Build HTTPS API Proxies

API Manager 2.x enables you to use the secrets you stored in your secret group to build an HTTPS-based API for your CloudHub or hybrid deployments.
By configuring a TLS context for your inbound and outbound traffic, you can ensure your traffic’s security.

The secrets manager integration is only supported by API Proxies running Mule 4, and only for CloudHub, Hybrid, and standalone deployments.
Supported keystores for the TLS context are JCEKS, PKCS12, and JKS.

If you want to build an HTTPS Proxy in Mule 3 or Runtime Fabric deployment target, follow the Build an HTTPS Service tutorial.

Prerequisites

To configure your HTTPS API Proxy using secrets stored in your secret group, you need to meet the following requirements:

  • Secrets Manager Permissions enabled for your user.
    To configure an existing TLS context for the API Proxy, you need the Read secrets metadata permission. Review the Secrets Manager Permissions reference for more information.

  • Make sure your user has Manage API Configuration role.

  • A secret group along with a TLS context in Secrets Manager.
    Follow the Create a Secret Group instructions along with the Add a TLS Context task contained in that article if you need help creating a TLS context.
    Make sure that your TLS context’s target is of type "Mule", and that the Secret Group is marked as "downloadable".

    If you are not familiar with the secrets manager concepts, you should also review the Secrets Group Basic Concepts.

Configure your API

  1. In API Manager, navigate to Manage API > Manage API From Exchange.

  2. Configure your API proxy asset.

    For more information, see Managing an API from Exchange.

    While configuring your API Proxy, make sure you also select the following configurations:

    1. Select Endpoint with Proxy in the Managing Type fields

    2. If you want to manage the API using Mule 4 or later (recommended), accept the default selection.

      The parameters that you specify differ based on the Mule version you select.

  3. Click the Add TLS Context in the TLS Context for Outbound traffic field.

    65%
    1. Select the secret group where you hosted your TLS Context from the Secret Group drop-down list.

    2. Select your TLS Context for your HTTPS API Proxy from the TLS Context drop-down.

      35%
      If you can’t see any context, make sure you have the right permissions mentioned in the prerequisites above.

Additionally, if you want to enable SSL inbound traffic:

  1. Click Advanced Options.

  2. On the Scheme field, select HTTPS.
    This makes the TLS Context for Inbound Traffic field appear.

  3. Select Add TLS Context.

    1. Select the secret group where you hosted your TLS Context from the Secret Group drop-down.

    2. Select your TLS Context for your HTTPS API Proxy from the TLS Context drop-down.

  4. Click Save

API Proxy Deployment

You can deploy your API proxy to CloudHub, hybrid, or standalone servers.

Deploy to CloudHub

After you configured your API Proxy and selected CloudHub as the Proxy deployment target, your API Proxy will be automatically deployed, with the secrets already configured.

Your secrets are configured as secure property placeholders under the SecureProperties in your mule-artifact.json.
The amount of properties supplied depends on your selected configuration:

inbound.keystore.keyPassword_281324
inbound.keystore.password_281324

inbound.truststore.password_281324

outbound.keystore.keyPassword_281324
outbound.keystore.password_281324

outbound.truststore.password_281324

The 281324 suffix in this case is API Instance ID of your API Proxy.

If you inspect your API Proxy’s XML, you can see these properites being used in your trustore/keystore configurations:

<tls:trust-store path="outbound-truststore.jks" password="${outbound.truststore.password_281324}" type="JKS" insecure="true"  />

Deploy to Hybrid

After you configured your API Proxy and selected Hybrid as the Proxy deployment target, your API Proxy will be automatically deployed, with the secrets already configured.

Your secrets are configured as secure property placeholders under the SecureProperties in your mule-artifact.json.

+ The amount of properties supplied depends on your selected configuration:

inbound.keystore.keyPassword_281324
inbound.keystore.password_281324

inbound.truststore.password_281324

outbound.keystore.keyPassword_281324
outbound.keystore.password_281324

outbound.truststore.password_281324

The 281324 suffix in this case is API Instance ID of your API Proxy.

If you inspect your API Proxy’s XML, you can see these properties being used in your trustore/keystore configurations:

<tls:trust-store path="outbound-truststore.jks" password="${outbound.truststore.password_281324}" type="JKS" insecure="true"  />

Deploy to Standalone Servers

To deploy you API Proxy to a standalone server, you need to provide secured properties for each TLS Context.

  1. Download the API Proxy.

    1. In API Manager, select the version of the API proxy you want to download.

    2. Click the Actions button in the top-right corner of your screen and select Download Proxy.

      building https proxy 62dbf
  2. Take note of your API Instance ID under API Instance.

    building https proxy 541ec
  3. When running your standalone Mule instance, you need to provide the keystore and key passphrases as -D arguments, along with your API Proxy’s API Instance ID.
    For example, if your API instance ID is 15464957, you need to pass the arguments:

    ./bin/mule \
    -M-Dinbound.keystore.keyPassword_15464957=pass123 \
    -M-Dinbound.keystore.password_15464957=pass123 \
    -M-Dinbound.truststore.password_15464957=pass123 \
    -M-Doutbound.keystore.keyPassword_15464957=pass123 \
    -M-Doutbound.keystore.password_15464957=pass123 \
    -M-Doutbound.truststore.password_15464957=pass123

Was this article helpful?

💙 Thanks for your feedback!

Edit on GitHub