
One-Way and Two-Way (Mutual) SSL for MuleSoft Applications
Introduction:
Any communication that needs to be secured between two applications connecting over a network can be transmitted using the Secure Sockets Layer (SSL) protocol.
SSL provides secure connections by:
Allowing an application to authenticate the identity of another application
Using a private key to encrypt and decrypt data transferred over the SSL connection
When applications are configured for SSL, web traffic is over HTTPS instead of HTTP as reflected in the URLs.
When processes communicate with each other, the process making a request acts as the client and the process responding to a request acts as the server.
Implementing One-Way SSL:
In one-way SSL, only the client validates the server, to ensure that it receives data from the intended server. To implement one-way SSL, the server shares its public certificate with its clients.
In case of one-way SSL:
1. The client requests some protected data from the server over HTTPS. This initiates the SSL handshake.
2. The server returns its public certificate to the client along with a server hello message.
3. The client validates the received certificate. The client verifies the certificate through certification authority (CA) signed certificates.
4. The client sends back a symmetric session key, encrypted with the server's public certificate.
5. The server decrypts the symmetric session key using its private key and sends a response encrypted with that session key back to the client, establishing the secure connection.
After agreeing on this secret key, the client and server carry out the actual data transfer by encrypting and decrypting data with this key.
Step-1: Create Server KeyStore
Use the command below to generate the server keystore:
C:\Program Files\Java\jdk1.8.0_333\bin>keytool -genkey -alias mule-server -keyalg RSA -keystore D:/Certificates/server-keystore.jks
Step-2: Extract public certificate from Server KeyStore
Use the below command to extract the public certificate from the server keystore.
keytool -export -alias mule-server -keystore D:/Certificates/server-keystore.jks -file D:/Certificates/server_public.crt
Step-3: Import Server Public Certificate into Client TrustStore
Having extracted the public certificate from the server keystore, import it into the client truststore:
keytool -import -alias mule-client-public -keystore D:/Certificates/client-truststore.jks -file D:/Certificates/server_public.crt
Step-4: Configure the MuleSoft HTTP Listener and Requester
Server Side Configuration:
HTTP Connector configuration —> General Settings—> Protocol must be HTTPS
Make sure the generated server-keystore.jks and client-truststore.jks are copied into the folder src/main/resources.
HTTP Connector configuration —> General Settings—> TLS —> TLS configuration —> Edit Inline.
Client Side Configuration:
Provide the connection settings on the HTTP Requester.
Now we need to configure TLS by providing a client truststore path, type and password.
Implementing Two-Way (Mutual) SSL:
In case of two-way SSL, both client and server authenticate each other to ensure that both parties involved in the communication are trusted. Each party shares its public certificate with the other, and validation is performed on that basis.
In case of two-way SSL:
1. The client requests a protected resource over HTTPS and the SSL handshake begins.
2. The server returns its public certificate to the client along with a server hello.
3. The client validates/verifies the received certificate. The client verifies the certificate through certification authority (CA) signed certificates.
4. If the server certificate was validated successfully, the client provides its public certificate to the server.
5. The server validates/verifies the received certificate. The server verifies the certificate through certification authority (CA) signed certificates.
After the handshake completes, client and server communicate and transfer data encrypted with the secret keys shared between the two during the handshake.
Step-1: Create Server KeyStore
Use the command below to generate the server keystore:
C:\Program Files\Java\jdk1.8.0_333\bin>keytool -genkey -alias mule-server -keyalg RSA -keystore D:/Certificates/server-keystore.jks
Step-2: Extract public certificate from Server KeyStore
Use the below command to extract the public certificate from the server keystore.
keytool -export -alias mule-server -keystore D:/Certificates/server-keystore.jks -file D:/Certificates/server_public.crt
Step-3: Import Server Public Certificate into Client TrustStore
Having extracted the public certificate from the server keystore, import it into the client truststore:
keytool -import -alias mule-client-public -keystore D:/Certificates/client-truststore.jks -file D:/Certificates/server_public.crt
Step-4: Create Client KeyStore
Use the command below to generate the client keystore:
C:\Program Files\Java\jdk1.8.0_333\bin>keytool -genkey -alias mule-client -keyalg RSA -keystore D:/Certificates/client-keystore.jks
Step-5: Extract public certificate from Client KeyStore
Use the command below to extract the public certificate from the client keystore.
keytool -export -alias mule-client -keystore D:/Certificates/client-keystore.jks -file D:/Certificates/client_public.crt
Step-6: Import Client Public Certificate into Server TrustStore
Having extracted the public certificate from the client keystore, import it into the server truststore:
keytool -import -alias mule-server-public -keystore D:/Certificates/server-truststore.jks -file D:/Certificates/client_public.crt
Step-7: Configure the MuleSoft HTTP Listener and Requester
Server Side Configuration:
HTTP Connector configuration —> General Settings—> Protocol must be HTTPS
Make sure the generated server-keystore.jks, server-truststore.jks, client-keystore.jks and client-truststore.jks are copied into the folder src/main/resources.
HTTP Connector configuration —> General Settings—> TLS —> TLS configuration —> Edit Inline.
Client Side Configuration:
Provide the connection settings on the HTTP Requester.
Now, configure TLS. Provide the client truststore path, password and type, and the client keystore path, password and type.
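The "Edit Inline" TLS configuration from the one-way Step-4 and the two-way Step-7 above, written out as Mule 4 XML (an added example, not configuration from the original post): the listener's key-store and the requester's trust-store are all that one-way SSL needs, and adding the server trust-store and the client key-store turns it into mutual SSL. The `${...}` property names, the port 8443 and the flow name are assumptions; the keystore files and aliases are the ones the keytool commands above create, so trust here rests on the explicit truststore imports rather than on a CA.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<mule xmlns="http://www.mulesoft.org/schema/mule/core"
      xmlns:http="http://www.mulesoft.org/schema/mule/http"
      xmlns:tls="http://www.mulesoft.org/schema/mule/tls"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="
        http://www.mulesoft.org/schema/mule/core http://www.mulesoft.org/schema/mule/core/current/mule.xsd
        http://www.mulesoft.org/schema/mule/http http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd
        http://www.mulesoft.org/schema/mule/tls http://www.mulesoft.org/schema/mule/tls/current/mule-tls.xsd">

    <!-- Server side. The key-store proves the server's identity (needed for one-way and two-way SSL).
         The trust-store holds client_public.crt and makes the listener demand a client certificate;
         remove it for one-way SSL. Paths are relative to src/main/resources. -->
    <tls:context name="serverTlsContext">
        <tls:key-store type="jks" path="server-keystore.jks" alias="mule-server"
                       keyPassword="${server.key.password}" password="${server.keystore.password}"/>
        <!-- Never add insecure="true" here: it disables certificate validation entirely. -->
        <tls:trust-store type="jks" path="server-truststore.jks"
                         password="${server.truststore.password}"/>
    </tls:context>

    <http:listener-config name="HTTPS_Listener_config">
        <http:listener-connection host="0.0.0.0" port="8443" protocol="HTTPS"
                                  tlsContext="serverTlsContext"/>
    </http:listener-config>

    <!-- Client side. The trust-store holds server_public.crt and validates the server (one-way SSL).
         The key-store is only needed for two-way SSL, when the listener asks for a client certificate. -->
    <tls:context name="clientTlsContext">
        <tls:trust-store type="jks" path="client-truststore.jks"
                         password="${client.truststore.password}"/>
        <tls:key-store type="jks" path="client-keystore.jks" alias="mule-client"
                       keyPassword="${client.key.password}" password="${client.keystore.password}"/>
    </tls:context>

    <http:request-config name="HTTPS_Request_config">
        <http:request-connection host="localhost" port="8443" protocol="HTTPS"
                                 tlsContext="clientTlsContext"/>
    </http:request-config>

    <!-- Minimal flow so the listener is actually used (flow name and path are assumptions). -->
    <flow name="mutual-tls-demo-flow">
        <http:listener config-ref="HTTPS_Listener_config" path="/secure"/>
        <set-payload value="hello over TLS"/>
    </flow>
</mule>
```

The passwords are read from property placeholders rather than hard-coded so they can live in a secure properties file outside the XML; the keystore password and key password must match what keytool prompted for when the stores were created.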