Two-Way SSL In Mule 4


Introduction 

In Mule 4, Two-Way SSL (also called mutual SSL, mutual TLS or client authentication) strengthens the security of integrations by establishing trust in both directions between client and server. Both parties present an X.509 certificate during the TLS handshake, and each side verifies the other's certificate against its own truststore before any application data is exchanged.

In effect, Two-Way SSL is a handshake in which each side proves that it holds the private key matching a certificate the other side trusts, so only trusted clients and servers can communicate and exchange sensitive information. Mule 4 supports this directly in its HTTP connectors through a TLS context, which lets developers build integrations that keep data private and reject unauthenticated callers at the transport layer.

Keystore 

  • A keystore holds a private key together with the certificate chain that carries the matching public key.
  • It is protected by its own password (in JKS stores each private key can additionally have a separate key password).
  • The owner (for example the server) retrieves its certificate from the keystore and presents it to the other side during the handshake; the private key itself never leaves the keystore.

 Truststore 

  • A truststore holds the certificates (or the CA certificates) of every party the owner trusts.
  • It is also protected by a password.
  • When a server presents its certificate, the client verifies it against the certificates in its truststore; in Two-Way SSL the server does the same with the certificate the client presents.

SSL/TLS 

  • Configuration: In Mule 4, you configure Two-Way SSL through a TLS context attached to the HTTP Listener (server side), the HTTP Request (client side) or any other connector that supports TLS.
  • Keystore and Truststore: You need to configure both a keystore and a truststore on each side. On the server, the keystore contains the server's private key and certificate, while the truststore holds the certificates of trusted clients; on the client the roles are mirrored.
  • Client Authentication: With Two-Way SSL, the client presents its certificate to the server during the TLS handshake. Mule 4 allows you to configure the listener to request and verify a client certificate.
  • Server Authentication: Likewise, the server presents its certificate to the client, which verifies the server's identity against its truststore.

IMPLEMENT 2-WAY-SSL

Generation of Keys/Certificates for Two-Way-SSL

Execute the following commands in order. keytool -genkeypair prompts for the subject details (name, organisation, location) and by default creates a self-signed certificate that is valid for only 90 days, so pass -validity for anything longer than a quick test. JKS is a legacy format; PKCS12 (-storetype pkcs12) has been keytool's default since JDK 9 and is the better choice for new stores, but the commands below keep JKS because that is the type entered in the Studio configuration later on.

1. Creating the server keystore (private key plus self-signed certificate under the alias my-server-demo):

keytool -genkeypair -keyalg RSA -alias my-server-demo -keystore server-keystore.jks -storetype jks -keypass pwd4321 -storepass pwd4321
(Screenshot: Creating Server Keystore)

2. Creating the client keystore (a separate key pair under its own alias, my-client-demo):

keytool -genkeypair -keyalg RSA -alias my-client-demo -keystore client-keystore.jks -storetype jks -keypass pwd4321 -storepass pwd4321
(Screenshot: Creating Client Keystore)

3. Exporting the server's public certificate from the server keystore (only the certificate is exported; the private key stays in the keystore):

keytool -exportcert -keystore server-keystore.jks -alias my-server-demo -file server-certificate.cer -storepass pwd4321
(Screenshot: Exporting the server's public certificate from the server keystore)

4. Exporting the client's public certificate from the client keystore:

keytool -exportcert -keystore client-keystore.jks -alias my-client-demo -file client-certificate.cer -storepass pwd4321
(Screenshot: Exporting the client's public certificate from the client keystore)

5. Importing the server's public certificate into the client's truststore (keytool asks "Trust this certificate?"; answer yes):

keytool -importcert -keystore client-truststore.jks -storepass pwd4321 -file server-certificate.cer -alias my-server-demo
(Screenshot: Importing Server's Public Certificate into Client's truststore)

6. Importing the client's public certificate into the server's truststore:

keytool -importcert -keystore server-truststore.jks -storepass pwd4321 -file client-certificate.cer -alias my-client-demo
(Screenshot: Importing Client's Public Certificate into Server's truststore)
  • The working folder now contains all six files created above: the two keystores, the two exported certificates and the two truststores. Keep the keystores and their passwords private; only the .cer files are safe to hand to the other party.
(Screenshot: files successfully generated)
  • Opening one of the exported .cer files shows the subject details entered at the keytool prompts, the validity period and the public key.
(Screenshot: Details of the certificate)
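The six steps above consolidated into one shell script, as an added example written for this article (it is not part of the original post). It assumes a JDK keytool on PATH, uses PKCS12 stores instead of JKS, passes -dname so nothing is prompted, sets a one-year validity and a SAN for the server certificate (the name a hostname-verifying client checks against), and finishes with a check that each store holds the entry the other side will rely on. The output directory, the password, the aliases my-server-demo and my-client-demo and the host localhost are the script's own choices.

```sh
#!/bin/sh
# Added example: non-interactive version of the keytool procedure for a Mule 4 two-way TLS demo.
# Assumptions: keytool (JDK) on PATH; PKCS12 stores; the server certificate's CN/SAN is the
# host the requester will connect to (localhost for a local deployment).
set -eu

# gen_two_way_ssl DIR PASSWORD [HOST]
# Produces in DIR: server-keystore.p12, client-keystore.p12, server-certificate.cer,
# client-certificate.cer, client-truststore.p12, server-truststore.p12
gen_two_way_ssl() {
  dir="$1"; pass="$2"; host="${3:-localhost}"
  mkdir -p "$dir"
  if [ -e "$dir/server-keystore.p12" ]; then
    echo "refusing to overwrite existing stores in $dir" >&2
    return 1
  fi

  # 1. Server keystore: RSA key pair + self-signed certificate. -dname removes the prompts,
  #    -validity replaces keytool's 90-day default, SAN carries the hostname clients verify.
  keytool -genkeypair -keyalg RSA -keysize 2048 -validity 365 \
    -alias my-server-demo -dname "CN=$host, OU=Demo, O=Example" -ext "SAN=dns:$host" \
    -keystore "$dir/server-keystore.p12" -storetype PKCS12 -storepass "$pass" -keypass "$pass"

  # 2. Client keystore: a separate key pair under its own alias (the client identity).
  keytool -genkeypair -keyalg RSA -keysize 2048 -validity 365 \
    -alias my-client-demo -dname "CN=mule-client, OU=Demo, O=Example" \
    -keystore "$dir/client-keystore.p12" -storetype PKCS12 -storepass "$pass" -keypass "$pass"

  # 3./4. Export only the public certificates; the private keys never leave the keystores.
  keytool -exportcert -keystore "$dir/server-keystore.p12" -storepass "$pass" \
    -alias my-server-demo -file "$dir/server-certificate.cer"
  keytool -exportcert -keystore "$dir/client-keystore.p12" -storepass "$pass" \
    -alias my-client-demo -file "$dir/client-certificate.cer"

  # 5. Client truststore: the server certificate, so the requester can verify the listener.
  keytool -importcert -noprompt -keystore "$dir/client-truststore.p12" -storetype PKCS12 \
    -storepass "$pass" -alias my-server-demo -file "$dir/server-certificate.cer"

  # 6. Server truststore: the client certificate, so the listener can verify the requester.
  keytool -importcert -noprompt -keystore "$dir/server-truststore.p12" -storetype PKCS12 \
    -storepass "$pass" -alias my-client-demo -file "$dir/client-certificate.cer"
}

# keystore_has_key STORE PASSWORD ALIAS: succeeds when ALIAS is a private-key entry
keystore_has_key() {
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null | grep -q PrivateKeyEntry
}

# truststore_trusts STORE PASSWORD ALIAS: succeeds when ALIAS is a trusted-certificate entry
truststore_trusts() {
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null | grep -q trustedCertEntry
}

# Usage: sh gen-two-way-ssl.sh run   (generates into ./certs and checks every store)
if [ "${1:-}" = "run" ]; then
  gen_two_way_ssl ./certs pwd4321 localhost
  keystore_has_key  ./certs/server-keystore.p12   pwd4321 my-server-demo
  keystore_has_key  ./certs/client-keystore.p12   pwd4321 my-client-demo
  truststore_trusts ./certs/client-truststore.p12 pwd4321 my-server-demo
  truststore_trusts ./certs/server-truststore.p12 pwd4321 my-client-demo
  echo "two-way TLS material generated in ./certs"
fi
```

The final four checks are the ones worth repeating whenever a handshake fails: a missing PrivateKeyEntry means the side cannot present a certificate, a missing trustedCertEntry means it cannot verify the peer, and each truststore must contain the other side's certificate, not its own.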

Prerequisites

  • Create a Mule project in Anypoint Studio and name it as you like.
(Screenshot: Creating Mule Project)
  • Drag an HTTP Listener component from the Mule palette onto the flow.
  • Configure the HTTP Listener global configuration with the default values and set the path to /one-way.
(Screenshot: Listener Configuration)
  • Configure the HTTP Request connection in Studio.
(Screenshot: Request Configuration)
  • Both the Request and the Listener use HTTPS; the path is /one-way and the port is 8091.
(Screenshot: Test two way)
(Screenshot: Listener Properties - Port is 8091)
  • The request calls the listener on port 8091 because the application is deployed locally. As soon as HTTPS is selected for a connector, Studio requires a TLS configuration for it.
  • The TLS configuration can be defined inline within the connector configuration, or as a global TLS context; the global context is the better choice when the same keystore and truststore are reused by several connectors.
  • In the global TLS context both Keystore and Truststore are enabled.
(Screenshot: Global TLS Configuration Properties)
  • The Keystore section of the global TLS context takes the path, password and type (jks) of the store created above, the same values used for the one-way listener configuration.
(Screenshot: Global TLS Configuration Properties)
  • Run the application and call the /one-way endpoint.
(Screenshot: Application is running)
  • This completes a one-way handshake: the server presented its certificate and the requester validated it against its truststore. For the two-way case, the listener's TLS context must also reference server-truststore.jks, which holds the client certificate; with a truststore configured the listener requests a certificate from the requester and verifies it. The requester's TLS context in turn must reference client-keystore.jks, from which the client certificate is presented, alongside client-truststore.jks.
(Screenshot: Success Response in Postman)
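The same setup expressed as Mule 4 configuration XML rather than through the Studio dialogs, as an added example written for this article and not taken from the original project. It assumes the store files sit on the classpath (src/main/resources), that the store password comes from a tls.password property in config.properties, and it uses the names serverTlsContext, clientTlsContext, HTTPS_Listener_config, HTTPS_Request_config, the path /two-way and a plain-HTTP trigger flow on port 8081, none of which appear in the original post.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<mule xmlns="http://www.mulesoft.org/schema/mule/core"
      xmlns:http="http://www.mulesoft.org/schema/mule/http"
      xmlns:tls="http://www.mulesoft.org/schema/mule/tls"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="
        http://www.mulesoft.org/schema/mule/core http://www.mulesoft.org/schema/mule/core/current/mule.xsd
        http://www.mulesoft.org/schema/mule/http http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd
        http://www.mulesoft.org/schema/mule/tls http://www.mulesoft.org/schema/mule/tls/current/mule-tls.xsd">

    <!-- tls.password=pwd4321 lives in src/main/resources/config.properties (assumed).
         Use Secure Configuration Properties instead of a plain-text value outside a demo. -->
    <configuration-properties file="config.properties"/>

    <!-- Server side (HTTP Listener). The key store is the listener's identity. The trust store holds
         client-certificate.cer, and its presence is what makes the listener demand and verify a
         client certificate; without the trust store the same listener only does one-way TLS. -->
    <tls:context name="serverTlsContext" enabledProtocols="TLSv1.2,TLSv1.3">
        <tls:trust-store path="server-truststore.jks" password="${tls.password}" type="jks"/>
        <tls:key-store path="server-keystore.jks" alias="my-server-demo"
                       keyPassword="${tls.password}" password="${tls.password}" type="jks"/>
    </tls:context>

    <!-- Client side (HTTP Request). The key store supplies the certificate presented to the server;
         the trust store holds server-certificate.cer so the listener can be verified.
         Never add insecure="true" to this trust store: it disables certificate validation. -->
    <tls:context name="clientTlsContext" enabledProtocols="TLSv1.2,TLSv1.3">
        <tls:trust-store path="client-truststore.jks" password="${tls.password}" type="jks"/>
        <tls:key-store path="client-keystore.jks" alias="my-client-demo"
                       keyPassword="${tls.password}" password="${tls.password}" type="jks"/>
    </tls:context>

    <http:listener-config name="HTTPS_Listener_config">
        <http:listener-connection host="0.0.0.0" port="8091" protocol="HTTPS"
                                  tlsContext="serverTlsContext"/>
    </http:listener-config>

    <http:request-config name="HTTPS_Request_config">
        <http:request-connection host="localhost" port="8091" protocol="HTTPS"
                                 tlsContext="clientTlsContext"/>
    </http:request-config>

    <!-- Plain HTTP trigger used only to start the client flow from Postman (assumed, port 8081). -->
    <http:listener-config name="HTTP_Trigger_config">
        <http:listener-connection host="0.0.0.0" port="8081"/>
    </http:listener-config>

    <!-- Server flow: only reached after the mutual handshake has succeeded. -->
    <flow name="two-way-server-flow">
        <http:listener config-ref="HTTPS_Listener_config" path="/two-way"/>
        <set-payload value="client certificate accepted by /two-way"/>
    </flow>

    <!-- Client flow: GET /trigger on 8081 makes the requester present my-client-demo to the listener. -->
    <flow name="two-way-client-flow">
        <http:listener config-ref="HTTP_Trigger_config" path="/trigger"/>
        <http:request config-ref="HTTPS_Request_config" method="GET" path="/two-way"/>
    </flow>
</mule>
```

To confirm that the listener really enforces client authentication, point a second request configuration at it whose TLS context has only the trust store and no key store: the handshake must fail, because the listener receives no client certificate to verify.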

Conclusion 

In conclusion, two-way SSL, or mutual TLS authentication, is a robust mechanism for authenticating both client and server in web communications. By requiring each party to prove possession of the private key behind a certificate the other party trusts, it removes the one-sided trust of ordinary HTTPS and mitigates impersonation attacks on either end.

Implementation is more involved than one-way TLS (two keystores, two truststores and a certificate exchange to maintain), and the extra certificate verification adds some handshake overhead, but the added assurance is worth it wherever sensitive data is handled, for example in banking, healthcare and government integrations. Two points remain the operator's responsibility: the keystore files and their passwords must be protected (Mule's secure configuration properties rather than plain-text values in the XML), and a verified client certificate only authenticates the caller; what that caller is allowed to do is still an authorization decision for the application.
