One-Way SSL In MuleSoft
Introduction
What is One Way SSL?
One-way SSL (Secure Sockets Layer), also known as SSL/TLS authentication or server-side SSL authentication, is a security protocol used to establish an encrypted link between a client and a server. In one-way SSL, only the server is authenticated to the client.
How does One Way SSL work?
As previously discussed, in one-way SSL only the client verifies the server’s certificate. The server maintains a keystore containing its private key and its public certificate, while the client uses a trust store containing the server’s public certificate for validation. With this setup the client can authenticate the server’s identity during the SSL handshake; the server does not authenticate the client.
- The client initiates communication by sending a request for a resource over the secure HTTPS protocol.
- The server responds by sending its public certificate (.crt) and acknowledging the client’s request.
- The client validates the server’s public certificate against its trust store.
- The client generates a symmetric session key and encrypts it with the public key from the server’s certificate.
- The server decrypts the session key with its private key and returns an acknowledgment encrypted with the session key; from this point the connection is secured with that key.
(This describes the classic RSA key exchange. TLS 1.3 derives the session key through an ephemeral Diffie-Hellman exchange instead, but the trust model is the same: only the server’s certificate is verified.)
Implementation
Step-1:
Create a new Mule application with the name “one-way-ssl-server”.
Step-2:
Drag and drop an HTTP listener on the message flow
Step-3:
Now we need to generate the keystore, the trust store, and the public certificate. To generate them we use the Java keytool utility, which ships with the JDK. Go to the folder where the JDK is installed and open its “bin” folder; you will see keytool.exe there.
Now open cmd from this location
Step 4:
To generate the server keystore, paste the command below into cmd and press Enter:
keytool -genkey -alias mule-server -keyalg RSA -keystore D:\SSL-Certificate\Oneway-SSL\server-keystore.jks
- -genkey generates a key pair (it is an older alias of -genkeypair, which still works)
- -alias gives the key pair an alias (mule-server); you will need the same alias again when exporting the certificate
- -keyalg specifies the key algorithm (RSA)
- -keystore specifies the keystore to create: the path where it will be generated, followed by the file name and extension
Give a password for the keystore, for example “mulesoft”.
Re-enter the password “mulesoft”.
For “first and last name” (the certificate’s CN) give localhost, the host name the client will connect to.
The remaining fields can be skipped by pressing Enter.
Answer “yes” when asked whether the details are correct and press Enter. It will ask you to re-enter the keystore password; re-enter it and press Enter. The keystore is generated in the location and with the name given in the command, “D:\SSL-Certificate\Oneway-SSL\server-keystore.jks”.
Now we can see that a keystore for the server has been created with the “.jks” extension. It contains both the server’s private key and its public certificate; next we need to extract the public certificate. You can confirm the contents with keytool -list -v -keystore server-keystore.jks.
Step-5:
To extract the public certificate, paste the command below into cmd, press Enter, and give the keystore password “mulesoft”:
keytool -export -alias mule-server -keystore D:\SSL-Certificate\Oneway-SSL\server-keystore.jks -file D:\SSL-Certificate\Oneway-SSL\server-pubcertificate.crt
- -export exports the certificate (an older alias of -exportcert)
- -alias must be the same alias given when generating the keystore
- -keystore is the path of the keystore, and -file is the path where the public certificate will be written, with its name and extension
Now we can see that the server certificate “server-pubcertificate.crt” has been generated. Next we need to generate a client trust store and import this public certificate into it.
Step-6:
To generate the client trust store with the server public certificate in it, paste the command below into cmd and press Enter:
keytool -import -alias mule-server -keystore D:\SSL-Certificate\Oneway-SSL\client-truststore.jks -file D:\SSL-Certificate\Oneway-SSL\server-pubcertificate.crt
Give the password as “mulesoft”.
Then answer yes when asked “Trust this certificate?”
Now we can see that the client trust store “client-truststore.jks” has been created. We now have the server keystore, the client trust store, and the server public certificate. Next we configure the HTTP listener.
Step-7:
First copy the server keystore into src/main/resources.
Then in the HTTP listener click the “+” button next to Connector configuration, choose HTTPS as the protocol and change the port number to 8082.
Now we need to specify the keystore for our server. To do that go to TLS and select “Edit inline”.
Now in the Key Store Configuration give:
Type as “jks”
Path as “server-keystore.jks”
Key password as “mulesoft”
Password is “mulesoft”
Then click on OK
Now give the path in the listener as “/server”
Step-8:
Now drag and drop a Transform Message component into the process section of the flow and give it the message below.
Now save the project
Step-9:
Now we are going to create a client application.
Create a mule application with the name “one-way-ssl-client”
Now drag and drop an HTTP listener and configure its protocol as HTTP and path as “/client”
Now drag and drop a request component on the process section of the flow
Now copy and paste the client trust store in the src/main/resources folder
Now we need to add the configuration of the request component.
Click on the “+”
Then select the protocol as HTTPS
Give host as localhost
Port as 8082
In TLS Configuration select “Edit inline”.
Then in Trust Store Configuration give:
Path as “client-truststore.jks”
Password as “mulesoft”
Select the type as “JKS”
Then click on OK
Step-10:
Now in the Request section of the Request component give the path as “/server”.
And save the project
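The listener and requester configuration that the Step-7 and Step-9/10 clicks produce, written as the Mule 4 XML that Anypoint Studio generates behind the canvas; this is an added example, not code from the original post. The config names, the client’s port 8081 and the set-payload response text are assumptions, and Studio’s doc:name and xsi:schemaLocation attributes are omitted.

```xml
<!-- one-way-ssl-server: src/main/mule/one-way-ssl-server.xml (assumed file name) -->
<mule xmlns="http://www.mulesoft.org/schema/mule/core"
      xmlns:http="http://www.mulesoft.org/schema/mule/http"
      xmlns:tls="http://www.mulesoft.org/schema/mule/tls">
    <!-- Step-7: HTTPS listener on 8082 with the server keystore as an inline TLS context -->
    <http:listener-config name="HTTPS_Listener_config">
        <http:listener-connection host="0.0.0.0" port="8082" protocol="HTTPS">
            <tls:context>
                <!-- keystore from Step-4, copied into src/main/resources -->
                <tls:key-store type="jks" path="server-keystore.jks" alias="mule-server"
                               keyPassword="mulesoft" password="mulesoft"/>
            </tls:context>
        </http:listener-connection>
    </http:listener-config>
    <flow name="one-way-ssl-serverFlow">
        <http:listener config-ref="HTTPS_Listener_config" path="/server"/>
        <!-- assumed response; the page uses a Transform Message whose content is not shown -->
        <set-payload value="Hello from the one-way SSL server"/>
    </flow>
</mule>

<!-- one-way-ssl-client: src/main/mule/one-way-ssl-client.xml (assumed file name) -->
<mule xmlns="http://www.mulesoft.org/schema/mule/core"
      xmlns:http="http://www.mulesoft.org/schema/mule/http"
      xmlns:tls="http://www.mulesoft.org/schema/mule/tls">
    <!-- plain HTTP listener for the client's own /client endpoint (port 8081 assumed) -->
    <http:listener-config name="HTTP_Listener_config">
        <http:listener-connection host="0.0.0.0" port="8081"/>
    </http:listener-config>
    <!-- Step-9: HTTPS requester that trusts only the certificate imported into client-truststore.jks -->
    <http:request-config name="HTTPS_Request_config">
        <http:request-connection host="localhost" port="8082" protocol="HTTPS">
            <tls:context>
                <!-- trust store from Step-6; no key-store here because the client is not authenticated -->
                <tls:trust-store type="jks" path="client-truststore.jks" password="mulesoft"/>
            </tls:context>
        </http:request-connection>
    </http:request-config>
    <flow name="one-way-ssl-clientFlow">
        <http:listener config-ref="HTTP_Listener_config" path="/client"/>
        <!-- Step-10: call the server's /server path over HTTPS -->
        <http:request method="GET" config-ref="HTTPS_Request_config" path="/server"/>
    </flow>
</mule>
```

If the server certificate is not in client-truststore.jks, the requester fails the handshake instead of falling back to plain HTTP, which is the behaviour one-way SSL is meant to give.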
Step-11:
Now we need to deploy both applications at once.
To do that, right-click either application,
then go to Run As
and click “Mule Application (configure)”.
Select the two applications we created and click Run.
The applications will be deployed successfully.
Step-12:
Now we need to send a request to the client application’s “/client” endpoint.
The connection is successfully established between the client and the server.