Why Domain Project ?

Introduction

Mule has the concept of Domain Project to share common resources. But as per the documentation there are some limitations of using Domain Project to share resources. Here are the main limitations as per the documentation,

  • Defining flows, subflows, or any message processors as shared resources is not supported.
  • To share a WMQ connector as a shared resource, you need to remove the mule-transport-wmq-ee-.jar file from the $MULE_HOME/lib/mule/per-app/ directory and remove all the native jars for WMQ connectivity in your application’s $MULE_HOME/apps//lib/ directory. Place all these jars in the $MULE_HOME/domains//lib/ folder instead.
  • Adding properties in the configuration files of applications that use shared resources can result in issues, as these properties are shared with other apps in the domain and there may be conflicts. You can instead set environment variables.
  • Only the following connectors and related specifications can be specified as shared resources at this time:
    • HTTP/HTTPS (both endpoints and connectors)
    • VM
    • TLS Context elements
    • JMS
    • JMS Caching Connection Factory
    • Database
    • WMQ
    • JBoss Transaction Manager
    • Bitronix Transaction Manager

But why to use Domain Project ?

I am not totally sure what is the main purpose of this Domain Project concept if we can NOT share some important common flows. For example, suppose we have some exception strategy flows which are common among various projects. So as per the documentation Domain Project will not serve our purpose.

My Argument

On the other hand , Mule has this out of the box concept where every flow is treated as spring bean.

So my argument is why should not we create a project and put all the common flows, resources (HTTP,VM etc connections ) and export it as jar and use it as dependency in other projects and load the flows as spring bean.

Experiment

In this experiment , first I will create a project with shared resources. For simplicity I am creating the following shared resources.

  1. One HTTP listener.
  2. Common exception handling strategy.

And most importantly I am exporting this project as jar file instead of conventional zip . Here is the source code of the project. In this project, I have two flows only.

connections.xml

screen-shot-2017-01-03-at-5-16-22-pm
connections etc.

This is an empty flow without any flow elements. It only contains a HTTP Listener configuration.

my-common-flows.xml

This configuration file contains a single flow called  common-exception-handling.

common-flow
Common Exception Flow.

init-DEV.properties

Also I have a simple property file with a simple property as shown below.

init-dev-properties
init-DEV.properties

pom.xml

Most importantly I am not using the zip packaging format in the pom.xml file. Instead I am packaging it as jar. Please check this part of the pom.xml file as shown below,

pom
pom.xml

Using the common resources

Now we are going to use this common resource in a project. The source code is available here. So, first of all we will modify the pom.xml file of the project and insert dependency of the common resource project we have created above. Here is a part of the pom.xml,

maven-dependency
use shared resources.

And that’s it. Now we can use the shared resources. Here in this project we have a simple flow where I am using the following shared resources,

  1. HTTP Listener (declared in connections.xml of the common project).
  2. Common exception handling (declared in my-common-flows.xml of the common project)
  3. A shared property (declared in the init-DEV.properties of the common project).

Here is the simple flow diagram,

use-shared-resources
Use shared resources.

The most important part in the configuration file my-domain-test.xml is the following,

spring-import
Spring Bean Import

Conclusion

The example shown above eliminates the use of Domain Project. Whatever we can share in a Domain Project we can achieve the same thing using a common project or we can achieve even more (sharing common flows).

So, what exactly is the purpose of a Domain Project ? I would appreciate your opinions.

Thanks.

Troubleshoot

On importing the shared resources in other projects , sometimes Anypoint studio fails to load the resources. To solve it, just close and open the project.

Advertisements

Credential Vault

Introduction

When we define properties in .properties file in a project a lot of properties contain sensitive information for example Jdbc password etc. So the best way is to protect this information by encrypting it.

Mule provides its out of the box functionality called Credentials Vault to encrypt the individual properties in the .properties file. The dictionary meaning of Vault is “an arched structure of masonry usually forming a ceiling or roof”. So, in our case once the .properties file becomes encrypted it becomes the Vault.

Let’s start

First of all you need to have the Mule Security Modules installed in your Anypoint Studio. Do please read the installation part of Mule Security Module in this post. After installing the security modules the rest is very simple.

Project configuration

Do please find the source code of the project in the following link. In the project I have created a very simple flow called vault-example.xml. In the resource folder I have created a file called init.properties. Please right click on it and open with Mule Properties Editor as shown in the diagram below.

structure
Structure

Step 1

Now let’s create some properties. After opening the init.properties  file with Mule Properties Editor now please click the green button and add property (key & value) as shown below,

add-property
Add property.

