Mule – Credentials – Vault
There is an age-old question that people often ask: what is the single most valuable thing to society? Common answers are gold, silver, and money. Personally I believe that in the 21st century the correct answer is information. Just as the gold in Fort Knox is guarded, we must protect our sensitive data to keep it from falling into the wrong hands. The next question is how to store that data safely. The answer is encryption, and MULE gives us a convenient way of encrypting and storing configuration secrets with the MULE-Credentials-Vault. The MULE-Credentials-Vault is very flexible and offers 19 different encryption algorithms by default.
To correctly secure a .properties file using MULE the following requirements must be met:
- A MULE-Credentials-Vault (an encrypted .properties file)
- A global Secure Property Placeholder element
- An encryption key for opening the vault
HOW IT WORKS
When using the MULE-Credentials-Vault, sensitive data such as user names and passwords are stored as key/value pairs inside a .properties file. Once the values in that .properties file have been encrypted, the file is referred to as a Credentials Vault. MULE then uses a Secure Property Placeholder (a global element) that points to the Credentials Vault, decrypts the stored values, and hands them to the application, but only if it has been given the correct key to the vault. This works like using a key to open the front door of your house. The key to a MULE-Credentials-Vault is supplied when the MULE application starts and is held in the runtime's memory for the whole lifecycle of the application; in production it should be passed in at startup rather than written to a file on disk alongside the vault. When the application stops, the key is cleared from memory and is thus forgotten.
Before we can begin to use the MULE-Credentials-Vault we first must have installed Anypoint Enterprise Security for Anypoint Studio. Start by opening your project application in Anypoint Studio.
- From the menu bar select:
- Help > Install New Software…
- Install Anypoint Enterprise Security for Anypoint Studio
- The latest version and update site can be found at https://docs.mulesoft.com/release-notes/anypoint-enterprise-security-release-notes
- Anypoint Enterprise Security for Anypoint Studio will then begin to install.
- After the installation completes, restart Anypoint Studio
- Next we must create the .properties file that will later become our Credentials Vault:
- Right-click src/main/resources > New > File in the Package Explorer
- Open the newly created .properties file with the Mule Properties Editor
- After opening the Mule Properties Editor:
- Your value will then be encrypted
- Next we must create our Secure Property Placeholder global element
- The Secure Property Placeholder global element is configured as shown in the image above
FORCE MULE RUNTIME KEY
Once you are ready to move your application into production, configure MULE to demand that the key be supplied at startup rather than read from a file: pass the key and the environment name as system properties on the Mule runtime's command line.
- -M-Dprod.key=uniquepassword -M-Denv=prod
- For development purposes only, the same two properties can be placed in src/main/app/mule-app.properties as shown above. Do not ship that file with the key in it: mule-app.properties is packaged with the application, so the key would sit on disk next to the very vault it opens.
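The mechanics described in HOW IT WORKS and in FORCE MULE RUNTIME KEY, as an added, self-contained illustration that is not Mule's own code: a small Java program that encrypts selected values of a .properties file into the `![...]` form the Mule Properties Editor writes, opens the resulting vault with a key taken from the `prod.key` system property (the value `-M-Dprod.key=...` sets on the Mule command line), and falls back to `mule-app.properties` only when the environment is not `prod`. The algorithm choice (PBKDF2-derived AES-256-GCM), the fixed salt, the `env` property name and the `db.*` sample properties are assumptions made for this example; Mule's vault lets you pick its own algorithm and mode.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Properties;

public class VaultDemo {
    // Encrypted values are wrapped as ![...], the form the Mule Properties Editor produces.
    private static final String PREFIX = "![";
    private static final String SUFFIX = "]";
    // Fixed salt (an assumption for this demo): one vault key always derives the same AES key.
    private static final byte[] SALT = "vault-demo-salt".getBytes(StandardCharsets.UTF_8);
    private static final int IV_LEN = 12;

    // Derive a 256-bit AES key from the password-style vault key.
    static SecretKeySpec deriveKey(char[] vaultKey) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(vaultKey, SALT, 100_000, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(raw, "AES");
    }

    // Encrypt one property value: random IV || AES-GCM ciphertext, base64, wrapped in ![...].
    static String encrypt(String plaintext, char[] vaultKey) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(vaultKey), new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return PREFIX + Base64.getEncoder().encodeToString(out) + SUFFIX;
    }

    // Reverse of encrypt(); a wrong key fails the GCM tag check and throws AEADBadTagException.
    static String decrypt(String stored, char[] vaultKey) throws Exception {
        byte[] all = Base64.getDecoder().decode(stored.substring(PREFIX.length(), stored.length() - SUFFIX.length()));
        byte[] iv = Arrays.copyOfRange(all, 0, IV_LEN);
        byte[] ct = Arrays.copyOfRange(all, IV_LEN, all.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(vaultKey), new GCMParameterSpec(128, iv));
        return new String(c.doFinal(ct), StandardCharsets.UTF_8);
    }

    static boolean isEncrypted(String v) {
        return v != null && v.startsWith(PREFIX) && v.endsWith(SUFFIX);
    }

    // Open the vault: every ![...] value is decrypted, plain values pass through unchanged.
    static Properties openVault(String propertiesText, char[] vaultKey) throws Exception {
        Properties raw = new Properties();
        raw.load(new StringReader(propertiesText));
        Properties opened = new Properties();
        for (String name : raw.stringPropertyNames()) {
            String v = raw.getProperty(name);
            opened.setProperty(name, isEncrypted(v) ? decrypt(v, vaultKey) : v);
        }
        return opened;
    }

    // Resolve the vault key the way the text prescribes: the runtime system property wins;
    // a key inside mule-app.properties is honoured only outside prod; otherwise fail closed.
    static char[] resolveKey(String env, Properties appProps) {
        String fromRuntime = System.getProperty("prod.key");
        if (fromRuntime != null) return fromRuntime.toCharArray();
        String fromFile = appProps.getProperty("prod.key");
        if (!"prod".equals(env) && fromFile != null) return fromFile.toCharArray();
        throw new IllegalStateException("prod.key must be passed at startup (-M-Dprod.key=...) when env=" + env);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a dev-only mule-app.properties carrying the key, and env=dev.
        Properties devAppProps = new Properties();
        devAppProps.setProperty("prod.key", "uniquepassword");
        char[] key = resolveKey("dev", devAppProps);

        // Build the vault: only db.password is encrypted, db.user stays in the clear.
        String vault = "db.user=app\n" + "db.password=" + encrypt("s3cr3t", key) + "\n";
        System.out.println(vault);
        System.out.println("db.password=" + openVault(vault, key).getProperty("db.password")); // s3cr3t

        // Wrong key: GCM authentication fails instead of returning garbage.
        try {
            openVault(vault, "wrongpassword".toCharArray());
        } catch (AEADBadTagException e) {
            System.out.println("wrong key rejected: " + e);
        }

        // In prod, with no -Dprod.key on the command line and no file fallback, the app refuses to start.
        try {
            resolveKey("prod", new Properties());
        } catch (IllegalStateException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

Run it with `java VaultDemo.java` to see the dev path, and with `java -Dprod.key=uniquepassword VaultDemo.java` to see the runtime property taking precedence, which is what `-M-Dprod.key=uniquepassword` does on the Mule launcher. Two details matter in practice: `!` only starts a comment at the beginning of a line in a .properties file, so the `![...]` wrapper is safe as a value, and a wrong key surfaces as an authentication failure rather than silently decrypted garbage because the mode is authenticated. In Mule itself the equivalent wiring is the Secure Property Placeholder global element whose key attribute is set to `${prod.key}` and whose location points at the vault file.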
As previously stated, there are three requirements that must be met to properly secure our sensitive data. These three ingredients can be combined in several ways depending on the use case of your application; typically an application will use one of three structures. The structure can be thought of in the same way as a MySQL database table relationship. The relationships are as follows:
- ONE to ONE to ONE Relationship
- ONE to ONE to MANY Relationship
- (MANY) ONE to ONE to ONE Relationship