MuleSoft

Two-Way SSL In MuleSoft

Introduction

What is Two-Way SSL?
Two-Way SSL, also known as Mutual SSL, Bidirectional SSL or mutual TLS (mTLS), is a mode of SSL/TLS communication in which both the client and the server authenticate each other with certificates. (SSL is the legacy name; what actually runs on the wire today is TLS.) In ordinary one-way TLS only the server presents a certificate, so any client that can reach the port can talk to it. Two-Way SSL adds the second direction: the server accepts only clients that present a certificate it trusts and that can prove possession of the matching private key, so identity is checked before any request reaches the application flow.

How does Two-Way SSL work?

In Two-Way SSL the client verifies the server's certificate and the server verifies the client's certificate. On the server side, a keystore holds the server's private key together with its certificate, while a truststore holds the client's certificate (or the CA certificate that issued it). On the client side, a keystore holds the client's private key and certificate, and a truststore holds the server's certificate (or its CA). Private keys never leave their keystore; only certificates, which carry public keys, are exchanged.

  • The client opens the connection and sends a ClientHello listing the TLS versions and cipher suites it supports.
  • The server answers with a ServerHello, its certificate, and, because mutual authentication is configured, a CertificateRequest asking the client to identify itself.
  • The client checks the server's certificate against its truststore and checks that the name in the certificate (CN=localhost in this tutorial) matches the host it connected to.
  • The client sends its own certificate followed by a CertificateVerify message: a signature over the handshake so far, made with the client's private key. This is how the client proves it actually holds the key that belongs to the certificate.
  • The server checks the client's certificate against its truststore and verifies the signature with the public key from that certificate. If either check fails the server aborts the handshake with an alert, so a client with no certificate, or an untrusted one, never reaches the application flow.
  • Both sides derive the symmetric session keys from the key exchange carried in the Hello messages (an ephemeral Diffie-Hellman exchange in TLS 1.3; the older RSA mode in which the client encrypts a pre-master secret with the server's public key is legacy and is not allowed in TLS 1.3). The session key is never encrypted with the client's certificate; the client's private key is used only for the signature.
  • Each side sends a Finished message, and all further traffic is encrypted under the agreed session keys.

Implementation

Step-1:

Create a mule application (two-way-ssl-server). This will act as a server.

Step-2:

Drag and drop an HTTP listener on the message flow

Step: 3

Now we need to generate the client keystore, client truststore, server keystore and server truststore. They are created with keytool, the key and certificate management utility that ships with every JDK.

keytool lives in the bin folder of the JDK installation (keytool.exe on Windows).

Open cmd in that folder, or in any folder if the JDK bin directory is on your PATH.

Step-4:
Now we are going to generate a server key store. To do that paste the below command in cmd and press enter

keytool -genkey -alias mule-server -keyalg RSA -keystore D:\SSL-Certificate\Twoway-SSL\server-keystore.jks

[-genkey (now an alias for -genkeypair) generates a new key pair and a self-signed certificate, and creates the keystore file if it does not exist yet

-alias is the name of this entry inside the keystore

A keystore can hold several entries, so the alias is what later commands, and the Mule configuration, use to pick the right certificate and key.

-keyalg is the algorithm of the key pair (RSA here)

-keystore is the path of the keystore file to create or update]

It prompts for the keystore password and then for "first and last name" and the other distinguished-name fields. Only the password and the first and last name matter here: that name becomes the CN of the certificate, so enter localhost, the host the client will connect to; a different name can make the client reject the server's certificate. The remaining fields can be skipped. Answer yes when asked whether the information is correct, then set the key password. This tutorial uses mulesoft for both passwords.

A server key store will be created in the location

Step-5:

Now we need to extract the server public certificate from the keystore. To do that copy and paste the command below in cmd and press enter

keytool -export -alias mule-server -keystore D:\SSL-Certificate\Twoway-SSL\server-keystore.jks -file D:\SSL-Certificate\Twoway-SSL\server-pubcertificate.crt

The alias must be the same one given when the server keystore was generated.

[-export (now an alias for -exportcert) writes the certificate stored under the alias to a file; the private key stays in the keystore

-alias selects which entry's certificate to export

-keystore is the keystore to read from

-file is where to write the certificate; by default the file is binary DER, add -rfc if a PEM file is needed for tools such as openssl or curl]

It asks for the keystore password; enter the one chosen in Step 4 (mulesoft in this tutorial).

The public certificate is written to the file server-pubcertificate.crt.

Step-6:

Now we are going to generate a client Truststore and have the server public certificate imported inside it. To do that copy and paste the below command in cmd.

keytool -import -alias mule-server -keystore D:\SSL-Certificate\Twoway-SSL\client-truststore.jks -file D:\SSL-Certificate\Twoway-SSL\server-pubcertificate.crt

[-import (now an alias for -importcert) adds the server's public certificate to the client truststore as a trusted entry

-alias names the entry inside the truststore

-keystore is the truststore file; it is created if it does not exist yet

-file is the certificate to import]

It asks for a truststore password. This tutorial uses mulesoft to avoid confusion; any password will do.

keytool then prints the certificate's subject and fingerprint and asks "Trust this certificate?". Check that the fingerprint matches the one of the server keystore entry (keytool -list -v shows it), answer yes, and the certificate is added to the truststore.

A Trust store with the name “client-truststore.jks” will be created in the file location

Step-7:

Now we need to generate a client Keystore. To do that copy and paste the below command in cmd.

keytool -genkey -alias mule-client -keyalg RSA -keystore D:\SSL-Certificate\Twoway-SSL\client-keystore.jks

The command is the same as the one used for the server keystore; only the alias and the file name differ.

The prompts are the same as for the server keystore. Give localhost as first and last name again. This tutorial uses mulesoft as both the client keystore password and the key password to avoid confusion, but outside a demo each store should get its own strong password, and the client's private key should never be copied to the server.

A client keystore with the name “client-keystore.jks” will be generated in the file location

Step-8:

Now we need to extract the client’s public certificate from the client key store. To do that copy and paste the command below in cmd.

keytool -export -alias mule-client -keystore D:\SSL-Certificate\Twoway-SSL\client-keystore.jks -file D:\SSL-Certificate\Twoway-SSL\client-pubcertificate.crt

Note: the alias must be the one given when the client keystore was created.

Enter the client keystore password (mulesoft in this tutorial).

A client public certificate named “client-pubcertificate.crt” is created in the specified location.

Step-9:

Now we need to create a server truststore and import the client certificate in it. To do that copy the command below in cmd and press enter

keytool -import -alias mule-client -keystore D:\SSL-Certificate\Twoway-SSL\server-truststore.jks -file D:\SSL-Certificate\Twoway-SSL\client-pubcertificate.crt

It asks for a password for the new server truststore (mulesoft in this tutorial).

Answer yes to "Trust this certificate?". The server now trusts exactly one client certificate; a client presenting a different certificate, or none at all, is rejected during the handshake.

Step-10:

Now we need to place the server keystore and trust store in the src/main/resources folder of the two-way-ssl-server application.

Copy the server-truststore.jks and server-keystore.jks from the location where it is created.

And paste it into the src/main/resources folder of the mule project.

Step – 11

Now we need to configure the HTTP listener.

Click on the ‘+’ button and give

port as 8082

protocol as HTTPS

Now go to the TLS tab and select edit inline in TLS configuration.

Now we need to configure the keystore and truststore. The keystore is the server's own identity (its private key and certificate); the truststore is the set of certificates the server accepts from clients, and it is what the listener uses to verify the client certificate.

Give the following values in the section

Trust Store Configuration

Path: server-truststore.jks

Password: mulesoft

Type: JKS

Key Store Configuration

Type: JKS

Path: server-keystore.jks

Key Password: mulesoft

Password: mulesoft

After putting the values click on OK

Then give the path as /server

Then drag and drop a transform message on the flow and give a message like

%dw 2.0
output application/json
{
"message": "Server running successfully"
}

Step – 12

Now we need to create a client application.

Create a client Application with the name “two-way-ssl-client”

Step – 13

Now drag and drop an HTTP listener on the Message flow, click on the ‘+’ button to configure the connector, and click OK to keep everything default.

Port: 8081

Protocol: HTTP

Now give the path as /client

Step – 14

Now drag and drop an HTTP request component in the process section of the flow

Now copy and paste the client-keystore.jks and client-truststore.jks to the mule project’s src/main/resources folder.

Now we need to configure the HTTP request.

Click on the ‘+’ give

Protocol: HTTPS

Host: localhost

Port: 8082

Now select edit in line in TLS configuration.

Give the following values.

Trust Store Configuration

Path: client-truststore.jks

Password: mulesoft

Type: JKS

Key Store Configuration

Type: JKS

Path: client-keystore.jks

Key Password: mulesoft

Password: mulesoft

After putting the values click on OK

Now give /server in the path

Step – 15

Now save the applications.

Both the server and the client application need to be deployed. Right-click either application, go to "Run", then "Mule Application (Configure)".

Select both "two-way-ssl-client" and "two-way-ssl-server" and click Run.

After the Application is deployed Successfully hit the URL

http://localhost:8081/client

you will get the response successfully

{
"message": "Server running successfully"
}
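The key-material procedure of Steps 4 to 9 and the deployment check of Step 15, as one added bash script. This is example code written for this page, not part of the original tutorial and not MuleSoft code. It assumes a JDK keytool on PATH, openssl and curl installed, a POSIX shell (the tutorial types the commands into cmd on Windows; the keytool arguments are the same there), and the two Mule applications deployed as described. The aliases, file names and the mulesoft password follow the tutorial; the -storetype JKS, -ext SAN and -rfc flags, the PKCS12 copy of the client identity, the STOREPASS variable and the Twoway-SSL default directory are additions. It goes beyond the manual steps in two ways: it runs non-interactively, and it tests from the outside what the server actually enforces rather than only calling it through the client application.

```shell
#!/usr/bin/env bash
# Added example for this page (not MuleSoft code, not the tutorial's own commands).
# Assumes: a JDK keytool on PATH; openssl and curl for the check; the tutorial's
# aliases (mule-server, mule-client), file names and "mulesoft" password.
set -eu

# Demo password from the tutorial. Override with STOREPASS=... ; in production
# keep store passwords out of scripts and use a distinct password per store.
STOREPASS="${STOREPASS:-mulesoft}"

# Steps 4-9 in one go: key pair + self-signed certificate for each side, export
# of each certificate, and a truststore per side holding only the peer's certificate.
generate_stores() {
  local dir="$1" side
  mkdir -p "$dir"
  for side in server client; do
    # -storetype JKS: since JDK 9 keytool defaults to PKCS12, so the explicit type
    #   keeps the file consistent with "Type: JKS" in the Mule TLS configuration.
    # -dname sets CN=localhost (the tutorial's "first and last name"); the SAN
    #   extension is what hostname verification in modern TLS stacks checks.
    keytool -genkeypair -alias "mule-$side" -keyalg RSA -keysize 2048 -validity 365 \
      -dname "CN=localhost, OU=Two-Way-SSL, O=Example" \
      -ext "SAN=dns:localhost,ip:127.0.0.1" \
      -storetype JKS -keystore "$dir/$side-keystore.jks" \
      -storepass "$STOREPASS" -keypass "$STOREPASS"
    # -rfc writes PEM rather than DER so the same file works with openssl and curl.
    keytool -exportcert -rfc -alias "mule-$side" -keystore "$dir/$side-keystore.jks" \
      -storepass "$STOREPASS" -file "$dir/$side-pubcertificate.crt"
  done
  # Server trusts the client certificate; client trusts the server certificate.
  keytool -importcert -noprompt -alias mule-client -storetype JKS \
    -keystore "$dir/server-truststore.jks" -storepass "$STOREPASS" \
    -file "$dir/client-pubcertificate.crt"
  keytool -importcert -noprompt -alias mule-server -storetype JKS \
    -keystore "$dir/client-truststore.jks" -storepass "$STOREPASS" \
    -file "$dir/server-pubcertificate.crt"
  # PKCS12 copy of the client identity so that curl can present it in check_server.
  keytool -importkeystore -srckeystore "$dir/client-keystore.jks" -srcstorepass "$STOREPASS" \
    -srcalias mule-client -destkeystore "$dir/client.p12" -deststoretype PKCS12 \
    -deststorepass "$STOREPASS" -destkeypass "$STOREPASS"
}

# Returns 0 if the store holds an entry under the alias, 1 otherwise.
has_alias() {
  keytool -list -keystore "$1" -storepass "$STOREPASS" -alias "$2" >/dev/null 2>&1
}

# Step 15 from the outside: talk to the deployed two-way-ssl-server directly.
# Two-way TLS is only in place if a client without a certificate is refused
# and the client identity from client-keystore.jks is accepted.
check_server() {
  local host="$1" port="$2" dir="$3" ca="$3/server-pubcertificate.crt"
  # Informational: the server's subject and whether it sent a CertificateRequest.
  openssl s_client -connect "$host:$port" -CAfile "$ca" </dev/null 2>/dev/null \
    | grep -E '^subject=|client certificate' || true
  if curl -s -o /dev/null --cacert "$ca" "https://$host:$port/server"; then
    echo "FAIL: server answered a client that presented no certificate"
    return 1
  fi
  echo "OK: client without a certificate was refused"
  curl -sS --fail --cacert "$ca" --cert-type P12 --cert "$dir/client.p12:$STOREPASS" \
    "https://$host:$port/server"
  echo
}

case "${1:-}" in
  gen)   generate_stores "${2:-./Twoway-SSL}" ;;
  check) check_server "${2:-localhost}" "${3:-8082}" "${4:-./Twoway-SSL}" ;;
esac
```

Run `bash twoway-ssl.sh gen ./Twoway-SSL`, copy the four .jks files into the two projects' src/main/resources folders as in Steps 10 and 14, deploy, then run `bash twoway-ssl.sh check localhost 8082 ./Twoway-SSL`. The check prints FAIL when the server serves the response to a client with no certificate at all, the usual symptom of a listener that was given a key store but no trust store; it prints the JSON response only when the certificate from client-keystore.jks is accepted.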

Author

Yuvraj Sinha
