Two-Way SSL In Mule Application
Get mutual authentication in a Mule application.
Introduction
In my previous article, I explained how Two-Way SSL works within the context of a Mule application. Many people have asked how to set up an HTTPS request in a Mule application, so this article provides the details of invoking HTTPS services that require Two-Way SSL, also called mutual authentication. Before we dive into the procedure, let's review how Two-Way SSL works between clients and servers.
The gist of Two-Way SSL is that both sides present a certificate and both sides verify the certificate they receive. The details are beyond the scope of this article, but here is a high-level scheme of the exchange (the TLS 1.2 message order; TLS 1.3 merges and encrypts most of these messages, but the role of each certificate is the same):
- Client sends a ClientHello message to the server.
- Server replies with ServerHello, its own certificate, and a CertificateRequest asking for the client's certificate.
- Client verifies the server's certificate against the CAs it trusts, then sends its own certificate, the key exchange material, and a CertificateVerify message: a signature over the handshake so far made with the client's private key, which is how the server knows the client actually holds the key behind the certificate it presented.
- Server verifies the client's certificate against the CAs it trusts and checks that signature; both sides then send ChangeCipherSpec and Finished, switching to the negotiated cipher suite.
- Application data is exchanged over the encrypted channel.
Two consequences matter for everything that follows: the client needs both its certificate and its private key (an identity store), and it needs to trust whatever CA signed the server's certificate (a trust store, which holds certificates only).
Now, how do we set up a Mule Application as a client?
Client's Certificate Generation
In general, an IT admin will generate the client certificate the way I described in my blog here. Let's assume that for now, so that we can describe how to set up a Mule HTTPS request. Before we continue, we need to obtain the server's certificate (or the certificate of the CA that issued it) in advance, because that is what the client has to trust. Certificates come in many forms, like JKS, PKCS12, PEM, etc. A Mule HTTPS request supports three store types:
- JKS
- PKCS12
- JCEKS
Let's say that we got the PEM format from the server. We need to do one of two things, depending on the deployment pattern:
- if it is an on-prem deployment, the simplest way is to import the cert into the JVM's cacerts (note that this makes every application on that JVM trust it);
- if it is deployed to MuleSoft CloudHub, we have no access to cacerts, so we convert the PEM to PKCS12 and ship it with the application.
If it is an on-prem deployment, we can import the PEM certificate directly into cacerts. You need write access to the JDK directory (sudo), and keytool will prompt for the cacerts password, which is changeit unless someone changed it. On Java 8 the file lives under ${JAVA_HOME}/jre/lib/security; from Java 9 on there is no jre directory and it is ${JAVA_HOME}/lib/security. Assuming the server's cert is named SERVER_CERT.pem, here is the procedure (keep in mind that the change is lost when the JDK is upgraded, so an application-specific trust store is usually the more robust choice):
cd ${JAVA_HOME}/jre/lib/security        # ${JAVA_HOME}/lib/security on Java 9 and later
cp /path/to/SERVER_CERT.pem .            # copy the cert from wherever you received it
sudo keytool -import -alias mule1-cyberark -keystore cacerts -file SERVER_CERT.pem
To be sure that the server's cert is in PEM format (and to see its subject, issuer and validity dates before you trust it), use the following command:
openssl x509 -in SERVER_CERT.pem -text -noout
If it is a CloudHub deployment, we need to convert the PEM file to PKCS12 format. Here is the command:
openssl pkcs12 -export -nokeys -in SERVER_CERT.pem -out SERVER_CERT.p12
Note the -nokeys option: the resulting trust store contains only the certificate. You never have the server's private key, and a trust store must not contain any private key. Now that the server's certificate is taken care of, we need to package the client's certificate together with its private key into PKCS12. The certificate alone cannot authenticate the client, because the handshake requires a signature made with the private key. Here is the command:
openssl pkcs12 -export -in cacert.pem -inkey cakey.pem -out identity.p12 -name "mykey"
Here -in must be the client's certificate and -inkey the private key that goes with it; if they do not match, openssl refuses to export. The command asks for an export password. Make sure you remember it, because it goes into the Mule configuration as the key store password.
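The handshake sketch above and the two openssl steps come together in the following script, which is an added example and not code from the article or from MuleSoft. It builds a throwaway CA that stands in for the CA behind the real server, issues a client certificate from it, packages identity.p12 and a -nokeys trust store exactly as described, and then checks them the way a practitioner should: the identity store must carry the private key, the trust store must not, and the client certificate must chain to the trusted CA (the check the server performs at CertificateVerify time) while a certificate from an unrelated CA must be rejected. The subjects, file names and the password "changeit" are constructed for the example; it needs only openssl on the PATH.

```shell
#!/bin/sh
# Added example (not from the original article): build the two PKCS12 stores a
# Mule HTTPS request needs for two-way SSL and check them the way a server would.
# Assumptions: openssl on PATH; a throwaway CA stands in for the real server-side
# CA; subjects, file names and the password "changeit" are constructed here.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"
PASS="changeit"          # example only: keep the real one in a secure property, not in the XML

# Self-signed CA. Here it stands in for the CA that issued the server's certificate.
make_ca() {              # $1 = output basename, $2 = CN
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Client key + CSR, signed by the CA with the clientAuth EKU a server will expect.
make_client_cert() {     # $1 = CA basename, $2 = client basename, $3 = CN
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  printf 'extendedKeyUsage=clientAuth\n' > "$WORK/$2.ext"
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 365 -extfile "$WORK/$2.ext" -out "$WORK/$2.pem" 2>/dev/null
}

# Identity store = client certificate AND its private key (the article's identity.p12).
make_identity_store() {  # $1 = client basename, $2 = output .p12
  openssl pkcs12 -export -in "$WORK/$1.pem" -inkey "$WORK/$1.key" -name "mule-client" \
    -out "$2" -passout "pass:$PASS"
}

# Trust store = the server side's CA certificate only; -nokeys guarantees no private key.
make_trust_store() {     # $1 = CA basename, $2 = output .p12
  openssl pkcs12 -export -nokeys -in "$WORK/$1.pem" -out "$2" -passout "pass:$PASS"
}

# Prints yes or no: does the PKCS12 file carry a private key? (A trust store must say no.)
p12_has_key() {          # $1 = .p12, $2 = password
  if openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY'; then
    echo yes
  else
    echo no
  fi
}

# Prints the subject of the first certificate in a PKCS12 file.
p12_subject() {          # $1 = .p12, $2 = password
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | openssl x509 -noout -subject
}

# What the server does when it receives the client's certificate: chain it to a CA it trusts.
# Returns 0 when the certificate validates against the given CA file, non-zero otherwise.
chain_ok() {             # $1 = client cert PEM, $2 = trusted CA PEM
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

make_ca server-ca "Example Server CA"
make_ca rogue-ca  "Unrelated CA"
make_client_cert server-ca client "mule-client"
make_client_cert rogue-ca  rogue  "impostor"
make_identity_store client "$WORK/identity.p12"
make_trust_store server-ca "$WORK/truststore.p12"

echo "stores written to $WORK"
echo "identity.p12 has private key:   $(p12_has_key "$WORK/identity.p12" "$PASS")"
echo "truststore.p12 has private key: $(p12_has_key "$WORK/truststore.p12" "$PASS")"
echo "truststore.p12 subject:         $(p12_subject "$WORK/truststore.p12" "$PASS")"
if chain_ok "$WORK/client.pem" "$WORK/server-ca.pem"; then echo "client.pem: accepted by server CA"; fi
if ! chain_ok "$WORK/rogue.pem" "$WORK/server-ca.pem"; then echo "rogue.pem: rejected by server CA"; fi
```

The same server-ca.pem is what you would hand to keytool -import for the on-prem path; the two .p12 files are what go on the classpath for CloudHub. The p12_has_key check is worth keeping around: a trust store that accidentally contains a private key (for example because someone exported it without -nokeys from a file that also held the key) is a key leak waiting to be deployed.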
Setup Mule Flow
The following diagram shows the simple Mule flow.
The HTTPS request configuration is:
<http:request-config name="HTTPS_Request_configuration" doc:name="HTTP Request configuration" doc:id="489bd416-2a79-4817-9968-627aaa6ee553">
    <http:request-connection protocol="HTTPS" host="two-way-ssl.server.com" port="443">
        <tls:context>
            <tls:key-store type="pkcs12" path="identity.p12" keyPassword="gary" password="gary"/>
        </tls:context>
    </http:request-connection>
</http:request-config>
The important point here is that the client's certificate and private key come from the key store (note the attribute is keyPassword; XML attribute names are case-sensitive):
<tls:key-store type="pkcs12" path="identity.p12" keyPassword="gary" password="gary"/>
and the server's certificate comes from the trust store:
<tls:trust-store type="pkcs12" path="SERVER_CERT.p12" password="gary"/>
A trust store holds no private key, so it has only a store password. The configuration above has no tls:trust-store element; in that case Mule falls back to the JVM's default trust store, which is exactly what the on-prem cacerts import relies on. For CloudHub, where cacerts is out of reach, add the tls:trust-store element inside tls:context next to the key store, and put both identity.p12 and SERVER_CERT.p12 in src/main/resources so the relative paths resolve from the application's classpath. In either case, do not leave literal passwords in the XML as this example does; reference them through secure configuration properties (for example ${secure::keystore.password}) so the store password and the key password are not committed with the flow.
Published at DZone with permission of Gary Liu, DZone MVB. See the original article here.