Contact Free trial Login

Create a Secret Group (Anypoint Platform)

Prerequisites

  • Verify that you have the Write secrets permission enabled.

  • Verify that you are in the correct environment using the environment switcher at the top of the left navigation bar.

Create a Secret Group

  1. In Anypoint Platform, go to Management Center and select Secrets Manager.

  2. Click Create Secret Group.

  3. Type a name for the secret group and click Save.

    The name of your secret group must:

    • Be at least three characters long and no longer than 35 characters

    • Start with a letter

    • Contain only letters, numbers, and dashes (but cannot end with a dash)

The secret group appears in the Secret Groups list view. Click Edit to add the necessary secret types, for example, a keystore or a truststore.

Add a Certificate

Add a single PEM certificate to the secret group. This certificate is the "leaf" certificate (end-entity certificate).

  1. In the Secret Groups list view, select the secret group to which to add a certificate.

  2. Select Certificate in the menu on the left, and click Add Certificate.

  3. In the Add Certificate screen, add the required information.

    • Name - Enter a name for your certificate.

    • Type - Select the certificate type from the drop-down menu.

      Supported types are:

      • PEM

    • Certificate File - Click Choose File, and select the certificate file to upload.

    • Override Expiration Date (Optional) - Select the date to override the default expiration date of the certificate.

  4. Click Save.

Add a Truststore

Add a truststore for public certificates of trusted servers. The truststore is used to store certificates from the trusted CA, which are then used to verify certificates presented by the server in an SSL connection.

You can add a maximum of 15 certificates to the truststore.
  1. In the Secret Groups list view, select the secret group to receive a new truststore.

  2. Select Truststore in the menu on the left, and click Add Truststore.

  3. In the Add Truststore screen, add the required information.

    • Name - Enter a name for your keystore.

    • Type - Select the truststore type from the drop-down menu.
      Supported types are:

      • PEM

      • JKS

      • PKCS12

      • JCEKS

    • Truststore File - Click Choose File, and select the truststore file to upload.

    • Override Expiration Date (Optional) - Select the date to override the default expiration date of the certificate.

      If you are uploading a JKS, PKCS12, or JCEKS truststore file, you must also provide the passphrase for this truststore.
  4. Click Save.

Add a Keystore

Specify the type of keystore to add to the secret group. The keystore is the combination of the authorization certificate, its corresponding private keys, and the certification authority’s path.

  1. In the Secret Groups list view, select the secret group to which to add a keystore.

  2. Select Keystore in the menu on the left, and click Add Keystore.

  3. In the Name field, enter a name for your keystore.

  4. In the Type field, select the keystore type from the drop-down menu.

    Supported types include:

    • Privacy Enhanced Mail (PEM) - Base64 encoded ASCII file with a cer, crt, or pem extension.

    • Java Keystore (JKS) - Repository for authorization or public key certificates. The JKS keystore type does not store secret keys.

    • PKCS12 - Stores server and intermediate certificates in an archive file format. The PKCS12 keystore type does not store secret keys.

    • Java Cryptography Extension KeyStore (JCEKS) - Stores server and intermediate certificates as well as secret keys.

      1. To add a PEM type keystore, you must provide:

        • Certificate File - Click Choose File to locate and upload the PEM certificate file.

        • Key File - Click Choose File to locate and upload the PEM formatted file that contains the private key for the certificate.

        • Key Passphrase - Enter the word or phrase that protects the private key.

        • CA Path Certificate File (Optional) - Click Choose File to locate and upload the certificate signed by a certification authority (CA).
          The CA path contains the intermediary and root certificates that are related to the certificate file you want to use.

        • Override Expiration Date (Optional) - Select the date to override the default expiration date of the certificate.

      2. To add a JKS, PKCS12, or JCEKS type keystore, you must provide:

        • Keystore File - Click Choose File to locate and upload the keystore file to use.

        • Keystore Passphrase - Enter the word or phrase that protects the keystore.

        • Alias - The alias used to access the keystore entries (key and trusted certificate entries).

        • Key Passphrase - The word or phrase that protects the private key.

        • Algorithm (Optional) - The algorithm to use for encryption of keys.

        • Override Expiration Date (Optional) - Select the date to override the default expiration date of the certificate.

  5. Click Save.

Add a Certificate Pinset

Add a concatenated list of PEM certificates to the secret group.

  1. In the Secret Groups list view, select the secret group to which to add a certificate pinset.

  2. Select Certificate Pinset in the menu on the left, and click Add Certificate Pinset.

  3. In the Certificate Pinset screen, add the required information.

    • Name - Enter a name for the certificate pinset.

    • Certificate File - Click Choose File and select the PEM formatted CA certificate to upload.

    • Expiration Date (Optional) - Select the expiration date for the certificate.

Add a Shared Secret

Add a shared secret users can use for authentication.

