource.

Step 2: As the server application is configured with KeyStore, it retrieves its public certificate (.crt) from the KeyStore.

Step 3: The server application responds with a “ServerHello” message and sends its public certificate to the client. The server application’s public certificate also contains the server’s public key along with some other information.

Step 4: The client application uses its truststore to verify the certificate received from the server.

Step 5: After the verification is successful, the client application generates a session key.

Step 6: The client application encrypts this session key with the help of the public key received from the server application and sends this encrypted session key to the server application.

Step 7: The server application receives this encrypted session key and decrypts it by using its private key.

Step 8: Both client and server applications have the same session key and an encrypted link is established.

In summary, during the SSL/TLS handshake the server application presents its certificate, the client application verifies it, and a session key is negotiated.

After the SSL/TLS handshake, communication between the client and server applications proceeds as follows:

  1. The client application sends the data to the server application by encrypting this data with the session key, and the server application decrypts the data using the same session key.
  2. Similarly, when the server application wants to send data to the client application, it encrypts the data using the session key. When the client application receives the encrypted data, it decrypts it using the same session key.

The KeyStore stores the identity of the server: its certificate together with the matching private key.

The truststore stores the certificates that its owner trusts. In one-way SSL this is the client’s truststore, which holds the server’s certificate.

Generation of keys/certificates

Here, we’ll be generating private keys and self-signed certificates.

We’ll be using the keytool utility, which is part of the Java Development Kit (JDK). You can find it under JAVA_HOME/bin.

Keytool is a command-line utility for managing keys and certificates.

Step 1: Creating server KeyStore

Create the server’s private/public key pair with the -genkeypair command. The generated key pair and its self-signed certificate are stored in the server KeyStore.

Command:

keytool -genkeypair -keyalg RSA -alias mule-server-demo -keystore server-keystore.jks -storetype jks -keypass pass1234 -storepass pass1234

In the above command, several options are passed, each preceded by a ‘-’ sign. Let’s have a look at them:

  • alias:
    • The private key and certificate are stored together as a single KeyStore entry.
    • This entry is identified by a unique string known as the ‘alias.’
    • In this example, we’ve specified ‘mule-server-demo’ as the alias.

Note: A KeyStore can hold multiple certificates. The alias given on the command line is used to look up the right entry in the KeyStore.

  • keyalg: the algorithm used to generate the key pair. In this example, RSA is used.
  • storetype: the KeyStore type, either JKS or PKCS12. In this example, JKS is used.
  • keypass: the password protecting the private key.
  • storepass: the password protecting the KeyStore.

After executing this command, keytool prompts for the distinguished-name details (name, organizational unit, organization, city, state, country) that go into the certificate.

Note: The KeyStore file is created by this command if it does not already exist.

Now we can see server-keystore.jks created in the directory where you executed the command in CMD.

Step 2: Exporting the server’s public certificate from the server KeyStore

The server’s public certificate has to be installed in the client’s truststore. This means exporting the certificate (which carries the public key) from the server KeyStore.

To retrieve the certificate from the server KeyStore, we use the -exportcert command, passing the same alias used in the previous command.

keytool -exportcert -keystore server-keystore.jks -alias mule-server-demo -file server-certificate.cer -storepass pass1234

After executing the above command, we can see the server’s public certificate exported from the server KeyStore into server-certificate.cer.

  • file: the name of the file the exported certificate is written to.

Step 3: Importing server’s public certificate into client’s truststore

To store the server’s public certificate into the client truststore, we need to use the -importcert command.

keytool -importcert -keystore client-truststore.jks -storepass pass1234 -file server-certificate.cer -alias mule-server-demo

keytool prints the certificate’s details and fingerprint and asks whether to trust it; answer yes. After that, we can see client-truststore.jks created with the server’s public certificate imported into it.

Configuring one-way SSL in MuleSoft application

Step 1: Start Anypoint Studio and create a new mule project named “one-way-ssl.”

Step 2: Copy the server-keystore.jks and client-truststore.jks files that we generated and paste them into src/main/resources.

Step 3: Create a flow server-flow, which will act as a server application in our POC.

Step 4: Configure the server-flow as follows:

  1. Add a listener, set its display name to /server : 8082 and set the Path to /server.
  2. Now, we will do the connector configuration. Click on the green plus icon and a dialog box will appear.
  3. Set the protocol to HTTPS, and set the port to 8082.
  4. Now, head over to the TLS tab > under TLS Configuration, select Edit Inline > enter the KeyStore configuration (path src/main/resources/server-keystore.jks, the alias and the passwords used above).
  5. Add a Transform Message component and enter the following DataWeave script (the --- separator between header and body is mandatory in DataWeave):

%dw 2.0
output application/json
---
"Server"

Step 5: Configure the client-flow as follows:

  1. Add a listener, set its display name to /client : 8081 and set the path to /client.
  2. Now, we will do the connector configuration. Click on the green plus icon and a dialog box will appear.
  3. Set the protocol to HTTP, and set the port to 8081.
  4. Add a Request component, set its display name to call server – : 8082/server and set the path to /server.
  5. Now, we’ll do the request configuration. Click on the green plus icon and a dialog box will appear.
  6. Set the protocol to HTTPS, set the host to localhost and set the port to 8082.
  7. Now, head over to the TLS tab > under TLS Configuration, select Edit Inline > enter the truststore configuration (path src/main/resources/client-truststore.jks and its password).
  8. Add a Transform Message component and enter the following DataWeave script, which passes the server’s response through unchanged:

%dw 2.0
output application/json
---
payload

Step 6: Go to Run > Run Configuration > Add the following in the VM arguments:

-M-Dcom.ning.http.client.AsyncHttpClientConfig.acceptAnyCertificate=true

Then run the application. Note that this property makes the HTTP client accept any server certificate, which bypasses the verification the truststore configured in Step 5 is meant to provide; use it only for local testing, never in a deployed application.

Step 7: Go to your browser and enter the URL http://localhost:8081/client.

You’ll be able to see the output as “Server.”
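The handshake steps above, the KeyStore/truststore roles and the effect of the acceptAnyCertificate flag in Step 6 can be exercised end to end in Go; this is an added example, not code from the original article or from Mule. It uses httptest’s built-in self-signed certificate and key in place of the keytool-generated server-keystore.jks, an x509.CertPool in place of client-truststore.jks, and InsecureSkipVerify as the stand-in for acceptAnyCertificate; the names serverFlow, clientFlow and Demo are assumptions of this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"io"
	"net/http"
	"net/http/httptest"
)

// serverFlow starts an HTTPS listener that answers /server with the same JSON body the
// DataWeave script returns. httptest's built-in self-signed certificate and private key
// stand in for the entry keytool -genkeypair put into server-keystore.jks.
func serverFlow() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		io.WriteString(w, `"Server"`)
	}))
}

// clientFlow plays the Request component: one HTTPS GET to /server using the given TLS
// settings. It returns the response body, or the error the handshake produced.
func clientFlow(srv *httptest.Server, cfg *tls.Config) (string, error) {
	c := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := c.Get(srv.URL + "/server")
	if err != nil {
		return "", err // certificate verification failures surface here
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Demo runs three clients against the same server and returns what each one sees:
// trusted   - truststore holds the server certificate (the -exportcert/-importcert steps)
// untrusted - empty truststore, so the handshake is rejected
// anyCert   - InsecureSkipVerify, the analogue of acceptAnyCertificate=true: the call
//             succeeds, but nothing about the server's identity was verified
func Demo() (trusted string, untrustedErr error, anyCert string) {
	srv := serverFlow()
	defer srv.Close()
	truststore := x509.NewCertPool()
	truststore.AddCert(srv.Certificate())
	trusted, _ = clientFlow(srv, &tls.Config{RootCAs: truststore})
	_, untrustedErr = clientFlow(srv, &tls.Config{RootCAs: x509.NewCertPool()})
	anyCert, _ = clientFlow(srv, &tls.Config{InsecureSkipVerify: true})
	return trusted, untrustedErr, anyCert
}
```

The second client fails with an unknown-authority error, which is exactly what the Mule client flow would see without the truststore entry; the third succeeds for the same reason the acceptAnyCertificate flag makes the POC work, and for the same reason it must not ship.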

— By Shyam Kulkami