Step 2

Now click the button Encrypt. A pop-up screen will be shown and you will be asked to choose Algorithm and Key for encryption. For simplicity I have chosen Blowfish as algorithm and “mule” as key. Please refer to the diagram,

encrypt
Encrypt

Step 3

You should see the screen after Step 2. You can click the button Encrypt/Decrypt to see the value (encrypted/decrypted) as shown below.

flip
Encrypt/Decrypt

You can add some more properties.

Step 4

Now the encrypted init.properties is our vault and we will use this vault in our flow vault-example.xml. So please open the Global Elements tab and let’s add a Property Placeholder element to refer to our init.properties file.

property-plaeholder
Property Placeholder.

And then in the Location field, point to the init.properties file.

location
Add location of our properties file.

Step 5

After that we have to add a global element called Secure Property Placeholder. It will contain the necessary information of our key that was used to encrypt/decrypt our properties. The key we used was mule. Here is a screenshot,

spp
Hardcode key

I am using the key hard coded. A better way is to put it in the mule-app.properties. I have put a property in this file and named it as

vault.key=mule

Now, please see the updated Secure Property Placeholder configuration. Check it out below,

spp1
Variable key

Testing

Now, in the flow , just put a logger and let’s check if we can have decrypted output of an encrypted property in our init.properties file. Here is a screenshot,

testing
Testing.

Note

Probably at this point when you run the application you are not able to see the decrypted output in the Anypoint Studio console. I don’t know why. The trick is that when context property placeholder configuration precedes the secure property placeholder configuration  it does not work. The work around is to put the it  after.

Just take a look at the .xml configuration file,

mule-config
Trick

So, that’s it. Now when you run the application and make a request to the end point http://localhost:8081/vault you will see the decrypted value in the console.

HTTPS-Mule

Introduction

Mule provides out of the box supports for HTTPS. Here in this post I am going to explain how to create a simple HTTPS server and access it.

Before we begin

Before we begin, let’s understand a little bit about Keystore and Truststore.

Keystore: In short Keystore is a server side asset which stores the private keys and the certificates with their public/private keys.

Truststore: Truststore is a client side asset which serves as a repository of certificates (CA or simple) that the client should trust.

To know more about Keystore and Truststore please read this article.

Creating Keystore and Truststore

Let’s get our hands dirty now. The process is as follows,

  1. Create the Keystore and generate a certificate.
  2. Export the certificate.
  3. Import the certificate to the Truststore.

step 1

We will use the keytool that comes with Java. Please create a temporary directory somewhere in your drive.Now please open a terminal and navigate to the directory and execute the following command,

keytool -genkey -alias mule -keyalg RSA -keystore keystore.jks

On execution, it will ask keystore password and some general information. And at the end it will ask for the password of the key.Points to be noted ,

key: mule

keystore:  keystore.jks

keystore password:  keystorepass

key password: keystorepass

(Please feel free to use different passwords for keystore and key. I used the same password for the sake of simplicity). Here is a simple screenshot,

keystore
Create Keystore.

Step 2

The process above creates a keystore as well as a certificate. Now we have to export the certificate so that it can be added to the truststore as the trusted certificate. Now please execute the following command in the terminal,

keytool -export -alias mule -file client.cer -keystore keystore.jks

The key points here is to specify the key (mule) and the keystore (keystore.jks) we have created in the previous step. You can use any file name. Here I am calling it as client.cer. On executing it will ask for the password of the keystore.In our case it is keystorepass. Here is a screenshot,

certi
Create certificate.

Step 3

After creation of the certificate (client.cer) we will populate our truststore with it. So, let’s create a truststore. Please execute the following command in the terminal,

keytool -import -v -trustcacerts -alias mule -file client.cer -keystore truststore.ts

Important points to be noted here is the key (in our case it’s mule) , the certificate file (client.cer) and the name of the truststore (truststore.ts). On execution of the command, it will ask for password for the truststore being created. You can choose anything you want. I have chosen truststorepass for simplicity. Here is a screenshot,

truststore
Generate Truststore.

Okay, you are done with creation of Keystore and Truststore. Congrats. Now let’s move on to next steps.

Create a simple Mule project.

Let’s create the simplest mule project and the simplest flow. The scenario is as follows, “We have a HTTP server running on port 8081. On sending request to the server on the http://localhost:8081/app/ uri, it will call an HTTPS server running on port 8082″. That’s it. Here is a screenshot,

flow
Flow

HTTPS Server Configuration

I have copied the keystore and truststore to the resource/keystore directory of the project. Please check the screenshot,

project-structure
Project Structure.

