Contact Free trial Login

Building an HTTPS API Proxy

API Manager 2.x lets you use the secrets you stored in your secret group to build an HTTPS based API for your CloudHub or Hybrid deployments.
By configuring a TLS context for your inbound and outbound traffic, you can ensure your traffic’s security.

The secrets manager integration is only supported by API Proxies running Mule 4, and only for CloudHub, Hybrid, and standalone deployments.
Supported keystores for the TLS context are JCEKS, PKCS12, and JKS.

If you want to build an HTTPS Proxy in Mule 3 or Runtime Fabric deployment target, follow the Building an HTTPS Service tutorial.

Prerequisites

To configure your HTTPS API Proxy using secrets stored in your secret group, you need to meet the following requirements:

  • Secrets Manager Permissions enabled for your user.
    To configure an existing TLS context for the API Proxy, you need the Read secrets metadata permission. Review the Secrets Manager Permissions reference for more information.

  • Make sure your user has Manage API Configuration role.

  • A secret group along with a TLS context in Secrets Manager.
    Follow the Create a Secret Group instructions along with the Add a TLS Context task contained in that article if you need help creating a TLS context.
    Make sure that your TLS context’s target is of type "Mule", and that the Secret Group is marked as "downloadable".

    If you are not familiar with the secrets manager concepts, you should also review the Secrets Group Basic Concepts.

Configuring your API

  1. In API Manager, navigate to Manage API and Manage API From Exchange.

  2. Configure your API Proxy asset.
    Use the Managing an API from Exchange task if you need a complete reference on how to do this.
    While configuring your API Proxy, make sure you also select the following configurations:

    1. Select Endpoint with Proxy in the Managing Type fields

    2. Select the Check this box if you are managing this API in Mule 4 or above check mark.

  3. Click the Add TLS Context in the TLS Context for Outbound traffic field.

    building https proxy c7589
    1. Select the secret group where you hosted your TLS Context from the Secret Group drop-down.

    2. Select your TLS Context for your HTTPS API Proxy from the TLS Context drop-down.

      building https proxy 7543c
      If you can’t see any context, make sure you have the right permissions mentioned in the prerequisites above.

Additionally, if you want to enable SSL inbound traffic:

  1. Click Advanced Options.

  2. On the Scheme field, select HTTPS.
    This makes the TLS Context for Inbound Traffic field appear.

  3. Select Add TLS Context.

    1. Select the secret group where you hosted your TLS Context from the Secret Group drop-down.

    2. Select your TLS Context for your HTTPS API Proxy from the TLS Context drop-down.

      building https proxy 7543c
  4. Click Save

Deploying the API Proxy

CloudHub

After you configured your API Proxy and selected CloudHub as the Proxy deployment target, your API Proxy will be automatically deployed, with the secrets already configured.

Your secrets are configured as secure property placeholders under the SecureProperties in your mule-artifact.json.
The amount of properties supplied depends on your selected configuration:

inbound.keystore.keyPassword_281324
inbound.keystore.password_281324

inbound.truststore.password_281324

outbound.keystore.keyPassword_281324
outbound.keystore.password_281324

outbound.truststore.password_281324

The 281324 suffix in this case is API Instance ID of your API Proxy.

If you inspect your API Proxy’s XML, you can see these properites being used in your trustore/keystore configurations:

<tls:trust-store path="outbound-truststore.jks" password="${outbound.truststore.password_281324}" type="JKS" insecure="true"  />

Hybrid

After you configured your API Proxy and selected Hybrid as the Proxy deployment target, your API Proxy will be automatically deployed, with the secrets already configured.

Your secrets are configured as secure property placeholders under the SecureProperties in your mule-artifact.json.
The amount of properties supplied depends on your selected configuration:

inbound.keystore.keyPassword_281324
inbound.keystore.password_281324

inbound.truststore.password_281324

outbound.keystore.keyPassword_281324
outbound.keystore.password_281324

outbound.truststore.password_281324

The 281324 suffix in this case is API Instance ID of your API Proxy.

If you inspect your API Proxy’s XML, you can see these properites being used in your trustore/keystore configurations:

<tls:trust-store path="outbound-truststore.jks" password="${outbound.truststore.password_281324}" type="JKS" insecure="true"  />

Standalone

To deploy you API Proxy to a standalone server, you need to provide secured properties for each TLS Context.

  1. Download the API Proxy.

    1. In API Manager, select the version of the API proxy you want to download.

    2. Click the Actions button in the top right side of your screen and select Download Proxy.

      building https proxy 62dbf
  2. Take note of your API Instance ID under API Instance.

    building https proxy 541ec
  3. When running your standalone Mule instance, you need to provide the keystore and key passphrases as -D arguments, along with your API Proxy’s API Instance ID.
    For example, if your API instance ID is 15464957, you need to pass the arguments:

    ./bin/mule \
    -M-Dinbound.keystore.keyPassword_15464957=pass123 \
    -M-Dinbound.keystore.password_15464957=pass123 \
    -M-Dinbound.truststore.password_15464957=pass123 \
    -M-Doutbound.keystore.keyPassword_15464957=pass123 \
    -M-Doutbound.keystore.password_15464957=pass123 \
    -M-Doutbound.truststore.password_15464957=pass123

Was this article helpful?

💙 Thanks for your feedback!

Edit on GitHub