Create SSL based service
SSL certificates are used to secure the transport layer and create a secure communication channel between the service caller and the server. The SSL channel authenticates the identity of the server to the caller and encrypts the data exchanged between caller and server. In an organization it is standard to have only SSL based services.
Please go through https://docs.oracle.com/cd/E19798-01/821-1841/gjrgy/ to understand more about keystore generation.
To start with, we first have to create the server-side certificate using the Java keytool utility (keytool.exe on Windows).
Go to the JDK bin directory and run the command below:
java-home/bin/keytool -genkey -alias server-alias -keyalg RSA -keypass changeit -storepass changeit -keystore keystore.jks
Here:
- alias is the server name (the name under which the key is stored in the keystore)
- keyalg is the key algorithm name
- keypass and storepass are the key and keystore passwords
- keystore is the keystore file name
Let's change it as per our organization's needs:
java-home/bin/keytool -genkey -alias mulesy-server -keyalg RSA -keypass changeit -storepass changeit -keystore keystore.jks
Example:
D:\Softwares\jdk1.8.0_172\bin>keytool -genkey -alias mulesy-server -keyalg RSA -keypass changeit -storepass changeit -keystore keystore.jks
What is your first and last name?
  [Unknown]:  Mulesy Mulesy
What is the name of your organizational unit?
  [Unknown]:  Education
What is the name of your organization?
  [Unknown]:  Mulesy
What is the name of your City or Locality?
  [Unknown]:  Delhi
What is the name of your State or Province?
  [Unknown]:  Delhi
What is the two-letter country code for this unit?
  [Unknown]:  IN
Is CN=Mulesy Mulesy, OU=Education, O=Mulesy, L=Delhi, ST=Delhi, C=IN correct?
  [no]:  Yes

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12".

D:\Softwares\jdk1.8.0_172\bin>keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12
Enter source keystore password:
Entry for alias mulesy-server successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

Warning:
Migrated "keystore.jks" to Non JKS/JCEKS. The JKS keystore is backed up as "keystore.jks.old".
This will create the keystore in the JDK bin directory.
The same certificate can be signed by any CA to make it a trusted certificate (more details).
Mostly, MuleSoft developers don't have to do this key generation, as the keystore is provided by the network or server maintenance team, so please check with them first.
Let's use the same keystore.jks for our SSL based API.
Create a Mule application and add an HTTP listener.
Add keystore.jks to the src\main\resources folder.
Click on the connector configuration.
Change the protocol from HTTP to HTTPS and the port to 443.
We can now add the information in the keystore configuration.
Please note that we migrated the JKS keystore to PKCS12 format while generating it above, so the keystore type in the configuration must match.
Click OK and run the application.
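The Mule 4 XML equivalent of the listener configured in the steps above, added here as an example and not taken from the page's sample project. The property names and the ssl.properties file name are assumptions; the passwords are read from properties instead of being written into the configuration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<mule xmlns="http://www.mulesoft.org/schema/mule/core"
      xmlns:http="http://www.mulesoft.org/schema/mule/http"
      xmlns:tls="http://www.mulesoft.org/schema/mule/tls"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="
        http://www.mulesoft.org/schema/mule/core http://www.mulesoft.org/schema/mule/core/current/mule.xsd
        http://www.mulesoft.org/schema/mule/http http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd
        http://www.mulesoft.org/schema/mule/tls http://www.mulesoft.org/schema/mule/tls/current/mule-tls.xsd">

  <!-- Assumed file in src/main/resources holding:
         keystore.password=changeit
         keystore.key.password=changeit
       so the secrets do not live in this XML or in source control. -->
  <configuration-properties file="ssl.properties"/>

  <http:listener-config name="HTTPS_Listener_config">
    <!-- Protocol and port as set in the connector configuration above. -->
    <http:listener-connection host="0.0.0.0" port="443" protocol="HTTPS">
      <tls:context>
        <!-- keystore.jks was migrated to PKCS12 by keytool -importkeystore,
             so the type must be pkcs12 even though the file name still ends in .jks.
             alias matches the -alias given to keytool -genkey. -->
        <tls:key-store type="pkcs12"
                       path="keystore.jks"
                       alias="mulesy-server"
                       keyPassword="${keystore.key.password}"
                       password="${keystore.password}"/>
      </tls:context>
    </http:listener-connection>
  </http:listener-config>

  <!-- Minimal flow behind https://localhost/ssl-service -->
  <flow name="ssl-service-flow">
    <http:listener config-ref="HTTPS_Listener_config" path="/ssl-service"/>
    <set-payload value="Hello from the SSL based service"/>
  </flow>
</mule>
```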
Now if we call the API in Chrome we see the error below:
https://localhost/ssl-service
This error appears because the browser only trusts certificates signed by a trusted CA. As we created the certificate for our internal use (it is still not signed by any CA), this is expected.
Click on Advanced to explicitly tell the browser that it is safe to call this service.
Now we can see the response from our API.
Click on Not secure and then on Certificate.
It shows the same information we used to generate the keystore.
More details
Sample application – ssl-sample
Hi Mulesy,
I found your website; it's really awesome, with deep explanation and easy to understand.
I'm facing a General SSL engine problem while calling the ABC service system, and they have shared a .jks certificate and .pfx certificate and password. I have followed the same steps which you have mentioned, but still it is general SSL engine, and when I check the insecure, I'm getting a failed bad certificate issue. Can you please help on this issue.
Thanks & Regards,
Hi Nagesh,
Thanks for appreciating the efforts.
For calling an SSL service you have to configure the Trust Store and not the Key Store (refer to the attached image). Please follow the configuration as per https://mulesy.com/consume-ssl-api-or-service/
Thanks,
Mulesy Team
Yes, I have configured the Trust store only, and I tried with both approaches, with the insecure check and without the insecure check, but I am still getting the same issue. When I check the insecure it is saying bad certificate and failed; when I tried without insecure it is throwing a General SSL engine issue, but the issue is not resolved.
Hi! Thanks for your explanation!
I have a problem because my API was working great but suddenly started to fail, giving me the following message:
ERROR 2021-05-23 18:52:43,446 [http.listener.02 SelectorRunner] org.mule.service.http.impl.service.server.grizzly.MuleSslFilter: SSL handshake error: Received fatal alert: certificate_unknown
Do you have any idea? Because I was developing some new stuff and now it's broken T-T
Hi Andre,
Looks like you are making a call to an HTTPS service whose certs are unknown. In this case, make the HTTPS configuration insecure and it will work.
Thanks,
Mulesy Team
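For the consumer side discussed in the replies above (the "Trust Store, not Key Store" advice and the certificate_unknown handshake error), an added example that is not from the page or its sample project: an HTTPS requester whose trust store holds the self-signed server certificate exported from keystore.jks, so the caller verifies the server rather than marking the configuration insecure. The truststore.p12 file name, the property name and the keytool export commands in the comments are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<mule xmlns="http://www.mulesoft.org/schema/mule/core"
      xmlns:http="http://www.mulesoft.org/schema/mule/http"
      xmlns:tls="http://www.mulesoft.org/schema/mule/tls"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="
        http://www.mulesoft.org/schema/mule/core http://www.mulesoft.org/schema/mule/core/current/mule.xsd
        http://www.mulesoft.org/schema/mule/http http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd
        http://www.mulesoft.org/schema/mule/tls http://www.mulesoft.org/schema/mule/tls/current/mule-tls.xsd">

  <!-- Assumed properties file holding truststore.password=changeit -->
  <configuration-properties file="ssl.properties"/>

  <!-- Building the trust store (assumed commands, run once against the server keystore):
         keytool -exportcert -alias mulesy-server -keystore keystore.jks -storepass changeit -file mulesy-server.cer
         keytool -importcert -alias mulesy-server -file mulesy-server.cer -keystore truststore.p12 -storetype PKCS12 -storepass changeit -noprompt
       Only the public certificate is handed to the caller; the private key stays in keystore.jks. -->
  <http:request-config name="HTTPS_Request_config">
    <http:request-connection host="localhost" port="443" protocol="HTTPS">
      <tls:context>
        <!-- The requester needs a trust store, not a key store (no client certificate is presented).
             Leaving insecure="true" off keeps server certificate validation on, so a
             certificate_unknown alert means the server's certificate is really missing from this store. -->
        <tls:trust-store type="pkcs12"
                         path="truststore.p12"
                         password="${truststore.password}"/>
      </tls:context>
    </http:request-connection>
  </http:request-config>

  <!-- Private flow that calls the service from the article; invoke it with a flow-ref. -->
  <flow name="call-ssl-service-flow">
    <http:request config-ref="HTTPS_Request_config" method="GET" path="/ssl-service"/>
  </flow>
</mule>
```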
Thanks for your response, this error is really weird. I "resolved" it by creating a new project and configuring everything again. Even though I use the same keystore, at first it works. But it has already happened 3 more times. :S
More information:
In TLS I don't have any value in the trust store, but I use the key store config.