Mule Credential Vault

DZone 's Guide to

Mule Credential Vault

You can encrypt your property files in your Mule projects using the Mule Credential Vault feature, which you can learn to use in this tutorial.

· Integration Zone ·
Free Resource

1.0 Overview

Mule Credential Vault is a feature where users can encrypt the values of a property file. For instance, if Credential Vault is implemented in your Mule project, then you have a property file that looks like the following (Figure 1.0).

Image title

There are two ways to implement Mule Credential Vault. You can either use the out of the box method or you could implement a customized method.

Image title

The results of the implementation would be the same- that is, you will have an encrypted property file. The only difference is how the encrypted key is supplied for decryption of the property file during runtime.

Before you can use the mentioned feature, you need to install the Anypoint Enterprise Security Module.

If you are building Maven Mule projects, you will also need to include the following code snipped into your POM.xml file:





The Concept

The Mule Credential Vault consists of three things, as illustrated in Figure 1.1.

Image title

Figure 1.1.

There are three possible ways to implement the mentioned constituent components, and they are as illustrated in figure 1.2 (the diagrams are a reference from MuleSoft’s documentation of the Credential Vault).

Image title

Figure 1.2.

2.0 Use Case of OOTB Credential Vault

Here in this article I will be talking about the OOTB way to encrypt your property files; as with all the articles I write, it is easier for me to illustrate the use case of a particular design/feature by ­­enacting a hypothetical scenario.

Let’s say that you are tasked with developing a façade/proxy web API, where you relay requests to the underlying real API. The underlying API that you have been asked to façade requires a “client id” and a “client secret” in order to authorize its usage. The following picture shows a high-level summary of this requirement.

Image title

Figure 2.0.

2.1 The Actual API

For the sake of illustrating the usage of the Credential Vault, we will be storing the client id and client secret required by the actual API illustrated in Figure 2.0.

This section will illustrate briefly how this back end API works. I have reused the MuleSoft Cloudhub tutorial API that allows users to query for fictitious flight schedules. Here is the link to the API.

In order to test the availability of this API, you need to launch Postman and key in the following parameters, select GET as the HTTP operation, and click send. This API will give you a JSON array of flight schedules.

Image title

The following are the HTTP parameters to be keyed into the parameter fields:

  • "client_id":"d1374b15c6864c3682ddbed2a247a826"

  • "client_secret":"4a87fe7e2e43488c927372AEF981F066"

3.0 Locking Your Property Files in the Credential Vault

The following Figure 3.0 depicts how your final solution will look. The Mule flow looks exactly like the requirements illustration at Figure 2.0.

Image title

Figure 3.0.

3.1 Creating the Global Security Placeholder

You will also need to create the following global Mule configuration element, as per the following diagram, Figure 3.0.a.

Image title

Figure 3.0.a.

I have set a global secure placeholder to decrypt my encrypted property file. The first field (1) is the encryption algorithm that you will use to encrypt your property file. The second field (2) is the additional encryption parameter that you have used to encrypt your file.

Parameter number (3) is the actual key that you are using to encrypt the values of your property, and lastly, number (4) is the file that you are encrypting, notice the ${env} is configured so that it gives me the flexibility of switching configurations between environments.

3.2 Encrypting the Property Files

The following illustration depicts the different keys I have used to encrypt different environment files (Figure 3.0.b).

Image title

Figure 3.0.b.

The following steps will walk you through encrypting the property values.

1) Navigate to the property file that you want to encrypt, then right click, select open with > Mule Properties Editor.

Image title

2) Click on the green cross as per the following depiction:

Image title

3) When prompted with the “Add a new property” dialog, key in the client_id.

Image title

4) Now click on the encrypt button and you will be prompted with a “Setup encryption information” dialog; in the first Algorithm drop-down, select “Blowfish” and then key in “mule123dev,” this value from now on will be your encryption and decryption key.

Image title

5) Right after you click on the OK button, you will see that your property value is encrypted.

Image title

6) When you click OK again, you will see that you value is populated in the property editor window.

Image title

7) At the bottom of the property editor console, you will be able to see two tabs, the “Table editor” tab and the “Text editor” tab. You can click on the text editor tab to get a plain text view of your property file, but you must only use the table editor to encrypt your values.

Image title

3.3 Testing Your Encrypted Property Files

Now that you have successfully configured your application to have encrypted property files, it is time to test it. In an actual production scenario, you would need to configure the following to the “mule-app.properties” file.

Image title

Figure 3.3.a.

This is so that your Mule application will ask for the following parameters during runtime.

  • “env” – specifies the environment that you want to run your Mule application in; this is really handy as the property place holder (Figure 3.0.a parameter number 4) that you have specified previously will select the correct property file based on what you have entered into this parameter

  • “cre.vault.key” – this is to specify the key that you have used to encrypt your property values, so that your mule application’s secure property place holder (Figure 3.0.a parameter number 3) would use it to decrypt the key values during run time.

Figure 3.3.a depicts the values you will set to force your Mule application to request a command line parameter when you try to start it; if the key value is not specified, your application will fail to run, but if you want to test run your application in Anypoint Studio, then your “mule-app.properties” file would need to look like the following:

Image title

Figure 3.3.b.

Once you start your application via Anypoint Studio, head over to Postman.

Image title

Figure 3.3.c.

In Postman, browse to local host port 8081, as depicted by figure 3.3.d. Without the need to key in any client_id and client_secret parameter, you have successfully queried for flight schedules; you have successfully façade the back end API.

Image title

Figure 3.3.d.

4.0 Things to Look Out for When Implementing Credential Vault

If you are reading this article and you also happen to be developing Mule applications for a while, you would already have a pre-existing property place holder, as depicted in Figure 4.0.a below.

Image title

Figure 4.0.a.

Configurations like this will trip you up. Let’s see what happens when you have both the normal property place holder and the security place holder pointing to the same file- let’s test it. In order to demonstrate what I mean, you have to add the normal property place holder, save the Mule configuration file, and restart the Mule application.

If you test it with Postman, you will get a 403 error.

Image title

Figure 4.0.b.

If you look under the hood of the Anypoint Studio console log, you will see the following log.

Image title

Figure 4.0.c.

Figure 4.0.c shows that your Mule application does not know how to decrypt the client_id and client_secret value. The normal property place holder has higher precedence compared to the secure property place holder. This issue really did trip me up- it took me half a day to sort this out.

If you have a few property files and need a property place holder for them, you could use the created secure property place holder; you just need to add all the property file names as comma separated list (as per depicted in Figure 4.0.d).

Image title

Figure 4.0.d.

5.0 Conclusion

  • There can only be one – In section 4.0, I have demonstrated the issue if you use both the secure property place holder and the normal property place holder in your Mule application. It is best to use just one, and it doesn’t really matter if you have values that do not need to be encrypted- the secure property place holder is capable of reading unencrypted value during run time as well.

  • “mule-app.properties” settings – This file would need to be set up differently if you are testing/running your mule application in Anypoint Studio versus testing/running your mule application in an actual mule EE runtime.

  • The source code is available in this Github repository. Clone it and play with it, the only way to learn and internalize something is to play with it.

credential vault, credentials, integration, mule studio, mulesoft, property management, tutorial

Published at DZone with permission of Kian Ting , DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}