Author: Shyam Kulkarni
In this blog, we will understand one-way SSL and how to configure it for Mule applications (using self-signed certificates).
One Way SSL:
Execution steps are as follows:
Step 1: The client application sends a “ClientHello” message and makes a secured HTTPS call to access the server application’s resource.
Step 2: Since the server application is configured with a keystore, it retrieves its public certificate (.crt) from the keystore.
Step 3: The server application responds with a “ServerHello” message and sends its public certificate to the client. (The server application’s public certificate contains the server’s public key along with some other information.)
Step 4: The client application uses its trust store to verify the certificate received from the server.
Step 5: After the verification is successful, the client application generates a session key.
Step 6: The client application encrypts this session key with the help of the public key received from the server application and sends this encrypted session key to the server application.
Step 7: The server application receives this encrypted session key and decrypts it by using its private key.
Step 8: Now, both client and server applications have the same session key and hence an encrypted link is established.
So to summarize, during the SSL/TLS handshake the server application presents its certificate, the client application verifies it, and the session key is negotiated.
Now, after the SSL/TLS handshake, communication between the client and server applications proceeds as follows:
1. The client application sends the data to the server application by encrypting this data with the session key and the server application decrypts the data using the same session key.
2. Similarly, when the server application wants to send data to the client application it encrypts the data using the session key, and when the client application receives the encrypted data, it decrypts it using the same session key.
Keystore: The keystore stores the identity of the server: the server’s certificate together with the corresponding private key.
Truststore: The truststore stores all the certificates which the server trusts.
Generation of Keys/Certificates:
Here, we will be generating private keys and self-signed certificates.
We will be using the keytool utility, which is part of the JDK. [You can find keytool under the path JAVA_HOME/bin]
Keytool is a utility to manage keys and certificates.
Step 1: Creating Server Keystore
Create the server’s private key and public key using the -genkeypair command. The generated key pair and the self-signed certificate are stored in the server keystore.
keytool -genkeypair -keyalg RSA -alias mule-server-demo -keystore server-keystore.jks -storetype jks -keypass pass1234 -storepass pass1234
In the above command, several options are used, each preceded by a ‘-’ sign. Let’s have a look at them:
-alias:
– The private key and certificate are stored together as one keystore entry.
– This entry is identified by a unique string known as the ‘alias’.
– In this example, we have specified ‘mule-server-demo’ as the alias.
*Note: A keystore can hold multiple certificates, so the alias given in the command is what keytool uses to find the right entry in the keystore.
-keyalg: Algorithm used to generate the key pair. In this example, RSA is used.
-storetype: Type of keystore (JKS, PKCS12, etc.). In this example, JKS is used.
-keypass: specifies the key password
-storepass: specifies the keystore password
After executing this command, keytool prompts for some details that go into the certificate.
*Note: The keystore is created by this command if it does not already exist.
Now we can see server-keystore.jks created in the directory where the command was executed.
Step 2: Exporting the server’s public certificate from the server keystore:
The server’s public certificate has to be installed in the client’s truststore, so we first export the certificate from the server keystore.
To retrieve the certificate from the server keystore, we use the -exportcert command with the same alias used in the previous command.
keytool -exportcert -keystore server-keystore.jks -alias mule-server-demo -file server-certificate.cer -storepass pass1234
After executing the above command, the server’s public certificate has been exported from the server keystore into server-certificate.cer.
-file: Name of the file the certificate is exported to.
Step 3: Importing Server’s Public Certificate into Client’s truststore:
To store the server’s public certificate in the client truststore, we use the -importcert command.
keytool -importcert -keystore client-truststore.jks -storepass pass1234 -file server-certificate.cer -alias mule-server-demo
After executing the above command, we can see client-truststore.jks being created and the server’s public certificate imported into it.
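Before wiring the two stores into Mule, it is worth checking that the client truststore really accepts the certificate sitting in the server keystore; this is the same verification the client performs in Step 4 of the handshake above. The program below is an added example, not code from the original post or from MuleSoft; it assumes the file names, alias and password from the keytool commands above and that both .jks files have been copied to src/main/resources.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added check (not part of the original post): does client-truststore.jks trust
// the certificate stored under the alias in server-keystore.jks?
public class TrustCheck {
    // Values taken from the keytool commands in this post.
    static final String ALIAS = "mule-server-demo";
    static final char[] PASS = "pass1234".toCharArray();

    static KeyStore load(String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");   // matches -storetype jks
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        return ks;
    }

    // Builds the JDK's default trust manager from the truststore and asks it to
    // validate the chain, exactly as a TLS client would during the handshake.
    static boolean isTrusted(KeyStore trustStore, X509Certificate[] chain) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                try {
                    ((X509TrustManager) tm).checkServerTrusted(chain, "RSA");
                    return true;
                } catch (CertificateException e) {
                    System.out.println("Rejected: " + e.getMessage());
                    return false;
                }
            }
        }
        return false;   // no X.509 trust manager available
    }

    public static void main(String[] args) throws Exception {
        KeyStore serverKs = load("src/main/resources/server-keystore.jks", PASS);
        KeyStore clientTs = load("src/main/resources/client-truststore.jks", PASS);
        X509Certificate serverCert = (X509Certificate) serverKs.getCertificate(ALIAS);
        serverCert.checkValidity();   // fails once the self-signed cert expires (keytool default: 90 days)
        System.out.println("Server cert subject: " + serverCert.getSubjectX500Principal());
        System.out.println("Trusted by client truststore: "
            + isTrusted(clientTs, new X509Certificate[] { serverCert }));
    }
}
```

Run it from the project root after Step 3; a "Rejected:" line means the export or import step was done against a different alias or file, which would surface later as a handshake failure between the two Mule flows.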
Configuring One Way SSL in MuleSoft Application:
Step 1: Start Anypoint Studio and create a new mule project named “one-way-ssl”.
Step 2: Copy the server-keystore.jks and client-truststore.jks which we have generated and paste into src/main/resources.
Step 3: Create a flow server-flow which will act as a server application in our POC.
Step 4: Configure the server-flow as follows:
- Add a Listener, set the Display Name to /server : 8082 and the Path to /server.
- Now configure the connector: click the green plus icon and a dialog box will appear.
- Set the Protocol to HTTPS and the Port to 8082.
- Now head over to the TLS tab -> under TLS Configuration, select Edit Inline -> enter the Key Store Configuration (see image for config).
- Add a Transform Message and enter the following DataWeave script:
The following images depict the configuration that needs to be implemented:
Step 5: Configure the client-flow as follows:
- Add a Listener, set the Display Name to /client : 8081 and the Path to /client.
- Now configure the connector: click the green plus icon and a dialog box will appear.
- Set the Protocol to HTTP and the Port to 8081.
- Add a Request component, set its Display Name to Call Server – : 8082/server and set the Path to /server.
- Now configure the connector: click the green plus icon and a dialog box will appear.
- Set the Protocol to HTTPS, the Host to localhost and the Port to 8082.
- Now head over to the TLS tab -> under TLS Configuration, select Edit Inline -> enter the Trust Store Configuration (see image for config).
- Add a Transform Message and enter the following DataWeave script:
Step 6: Go to Run -> Run Configurations -> add the following in the VM arguments:
Then run the application.
Step 7: Go to your browser and enter the following URL:
You will be able to see the output “Server”.