Mule Message Encryption With JCE

Introduction

“Don't reinvent the wheel”, that’s the principle Mule applies when it comes to Mule Message Security. Anypoint Enterprise Security is a suite that comes bundled with all the necessary modules and methods for applying security to Mule Service Oriented Architecture (SOA) implementations and Web services.

Objectives

My main concern regarding security was Mule Message Encryption. Mule provides three extraordinary Encryption Strategies:

• JCE Encrypter: encrypts stream, byte[] or string.
• XML Encrypter: encrypts string, encrypts individual fields using xpath expressions.
• PGP Encrypter: encrypts stream, byte[] or string.

In this blog post I will try to explain how to configure Anypoint Studio for applying encryption strategies to mule messages using the JCE Encrypter.

Getting Your Hands Dirty

Let’s get our hands dirty. I will try to explain everything starting from the installation of Anypoint Enterprise Security. Also I would like to point out the troubleshooting during the installation process.

Installation of Anypoint Enterprise Security

I am using Mule 3.8 EE for this experiment. Please take a look at this link for the installation guide in detail. Here is a screenshot:

Please select the Premium bundle and proceed. In my case I could not install the software initially. If the same problem continues in your case, uncheck the “Contact all update sites during install to find required software” checkbox.

After successful installation, restart your Anypoint studio. You should see the following components under the security group palettes.

Now you are ready to go!

Create a Mule Maven Project

Let’s create a simple Mule Maven project using Anypoint Studio. The most important point is to add the following repository in the pom.xml file.

<repository>
   <id>mulesoft-public</id>
   <name>MuleSoft Public Repository</name>
   <url>https://repository.mulesoft.org/nexus/content/repositories/public/</url>
   <layout>default</layout>
</repository>

Creating a Simple Flow

Let’s create a simple flow. The scenario is as follows: we send some JSON data to an HTTP endpoint. Then the JSON data is encrypted using JCE Encryption Strategy, and we log the encrypted data. After that we simply decrypt the encrypted data and log it. Here is a diagram of the flow.

Digging Into JCE Encryption

From Wikipedia:

“The Java Cryptography Extension ( JCE) is an officially released Standard Extension to the Java Platform and part of the Java Cryptography Architecture. JCE provides a framework and implementation for encryption, key generation and key agreement, and Message Authentication Code (MAC) algorithms.”

Step 1

First let’s configure a global Encryption element.

Do mind it to select the Default Encryptor dropdown as JCE_ENCRYPTER. I have named the global element as JCE.

Step 2

Now after configuring the global Encryption element in step 1, let’s configure the Encryption component (labeled as JCE Encryption in the flow. This is a Encryption palette found under the Security category of Mule palettes). Here is the screen shot:

In the Connector Configuration please select the global encryption element(JCE) that we have defined in step 1. In the Operation dropdown select Encrypt. In the Input Reference field I am putting the whole payload (JSON data) for encryption. Do remember that you can use the MEL expression here to encrypt some part of the payload too. As we are using JCE_ENCRYPTER in this example, let us configure it. Select the Define attributes radio button in the JCE encrypter Strategy Configuration for operation category.

Key: It must be a 16 digit phrase.

Key Password: (whatever you wish)

Algorithm: Choose an algorithm from the dropdown list.

Encryption Mode: Choose from the dropdown list.

That’s it. You are ready to go. There is another way to make it more secure using Keystore. I will show you later in another post.

Step 3

In the step 2 we have encrypted the message. Now let’s decrypt the encrypted message. Here we are going to configure the component labeled as Decrypt payload. It’s nothing but a Encryption palette found under the Security category of Mule palettes. Here is the configuration:

The configuration is almost same as for encryption. The only difference is the Operation: Decrypt.

Testing

Now let us run the project. After running the project, send a POST request with JSON payload. I am using Postman for this operation. On observing it in the Anypoint console, you can see the encrypted message as well as decrypted message.

Please find the source code here.

N.B: Use mvn eclipse:eclipse to import the maven dependencies.