Configure Credentials Hashing for Mule 4

Enable hashing of your client credentials to add another layer of security for your APIs by hiding the client secrets from the Mule runtime engine (Mule) server. When you enable client hashing, API gateway stores the client credentials in memory, with only the client secret hashed.

Additionally, if you enabled both encryption and hashing in API gateway, the contract information in memory is hashed, but not encrypted. When client hashing (disabled by default) is enabled, it uses the SHA-256 hashing algorithm.

If you modify the configuration to enable or disable hashing in API gateway and then restart your Mule server to apply the updated configuration, your incoming requests are not affected and they continue to be processed normally.

How Client Credential Hashing Works

With client credential hashing enabled, when a request is received, API gateway obtains the client secret from the client credentials of that request and hashes it. API gateway then compares and verifies the client ID and the hashed client secret from the request with the credentials stored in memory before passing the request to Mule.

Configure Client Credential Hashing

To enable client hashing, start the Mule server with the anypoint.platform.hash_clients property enabled. You can enable the property by either running the start command or by configuring the property in the wrapper.conf file in the conf directory:

  • start command:

    $MULE_HOME/bin/mule start -M-Danypoint.platform.hash_clients=true

  • wrapper.conf property:

    wrapper.java.additional.<n>=-Danypoint.platform.hash_clients=true

If you add the wrapper.java.additional.n entries to the configuration file, ensure that each instance of <n> is a consecutive number. Otherwise, Java does not parse the properties correctly. For example:

  • Incorrect usage

wrapper.java.additional.300=-Danypoint.platform.hash_clients=true

wrapper.java.additional.300=-Dsome.other.property

  • Correct usage:

wrapper.java.additional.300=-Danypoint.platform.hash_clients=true

wrapper.java.additional.301=-Dsome.other.property

Verify Client Credential Hashing

To verify that API gateway started with client hashing enabled, add the following entry in the Log4j logger configuration:

<AsyncLogger name="com.mulesoft.mule.runtime.gw.deployment" level="DEBUG" />

The log4j file is present in $MULE_HOME/conf/log4j2.xml.

If hashing is enabled, the Mule environment displays the following message when deploying the first API:

API Gateway initializing with Client Hashing algorithm: SHA-256

Was this article helpful?

💙 Thanks for your feedback!

Edit on GitHub