Salesforce and Mulesoft experience



Subscribe to YUCEL MORAN

Subscribe to our email newsletter to receive article notifications and regular updates. We don't spam and your email won't be shared with third-parties.



Mulesoft 4 (4.2.0) Basic template project application ( Securing YAML properties files)


This is an update from one of my previous posts (Mulesoft 3.9.1 basic template project application (Part 2 - Securing Place Holders). Basically I will try to explain how we would be able to encrypt sensitive information in our YAML properties files.

For this demo I will use a Salesforce developer instance where the password and security token will be encrypted. As before I will try to follow a step by step approach and hopefully you can get your project up and running quickly, also ant the end I will provide a GitHub repository to pull the project template.


We need to create a new project in Mulesoft 4, Basically File > New > New Project

Now, in the Canvas let's just add a new flow with an HTTP Listener and a logger (This will let us to execute the flow on demand and see the result in the console). The flow should looks like this

We need to create the properties file per every environment  (dev / test / production)

For now let's just add some information on dev.yaml file

  port: "8081"
environment: "[DEV]"

   username: "emoran@mulesoftdev.com"
   password: ""
   securityToken: ""

in here I just added information for the HTTP Listener port , the environment we are using and the salesforce required attributes to establish the connection.


  1. Select the Global Elements tab in your project, then click on the "Create" button and on the filter box select "Configuration properties"

On the file field just set ${env}.yaml which means dynamically will set the value based on the environment variable (for example if the environment variable is dev then the variable will be bind as dev.yaml, I will explain how to set the variable in a little bit)

Clic on Save, then again clic on Create and select Global Property

Name should be : env and value ${env}

INSTALLING Mule Secure Configuration Property Extension

From Anypoint Studio select the Exchange icon so the Anypoint Exchange screen appear, then you need to look for "Mule Secure Configuration Property Extension"

Clic on it and then add it to your project, then you should be able to see the extension on the Global Element tab, so go back to the Global Element tab and search for Secure Properties Config

For the secure properties configuration we need to set:

File: ${env}.yaml Basically you are telling mule what file contains the encrypted information

Key: mySuperSecureKey for now we can use this value, but in the ideal world we should be using a master key variable to bind the value for CI purposes, then you have Algorithm and  mode, we should leave the defaults for now

Encrypting sensitive information

In order to encrypt the data you want, we need to use the Secure Properties Tool, by the Mulesoft documentation:

Secure Properties Tool

You can download the JAR file for this tool so you can encrypt or decrypt single values, and complete files (both, YAML and Properties files). You can run it in the command line as follows:Using the Secure Properties Tool

java -jar secure-properties-tool.jar string <encrypt|decrypt> <algorithm> <mode> <key> <value>

Or you can use a command like this:

java -jar secure-properties-tool.jar file <encrypt|decrypt> <algorithm> <mode> <key> <input file> <output file>
java -jar secure-properties-tool.jar file-level <encrypt|decrypt> <algorithm> <mode> <key> <input file> <output file>

In the case of using the file mode, the output is a file with the same properties, but its values are encrypted. For example, assume that this is the input file:example_in.yaml

    value: "Muleman is here"
  example2: "Max the mule"

If you run java -jar secure-properties-tool.jar file encrypt Blowfish CBC mulesoft example_in.yaml example_out.yaml, the output file will be:example_out.yaml

    value: "![qCReIPK3jcqD7WR84ISSIQ==]"
  example2: "![En8lII21ZHrdIaINw0+mSA==]"

In file-level mode, the output is a file that is entirely encrypted. For the example above, the output is:


Note that key sizes might depend on the Java Cryptography Extension (JCE) version. For example, since version 1.8.0_161, the AES key size needs to be of at least 32 characters (256 bytes), instead of 16 for previous versions.


Basically we need to download the jar tool from the link Mulesoft provides, (I'm using Mac so I will put the file in a folder and access in my terminal to that location). Next we just need to use this command:

java -jar secure-properties-tool.jar string encrypt AES CBC mySuperSecureKey muleDeveloper2019

where mySuperSecureKey is the masterkey (decryption/ encryption) and muleDeveloper2019 is the value we want to encrypt, the output is:


so now we can just copy that value and set it in the dev.yaml file (this is the salesforce password). then the value in our property file should looks like this:


value is in in double quotes and something important is the encrypted value should be enclosed on "![]"

How the we decrypt the variable on the flow / configuration?

In order to read the decrypt the values from the properties files is so simple as add the secure::  portion where you need to use the attribute so if you want to read the salesforce password (which you need in the configuration of the Salesforce connector) you need to do it like this:


Before to test our configuration

The last step before test our application is to set the dev environment variable. so we just need to right clic on the project go to Debug as / Run as and select the Debug / Run Configuration, then in the argument tab you need to add an VM argument and it should looks like this:

-M-XX:-UseBiasedLocking -Denv=dev

That's it! we can now debug / run our project just go to http://localhost:8081/

and look in your console, it should print this text:

[mule4-secure-properties].mule4-secure-propertiesFlow.CPU_LITE @5d0bb416] [event: 30ccc800-8dfd-11e9-af51-784f436c4792] org.mule.runtime.core.internal.processor.LoggerMessageProcessor: This is the environment: [DEV] emoran@mulesoftdev.com muleDeveloper2019 

Nice so you know the value is deserialized, the only remaining part is when the master key need to be injected as variable as well, as we never store this for people able to watch those values.

Hope this helps and as promised here the repository with the working project in GitHub.




View Comments