Consume SSL service
Consuming an HTTPS (SSL/TLS) service needs a different HTTP Requester configuration.
Most of the time we see the error below while calling an SSL service:
org.mule.runtime.core.internal.message.ErrorBuilder$ErrorImplementation { description=HTTP GET on resource 'https://localhost:443/ssl-service' failed: General SSLEngine problem. detailedDescription=HTTP GET on resource 'https://localhost:443/ssl-service' failed: General SSLEngine problem. errorType=HTTP:CONNECTIVITY cause=org.mule.extension.http.api.error.HttpRequestFailedException errorMessage=- childErrors=[] }
This happens when we have not added the endpoint's SSL certificate to our MuleSoft truststore.
For this use case we will call the SSL service we created earlier:
https://localhost/ssl-service – more on creating SSL service
We can see that the SSL certificate presented by this API host is not valid (it is not issued by a trusted CA), and if we try to call such a service we get the General SSLEngine problem error.
To call such services/APIs we need to add their certificates to our truststore.
When we configure the TLS option in our HTTP connector configuration we see two sections:
Trust Store Configuration – we use this option when we have to call SSL-based services or APIs. This Java truststore holds all the certificates which we trust and want to use when calling SSL services, so it is mainly used in the HTTP Requester configuration (where we have to call an API).
Key Store Configuration – we use this option when we have to host or create an SSL-based API. It holds the organization's certificate, or any other valid certificate, which is used for the SSL communication. More on this
As we have to call an SSL-based service, we have to use the Trust Store configuration.
To obtain the endpoint's certificate we can use the keytool command to export it from the server:
keytool -printcert -sslserver localhost:443 -rfc >localhost.cer
Generated file
Now we will add this certificate to our truststore.
Creating a Trust Store through Java
We will use the keytool command to generate one – more on this: https://docs.oracle.com/cd/E19509-01/820-3503/6nf1il6er/index.html
Go to the Java JDK -> bin directory in the command prompt
Copy localhost.cer into the same directory
Run the command below:
keytool -import -file localhost.cer -alias localhostCA -keystore myTrustStore.jks
Logs
D:\Softwares\jdk1.8.0_172\bin>keytool -import -file localhost.cer -alias localhostCA -keystore myTrustStore.jks
Enter keystore password:
Re-enter new password:
Owner: CN=Mulesy Mulesy, OU=Education, O=Mulesy, L=Delhi, ST=Delhi, C=IN
Issuer: CN=Mulesy Mulesy, OU=Education, O=Mulesy, L=Delhi, ST=Delhi, C=IN
Serial number: 291c191e
Valid from: Sun Apr 26 12:57:13 IST 2020 until: Sat Jul 25 12:57:13 IST 2020
Certificate fingerprints:
         MD5:  A8:E0:30:D2:1D:07:C4:BB:83:30:91:C9:88:7C:8B:E8
         SHA1: 7D:49:3F:BE:6F:A3:A7:31:B2:47:19:9C:85:E5:A6:17:29:84:EE:8E
         SHA256: 3F:23:3A:1E:5B:AF:B8:74:32:DA:F9:C0:8D:CA:4A:A0:3D:34:D2:67:D0:E4:5F:F1:73:0F:BE:B8:62:65:8E:ED
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: E4 6D EA CF 39 3D B6 FB   F0 9D D9 D0 14 FB 9B A5  .m..9=..........
0010: 7B FC 8C 1D                                        ....
]
]

Trust this certificate? [no]:  Y
Certificate was added to keystore
This will create myTrustStore.jks in the bin directory.
Let's copy this JKS to the resource folder of the MuleSoft application.
Now open the HTTP Request configuration and fill in the truststore details.
Run the application and test the API.
Sometimes we still get the same General SSLEngine problem error – this occurs when we include self-signed certificates in our truststore and MuleSoft does not allow us to use them as trusted certificates. In this case we have to use the option below to make it work.
Insecure – true – this accepts every certificate from the SSL endpoint without validating it, so the connection no longer verifies the identity of the endpoint it is talking to.
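To check the truststore outside of Mule before wiring it into the HTTP Requester, the following added example (not part of this post or of the sample application) does in plain Java what the Trust Store configuration does under the hood: it loads myTrustStore.jks, confirms the localhostCA alias is present, builds an SSLContext that trusts only that store, and calls the endpoint. The truststore path, the TRUSTSTORE_PASSWORD environment variable and the catch-and-report behaviour are assumptions for this example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TrustStoreCheck {
    // Assumed values: the JKS copied into the Mule resources folder, the alias
    // used in the keytool -import step, and the SSL service from this post.
    static final String TRUSTSTORE = "src/main/resources/myTrustStore.jks";
    static final String ALIAS = "localhostCA";
    static final String ENDPOINT = "https://localhost:443/ssl-service";

    // Build an SSLContext whose trust decisions come only from the given JKS,
    // which is exactly what the HTTP Requester's Trust Store configuration does.
    static SSLContext contextFrom(String path, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ts.load(in, password);
        }
        // Fail early if the import step was skipped or used a different alias.
        if (!ts.containsAlias(ALIAS)) {
            throw new IllegalStateException("alias " + ALIAS + " not found in " + path);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // null key managers: this is one-way SSL, the client presents no certificate.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed: password supplied via environment, never hard-coded.
        char[] password = System.getenv("TRUSTSTORE_PASSWORD").toCharArray();
        HttpsURLConnection conn = (HttpsURLConnection) new URL(ENDPOINT).openConnection();
        conn.setSSLSocketFactory(contextFrom(TRUSTSTORE, password).getSocketFactory());
        try {
            System.out.println("HTTP " + conn.getResponseCode() + " from " + ENDPOINT);
        } catch (IOException e) {
            // Chain validation or hostname check failed: the same condition that
            // surfaces in Mule as HTTP:CONNECTIVITY / General SSLEngine problem.
            System.out.println("TLS validation failed: " + e.getMessage());
        }
    }
}
```

Setting Insecure to true in Mule corresponds to replacing the TrustManagers obtained here with ones that accept any chain, so the containsAlias and chain checks above are the validation that option turns off.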
Sample application – call-ssl-service
Hi Admin, I need one clarification. I have created a REST API which uses one-way SSL authentication; the same service has to consume a SOAP API which is secured by two-way SSL. So my question is, the keystore I've created for hosting the web service, which I am using in the HTTP Listener, can I use the same keystore and export its public certificate to provide it to the server to add to their truststore for the SOAP service which I have to consume? Or do I have to create a new keystore that I can use with the HTTP…
Hi Craig, below are the answers. So my question is, the keystore I've created for hosting the web service, which I am using in the HTTP Listener, can I use the same keystore and export its public certificate to provide it to the server to add to their truststore for the SOAP service which I have to consume? Yes, you can provide the public certificate to your API consumer to call your service. But to consume the SOAP service you have to create a truststore. Or do I have to create a new keystore that I can use with the HTTP Request connector…
Thank You so much for the clarification 🙂
Hi Admin, I have another query. I am consuming a SOAP web service which has two-way SSL implemented, for which I have configured the Web Service Consumer and used an HTTP Request configuration to utilize the TLS configuration. I have to use 3 operations from the SOAP web service; for the login operation everything is working fine, but for the remaining two I keep getting internal server error 500, with this as the cause: "Could not dispatch soap message using the [HTTP_Request_configuration_timeout] HTTP configuration". But when enabling wire logging and checking the debug log, I can see the expected SOAP FAULT response in that…
Hi Craig, by default Mule doesn't set the error payload in the Payload variable in case of error. You need to browse to #[error.muleMessage.payload] to get hold of the error payload or fault response set by the server.
Hello Admin,
How to configure ssl in consume connector?