Anypoint Enterprise Security
*Enterprise Edition, CloudHub Version 1.2*
Anypoint Enterprise Security is a collection of security features that enforce secure access to information in Mule applications.
This suite of security features provides various methods for applying security to Mule Service-Oriented Architecture (SOA) implementations and Web services. The following security features bridge gaps between trust boundaries in applications:
Mule Secure Token Service (STS) Oauth 2.0 Provider
Mule Credentials Vault
Mule Message Encryption Processor
Mule Digital Signature Processor
Mule Filter Processor
Mule CRC32 Processor
Install the Anypoint Enterprise Security update on your instance of Anypoint Studio Enterprise Edition 3.3.2 or later.
Businesses must ensure that the valuable information they store and make available through software applications and Web services is secure. Locked away and protected from unauthorized users and malicious attackers, protected resources — such as credit card information or Social Security numbers — must still be accessible to authorized legitimate users and systems in order to conduct business transactions.
To provide secure access to information, applications and services can apply a variety of security measures. The suite of security features in Anypoint Enterprise Security enables developers to protect applications according to security requirements, prevent security breaches and facilitate authorized access to data.
Anypoint Enterprise Security adds new features on top of of Mule ESB Enterprise’s existing security capabilities. Mule ESB already provides the following security features:
Mule Security Manager, client authentication and authorization on inbound requests as well as credential mapping for outbound calls
LDAP and third party identity management system integration
Validation of inbound requests through the SAML 2.0 federated identity standard
Secure FTP (SFTP) Transport that enables Mule flows to read and write to remote directories over the SSH protocol.
In most cases the above features were accessible only to expert Mule developers who are very familiar with the Spring Security framework. Anypoint Enterprise Security expands the types of security available to apply to Mule applications and, through its accessibility in Studio, makes security features accessible to a broader range of skilled developers.
Compiled to form an easily-accessible, user-friendly collection, Anypoint Enterprise Security offers developers a clear, structured method for adding security to Mule ESB applications. Developers can easily drag-and-drop one or more security features into Mule flows in Studio, Mule ESB’s graphical user interface (GUI), and can find configuration support in Mule documentation.
Anypoint Enterprise Security offers developers six tools to ensure that authorized end users have secure access to protected data. Each tool plays a different role in securing a Mule application.
Mule can apply Oauth 2.0 security to a REST Web service provider or consumer. OAuth uses tokens to ensure that a resource owner never has to share credentials, such as a username or password, with a 3rd-party Web service.
For example, Facebook uses OAuth to connect to Gmail to collect a user’s Gmail contacts. When a user initiates the request to connect, Facebook opens a new browser window for the user to enter a Gmail address and password. If authenticated, Gmail provides all the user’s contacts to Facebook, but does not share the user’s Gmail login credentials. OAuth ensures that the 3rd-party Facebook application never has access to the user’s protected Gmail credentials.
Mule can encrypt properties in a .properties file. The .properties file in Mule stores data as key-value pairs. Mule flows may access this data — usernames, first and last names, credit card information — as the flow processes messages. In the context of Anypoint Enterprise Security, Mule refers to the .properties file in which it safely stores encrypted properties as the Mule Credentials Vault.
Mule can encrypt an entire payload or several fields of data within a message. Where sensitive information must move between users, yet remain hidden from them, a developer can encrypt message content to prevent unauthorized access. Typically, you may need to encrypt data such as a password, credit card number or social security number (SSN).
Mule uses digital signatures to ensure that messages maintain integrity and authenticity. Mule can verify that an incoming Web service request originates from a valid source, and can sign an outgoing Web service response to ensure its contents. Digital signatures ensure that a sender is valid, that a message is not modified in transit between Web services, and that no unauthorized user has tampered with a message.
Mule can filter messages it receives to avoid processing invalid ones. With a filter processor in place, Mule discards any message it receives that does not match the filter’s parameters — a message from outside a set range of IP addresses, for example.
Mule can apply a cyclic redundancy check (CRC) to messages to ensure message integrity. CRC uses an algorithm to apply a check value to a message when it enters a system, and verifies the value when the message leaves the system. If the entry and exit values do not match, CRC marks the message as changed. Generally, CRC32 (32 indicates the 33-bit polynomial length in the algorithm) detects unintentional changes to messages, such as the accumulation of “noise” between transmission points, but it can also detect unauthorized intentional changes – for instance, flagging a message that has been tampered with during transmission to change it into a Trojan horse.
Install the Anypoint Enterprise Security update on your instance of Anypoint Studio or Standalone Enterprise 3.3.2 or later.
Examine the details of above-listed features; use menu in left-nav bar to access feature-specific pages.
Explore two example applications that demonstrate Anypoint Enterprise Security features in action: