Create SSL based service

 

TLS certificates (still commonly called SSL certificates) secure the transport layer and create an encrypted channel between the service caller and the server. In the usual one-way setup the server presents its certificate so the caller can verify the server's identity, and the data exchanged in both directions is encrypted and integrity protected. Authenticating the caller as well requires client certificates (mutual TLS), which this post does not cover. In most organizations it is standard to expose only HTTPS based services.

Please go through https://docs.oracle.com/cd/E19798-01/821-1841/gjrgy/ to understand more about keystore generation.

 

To start with, we have to create the server-side key pair and self-signed certificate using the Java keytool utility.

Go to the JDK bin directory and run the command below (taken from the keytool documentation linked above):

java-home/bin/keytool -genkey -alias server-alias -keyalg RSA -keypass changeit -storepass changeit -keystore keystore.jks

Here

  • alias is the name of the key entry inside the keystore (usually chosen to identify the server)
  • keyalg is the key algorithm (RSA here)
  • keypass is the password protecting the private key and storepass is the password protecting the keystore file; for a PKCS12 keystore both must be the same
  • keystore is the file name of the keystore to create

Let’s change it as per our organization’s needs:

java-home/bin/keytool -genkey -alias mulesy-server -keyalg RSA -keypass changeit -storepass changeit -keystore keystore.jks

Example:

D:\Softwares\jdk1.8.0_172\bin>keytool -genkey -alias mulesy-server -keyalg RSA -keypass changeit -storepass changeit -keystore keystore.jks
What is your first and last name?
  [Unknown]:  Mulesy Mulesy
What is the name of your organizational unit?
  [Unknown]:  Education
What is the name of your organization?
  [Unknown]:  Mulesy
What is the name of your City or Locality?
  [Unknown]:  Delhi
What is the name of your State or Province?
  [Unknown]:  Delhi
What is the two-letter country code for this unit?
  [Unknown]:  IN
Is CN=Mulesy Mulesy, OU=Education, O=Mulesy, L=Delhi, ST=Delhi, C=IN correct?
  [no]:  Yes


Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12".

D:\Softwares\jdk1.8.0_172\bin>keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12
Enter source keystore password:
Entry for alias mulesy-server successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

Warning:
Migrated "keystore.jks" to Non JKS/JCEKS. The JKS keystore is backed up as "keystore.jks.old".

 

This creates keystore.jks in the directory the command was run from (here the JDK bin directory). After the migration step above the file is still named keystore.jks but is in PKCS12 format; that is the type we will configure in Mule.
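The same key generation can be done non-interactively, which is what you want in a build script. The following is an added example, not part of the original post: it creates the keystore directly as PKCS12 (so the separate JKS migration step is not needed), gives the certificate a SubjectAlternativeName, and adds two checks a practitioner wants, one on the keystore contents and one on what the running listener actually serves. The CN=localhost subject, SAN list, 2048-bit key size and 365-day validity are assumptions for a local test setup; keytool (JDK 8 or later) and OpenSSL 1.1.1 or later must be on PATH to run the generate and probe functions.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the server keystore
# non-interactively as PKCS12 with a SubjectAlternativeName, then lets you
# check what the listener actually serves. Key size, validity, SAN list and
# the CN=localhost subject are assumptions for a local test setup.

KEYSTORE="${KEYSTORE:-keystore.jks}"        # same file name the post uses
ALIAS="${ALIAS:-mulesy-server}"
STOREPASS="${STOREPASS:-changeit}"          # PKCS12 requires keypass == storepass
DNAME="CN=localhost, OU=Education, O=Mulesy, L=Delhi, ST=Delhi, C=IN"
SAN="dns:localhost,ip:127.0.0.1"            # browsers match the SAN, not the CN

# Create the key pair and self-signed certificate directly in PKCS12 format,
# so the JKS -> PKCS12 migration step from the post is not needed.
generate_keystore() {
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -validity 365 -storetype PKCS12 -keystore "$KEYSTORE" \
    -storepass "$STOREPASS" -keypass "$STOREPASS" \
    -dname "$DNAME" -ext "SAN=$SAN"
}

# Print the entry so subject, SAN and validity can be reviewed.
inspect_keystore() {
  keytool -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$ALIAS"
}

# Reads `keytool -list -v` output on stdin; succeeds only if the certificate
# carries a SubjectAlternativeName extension. Chrome (since version 58) rejects
# certificates without one even when the issuer is trusted.
cert_has_san() {
  grep -q 'SubjectAlternativeName'
}

# Show the certificate the running listener actually presents (run after the
# Mule app is up). Usage: probe_endpoint localhost 443
probe_endpoint() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates -ext subjectAltName
}

# Only does real work when asked, so the functions can be sourced safely.
if [ "${RUN_KEYTOOL:-0}" = "1" ]; then
  generate_keystore
  if inspect_keystore | cert_has_san; then
    echo "ok: $KEYSTORE carries SAN $SAN"
  else
    echo "warning: certificate in $KEYSTORE has no SAN" >&2
  fi
fi
```

Run it with `RUN_KEYTOOL=1 sh make-keystore.sh` to create the file, then `probe_endpoint localhost 443` once the Mule application is listening; the subject and SAN printed by the probe should match what keytool reported.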

 

The same key pair can later be certified by a CA to make the certificate trusted by clients: generate a certificate signing request with keytool -certreq, have the CA sign it, and import the signed reply into the same alias with keytool -importcert.

Most MuleSoft developers don’t have to do this key generation themselves, as the keystore is usually provided by the network or server maintenance team, so please check with them first.

Let’s use the same keystore.jks for our SSL-based API.

Create a mule application and add HTTP listener

 

Add keystore.jks in src\main\resources folder

 

Click on the connector configuration.

Change the protocol from HTTP to HTTPS and the port to 443. (Binding to 443 requires administrative privileges on Linux and macOS; a port above 1024 such as 8443 avoids that for local testing.)

 

We can now fill in the keystore configuration: type PKCS12, path keystore.jks, alias mulesy-server, and changeit as both the key password and the keystore password.

Please note that we changed the JKS keystore to PKCS12 format while generating the keystore above, so the type must be set to PKCS12 rather than JKS; otherwise the listener will fail to load the key.

Click OK and run the application
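The listener configuration that the Studio steps above produce, written out as Mule XML. This is an added example, not the post’s own sample application, and it assumes Mule 4 (HTTP connector with the tls namespace). The property names https.port, keystore.password and keystore.key.password are assumptions; they keep the passwords out of the flow XML and can be supplied from a properties file or the Secure Properties module.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not the post's sample application), assumes Mule 4. -->
<mule xmlns="http://www.mulesoft.org/schema/mule/core"
      xmlns:http="http://www.mulesoft.org/schema/mule/http"
      xmlns:tls="http://www.mulesoft.org/schema/mule/tls"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="
        http://www.mulesoft.org/schema/mule/core http://www.mulesoft.org/schema/mule/core/current/mule.xsd
        http://www.mulesoft.org/schema/mule/http http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd
        http://www.mulesoft.org/schema/mule/tls http://www.mulesoft.org/schema/mule/tls/current/mule-tls.xsd">

    <!-- Assumed properties file in src/main/resources; holds https.port and the
         two keystore passwords so they are not hard-coded in the flow. -->
    <configuration-properties file="config.properties"/>

    <http:listener-config name="HTTPS_Listener_config">
        <!-- protocol="HTTPS" is what the "change HTTP to HTTPS" step sets. -->
        <http:listener-connection host="0.0.0.0" port="${https.port}" protocol="HTTPS">
            <!-- Restrict to TLS 1.2+; TLSv1.3 needs a JDK that supports it. -->
            <tls:context enabledProtocols="TLSv1.2,TLSv1.3">
                <!-- type must match the file: the post migrated keystore.jks to PKCS12.
                     path is resolved from src/main/resources. -->
                <tls:key-store type="pkcs12"
                               path="keystore.jks"
                               alias="mulesy-server"
                               keyPassword="${keystore.key.password}"
                               password="${keystore.password}"/>
            </tls:context>
        </http:listener-connection>
    </http:listener-config>

    <flow name="ssl-service-flow">
        <http:listener config-ref="HTTPS_Listener_config" path="/ssl-service"/>
        <set-payload value="Hello over TLS"/>
    </flow>
</mule>
```

With https.port=443 the service answers at https://localhost/ssl-service as in the post. If the key store type does not match the actual file format, or keyPassword differs from password for a PKCS12 file, the listener fails at startup rather than at request time, so check the application log first when the HTTPS port does not come up.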

Now if we call the API in Chrome we see the error below:

https://localhost/ssl-service

The error is expected: browsers only accept certificates that chain to a trusted CA, and we created this certificate for internal use and it is self-signed, not signed by any CA. Note also that current Chrome versions require a SubjectAlternativeName and ignore the CN, so a certificate generated exactly as above would still be flagged even if it were imported as trusted.

 

Click on Advanced and proceed, explicitly telling the browser to accept this certificate. Do this only for local testing; in production the certificate must chain to a CA the clients already trust.

 

Now we can see the response from our API.

Click on Not secure in the address bar and then on Certificate.

 

It shows the same subject information we entered when generating the keystore.

 


 

Sample application – ssl-sample

  
Thank you for taking out time to read the above post. Hope you found it useful. In case of any questions, feel free to comment below. Also, if you are keen on knowing about a specific topic, happy to explore your recommendations as well.
 
For any latest updates or posts on our website, you can follow us on LinkedIn. Look forward to connecting with you there.


Nagesh
4 years ago

Hi Mulesy,

I found your website it’s really awesome deep explanation and easy to understand.

I’m facing a General SSL engine problem while calling the ABC service system. They have shared a .jks certificate and a .pfx certificate and password, and I have followed the same steps which you have mentioned, but it is still a general SSL engine error, and when I check the insecure option I get a failed bad certificate issue. Can you please help on this issue?

Thanks & Regards,

Nagesh
Nagesh
4 years ago
Reply to  admin

Yes, I have configured the Trust store only, and I tried both approaches, with the insecure check and without the insecure check, but I still get the same issue. When I check insecure it says bad certificate and failed, and when I try without insecure it throws a General SSL engine issue, but the issue is not resolved.

Andre
3 years ago

Hi! Thanks for your explanation!
I have a problem because my API was working great but suddenly started to fail, giving me the following message:

ERROR 2021-05-23 18:52:43,446 [http.listener.02 SelectorRunner] org.mule.service.http.impl.service.server.grizzly.MuleSslFilter: SSL handshake error: Received fatal alert: certificate_unknown

Do you have any idea? Because I was developing some new stuff and now it’s broken T-T

Andre
3 years ago
Reply to  admin

Thanks for your response, this error is really weird. I “resolved” it by creating a new project and configuring everything again. I even use the same keystore, and at first it works. But it has already happened 3 more times. :S

More information:
In TLS I don’t have any value in the trust store, but I use the key store config.