Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

MuleSoft Credentials Vault: Secure Your Data

DZone's Guide to

MuleSoft Credentials Vault: Secure Your Data

In this post, we go through the process of encrypting data in our MuleSoft application, so you can ensure your users' data is kept secure.

· Security Zone ·
Free Resource

Protect your applications against today's increasingly sophisticated threat landscape.

Why Do Applications Need Security?

Security is a very big concern in the IT world. We have always been asked how can we make sure customer information is not accessible or cannot be hacked. Mule provides out of the box features to handle security. Mule Credentials Vault can be used to encrypt customer data in a .properties file. The .properties file is used by developers to set up the properties for different environments (dev, stage, lt, prod) as a one-time activity. Mule applications use the data from the properties file during runtime, e.g. credentials for a secured database, credit card information for a customer, social security numbers, etc.

In IT, customer data is very private, sensitive data, and must be secured against unauthorized access, yet must still be accessible to authorized, legitimate users and systems in order to conduct business transactions. In this post, I will explain how can we protect this data in the properties file and at the same time make it available to the Mule application.

Anypoint Enterprise Security is a collection of security features that enforce secure access to information in Mule applications. This helps in applying security to Mule Service-Oriented Architecture (SOA) implementations and Web services.

Anypoint Enterprise Security suite helps application developers to develop security solutions as per security requirements, prevent security breaches and facilitate authorized access to data. The following security features bridge gaps between trust boundaries in applications:

  • Mule Secure Token Service (STS) OAuth 2.0 Provider
  • Mule Credentials Vault
  • Mule Message Encryption Processor
  • Mule Digital Signature Processor
  • Mule Filter Processor
  • Mule CRC32 Processor

Let's start with the installation of Anypoint Enterprise Security Suite.

Installation of Anypoint Enterprise Security Suite

Install the Anypoint Enterprise Security update in Anypoint Studio Enterprise Edition 3.3.2 or later.

1. Under the help menu, select Install New Software.

2. In the Install Wizard, click the Add.. button next to Work with field.

3. In the Add Repository panel, enter Name as Anypoint Enterprise Security, and, in the Location field, provide the following link: http://security-update-site-1.4.s3.amazonaws.com then click OK.

Image title

4. Select Premium and click Next.

5. Anypoint Enterprise Security suite should now be installed and Anypoint studio will ask for you to restart the application. This completes the installation of the security suite.

Let's learn how we can use AES to secure the information using the ingredients provided by Mulesoft. With Anypoint Enterprise Security you can secure your information using these 3 ingredients:

  1. Mule Credentials Vault.
  2. Global Secure Property Placeholder element.
  3. Key to unlock the vault.

Use Mule Credentials Vault

To use the Mule Credentials Vault, you must perform three tasks:

  1. Encrypt properties in a properties file.
  2. Create a global secure property placeholder in your Mule application to use the encryption key Mule collects at runtime.
  3. Configure Mule’s system properties file to demand the key at runtime.

How to Encrypt Properties

  1. In Studio, right-click the src/main/resources folder in your project, then select New > File.Image title
  2. Provide a Filename, that should include the .properties extension. For example, prod.properties.Image title
  3. Click Finish. Studio saves the new, blank file in your project.
  4. Go to project explorer, right-click the.properties file, then select Open With > Mule Properties Editor.Image title
  5. Click the green + icon in the Studio toolbar to open the Add a new property dialog.Image title
  6. Add the key-value pair (property) you want to add in the properties file. If no encryption is required, click OK to add the new property to the properties file. If you want to encrypt the properties file, click the Encrypt button. It will create a credentials vault.Image title
  7. It opens a Setup encryption information dialog, where you can select the type of algorithm and provide the key you want to use to encrypt the value. Do not forget the key as the key will be required when we have to decrypt the value. Image title
  8. After we click ok, the value will be encrypted as shown below.Image title
  9. Click OK to save this property.
  10. Repeat these steps to add the properties to your Credentials Vault. Please note that the first time you add an encrypted property to a properties file, Mule asks for the Key. Next time if you add an encrypted property to the same file, Mule uses the Key you have already entered and does not ask for it again. It saves it in an in-memory store for your Studio session. When you end the session, Mule forgets the key.
  11. We can also add unencrypted properties to the same file. Encrypted properties are indecipherable and they can be recognized by their wrapper.Image title

Set a Global Secure Property Placeholder

1. In Studio, create a global Secure Property Placeholder element.

Image title

2. Configure the following values in the property placeholder.

Image titleConfig: Location should be mapped to the properties file name. The encryption algorithm should remain the same as the one that was used to encrypt the properties during the encryption process above. The key should be the phrase to unlock the Credentials Vault according to the system property you define in this field. For example, ${production.property}instructs Mule to demand the key at runtime.