Now let’s configure the flow HTTPS_Server_OneWaySSL. Here is the screenshot,

https
HTTPS

Do remember that in the Server we are using the keystore.

HTTPS Client Configuration

Now let’s configure the flow HTTPS_Client_OneWaySSL. 

http_client_general
HTTP Client configuration (General)
http_client_ssl
Http Client Configuration (SSL)

 

Remember that here in the client configuration we are using the truststore created.

Now execute the flow and make a request in the uri http://localhost:8081/app/. You should get a response from the HTTPS server running on 8082.

 

That’s it. Please find the source code here.

 

 

Mule Message Encryption-JCE Keystore

Introduction

This is the second part of my previous post. In the previous post in the JCE Encrypter configuration I did not use Keystore. Here in this post I will create a Keystore and use it for encryption.

Let’s get dirty

First we will create a Keystore using Keytool that comes with JDK. After that we will create a simple project and use the generated keystore for message encryption.

Create Keystore

JDK comes with its inbuilt tool Keytool to create keystores. First let’s create a keystore using the native Keytool.

Let’s create a temporary directory. I have created a temporary directory named as encryption as shown below,

screenshot-at-2016-12-10-20-45-42
Temporary directory

Now let’s execute the following command.

keytool -genseckey -keystore aes-ackeystore.jck -storetype jceks -storepass acstorepass -keyalg AES -keysize 128 -alias ackey -keypass ackeypass
 

After execution of the command a keystore aes-ackeystore.jck is generated in the directory.Basic things to point out in the command are as follows,

Name of the keystore : aes-ackeystore.jck

Password of the keystore: acstorepass

Name of the key: ackey

Password of the key :  ackeypass

These are the principal information that we need to configure our JCE Encryptor using keystore.

Create a simple Mule Project

Please strongly refer to the post for Anypoint Enterprise Security module installation.Let’s create a simple Mule Maven project using Anypoint Studio. The most important point is to add the following repository in the pom.xml file.

<repository>
   <id>mulesoft-public</id>
   <name>MuleSoft Public Repository</name>
   <url>https://repository.mulesoft.org/nexus/content/repositories/public/</url>
   <layout>default</layout>
</repository>

Please note that I have copied the generated keystore (in the previous step) to the resource folder of the project. Here is a screenshot of the project structure.

Folder Structure.png

Creating a simple flow

Let’s create a simple flow. The scenario is as follows. We send some JSON data to an HTTP endpoint. Then the JSON data is encrypted using JCE Encryption Strategy and we log the encrypted data. After that we simply decrypt the encrypted data and log it. Here is diagram of the flow.

flow_jce_keystore
Flow Diagram

Digging into JCE Encryption

“The Java Cryptography Extension (JCE) is an officially released Standard Extension to the Java Platform and part of Java Cryptography Architecture. JCEprovides a framework and implementation for encryption, key generation and key agreement, and Message Authentication Code (MAC) algorithms.”

Step 1

First let’s configure a global Encryption element.

global-element
Global Encryption Element configuration.

Do mind it to select the Default Encryptor dropdown as JCE_ENCRYPTER.  I have named the global element as JCE_Keystore.

Then select the JCE Encrypter tab and configure it as shown in the diagram,

jce-encrypter-config
JCE Encrypter Configuration

Step 2

Now after configuring the global Encryption element in step 1 let’s configure the Encryption component (labeled as Encrypt in the flow. This is a Encryption palette found under the Security category of Mule palettes). Here is the screen shot,

encryption-palette-config
Encryption Palette Configuration

In the Connector Configuration please select the global encryption element(JCE_Keystore) that we have defined in step 1. In the Operation dropdown select Encrypt. In the Input Reference field I am putting the whole payload (JSON data) for encryption. Do remember that you can use MEL expression here to encrypt some part of the payload too. And that’s it. No more configuration is needed and you are ready to go.

Step 3

In the step 2 we have encrypted the message. Now let’s decrypt the encrypted message. Here we are going to configure the component labelled as Decrypt. (It’s nothing but a Encryption  palette found under the Security category of Mule palettes. Here is the configuration,

decrypt-config
Decrypt Config.

The configuration is almost same as for encryption. The only difference is the

Operation: Decrypt

Testing

Now let us run the project. After running the project, send a POST request with JSON payload. I am using Postman for this operation. On observing in the Anypoint console you can see the encrypted message as well as decrypted message.

testting
Testing with Postman.

