Contact Us 1-800-596-4880

Build HTTPS API Proxies

API Manager 2.x enables you to use the secrets stored in your secret group to build an HTTPS-based API for your CloudHub or hybrid deployments. By configuring a TLS context for your inbound and outbound traffic, you can ensure your traffic’s security.

The secrets manager integration is only supported by API Proxies running Mule 4 on CloudHub, Hybrid, or standalone deployments. Supported keystores for the TLS context are JCEKS, PKCS12, and JKS.

To build an HTTPS Proxy in a Mule 3 or Runtime Fabric deployment target, see Build an HTTPS Service.

Before You Begin

To configure your HTTPS API Proxy using secrets stored in your secret group, ensure you have:

  • Requested the following permissions from your Anypoint Platform admin:

    • Secrets Manager permissions
      To configure an existing TLS context for the API Proxy, you need the Read secrets metadata permission. Review the Secrets Manager Permissions reference for more information.

    • API Manager permissions
      To apply a TLS context to an API proxy in API Manager, you need the Manage API Configuration role. See the API Manager section of the Permissions by Product page for more information.

  • Created a Secret Group
    Enable the Secret Group Downloadable checkbox.

  • Added a TLS Context
    Set TLS context’s target to Mule.

Configure your HTTPS API Proxy

Configure your HTTPS API Proxy by completing the following steps:

  1. Navigate to Anypoint Platform > API Manager.

  2. In API Administration, click Add API and select Add new API.

  3. Select Mule Gateway as your runtime.

  4. Select Deploy a proxy application for Proxy type.

  5. If you selected to deploy a proxy application, select the Target type from the following options:

    • CloudHub 2.0: Select this option if you want to use the Mule runtime hosted by MuleSoft in a container-based cloud infrastructure. The CloudHub 2.0 proxy includes a CPU with 0.1 vCores by default.

      1. Select a space.

        To learn more about spaces, see Shared Spaces and Private Spaces.

      2. In Runtime version:

        1. Select the Runtime Channel.

        2. Select the Version for Mule runtime.

        3. Select the Java version.

      3. Enter a Proxy app name.

    • CloudHub: Select this option if you want to use the Mule runtime hosted on the cloud by MuleSoft. The CloudHub proxy includes a CPU with 0.1 vCores and a memory of 500 MB, by default.

      1. In Runtime version:

        1. Select the Runtime Channel.

        2. Select the Version for Mule runtime.

        3. Select the Java version.

      2. Enter a Proxy app name.

    • Hybrid: Select Hybrid if you have a Mule runtime running on an on-premises server that you want to use. See Register a server in Runtime Manager for more information.

      If you are running an API with a self-managed server, use the classic API creation flows to manage your API.

      1. Select a target from the list or click Add server.

      2. Enter a Proxy app name.

    • Runtime Fabric: Select Runtime Fabric if you want to deploy API Proxies to a Mule runtime engine that is managed on Runtime Fabric. See Deploying API Proxies to Runtime Fabric for more information.

      1. Select a target from the list.

      2. In Runtime version:

        1. Select the Runtime Channel.

        2. Select the Version for Mule runtime.

        3. Select the Java version.

      3. Enter a Proxy app name.

  6. Select an API from the following options:

    • Click Select API from Exchange if you have an API shared with you through Exchange that you want to manage.

      1. Click the API from the list under Select API. You can search for a specific API if needed.

      2. Update the Asset type, API version, and Asset version if you are not using the latest version.

        For more information about versions in Exchange, see Asset Versions.

      3. If you chose a RAML/OAS asset type, view the Conformance Status of the API to ensure the API is conformant. If the Conformance Status is nonconformant, after deployment, view the Governance Report to find and fix the conformance issues. For more information about the Governance Report, see Governing API Instances.

    • Click Create new API:

      1. Enter a Name for the new API asset.

      2. Select the Asset type from the following options:

        • REST API: Select this option if you have a RAML or OAS API definition file you want to include for your asset.

          Upload either a RAML or OAS file for your REST API. Versions 2.0.0 and later are the recommended versions for OAS or RAML specs, because these versions add native OAS support. If you upload an OAS API specification to an API proxy version 1.0 or earlier, your API specification is translated to RAML.

        • HTTP API: Select this option if you do not have an API definition file you want to include for your asset.

        • SOAP API: Select this option if you have a WSDL API definition file or an external link to the file.

          Upload a WSDL file for your SOAP API or add the link to the file.
          This option is not available for Flex Gateway runtime at this time.

      3. Update the Asset type, API version, and Asset version if you are not using the latest version.

        For more information about versions in Exchange, see Asset Versions.

      4. If you chose a RAML/OAS asset type, view the Conformance Status of the API to ensure the API is conformant. If the Conformance Status is nonconformant, after deployment, view the Governance Report to find and fix the conformance issues. For more information about the Governance Report, see Governing API Instances.

  7. Click Next.

  8. Configure the downstream configuration settings:

    Expand for configuration settings.
    Field Name Description Required Notes

    Protocol

    Specifies whether to use HTTP or HTTPS for the validations.

    Yes

    If you select HTTPS, specify a TLS context for inbound traffic.

    Inbound TLS

    Specifies the TLS context to secure inbound traffic.

