$MULE_HOME/bin/amc_setup -H token server-name -P proxy-host proxy-port proxy-user proxy-password
Connect the Agent Through a Proxy Server
Where possible, we changed noninclusive terms to align with our company value of Equality. We maintained certain terms to avoid any effect on customer implementations. |
If your Mule runtime engine runs inside a firewall that restricts external communication through a proxy server, you can configure the Runtime Manager agent to route traffic through the proxy server to Runtime Manager.
The Runtime Manager agent supports the basic access and Kerberos v5 (via SPNEGO) authentication schemes for proxied communication.
Configure the Agent to Connect Through a Proxy Server
To configure the agent to connect through a proxy server, you must:
-
Run the
amc_setup
command to create the$MULE_HOME/conf/mule-agent.yml
file. -
Set up your proxy server configuration in the
$MULE_HOME/conf/wrapper.conf
file.
Run amc_setup to Create mule-agent.yml
If you have previously installed the Runtime Manager agent and want to change the configuration to use a proxy, you can add the proxy configuration to the mule-agent.yml
file.
To configure the proxy server connection:
-
If you want to encrypt passwords in the
mule-agent.yml
file, set theAGENT_VAR_master_password
environment variable to the main password:export AGENT_VAR_master_password=myPassword
-
Run this command:
For basic authentication, the -P parameter sets up the authenticated proxy.
For Kerberos authentication, use the new parameter to specify that this protocol will be used along with the configuration file paths.
$MULE_HOME/bin/amc_setup -H token server-name -P proxy-host proxy-port proxy-user proxy-password --use-kerberos-proxy krb5-configuration-path jaas-configuration-path
If the proxy server doesn’t require authentication, omit proxy-user and proxy-password. These options are required when using Kerberos authentication via --use-kerberos-proxy.
-
amc_setup -P parameters:
- proxy-host
-
Specifies the hostname of the desired proxy server: for example,
proxy.acme.com
. Do not includehttp://
orhttps://
in the hostname. - proxy-port
-
Specifies the port of the desired proxy server.
- proxy-user
-
Optionally specifies the user with which to authenticate against the proxy, if required.
- proxy-password
-
Optionally specifies the password for the authentication proxy-user, if required.
-
amc_setup --use-kerberos-proxy parameters:
- krb5-configuration-path
-
Specifies the file path to the
krb5.conf
file, which is required to communicate with the Kerberos KDC.This is Kerberos flavor-dependent. See the MIT Kerceros Documentation for reference on the MIT implementation, which is the standard in most UNIX and Windows systems.
- jaas-configuration-path
-
Specifies the file path to the JAAS login configuration file, which is required to login to the Kerberos KDC.
See JAAS Login Configuration File for a reference on this file format.
This example configures the agent to work with a proxy server (acme.proxy.com
) and specifies a Runtime Manager token:
amc_setup -H myToken myMuleServer -P acme.proxy.com 443
This example configures the agent to work with a proxy server that requires authentication:
amc_setup -H myToken myMuleServer -P acme.proxy.com 443 internalAdmin Ins1d3V0icePassword
Set Up Proxy Server Configuration in the wrapper.conf File
To specify proxy server configuration in the $MULE_HOME/conf/wrapper.conf
file,
add your proxy server information to the following properties:
-
wrapper.java.additional.<n>=-Danypoint.platform.proxy_host={hostname}
-
wrapper.java.additional.<n>=-Danypoint.platform.proxy_port={port}
-
wrapper.java.additional.<n>=-Danypoint.platform.proxy_username={username}
-
wrapper.java.additional.<n>=-Danypoint.platform.proxy_password={password}
These are additional parameters to pass to Java when it is launched. The <n> element refers to the number of additional parameters in the configuration. It is indicated with an integer number counting up from 1 and must follow a sequence without any gaps.
|
Verify That the Proxy Server Does Not Modify the Runtime Manager Certificate
To ensure that your firewall or proxy does not intercept or modify the Runtime Manager certificate, run one of the following commands, depending on the version of your Runtime Manager agent.
The commands run a probe to determine whether the firewall or proxy is tampering with the certificate.
-
Agent versions 1.12.0 and later, and 2.2.0 and later:
echo -e "GET / HTTP/1.0\r\n" | openssl s_client -connect runtime-manager.anypoint.mulesoft.com:443 -ign_eof
The output of this command should include the following information:
-----END CERTIFICATE----- subject=/C=US/ST=California/L=San Francisco/O=salesforce.com, inc./CN=runtime-manager.anypoint.mulesoft.com issuer=/C=US/O=DigiCert Inc/CN=DigiCert TLS RSA SHA256 2020 CA1
-
Agent versions earlier than 1.12.0 and 2.2.0:
echo -e "GET / HTTP/1.0\r\n" | openssl s_client -connect mule-manager.anypoint.mulesoft.com:443 -ign_eof
The output of this command should include the following information:
-----END CERTIFICATE----- subject=/C=US/ST=CA/L=San Francisco/O=Mulesoft/OU=Mulesoft/CN=mule-manager.anypoint.mulesoft.com/emailAddress=devops@mulesoft.com issuer=/C=US/ST=CA/L=San Francisco/O=Mulesoft/OU=Mulesoft/CN=Mulesoft/emailAddress=devops@mulesoft.com
If the expected information does not appear in the output,
contact your networking team with the openssl
command’s output.