Contact Free trial Login

Gatekeeper Enhanced Security

When you deploy an application, there could be a lapse during which the tracked resources exposed by the application are accessible, but the policies specified for those tracked resources are not yet applied, so unwelcome traffic may reach the them. GateKeeper prevents this situation by blocking the tracked resource until all policies have been retrieved and applied without errors. During this period, the API returns a 503 HTTP status code.

How Gatekeeper Works

The Gatekeeper mechanism only applies when (re)starting the runtime or (re)deploying a tracked resource (ie one linked with an API instance through Autodiscovery).

When engaged, each tracked resource is blocked and a 503 - Service Unavailable HTTP status code is returned, until all policies that appear as applied in the API instance of API Manager are downloaded and applied without errors to the tracked resource.

Resources without an associated Autodiscovery will be ignored by Gatekeeper, but because Autodiscovery is not defined for them, no policy could be applied to them, neither analytics info generated.

If you loose connectivity once the runtime is (re)started and/or tracked Mule application is (re)deployed, you will use cached policies, configuration and contracts as well while connectivity is lost, but with a mechanism which is different from Gatekeeper. This mechanism is implemented in all versions of runtimes supporting API Gateway capabilities.
If a malformed or incorrectly defined policy is to be applied to a tracked resource and Gatekeeper is engaged, the tracked resource will be blocked with 503 HTTP status code until the offending policy is un-applied from API Manager.

The Runtime caches all policies, and active contracts locally.

Security Levels

To enable or disable Gatekeeper functionality, you can configure the following property with a specific security level:

anypoint.platform.gatekeeper

For example, for configure the flexible security level, you have to specify the following property:

anypoint.platform.gatekeeper=flexible
  • Valid Values for Mule 4 Security Levels

    • strict

    • flexible

    • disabled

  • Valid Values for Mule 3 Security Levels

    • true

    • false

    • strict

    • flexible

Security Level Definitions

False

When this value is set, no security is applied. Unwelcome traffic may reach the APIs during the policies application process. This value is available only for backward compatibility in Mule 3.x. Use ‘disabled’ instead. disabled is not available in all 3.x releases. false is not available in Mule 4.x.

Disabled

When this value is set, no security is applied. Unwelcome traffic may reach the APIs during the policies application process.

True

When this value is set, the default security level is Strict. This value is available only for backward compatibility in Mule 3.x. Use ‘strict’ or ‘flexible’ instead. true is unavailable in Mule 4.x

Strict

When this value is established, Gatekeeper security is set on its maximum security level.

When the Mule Runtime is (re)started, the API is blocked and returns a 503 HTTP status code, until policies for each tracked resource are correctly downloaded and applied. If connectivity with API Platform is lost when Gatekeeper is engaged, the tracked resource will be blocked at least, until connection is re-established.

Flexible

When this value is established, Gatekeeper security is set on its intermediate security level.

When the Mule Runtime is (re)started, the API is blocked and returns a 503 HTTP status code, until policies for each tracked resource are correctly downloaded and applied. If connectivity with API Platform is lost when Gatekeeper is engaged, a local cache is used to get policies while connectivity is lost. The tracked resource will be blocked at least, until connection is re-established, if no cached policy is stored locally.

Flexible mode is available in runtime versions v3.8.6 or later v3.8.x, v3.9.0 or later v3.9.x and v4.1.0 or later.

Default Gatekeeper Configuration

Runtime version

Default security level

3.8.5

Strict

3.8.6 and later on 3.8.x

Flexible

3.9.0

Strict

3.9.1 and later on 3.9.x

Flexible

4.0.0

Strict

4.1.0 and later

Flexible

See Also

We use cookies to make interactions with our websites and services easy and meaningful, to better understand how they are used and to tailor advertising. You can read more and make your cookie choices here. By continuing to use this site you are giving us your consent to do this.