Nav

HTTPS Reference

When deploying to the CloudHub, you can perform an automatic deployment only if you use an HTTP listener that doesn’t enable HTTPS. If you use HTTPS, add your HTTPS credentials and then perform a manual deployment to CloudHub (legacy API Gateway 2.x) or deploy on premises.

HTTPS can be applied in the following ways:

  • Between the proxy and the client app (1)

  • Between the proxy and the API (2)

proxyHTTPS-on-two-stages

The way you apply HTTPS and deploy the proxy determines the method you use for setting up the proxy. The following sections describe these methods.

HTTPS with the Client App - On Premises

In the Configure Endpoint menu, you select HTTPS as a scheme on the dropdown menu. The generated proxy has an inbound HTTP Listener connector that references an alternative HTTP Listener Configuration element in a domain, if you use a domain, that uses HTTPS. This configuration element exists in the default Domain file in the API Gateway, but it’s commented out. In the API Gateway folder, open the file domains/api-gateway/mule-domain-config.xml. It should look like this:

+


         
      
1
2
3
4
5
6
7
8
9
10
11
12
<mule-domain xmlns="http://www.mulesoft.org/schema/mule/ee/domain" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:http="http://www.mulesoft.org/schema/mule/http" xmlns:tls="http://www.mulesoft.org/schema/mule/tls" xsi:schemaLocation="http://www.mulesoft.org/schema/mule/ee/domain http://www.mulesoft.org/schema/mule/ee/domain/current/mule-domain-ee.xsd http://www.mulesoft.org/schema/mule/http http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd http://www.mulesoft.org/schema/mule/tls http://www.mulesoft.org/schema/mule/tls/current/mule-tls.xsd">
 
   <http:listener-config name="http-lc-0.0.0.0-8081" host="0.0.0.0" port="8081" protocol="HTTP"/>
 
<!--
    <http:listener-config name="https-lc-0.0.0.0-8082" host="0.0.0.0" port="8082" protocol="HTTPS">
        <tls:context name="tls-context-config">
            <tls:key-store path="[replace_with_path_to_keystore_file]" password="[replace_with_store_password]" keyPassword="[replace_with_key_password]"/>
        </tls:context>
    </http:listener-config>
-->
</mule-domain>

Uncomment the HTTP http:listener-config element named https-lc-0.0.0.0-8082. Fill in the keystore fields in that element with your specific keystore data. Your proxy is ready to deploy.

HTTPS with the Client App - On CloudHub

In the Configure Endpoint dialog, you select HTTPS as a scheme on the dropdown menu. You download the proxy and modify the proxy to include an HTTPS Configuration element with HTTPS credentials. Include the following lines of code into your proxy’s proxy.xml file, include this outside any of the flows:


         
      
1
2
3
4
5
6
<http:listener-config name="https-lc-0.0.0.0-8082" host="0.0.0.0" port="8082" protocol="HTTPS">
    <tls:context name="tls-context-config">
       <tls:key-store path="[replace_with_path_to_keystore_file]" password="[replace_with_store_password]"
             keyPassword="[replace_with_key_password]"/>
    </tls:context>
</http:listener-config>

Replace the placeholders with the actual path and passwords of the keystore. Verify that the  http:listener element in the flow is correctly referencing this new configuration element you just added.

config-ref="https-lc-0.0.0.0-8082"

HTTPS with an API

In Configure Endpoint, provide an implementation URI to an HTTPS address. Specifying an HTTPS address modifies the proxy to support HTTPS. By default, the proxy signs requests using the default HTTPS credentials of the JVM.

If you want to include other HTTPS credentials, download the proxy and modify it accordingly. If you plan to import your proxy application into Studio 6.x or later, you can configure the endpoint to link the application to a domain or not. When importing your proxy application into Studio 5.x, your project is linked to a domain project named api-gateway, which is automatically created in studio if not already present. This domain project is identical to the domain that exists in CloudHub and in your default API Gateway On-Premises. It’s necessary for being able to deploy your app to the Anypoint Studio server under the same conditions as those present when you deploy the app to production. If you modify your domain on the On-Premises installation to include HTTPS credentials, replicate those changes on the domain that exists in Studio to match deployment conditions.

Modify the http:request-config element in the proxy.xml file of the proxy to include TLS configuration elements that point to the required truststore/keystore.