  1. In the Secret Groups list view, select the secret group to which to add a shared secret.

  2. Select Shared Secret in the menu on the left, and click Add Shared Secret.

  3. In the Add Shared Secret screen, add the required information.

    • Name - Enter a name for your shared secret.

    • Type - Select the shared secret type from the drop-down menu.

      • Username Password - Provide a username and password.

      • Symmetric Key - Provide a Base64 string containing symmetric key.

      • S3 Credential - Provide the access key ID and the secret access key to an S3 bucket.

      • Blob - Provide a base64-encoded value.

  4. Click Save.

Add a List of Revoked Certificates

Add a list of certificates that were revoked by certificate authorities before their expiration dates. The server administrator (owner of Edge) may specify a CRL list and other algorithms to retrieve this list, or the server owner may point to an external public key infrastructure (PKI) or another vendor that maintains a list of revoked certificates.

  1. In the Secret Groups list view, select the secret group to which to add a Certificate List Distributor (CRL) configuration.

  2. In the menu on the left side, select CRL Distributor Config, and click Add CRL.

  3. In the Add Certificate Revocation List (CRL) Distributor Config screen, add the required information.

    • Name - Enter a name for your CRL distribution point.

    • Distributor Certificate - Select the CRL distributor from the drop-down list.

    • CA Certificate - select the CA certificate to query against the CRL distributor from the drop-down list.

    • Frequency (in minutes) - Determine the interval (in minutes) to query the CRL distributor.

    • Complete CRL Issuer URL - Add the URL for all of the revoked certificates.

    • Delta CRL Issuer URL (Optional) - Add the URL for the list of all certificates revoked since the last time a complete CRL was created.

    • Expiration Date (Optional) - Select the expiration date for the certificate.

  4. Click Save.

Add a TLS Context

To encrypt inbound traffic to Runtime Fabric or Mule 4 proxies, add a certificate-key pair to a TLS context and then enable the TLS context.

The TLS context you store in Secrets Manager can be used either when you configure an HTTPS API Proxy, or to validate the SSL handshake in the edge endpoint of Runtime Fabric.

  1. In the Secret Groups list view, select the secret group to which to add a TLS context.

  2. Select TLS Context in the menu on the left, and click Add TLS Context.

  3. In the Create TLS Context screen, add the required information.

    • Name - Enter a name for your TLS context.

    • TLS Version - Select the TLS version.

    • Target - Select the target for the TLS context from the drop-down list.

      • Anypoint Security - Validates the SSL handshake for Runtime Fabric.
        If you use the Anypoint Security target, you can select keystores and truststores that are either PEM or non-PEM types. Supported types include:

        • JKS

        • PKCS12

        • JCEKS

      • Mule - Uses the TLS context as the SSL validation for Mule 4 based API proxies.

    • Keystore - Select the keystore to store the TLS context in from the drop-down list.

    • Truststore (Optional) - Select a truststore to add the TLS context to from the drop-down list.

    • Expiration Date (Optional) - Select the expiration date for the certificate.

    • Enable Client Authentication - Select this option to enable client authentication.

      Secrets Manager also allows you to select custom ciphers.

      Supported ciphers include:

    • AES256 GCM SHA384

    • AES128 GCM SHA256

    • AES256 SHA256

    • AES128 SHA256

    • AES256 SHA1

    • AES128 SHA1

    • DES CBC3 SHA1

    • DHE RSA AES256 GCM SHA384

    • DHE RSA AES128 GCM SHA256

    • DHE RSA AES256 SHA256

    • DHE RSA AES128 SHA256

    • DHE RSA AES256 SHA

    • DHE RSA AES128 SHA

    • ECDHE RSA AES256 GCM SHA384

    • ECDHE RSA AES128 GCM SHA256

    • ECDHE RSA AES256 SHA384

    • ECDHE RSA AES128 SHA256

    • ECDHE RSA AES256 SHA

    • ECDHE RSA AES128 SHA

    • ECDHE RSA DES CBC3 SHA

    • EDH RSA DES CBC3 SHA

      If you are configuring ciphers to use by an HTTPS API Proxy, you can define additional ciphers used by your proxy instance.

      asm secret group creation task f012f
  4. Click Save.

Edit a Secret Group

When you edit a secret group, other users are locked out while you edit the necessary security objects.

  1. In Secrets Manager, click Edit for the secret group to update.

  2. Make your changes, and click Finish.
    The secret group is updated with the changes, and Secrets Manager will serve the updated secrets to all redeployed applications after this point.

  3. Click Cancel Edit to cancel an open edit session.
    You can use this to cancel another user’s editing session. For example, if a user leaves an edit session open (without clicking Finish), other users can’t open an edit session, and the Edit button is disabled. If the user who left the edit session open isn’t available to close it, you can click Cancel Edit to cancel that user’s edit session.
    This makes the Edit button available so you can make updates to the secret group.

    If you cancel a user’s edit, it deletes all that user’s changes.

Was this article helpful?

💙 Thanks for your feedback!

Edit on GitHub