Secure your API

Securing data is essential for every organization, whether the data is in flight or at rest. Enterprises secure this data either by writing custom code or by using out-of-the-box features of their platforms and products.

Broadly, two types of data are involved when an organization implements its business processes.

 

Business Data Encryption

Business data flows through the different products that implement an organization's business processes. This data is usually either in flight or at rest.

In flight

When an event occurs, multiple products get involved to accomplish certain tasks or actions. These tasks require some sort of data to be created, manipulated or deleted at various endpoints. This data needs to be secured when it is passed from one product or platform to another. An organisation should use end-to-end encryption to achieve this. Today almost all products allow Transport Layer Security (TLS) to be configured for communication.

At rest

Every organization, from SMEs to enterprises and governments, stores a lot of data in its warehouses or in the cloud. If we don't secure this data, there is a risk of exposing it to anyone who might have bad intentions. Data stored in databases, files, binaries, etc. should be properly encrypted.

 

 

Product Data Encryption

A product enables an organization to achieve its vision. Business data flows through these products and is eventually manipulated according to the organization's requirements. The product acts as a bridge between two endpoints so that they can communicate securely. These two endpoints trust each other by using some kind of authentication/authorization mechanism. This authentication mechanism could be a public key exchange (PKI), a digest password, a plain text password, etc.

 

Most products use these security practices one on top of another, for example password authentication over TLS.

How to encrypt these passwords in MuleSoft?

MuleSoft provides a secure properties module which allows these endpoint credentials to be encrypted with a chosen algorithm. This enables two endpoints to exchange business data.

secure-property-api

We have created a very basic API that lets a developer use this out-of-the-box feature.

This project repository defines basic steps to create a secure property value using

 

Prerequisite

You should have a basic understanding of Mule 4 development or a significant background in the integration space to start with.

 

 

Secure property tools jar file provided by MuleSoft.

How to encrypt a string in Mule4 using Secure property tool

Download Secure property tools

We need to download the secure properties tool jar file from the MuleSoft website; please click here for Mule 4.2 to download the file.

Encrypt a string text value

To encrypt a string, specify the parameters described below:

java -jar secure-properties-tool.jar \
string \
encrypt \
AES \
CBC \
"abcdefghm123456789nMdGi74JfcPMlx" \
"this is encrypted value"

| Item | Description | Example | Other |
|---|---|---|---|
| method | string or file | string | |
| operation | encrypt or decrypt | encrypt | Decryption will be done by the API itself |
| algorithm | MuleSoft provides a set of supported algorithms and respective modes to encrypt the file; you can refer to the page | AES | |
| mode | MuleSoft provides a set of supported algorithms and respective modes to encrypt the file; you can refer to the page | CBC | |
| key | Any key based on the algorithm and its mode | abcdefghm123456789nMdGi74JfcPMlx | We need to pass this key to the Mule runtime. Standalone: -D= -DAPI_MASTER_KEY=abcdefghm123456789nMdGi74JfcPMlx. CloudHub: please click here |
| value | The secret we want to encrypt | this is encrypted value | |

java -jar secure-properties-tool.jar \
string \
encrypt \
AES \
CBC \
"abcdefghm123456789nMdGi74JfcPMlx" \
"this is encrypted value"

Output

9T5f/4hVrfREVPUjGg+ZK6lt/GCx1KcJDjjXUf8+w7A=

We will put this encrypted value in our configuration file and then use the transform scope to read it.

How to use secure module in the project
Install Extension Module in Studio
  1. Open your Mule project in Anypoint Studio. 

  2. Go to the Mule Palette section and click Search in Exchange. 

  3. In the Add Module to Project window, search for Mule Secure Configuration Property Extension in the Type a search term to look up in Exchange box.

  4. Select the module name in the list.

  5. Click Add and then Finish.

Use module in global configuration

  1. Open your global.xml in the project.

  2. Go to Global Element section and click on create 

  3. Now provide the configuration below, click OK, then save the file.

| Item | Description | Example | Other |
|---|---|---|---|
| File | Configuration file which has encrypted values | configs-LOCAL.yaml | |
| Key | Reference to the master secret key used to encrypt the text string | ${API_MASTER_KEY} | This is an environment variable (command line argument) reference which we will pass to the Mule runtime in order to deploy the API |
| Algorithm | | AES | |
| Mode | | CBC | |

Supply encrypted text values in configs-LOCAL.yaml file
  1. Encrypt a text value

Please refer to the section How to encrypt a string in Mule4 using Secure property tool

  2. Add encrypted values into the configs-LOCAL.yaml

You must provide the encrypted values in the following syntax: ![ENCRYPTED_VALUE]

TEXT: "this is encrypted value"

ENCRYPTED: 9T5f/4hVrfREVPUjGg+ZK6lt/GCx1KcJDjjXUf8+w7A=

configs-LOCAL.yaml
local:
  enc-test: "![9T5f/4hVrfREVPUjGg+ZK6lt/GCx1KcJDjjXUf8+w7A=]"
  normal-test: "this is non encrypted value"
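
A pre-deployment check for this file, as an added example that is not part of the original project: it flags sensitive-looking keys whose values are not wrapped in ![...], and wrapped values whose Base64 payload cannot be AES/CBC ciphertext (for instance after a truncated copy/paste). The sample file, the db-password and api-token keys, and the list of sensitive key names are assumptions made for illustration.

```python
import base64
import binascii
import re

# Constructed sample in the layout of configs-LOCAL.yaml; "db-password" and
# "api-token" are hypothetical; api-token holds the page's ciphertext cut short.
SAMPLE = '''\
local:
  enc-test: "![9T5f/4hVrfREVPUjGg+ZK6lt/GCx1KcJDjjXUf8+w7A=]"
  normal-test: "this is non encrypted value"
  db-password: "Sup3rS3cret"
  api-token: "![9T5f/4hVrfREVPUjGg+ZK6lt/GCx1KcJ]"
'''

SENSITIVE = re.compile(r"pass(word)?|secret|token|credential|api-?key", re.I)  # assumed names
ENTRY = re.compile(r'^\s*([\w.-]+):\s*"?(.*?)"?\s*$')   # key: "value"
WRAPPED = re.compile(r"^!\[(.*)\]$")                    # ![...]
AES_BLOCK = 16  # AES/CBC ciphertext is always a whole number of 16-byte blocks

def check_value(value):
    """Return None for a well-formed ![...] value, otherwise the reason."""
    match = WRAPPED.match(value)
    if not match:
        return "not wrapped in ![...]"
    try:
        raw = base64.b64decode(match.group(1), validate=True)
    except (binascii.Error, ValueError):
        return "payload is not valid Base64"
    if not raw or len(raw) % AES_BLOCK:
        return "ciphertext length is not a multiple of the AES block size"
    return None

def lint(text):
    """Return (line number, key, reason) for every suspicious entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = ENTRY.match(line)
        if not match or not match.group(2):
            continue  # section header such as "local:" or a blank line
        key, value = match.groups()
        if value.startswith("![") or SENSITIVE.search(key):
            reason = check_value(value)
            if reason:
                findings.append((lineno, key, reason))
    return findings

if __name__ == "__main__":
    for lineno, key, reason in lint(SAMPLE):
        print(f"line {lineno}: {key}: {reason}")
```
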

get-health-implementation.xml

We will read the secure property in our transformation to demonstrate.

%dw 2.0
output application/json
---
{
  status: "Running",
  version: "r.master.9999",
  normal: p('local.normal-test'),
  normalUsingSecureModule: p('secure::local.normal-test'), 
  decrypted: p('secure::local.enc-test')
}

API Development

Please click here to refer to the RAML specification

Run the Secure Property API

We have completed the initial development; now we can run the project and test it.

  1. Right-click on the project, then select Run As and Mule Application (configure).

  2. Provide API_MASTER_KEY in the Arguments as a program argument, so Mule can use it to decrypt the encrypted values, and click the Run button.

  3. In the console tab, you will see information about building the project and then starting the Mule runtime. Once you see that the app secure-property is DEPLOYED, our API is running.

  4. You can access this API on url “http://localhost:8081/secure-property-api/api/health” 

 

Congratulations, your API is up and running. 🙂

Author

Suresh Dhaka

I have 6 years of experience in JAVA/J2EE and SOA development. I started my career with YMSLI as a Software Engineer, where I worked on J2EE projects with Spring, Struts, Hibernate and Maven. I developed RESTful services that communicate over JSON and also started hands-on work with Docker (https://hub.docker.com/u/dhaks) and Puppet at the same time. Furthermore, when it comes to development with SOA-based projects, I'm working on Mule4 (on-prem) with Anypoint Platform and Anypoint Studio for API management. I previously worked on WSO2 APIM/ESB/BPS/DSS and Identity Management (SAML2, OpenID Connect, OAuth2), which we used as a middleware component. I have Azure DevOps experience managing a Safe Agile framework (Dashboard, Features, User Stories and Task groups), key vault etc. Also, we use Azure DevOps for Continuous Integration and Continuous Deployment. I have AWS developer training and OpenShift hands-on experience, which we utilize to manage Mule APIs in a containerized env with an API-led design pattern.
