Secure Configuration Properties Secure Properties jar

Author: Kishori Patil

Content:

• While developing Mule applications, we use sensitive information like Client id, Secret, tokens, etc, and instead of hardcoding it into the configuration, we store them in configuration files( .yaml or .properties file).
• There is a need to secure the sensitive data stored in the app. For this, secure properties come into the picture.
• There are different ways to encrypt these properties

1. Using Premium Security Connector in AnyPoint Studio with .properties file
2. Using Command prompt with Secure Properties jar.

• Here we will encrypt these properties using the Secure Properties jar. It’s a tool to encrypt or decrypt the properties.

SETUP :

1. Download the secure-properties-tool.jar from the below link:

https://docs.mulesoft.com/downloads/mule-runtime/4.2/secure-properties-tool.jar

1. Once it’s downloaded, you can paste this jar into one separate folder. Go to that particular folder where this jar is pasted.

1. To encrypt / Decrypt the properties we need to run commands in command prompt which have following syntax :
2. To encrypt/decrypt String:

java -cp secure-properties-tool.jar com.mulesoft.tools.SecurePropertiesTool string <operation><algorithm><mode><key><input property>

1. To encrypt/decrypt file:

java -cp secure-properties-tool.jar com.mulesoft.tools.SecurePropertiesTool file <operation><algorithm><mode><key><input file><output file>

1. You can Specify the other parameters as per your requirement..
2. <operation>
3. encrypt : used for encrypting value.
4. decrypt : used for decrypting value.
5. <algorithm>

You can use all algorithms mentioned in the below link https://docs.mulesoft.com/mule-runtime/4.3/secure-configuration-properties#supported_algorithms

1. <mode>

Different modes this jar supports are mentioned in below link https://docs.mulesoft.com/mule-runtime/4.3/secure-configuration-properties#supported_modes

1. <key>

It is a secret key used to encrypt or decrypt the data. This is commonly called an encryption key or decryption key.

1. <input property>

Specify strings that need to be encrypted/decrypted in string operation.

1. <input file>

Property file name, which needs to be encrypted/decrypted in a file operation.

1. <output file>

Name of the file which is generated after encryption/decryption in a file operation.

1. Examples:
2. Create a new project as follows and create a secure-local. yaml file in src/main/resources with values mentioned in the below screenshot. We will encrypt the below values mentioned in this secure-local.yaml file.

1. Open the command prompt and go to this folder where the secure property tool jar is pasted.

1. Encrypt/decrypt for string “mule@Client” and “ggdhb98rgf7g6”
2. Encrypt:
3. Type the following command in CMD:

java -cp secure-properties-tool.jar com.mulesoft.tools.SecurePropertiesTool string encrypt Blowfish CBC Apisero mule@Client

1. In the above command operation = string, encrypt shows that we will encrypt the given string. algorithm = Blowfish, Mode= CBC, Key= Apisero, and String that must be encrypted is “mule@Client.”
2. Encrypted value for client_id is “b9cO+cGP0fEv6IMgmgAyMA==”
3. To use it in the config file you need to enclose this encrypted value in ! And [] as follow:

![b9cO+cGP0fEv6IMgmgAyMA==]

1. Similarly for client_secret value will be ![sHfd+xBLk6BZhoxpz4tXeQ==]

1. Copy-paste these values insecure-local.yaml as follows

1. Decrypt:(for above encrypted values without ! and [])
2. Type the following command in CMD where algorithm, mode, the key will remain the same with which we have encrypted the value. If we change any one of them, it will result in the wrong decrypted value. therefore always use the same mode, algo, key to decrypt the value.

java -cp secure-properties-tool.jar com.mulesoft.tools.SecurePropertiesTool string decrypt Blowfish CBC Apisero b9cO+cGP0fEv6IMgmgAyMA==

1. In above command operation = string, decrypt shows that we will decrypt the given encrypted value. algorithm = Blowfish , Mode= CBC ,Key= Apisero and String which need to be decrypted is b9cO+cGP0fEv6IMgmgAyMA==.
2. Decrypted value for b9cO+cGP0fEv6IMgmgAyMA== is “mule@Client”
3. Similarly for client_secret sHfd+xBLk6BZhoxpz4tXeQ== value can be decrypted like below:

java -cp secure-properties-tool.jar com.mulesoft.tools.SecurePropertiesTool string decrypt Blowfish CBC Apisero sHfd+xBLk6BZhoxpz4tXeQ==

1. Encrypt/decrypt for File secure-local.yaml
2. Encrypt:
3. First, go to that file location in the system as shown below:

1. Copy that secure-local.yaml file and paste it to the location where your secure property tool jar is present.

1. Type the following command in CMD:

java -cp secure-properties-tool.jar com.mulesoft.tools.SecurePropertiesTool file encrypt Blowfish CBC Apisero secure-local.yaml secure-local1.yaml

1. In the above command operation = string, encrypt shows that we will encrypt the given file. algorithm = Blowfish , Mode= CBC ,Key= Apisero, the input file name (secure-local.yaml ) which needs to be encrypted and the output file name (secure-local1.yaml ) in which encrypted values will be stored.
2. Encrypted file secure-local1.yaml will be created at the same location as follow.

1. Once it’s done, you can copy-paste the content of secure-local1.yaml in your original secure-local.yaml file as follow:

1. Decrypt:
2. Type the following command in CMD where algorithm, mode, the key will remain the same with which we have encrypted the file. If we change any one of them, it will result in wrong decrypted values. Therefore always use the same mode, algo, key to decrypt the file.

java -cp secure-properties-tool.jar com.mulesoft.tools.SecurePropertiesTool file decrypt Blowfish CBC Apisero secure-local1.yaml secure-local2.yaml

1. In the above command operation = string, decrypt shows that we will decrypt the given encrypted file. algorithm = Blowfish , Mode= CBC ,Key= Apisero , the input file name (secure-local1.yaml ) which is encrypted and the output file name (secure-local2.yaml ) in which decrypted values will be stored..
2. Decrypted file secure-local2.yaml will be created at the same location as follow.

1. After this, select mule Secure configuration. For that, click on search in exchange in mule palette and finish.

1. Create a global.xml configuration file. Go to the global and create a secure property configuration.

1. In that file will be a file name where you have encrypted properties. In our case secure-local.yaml. As it is recommended to declare a global property for the environment, therefore, writing mule.env. Value for mule.env = local will be passed on runtime. In key write encryption key used for encryption. Mode and algorithm selected with which you have encrypted those configuration properties in secure-local.yaml.

1. You can pass a value for the environment that is local and encryption key= Apisero in vm arguments. For that, go to Run>Run configuration and add value for properties by adding -D to them as follows.

1. Deploy this application and send a request from the postman as follows.

1. Values for client_id and client_secret are encrypted in the config file. You will still get decrypted values for client_id and client_secret as follows. Similarly, even if we are storing encrypted credentials, it will decrypt those credentials at runtime and use them. The file containing these encrypted values is mentioned in the secure properties config. It will take an encrypted value, and by using the mode, algo, encryption key mentioned in the same config, it will decrypt and use it.

.

1. To access these secure properties in mule flow following 2 methods are used:
2. In normal mode:
3. Use ${} and in curly brackets, write the name of the property with the prefix “secure::”
4. Eg: ${secure::client_id}
5. In Fx mode:
6. Use p(‘ ’) and in a single quotation mark, write the name of the property with the prefix “secure::”
7. Eg: p(‘secure::client_id’)
8. MuleSoft recommends it:
9. to keep separate properties file for each environment (eg. dev.yaml,sit.yaml prod.yaml).
10. to use the YAML file instead of .properties file.