
Gateway Startup Encryption in Mule 3

Gateway startup encryption allows you to encrypt sensitive information stored by the runtime such as policies, contracts, and the required credentials to configure the connection between your Mule application and Anypoint Platform.

Configuring the Runtime to Use Encryption

You can encrypt your Anypoint Platform credentials (client ID, client secret, and proxy password) with a 16-character encryption key. Pass that same key to the runtime at start-up through the anypoint.platform.encryption_key property so that the runtime can decrypt and use the encrypted credentials:

$MULE_HOME/bin/mule start -Danypoint.platform.encryption_key=MyEncryptionKey1

While the runtime is starting, it checks for an encryption key and then reads the client ID and client secret values from its wrapper.conf file.

Encrypting Credentials using the Agent

To enable encryption for the runtime, pass the encryption-key argument to the agent with your encryption key as its value. The agent then encrypts the client ID and client secret.

When starting the runtime, you need to pass the encryption key using the anypoint.platform.encryption_key property as instructed above.

Gateway Encryption Tool

The gateway encryption tool provides a way to inspect the policy files that Mule runtime engine 3.9.3 and later encrypts. It also provides a way to encrypt offline policies, and pass encrypted client credentials to the runtime.

The tool has two modes, policy and property.

Policy

This mode encrypts and decrypts the policy XML files.

To encrypt or decrypt a policy file:

java -jar gateway-encryption-tool.jar policy <encrypt|decrypt> <key> <input_policy_file> <output_policy_file>

The tool takes the policy in <input_policy_file>, encrypts it with the key passed in <key>, and writes the result to <output_policy_file>.

This tool does not verify the validity of the policy.

You must first download the encryption tool jar file.

Property

This mode encrypts and decrypts the values of the properties set in the wrapper.conf file.

To encrypt or decrypt a property of your configuration file:

java -jar gateway-encryption-tool.jar property <encrypt|decrypt> <key> <input_value>

The tool uses the key passed in <key> to encrypt (or decrypt) the value passed in <input_value>.

When using the decrypt option, your shell may interpret some characters of the encrypted value, such as the leading exclamation mark. To avoid this, wrap the encrypted value in single quotation marks:

java -jar gateway-encryption-tool.jar property decrypt 1234567812345678 '![FefVUnvDJpbXnUvrGAEezg==]'
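As an added example (not part of MuleSoft's tooling), the following Python audit reads a wrapper.conf and reports which of the three credentials are stored in the tool's ![base64] encrypted form, which are still in clear, and whether the encryption key itself has been written into the same file rather than passed on the mule start command line. It assumes the property names anypoint.platform.client_id, anypoint.platform.client_secret and anypoint.platform.proxy_password and the wrapper.java.additional.N=-Dname=value layout; the wrapper.conf fragment is constructed.

```python
import base64
import binascii
import re

# Assumed names of the sensitive Mule 3 system properties held in wrapper.conf.
SENSITIVE_PROPS = ("anypoint.platform.client_id",
                   "anypoint.platform.client_secret",
                   "anypoint.platform.proxy_password")
KEY_PROP = "anypoint.platform.encryption_key"

# wrapper.conf passes JVM system properties as: wrapper.java.additional.N=-Dname=value
WRAPPER_LINE = re.compile(r"^\s*wrapper\.java\.additional\.\d+\s*=\s*-D([^=\s]+)=(.*)$")
# Shape of a value produced by "gateway-encryption-tool.jar property encrypt": ![<base64>]
ENCRYPTED_VALUE = re.compile(r"^!\[([A-Za-z0-9+/]+={0,2})\]$")


def is_encrypted_value(value: str) -> bool:
    """True if value has the ![base64] shape and the payload decodes cleanly."""
    m = ENCRYPTED_VALUE.match(value.strip())
    if not m:
        return False
    try:
        base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def audit_wrapper_conf(text: str) -> dict:
    """Classify each sensitive property as encrypted, plaintext or missing, and
    flag an encryption key stored in the same file as the values it protects."""
    found, key_in_file = {}, False
    for line in text.splitlines():
        m = WRAPPER_LINE.match(line)
        if not m or line.lstrip().startswith("#"):
            continue  # not a -D property line, or commented out
        name, value = m.group(1), m.group(2).strip()
        if name == KEY_PROP:
            key_in_file = True
        elif name in SENSITIVE_PROPS:
            found[name] = "encrypted" if is_encrypted_value(value) else "plaintext"
    report = {p: found.get(p, "missing") for p in SENSITIVE_PROPS}
    report["encryption_key_in_wrapper_conf"] = key_in_file
    return report


# Constructed wrapper.conf fragment: one encrypted value, one left in clear.
SAMPLE_CONF = """\
wrapper.java.additional.20=-Danypoint.platform.client_id=![FefVUnvDJpbXnUvrGAEezg==]
wrapper.java.additional.21=-Danypoint.platform.client_secret=s3cret-in-clear
#wrapper.java.additional.22=-Danypoint.platform.encryption_key=1234567812345678
"""
```

Run audit_wrapper_conf on the contents of $MULE_HOME/conf/wrapper.conf; any "plaintext" entry is a credential the runtime still stores unencrypted on disk.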

Policies Encryption

Some of your policies may contain sensitive data. If the runtime is configured with an encryption key, it encrypts all online policies before storing them on disk, and it does the same for the policy cache generated from them. When you open an encrypted policy, instead of a readable XML file you will see content like this:

![khaR+9HOuJhCfC+pAQ7NZKjK1u3ZiW1kFnxBkGmMvh1ZUXZi3GMJbl9m7oFSU+ug0kJqaeDoR2iw...]

If you need to debug or troubleshoot your policies configuration, you can use the policy mode of the gateway encryption tool to recover the non-encrypted XML.

The runtime does not automatically encrypt offline policies. However, if you provide the offline policy files already encrypted, the runtime is able to decrypt them and use them normally.

When running in a cluster, an offline policy remains encrypted on the node where it was originally deployed, assuming you configured that node to use encryption. When the policy propagates to other nodes, it follows each receiving node's configuration: if that node is configured to use encryption, the policy propagates to it encrypted; if it is not, the policy propagates to it unencrypted.