Now you have the data in a vault and a mechanism to request the data, but where is the key to unlock the vault (that is, to decrypt the data)? And how do you ensure that the key is not accessible by everyone with access to the application? If you simply hardcode the key into the configuration of the global Secure Property Placeholder, any colleague with access to the application can read the key and unlock the vault. Therefore, you need to configure the Secure Property Placeholder to use the key that Mule collects from the user at runtime. In this context, the key to decrypt the properties becomes a runtime password.

At runtime (on-premises or in the cloud), Mule demands that the user enters a key, which Mule stores in-memory. Recall that the key that Mule demands at runtime is the same key you use to encrypt the properties in the Credentials Vault. In this case, you had to have manually given the key to the person who is responsible for running the application, such as an Ops Admin. Whenever a Secure Property Placeholder within a Mule application needs to unlock the Credentials Vault to retrieve secured credentials, it uses the key that the Ops Admin entered at runtime.

Configure Mule to Demand the Key

It is recommended to never store the secret encryption key value to disk in any file. Instead, the Ops team should manually enter these secret properties into the command line when starting the Mule runtime on which the application is deployed. The Ops team should use the following command at runtime:

./mule -M-Dproduction.property=iamtheone -M-Denv=prod 

In CloudHub, an Ops admin can enter each environment name/value pair into the Properties tab of the application’s deployment configuration.

Image title

When you include the secret encryption key as a JVM argument, the value is stored in the $MULE_HOME/conf/wrapper-additional.conf file. Be sure to protect access to this file to avoid compromising your encrypted secure properties. If you use MMC, the secret encryption key value is also displayed in several places in the server’s Properties tab, so be sure to also secure access to this MMC view.

Local Setup

To test in your local environment, use the following steps:

  1. Open your project’s mule-app.properties file.
  2. Add the following properties to this file. Replace the production.property with your Key.
production.property=iamtheone
env=prod

Experiencing Security

Please use the below code for experiencing this in Studio. You need to follow the above steps to understand this.

<?xml version="1.0" encoding="UTF-8"?>

<mule xmlns:secure-property-placeholder="http://www.mulesoft.org/schema/mule/secure-property-placeholder" xmlns:http="http://www.mulesoft.org/schema/mule/http" xmlns="http://www.mulesoft.org/schema/mule/core" xmlns:doc="http://www.mulesoft.org/schema/mule/documentation"
xmlns:spring="http://www.springframework.org/schema/beans" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-current.xsd
http://www.mulesoft.org/schema/mule/core http://www.mulesoft.org/schema/mule/core/current/mule.xsd
http://www.mulesoft.org/schema/mule/http http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd
http://www.mulesoft.org/schema/mule/secure-property-placeholder http://www.mulesoft.org/schema/mule/secure-property-placeholder/current/mule-secure-property-placeholder.xsd">
    <secure-property-placeholder:config name="Secure_Property_Placeholder" encryptionAlgorithm="Blowfish" key="${production.property}" location="prod.properties" doc:name="Secure Property Placeholder"/>
    <http:listener-config name="HTTP_Listener_Configuration" host="localhost" port="8095" doc:name="HTTP Listener Configuration"/>
    <flow name="security-anypointFlow">
        <http:listener config-ref="HTTP_Listener_Configuration" path="/" doc:name="HTTP"/>
        <logger message="log the salesforce username: ${salesforceusername}" level="INFO" doc:name="Logger"/>
    </flow>
</mule>

When we run this example, we will be able to see that the encrypted property is getting printed after decryption. The below image is from the Console logs.

<secure-property-placeholder:config key="${prod.key}" location="test.${env}.properties"/>

Image title

Thanks for reading this. Please let me know your feedback.

Rapidly detect security vulnerabilities in your web, mobile and desktop applications with IBM Application Security on Cloud. Register Now

Topics:
mulesoft ,security ,encryption ,data security

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}