Configure Credentials Hashing for Mule 4
Enable hashing of your client credentials to add another layer of security for your APIs by hiding the client secrets from the Mule runtime engine (Mule) server. When you enable client hashing, API gateway stores the client credentials in memory, with only the client secret hashed.
Additionally, if you enabled both encryption and hashing in API gateway, the contract information in memory is hashed, but not encrypted. When client hashing (disabled by default) is enabled, it uses the SHA-256 hashing algorithm.
If you modify the configuration to enable or disable hashing in API gateway and then restart your Mule server to apply the updated configuration, your incoming requests are not affected and they continue to be processed normally.
With client credential hashing enabled, when a request is received, API gateway obtains the client secret from the client credentials of that request and hashes it. API gateway then compares and verifies the client ID and the hashed client secret from the request with the credentials stored in memory before passing the request to Mule.
To enable client hashing, start the Mule server with the anypoint.platform.hash_clients property enabled. You can enable the property either by running the start command or by configuring the property in the wrapper.conf file in the

$MULE_HOME/bin/mule start -M-Danypoint.platform.hash_clients=true
If you add the wrapper.java.additional.n entries to the configuration file, ensure that each instance of <n> is a consecutive number. Otherwise, Java does not parse the properties correctly. For example:
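As an added illustration of the numbering rule (not part of MuleSoft's documentation), the following script audits a wrapper.conf body for the wrapper.java.additional.<n> entries, reports any gap or duplicate in the index sequence, and says whether anypoint.platform.hash_clients=true is among the entries the wrapper will actually reach. Both configuration fragments are constructed samples, and the assumption that entries after the first gap are not applied is the script's own reading of the note above.

```python
import re

# Constructed wrapper.conf fragments (not from a real installation). The hashing
# property is one of the wrapper.java.additional.<n> JVM arguments, and <n> must
# run 1, 2, 3, ... with no gaps for the wrapper to pass them all to Java.
SAMPLE_OK = """\
wrapper.java.additional.1=-XX:+HeapDumpOnOutOfMemoryError
wrapper.java.additional.2=-Dmule.home=%MULE_HOME%
wrapper.java.additional.3=-Danypoint.platform.hash_clients=true
"""
SAMPLE_GAP = """\
wrapper.java.additional.1=-XX:+HeapDumpOnOutOfMemoryError
wrapper.java.additional.2=-Dmule.home=%MULE_HOME%
wrapper.java.additional.4=-Danypoint.platform.hash_clients=true
"""

ENTRY_RE = re.compile(r"^\s*wrapper\.java\.additional\.(\d+)\s*=\s*(.*?)\s*$")
HASH_RE = re.compile(r"^-Danypoint\.platform\.hash_clients=(true|false)$")


def audit_wrapper_conf(text):
    """Return (consecutive, hashing_enabled, problems) for a wrapper.conf body.

    Assumption: entries after the first missing index are treated as not
    applied, which is how the note above describes a numbering gap breaking
    parsing of the properties.
    """
    entries, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ENTRY_RE.match(line)
        if not m:
            continue
        n = int(m.group(1))
        if n in entries:
            problems.append(f"line {lineno}: duplicate index {n}")
        entries[n] = m.group(2)
    # Highest index reachable without a gap, counting up from 1.
    reachable = 0
    while reachable + 1 in entries:
        reachable += 1
    consecutive = reachable == len(entries)
    if not consecutive:
        problems.append(f"indices {sorted(entries)} are not consecutive from 1; "
                        f"entries above {reachable} are not applied")
    # Hashing counts as enabled only if its entry sits within the reachable run.
    enabled = any(
        HASH_RE.match(v) and HASH_RE.match(v).group(1) == "true"
        for n, v in entries.items() if n <= reachable
    )
    return consecutive, enabled, problems
```

Run it against the live file with audit_wrapper_conf(open(path).read()) before restarting the server, so a silently ignored hash_clients entry is caught before the deploy log is the only evidence.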
To verify that API gateway started with client hashing enabled, add the following entry in the Log4j logger configuration:
<AsyncLogger name="com.mulesoft.mule.runtime.gw.deployment" level="DEBUG" />
The log4j file is present in
If hashing is enabled, the Mule environment displays the following message when deploying the first API:
API Gateway initializing with Client Hashing algorithm: SHA-256