
How do you do? We use MuleSoft Mule 4 deployed on an RTF (Runtime Fabric) cluster (2 RTF instances). We would like to set up reminders in order to warn administrators before the expiration date of the certificates used to establish outbound TLS connections and mutual authentication.

The straightforward way to set up TLS connections with Mule 4 is to use files with keystore/truststore in the configuration properties of the corresponding connector.

As described in https://dzone.com/articles/mule-4-using-ssltls-part-2 you have to generate the files and package them with the deliverable, which goes inside the Docker-like container running within Mule RTF, so it will be tricky to get inside its filesystem and inspect these files in production using some routine scheduled task.

At the same time, there is a wizard-sounding Secrets Manager menu in the Anypoint GUI. This Secrets Manager looks like it is able to hold these certificates, and it even exposes an API to check the expiration date and to do CRL (Certificate Revocation List) management. Despite that, the date is only metadata that is not enforced nor controlled in any way and may be changed, breaking the match with the real certificate's expiration date... I would like to figure out whether it will be possible to use this infrastructure in some way to keep TLS artefacts for the outbound backend calls for north-south traffic?

Should we call the RTF controllers' LB in an unencrypted way and then some Mule "proxies" that use this Secrets Manager in order to secure the connections afterwards? Maybe there is an easier approach to be able to master the state of the TLS artefacts and set up some alert about expiration in advance?

aled
abtimo

1 Answer


If the Secrets Manager REST API endpoint you need is documented, for example in the Anypoint Exchange portal at https://anypoint.mulesoft.com/exchange/portals/anypoint-platform/f1e97bc6-315a-4490-82a7-23abe036327a.anypoint-platform/secrets-manager/, then it should not change suddenly and you can depend on it.

aled
  • Thank you. I do believe in the lasting quality of the API; I wanted just to confirm that's the right way to do it and that there is no more practical, largely accepted solution to the problem of setting up reminders for certificate expiration. – abtimo Feb 22 '21 at 06:17
  • I'm not sure there is a universally accepted answer to this problem. There might be several answers and you have to evaluate the pros/cons of each one for your specific context. – aled Feb 22 '21 at 13:23
  • Easy answers are easy to answer without posting on Stack Overflow indeed. The issue for me is being unable to test myself the possibilities offered on RTF. The test access is available only for CloudHub deployment. The RTF test setup is available only after an expensive purchase of the Platinum plan. That prevents me from designing something that uses complex functionality of Mule RTF, returning to the barebone, easy, local file-based truststore and keystore, and validation using a scheduler and a call from DW to a Java method. – abtimo Feb 23 '21 at 10:43
  • Secrets Manager doesn't support generically replacing truststores/keystores in applications. The docs mention the two use cases it supports directly: RTF ingress and API Manager in CloudHub: https://docs.mulesoft.com/anypoint-security/index-secrets-manager. A certificate expiration check is something useful, but as far as I know it is not a feature of the product. Probably you need to implement that check by yourself in any case. An alternative method, if only dealing with HTTPS services, is to query the certificate with an HTTPS request instead of reading the keystore. – aled Feb 23 '21 at 12:13
  • >> An alternative method if only dealing with HTTPS services is to query the certificate with an HTTPS request, instead of reading the keystore – abtimo Feb 26 '21 at 09:26
  • Thank you for the clarification aled, this is useful. Yes, I do not see a normal way to reuse TLS artifacts from Secrets Manager in Mule apps. I wanted just to imagine an architecture where we reuse them by adding proxies that use the availability of Secrets Manager to RTF ingress: simply creating proxies for outbound connections and running outbound TLS connections systematically by sending them over these proxies. – abtimo Feb 26 '21 at 09:34
  • Thank you, this is a very useful comment, but it cannot be applied to outbound HTTPS traffic, only to inbound connections, which RTF and Secrets Manager are supposed to manage as well... So the solution is to implement a scheduler in every Mule app that loads truststores and keystores and checks the expiration date periodically, then writes a message about it in the log that consequently generates an alert from Mule... It requires saving the password in 2 places: one is the TLS context, the other is this scheduled Java checker. – abtimo Feb 26 '21 at 09:35
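One way to implement the scheduled check described in the last comment, as an added example that is not part of this thread nor of MuleSoft's own code: a plain Java class that a Mule scheduler flow can invoke (for example from DataWeave) against the same keystore/truststore files the TLS context uses. The class name, method names, argument layout and warn threshold are assumptions; the keystore path and password are assumed to come from the same secure properties that configure the TLS context, so the secret is not duplicated in code.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;

/** Hypothetical expiry checker, meant to be called from a Mule scheduler flow. */
public class CertExpiryChecker {

    /** Returns alias -> days until notAfter for every X.509 entry (negative = already expired). */
    public static Map<String, Long> daysUntilExpiry(KeyStore ks, Instant now) throws Exception {
        Map<String, Long> result = new LinkedHashMap<>();
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            // getCertificate() covers both key entries (own cert, first of the chain)
            // and trusted-certificate entries (truststore); secret-key entries return null.
            Certificate cert = ks.getCertificate(alias);
            if (cert instanceof X509Certificate) {
                Instant notAfter = ((X509Certificate) cert).getNotAfter().toInstant();
                result.put(alias, Duration.between(now, notAfter).toDays());
            }
        }
        return result;
    }

    /** Loads a JKS or PKCS12 store from the app's filesystem and checks it against "now". */
    public static Map<String, Long> check(String path, String type, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return daysUntilExpiry(ks, Instant.now());
    }

    // Stand-alone use: java CertExpiryChecker <keystore> <JKS|PKCS12> <password> <warn-days>
    // A throwaway store for trying it out can be made with the JDK's keytool, e.g.
    //   keytool -genkeypair -keystore test.p12 -storetype PKCS12 -alias test -keyalg RSA -validity 30 -dname CN=test -storepass changeit
    public static void main(String[] args) throws Exception {
        long warnDays = Long.parseLong(args[3]);
        for (Map.Entry<String, Long> e : check(args[0], args[1], args[2]).entrySet()) {
            String level = e.getValue() < warnDays ? "WARN" : "INFO";
            System.out.println(level + " certificate '" + e.getKey() + "' expires in " + e.getValue() + " days");
        }
    }
}
```

In a Mule app the `WARN` branch would go through the Logger component instead of `System.out`, so that a Runtime Manager log alert on that message is what pages the administrators.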