MuleSoft Flex Gateway TLS configuration

Jose Ramon Huerga
Another Integration Blog
5 min read · Jan 16, 2023

By default, Flex Gateway uses plain HTTP, listening on port 8080. That configuration is not adequate for production environments, because the data in transit is not encrypted. Thus, one of the first operations commonly done after registering a new Flex Gateway is to configure a TLS context.

Generate a private key and a certificate

To configure a TLS context in Flex Gateway, you need to obtain a private key and a certificate. Typically, the following steps are required:

  • Generate a private key: a unique, secret key used to protect the data transmitted over the TLS connection. You can use a tool like OpenSSL to generate it.
  • Generate a certificate signing request (CSR): once you have a private key, you need to generate a CSR. This is a request to a certificate authority (CA) to issue a digital certificate that verifies the identity of your server.
  • Obtain a certificate: The next step is to obtain a digital certificate from a

Alternatively, it is possible to use a self-signed certificate. This is a certificate that is signed by the same entity that created it, rather than by a trusted third-party certificate authority (CA). These certificates have several disadvantages, such as lack of trust and validation, but are very helpful for testing purposes and internal usage, as they are free to create, as opposed to certificates issued by a certificate authority (CA), which usually come with a fee.

Rakko Inc offers an online TLS certificate generator that creates a certificate signing request, a private key, and a self-signed SSL certificate. This is the URL of the generator: https://en.rakko.tools/tools/46/ Keep in mind that a private key generated on a third-party website has left your control the moment it was created, so limit this approach to test environments and generate production keys locally.

The tool exposes a form that requests basic data required for the certificate such as country name, province name, locality, common name, etc.

Configure Flex Gateway

Once we have obtained the private key and the self-signed certificate, the next step is to configure Flex Gateway to use them. Flex Gateway can be installed as a Linux service, in a Docker container or as a Kubernetes Ingress controller. All those installation modes support defining TLS contexts. In this article, we are using Docker.

To configure TLS contexts, we just need to create a folder named “app” in the same directory where the file registration.yaml lies. In that “app” folder we are going to create a file named “tls.yml”, as shown in this screenshot:

You can find in this documentation page an example of a YAML file that can be used to configure a TLS context. The most important sections of that file are:

  • metadata.name: it must contain the value “ingress-https-tls”.
  • spec.config.certificate.key: the private key, in PEM format.
  • spec.config.certificate.crt: the certificate, in PEM format.
  • spec.config.ciphers: the list of cipher suites that Flex Gateway will offer when performing the TLS handshake with the consumers of the APIs.

This is an example of a YAML file configured to enable a TLS context (the PEM sections have been trimmed for legibility):

apiVersion: gateway.mulesoft.com/v1alpha1
kind: PolicyBinding
metadata:
  name: ingress-https-tls
spec:
  targetRef:
    kind: Selector
    selector:
      kind: ApiInstance
  policyRef:
    name: tls
  config:
    certificate:
      key: |
        -----BEGIN PRIVATE KEY-----
        MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwgg
        tIfxk01QXODdT+dWtXnOG8M++p7aHuXlaW0q9y
        tZFstmL0SKVGj7GxNmGPRBE=
        -----END PRIVATE KEY-----
      crt: |
        -----BEGIN CERTIFICATE-----
        MIIDnjCCAoagAwIBAgIEWfvkYjANBgkqhkiG9w
        NTQluG64q9cVVkq+PTtPbaR0KrUZxTKygVbmVZ
        MsT4OPXIVeETvIg1DFN/Gadw
        -----END CERTIFICATE-----
    alpn:
      - http/1.1
      - h2
    minversion: "1.1"
    maxversion: "1.3"
    ciphers:
      - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      - TLS_CHACHA20_POLY1305_SHA256
      - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
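As an added pre-deployment check (not part of the original article or of Flex Gateway itself), the following Python audits a parsed tls.yml: it verifies the binding name the gateway expects, checks that both PEM blocks are well formed, flags the minversion "1.1" used above because TLS 1.0 and 1.1 are deprecated, and flags any non-AEAD cipher suite. It assumes no PyYAML: the binding is built inline as a dict shaped like the YAML above, with constructed placeholder PEM bodies instead of real key material.

```python
import base64
import binascii
import re
MIN_TLS = (1, 2)  # assumption: lowest version a production gateway should accept
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.+?)\s*-----END \1-----", re.S)

def pem_is_wellformed(pem, label):
    """True if the text is a single PEM block with this label and a decodable base64 body."""
    m = PEM_RE.search(pem or "")
    if not m or m.group(1) != label:
        return False
    try:
        base64.b64decode("".join(m.group(2).split()), validate=True)
    except (binascii.Error, ValueError):
        return False
    return True

def audit_tls_binding(doc):
    """Return findings for a parsed tls.yml dict; an empty list means it passes."""
    findings = []
    if doc.get("kind") != "PolicyBinding" or doc.get("metadata", {}).get("name") != "ingress-https-tls":
        findings.append("must be kind PolicyBinding named ingress-https-tls")
    spec = doc.get("spec", {})
    cfg, cert = spec.get("config", {}), spec.get("config", {}).get("certificate", {})
    if not pem_is_wellformed(cert.get("key"), "PRIVATE KEY"):
        findings.append("certificate.key is not a well-formed PRIVATE KEY block")
    if not pem_is_wellformed(cert.get("crt"), "CERTIFICATE"):
        findings.append("certificate.crt is not a well-formed CERTIFICATE block")
    minv = cfg.get("minversion")
    if minv is None or tuple(int(x) for x in str(minv).split(".")) < MIN_TLS:
        findings.append(f"minversion {minv!r} permits deprecated TLS; set it to 1.2 or higher")
    for suite in cfg.get("ciphers", []):  # only AEAD suites (GCM / ChaCha20-Poly1305) should stay
        if "GCM" not in suite and "CHACHA20" not in suite:
            findings.append(f"non-AEAD cipher suite {suite}")
    return findings

# Constructed placeholder PEM bodies: valid base64, NOT real key material.
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\n%s\n-----END PRIVATE KEY-----\n" % base64.b64encode(b"placeholder").decode()
FAKE_CRT = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(b"placeholder").decode()

def page_style_binding(minversion="1.1"):
    """Dict shaped like the article's tls.yml (minversion 1.1 as published)."""
    return {"apiVersion": "gateway.mulesoft.com/v1alpha1", "kind": "PolicyBinding",
            "metadata": {"name": "ingress-https-tls"},
            "spec": {"targetRef": {"kind": "Selector", "selector": {"kind": "ApiInstance"}},
                     "policyRef": {"name": "tls"},
                     "config": {"certificate": {"key": FAKE_KEY, "crt": FAKE_CRT}, "alpn": ["http/1.1", "h2"],
                                "minversion": minversion, "maxversion": "1.3",
                                "ciphers": ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256",
                                            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]}}}
```

Running audit_tls_binding(page_style_binding()) reports only the minversion finding; passing "1.2" or "1.3" returns an empty list.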

Once we have created that file, Flex Gateway must be restarted. As in this example we are using Docker, we need to use the flag “-p 443:443” to change the published port from 8080 to 443, the standard port for TLS / SSL.

Finally, as we have changed the port in Docker, we also need to modify in API Manager the scheme and the port of the APIs deployed to this Flex Gateway so that they match the new configuration, in this case port 443:

Testing

Finally, we are going to test the TLS configuration applied to Flex Gateway using Postman. By default, Postman verifies the certificates presented by servers and reports an error if they are self-signed. That means that if we try to invoke an API published on Flex Gateway, Postman is going to produce this error:

To ignore that error, we need to change the Postman settings to disable SSL certificate verification:

Once we have disabled it, if we repeat the same call, this time it works:

Summary

HTTPS offers several advantages, including security, authentication, privacy, and trust. By configuring a TLS context in Flex Gateway we are going to be able to use HTTPS to invoke our APIs. In this tutorial, we have seen how to obtain a self-signed certificate, how to embed it into a YAML configuration, and how to configure API Manager to expose our APIs on port 443.
