Deep Dive into Mutual TLS Authentication in MuleSoft

Venkatesh Jujarao
Another Integration Blog
Feb 1, 2023

This article is an extension of my previous article (Introduction and Deep Dive to One-Way SSL Authentication in MuleSoft). It is recommended to go through the previous article if you need a quick understanding of:

  • How the TLS protocol works.
  • What symmetric and asymmetric encryption are and how they work.
  • What a digital certificate, keystore and truststore are.
  • How data protection over the TLS protocol works.
  • What one-way SSL authentication is and how it can be achieved in MuleSoft.

In this article we will focus on how to configure Mutual TLS authentication in MuleSoft.

Mutual TLS (MTLS) Authentication (Two-Way SSL Handshake)

In two-way authentication, the client application verifies the identity of the server application, and then the server application verifies the identity of the client application. Two-way SSL is also known as Mutual TLS authentication.

  • At the server end there is a keystore holding the server's private key and public certificate, and a truststore holding the client's public certificate.
  • At the client end there is a keystore holding the client's private key and public certificate, and a truststore holding the server's public certificate.

CA-Signed Certificate

High-Level Diagram: Two-Way SSL Handshaking with CA-Signed Certificate

As the diagram above shows, the client and server public certificates are CA-signed, so custom truststores on the client and server side are not required.

Self-Signed Certificate

High-Level Diagram: Two-Way SSL Handshaking with Self-Signed Certificate

As the diagram above shows, the client and server public certificates are self-signed, so custom truststores on the client and server side are required.

Steps To Generate Self-Signed Certificate

This follows the same steps as One-Way SSL. In the One-Way SSL article we created the server keystore, exported the server public certificate and imported it into the client truststore; now we do the same for the client side.

  • Generate the client keystore with a private key and public certificate.

    keytool -genkey -alias client -keysize 2048 -keyalg RSA -keystore client-keystore.jks

    keytool -importkeystore -srckeystore client-keystore.jks -destkeystore client-keystore.jks -srcstoretype PKCS12 -deststoretype jks

  • Export the client public certificate.

    keytool -export -alias client -keystore client-keystore.jks -file client-publickey.crt

  • Generate the server truststore.

    keytool -genkey -alias serverts -keysize 2048 -keyalg RSA -keystore server-truststore.ts

    keytool -importkeystore -srckeystore server-truststore.ts -destkeystore server-truststore.ts -srcstoretype PKCS12 -deststoretype jks

  • Import the client certificate into the server truststore.

    keytool -import -alias client-publickey -keystore server-truststore.ts -file client-publickey.crt

In the previous article we have seen how to:

  • Generate the server keystore.
  • Export the server public certificate.
  • Create the client truststore.
  • Import the server certificate into the client truststore.
  • Configure the client HTTP requester and server HTTP listener to enable one-way SSL authentication.

Configure the keystore and truststore in MuleSoft

Server Configuration

  • Configure the truststore in the HTTPS listener configuration alongside the existing keystore.

Client Configuration

  • Configure the keystore in the HTTPS requester configuration alongside the existing truststore.

Configure Postman to test the MTLS Authentication

Since a self-signed certificate is configured on both the client side and the server side, we configure the client's private key and public certificate in Postman so that it can call the server. When Postman calls the server it presents the client's public certificate, which the server validates against its custom truststore.

Below are the steps to configure the client certificate details in Postman.

  • Create a PFX (PKCS12) file from the client keystore.

    keytool -importkeystore -srckeystore client-keystore.jks -srcstoretype JKS -destkeystore client-keystore.pfx -deststoretype PKCS12

  • Go to Postman and click on the settings icon.
  • Go to the Certificates tab and click on the Add Certificate button.
  • Enter the required client certificate details and click on the Add button.
  • Test your application.

If the client certificate is not configured when calling the server API (in the self-signed case), we see the error below in Postman.

If the certificate is configured incorrectly, we see an error in Postman like the one below, where we gave the wrong password for the PFX file while configuring the certificate in Postman.

Conclusion

We saw how two-way SSL works and how it can be configured in MuleSoft, and also how to configure the client certificate details in Postman so that we can test our connection to the server.