    No

    Only available on Mule 4+. If you can’t see a context, ensure that you have the correct permissions. To enable HTTPS in Mule 3 environment, see enable HTTPS in Mule 3x.

    Port

    Specifies the number to use if the displayed port is incorrect.

    Yes

    Base path

    Specifies the URL prefix for all API paths, relative to the host root. It must start with a leading slash /.

    Yes

    Instance label

    Specifies a label for the API.

    No

    If you have multiple managed instances of the same API, add a label to differentiate each instance from the others.

    Advanced Options

    Consumer endpoint

    Specifies a proxy application’s address for consumers to use for sending requests.

    No

    Client provider

    Specifies a client provider for the API.

    Yes

    Anypoint Platform acts as the client provider by default. To configure an external client provider, see Client Providers.

    Request timeout

    Specifies the duration after which a request times out.

    No

    Proxy Version

    Specifies the version of the proxy to use for the endpoint.

    No

    Service Name

    Name of your WSDL service.

    Yes

    Only avaliable for WSDL APIs.

    Service Port

    Port for your WSDL your service.

    Yes

    Only avaliable for WSDL APIs.

    Service Namespace

    Namespace of your WSDL service.

    Yes

    Only avaliable for WSDL APIs.

    Enable Console

    Specifies whether you can expose and test your API specification.

    No

    You can specify a different path in Console Path, for example, /spec/*. Only available if you have an attached API definition. Only available on Mule 3+.

    Validations

    Specifies whether to validate inbound requests against a provided specification.

    No

    Only available if you have an attached API definition. Only available on Mule 3+.

    Strict validations (optional)

    Specifies whether to validate inbound requests against query parameters.

    No

    Only available if you have an attached API definition. Only available on Mule 3+

    User Domain

    Specifies whether to use an API gateway domain.

    No

    If you chose Hybrid as the proxy deployment target previously in the configuration, ensure that you select this option. You must install the API gateway domain in Mule 3.8 and later.

    To configure an HTTPS Proxy, you must select HTTPS and configure an Inbound TLS context.
  9. Click Next.

  10. Configure the upstream configuration settings:

    Expand for configuration settings.
    Field Name Description Required Notes

    Upstream URL

    The URL to access for the proxy or the API.

    Yes

    For example, you can use the URL of your API asset in Exchange.

    Outbound TLS

    Specifies the TLS context to secure outbound traffic.

    No

    Only available on Mule 4+. If you can’t see a context, ensure that you have the correct permissions.

  11. Click Next.

  12. Review your selections and edit them if necessary.

  13. If you are ready to deploy, click Save & Deploy. Otherwise, you can select Save, to save the API instance and deploy it at a later time.

API Proxy Deployment

You can deploy your API proxy to CloudHub, hybrid, or standalone servers.

Deploy to CloudHub

After you configured your API Proxy and selected CloudHub as the Proxy deployment target, your API Proxy will be automatically deployed, with the secrets already configured.

Your secrets are configured as secure property placeholders under the SecureProperties in your mule-artifact.json.
The amount of properties supplied depends on your selected configuration:

inbound.keystore.keyPassword_281324
inbound.keystore.password_281324

inbound.truststore.password_281324

outbound.keystore.keyPassword_281324
outbound.keystore.password_281324

outbound.truststore.password_281324

The 281324 suffix in this case is API instance ID of your API Proxy.

If you inspect your API Proxy’s XML, you can see these properties being used in your trustore/keystore configurations:

<tls:trust-store path="outbound-truststore.jks" password="${outbound.truststore.password_281324}" type="JKS" insecure="true"  />

Deploy to Hybrid

After you configure your API Proxy and select Hybrid as the Proxy deployment target, your API Proxy is automatically deployed, with the secrets already configured.

Your secrets are configured as secure property placeholders under the SecureProperties in your mule-artifact.json.

+ The amount of properties supplied depends on your selected configuration:

inbound.keystore.keyPassword_281324
inbound.keystore.password_281324

inbound.truststore.password_281324

outbound.keystore.keyPassword_281324
outbound.keystore.password_281324

outbound.truststore.password_281324

The 281324 suffix in this case is API instance ID of your API Proxy.

If you inspect your API Proxy’s XML, you can see these properties being used in your trustore/keystore configurations:

<tls:trust-store path="outbound-truststore.jks" password="${outbound.truststore.password_281324}" type="JKS" insecure="true"  />

Deploy to Standalone Servers

To deploy your API Proxy to a standalone server, provide secured properties for each TLS Context.

  1. Download the API Proxy.

    1. In API Manager, select the version of the API proxy you want to download.

    2. Click the Actions button in the top-right corner of your screen and select Download Proxy.

  2. Take note of your API instance ID under API Instance ID.

  3. When running your standalone Mule instance, you need to provide the keystore and key passphrases as -D arguments, along with your API Proxy’s API instance ID.
    For example, if your API instance ID is 15464957, you need to pass the arguments:

    ./bin/mule \
    -M-Dinbound.keystore.keyPassword_15464957=pass123 \
    -M-Dinbound.keystore.password_15464957=pass123 \
    -M-Dinbound.truststore.password_15464957=pass123 \
    -M-Doutbound.keystore.keyPassword_15464957=pass123 \
    -M-Doutbound.keystore.password_15464957=pass123 \
    -M-Doutbound.truststore.password_15464957=pass123