Sample log in Anypoint console,

INFO  2016-12-10 21:23:26,602 [[springbeanexample].HTTP_8081.worker.01] org.mule.api.processor.LoggerMessageProcessor: XjeegDtusFQSovOSxqZgr1j5oCUYypD4/7X6NjworIQ=
INFO  2016-12-10 21:23:26,613 [[springbeanexample].HTTP_8081.worker.01] org.mule.api.processor.LoggerMessageProcessor: {
	"name":"anupam"
}

Please find the source code here.

N.B: Use mvn eclipse:eclipse to import the maven dependencies.

Mule Encryption

Introduction

“Do not reinvent the wheel.” , that’s the principle Mule applies when it comes to Mule Message Security. Anypoint Enterprise Security is a suite that comes bundled with all the necessary modules/methods for applying security to Mule Service Oriented Architecture (SOA) implementations and Web services.

Objectives

My main concern regarding the security was Mule Message Encryption. Mule provides three extraordinary Encryption Strategies

  • JCE Encrypter: encrypts stream, byte[] or string.
  • XML Encrypter: encrypts string, encrypts individual fields using xpath expressions.
  • PGP Encrypter: encrypts stream, byte[] or string.

In this blog post I will try to explain how to configure Anypoint Studio for applying encryption strategies to mule messages using the JCE Encrypter.

Getting your hands dirty

Let’s get our hands dirty. I will try to explain everything starting from the installation of Anypoint Enterprise Security. Also I would like to point out the troubleshooting during the installation process.

Installation of Anypoint Enterprise Security

I am using Mule 3.8 EE for this experiment. Please do take a look at this link for the installation guide in detail. Here is a screenshot,

screen-shot-2016-12-09-at-4-38-55-pm

Please select the Premium bundle and proceed. In my case I could not install the software initially. If the same problem continues in your case please uncheck the “Contact all update sites during install to find required software” checkbox.

After successful installation restart your Anypoint studio. You should see the following components  under the security group palettes.

security_pallete
Security components

Now you are ready to go !

Create a Mule maven project

Let’s create a simple Mule Maven project using Anypoint Studio. The most important point is to add the following repository in the pom.xml file.

<repository>
   <id>mulesoft-public</id>
   <name>MuleSoft Public Repository</name>
   <url>https://repository.mulesoft.org/nexus/content/repositories/public/</url>
   <layout>default</layout>
</repository>

Creating a simple flow

Let’s create a simple flow. The scenario is as follows. We send some JSON data to an HTTP endpoint. Then the JSON data is encrypted using JCE Encryption Strategy and we log the encrypted data. After that we simply decrypt the encrypted data and log it. Here is diagram of the flow.

flow-diaram
Simple Flow Diagram

Digging into JCE Encryption

“The Java Cryptography Extension (JCE) is an officially released Standard Extension to the Java Platform and part of Java Cryptography Architecture. JCEprovides a framework and implementation for encryption, key generation and key agreement, and Message Authentication Code (MAC) algorithms.”

Step 1

First let’s configure a global Encryption element.

encryption_global_elm
Encryption Global Element Configuration

Do mind it to select the Default Encryptor dropdown as JCE_ENCRYPTER.  I have named the global element as JCE.

Step 2

Now after configuring the global Encryption element in step 1 let’s configure the Encryption component (labeled as JCE Encryption in the flow. This is a Encryption palette found under the Security category of Mule palettes). Here is the screen shot,

configure_encryption_in_flow
Configure Encryption component in the flow.

In the Connector Configuration please select the global encryption element(JCE) that we have defined in step 1. In the Operation dropdown select Encrypt. In the Input Reference field I am putting the whole payload (JSON data) for encryption. Do remember that you can use MEL expression here to encrypt some part of the payload too. As we are using JCE_ENCRYPTER in this example, let us configure it. Select the Define attributes radio button in the JCE encrypter Strategy Configuration for operation category.

Key:  It must be a 16 digit phrase.

Key Password:  (whatever you wish)

Algorithm:  Choose an algorithm from the dropdown list.

Encryption Mode: Choose from the dropdown list.

That’s it. You are ready to go. There is another way to make it more secure  using Keystore. I will show you later in another post.

Step 3

In the step 2 we have encrypted the message. Now let’s decrypt the encrypted message. Here we are going to configure the component labelled as Decrypt payload. (It’s nothing but a Encryption  palette found under the Security category of Mule palettes. Here is the configuration,

Configuration for Decryption.

The configuration is almost same as for encryption. The only difference is the

Operation: Decrypt

Testing

Now let us run the project. After running the project, send a POST request with JSON payload. I am using Postman for this operation. On observing in the Anypoint console you can see the encrypted message as well as decrypted message.

postman
Testing with Postman.

Please find the source code here.

N.B: Use mvn eclipse:eclipse to import the maven dependencies.