Consume SSL service

Consuming a HTTPS SSL service need a different HTTP requester configuration

Most of the time we have seen below error while calling the SSL service

org.mule.runtime.core.internal.message.ErrorBuilder$ErrorImplementation
{
  description=HTTP GET on resource 'https://localhost:443/ssl-service' failed: General SSLEngine problem.
  detailedDescription=HTTP GET on resource 'https://localhost:443/ssl-service' failed: General SSLEngine problem.
  errorType=HTTP:CONNECTIVITY
  cause=org.mule.extension.http.api.error.HttpRequestFailedException
  errorMessage=-
  childErrors=[]
}

This happen when we doesn’t add the endpoint’s SSL certificates to our MuleSoft trusted store

For this use case we will call our earlier SSL service

https://localhost/ssl-servicemore on creating SSL service

 

We can see the SSL certificates which this API host is not valid or coming from valid CA and if we try to call such services then we will get General SSLEngine problem error.

To call such service/apis we need to add their certificates in our truststore

When we configure TLS option in our HTTP connector configuration then we can see two sections

Trust Store Configuration – we used this option when we have to call SSL based service or APIs. This Java truststore will hold all different certificates which we trust and want to use for call the SSL services. So it’s mainly used in HTTP Requester configuration (where we have to call an API)

Key Store Configuration – we use this option when we have to host or create SSL based API. This will have organizations certificate or any valid certificates which will used for SSL communication. More on this

 

 

As we have to call SSL based service then we have to use Trust Store configuration

To create certificate we can use Keytool command to generate the certificate

keytool -printcert -sslserver localhost:443 -rfc >localhost.cer

Generated file

 

Now we will add this certificate to our trusted store

Creating Trust Store through JAVA

Will use keytool command to generate one – more on this https://docs.oracle.com/cd/E19509-01/820-3503/6nf1il6er/index.html

Go to JAVA jdk -> bin directory in command prompt

Copy the localhost.cer in same directory

Run below command

keytool -import -file localhost.cer -alias localhostCA -keystore myTrustStore.jks

Logs

D:\Softwares\jdk1.8.0_172\bin>keytool -import -file localhost.cer -alias localhostCA -keystore myTrustStore.jks
Enter keystore password:
Re-enter new password:
Owner: CN=Mulesy Mulesy, OU=Education, O=Mulesy, L=Delhi, ST=Delhi, C=IN
Issuer: CN=Mulesy Mulesy, OU=Education, O=Mulesy, L=Delhi, ST=Delhi, C=IN
Serial number: 291c191e
Valid from: Sun Apr 26 12:57:13 IST 2020 until: Sat Jul 25 12:57:13 IST 2020
Certificate fingerprints:
         MD5:  A8:E0:30:D2:1D:07:C4:BB:83:30:91:C9:88:7C:8B:E8
         SHA1: 7D:49:3F:BE:6F:A3:A7:31:B2:47:19:9C:85:E5:A6:17:29:84:EE:8E
         SHA256: 3F:23:3A:1E:5B:AF:B8:74:32:DA:F9:C0:8D:CA:4A:A0:3D:34:D2:67:D0:E4:5F:F1:73:0F:BE:B8:62:65:8E:ED
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: E4 6D EA CF 39 3D B6 FB   F0 9D D9 D0 14 FB 9B A5  .m..9=..........
0010: 7B FC 8C 1D                                        ....
]
]

Trust this certificate? [no]:  Y
Certificate was added to keystore

This will create the myTrustStore.jks in bin directory

 

Let’s copy this JKS to resource folder of MuleSoft application

 

Now open the HTTP request configuration and fill the trust store details

 

Run the application and test the API

Sometime we still get the same General SSLEngine problem error – this occur when we include Self signed certificates in our truststore and MuleSoft doesn’t allow us to use it as trusted certificate. In this case we have to use below option to make it work.

 

Insecure – true – this will accept all the certificates from the SSL endpoint without validating them.

Sample application – call-ssl-service

 

  
Thank you for taking out time to read the above post. Hope you found it useful. In case of any questions, feel free to comment below. Also, if you are keen on knowing about a specific topic, happy to explore your recommendations as well.
 
For any latest updates or posts on our website, you can follow us on LinkedIn. Look forward to connecting with you there.


Share this:
Subscribe
Notify of
guest
6 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Craig Can
Craig Can
4 years ago

Hi Admin, I need one clarification, I have created a REST API which uses one way SSL authentication, the same service has to consume a SOAP API which is secured by two way SSL. So my question is, the keystore I’ve created for hosting the webservice, which I am using in HTTP Listener, can I use the same keystore and export it’s public certificate to provide it to Server to add in their truststore for the SOAP service which I have to consume? Or do I have to create a new keystore that I can use it with the HTTP… Read more »

Craig Can
Craig Can
4 years ago
Reply to  admin

Thank You so much for the clarification 🙂

Craig Can
Craig Can
4 years ago

Hi Admin, I have another query, I am consuming a SOAP webservice which has two-way ssl implemented, for which I have configured Webservice Consumer and used HTTP Request configuration to utilize the TLS configuration. I have to use 3 operations from the SOAP webservice, out of which for the login operation everything is working fine, but the remaining two I keep getting internal server error 500, with this as a cause “Could not dispatch soap message using the [HTTP_Request_configuration_timeout] HTTP configuration” But when enabling wire logging and checking debug log, I can see the expected SOAP FAULT response in that… Read more »

prakruti
2 years ago

Hello Admin,

How to configure ssl in consume connector?