Yucel Moran

Yucel Moran


Salesforce and Mulesoft experience

Edgar Moran
Author

Share


Tags


Yucel Moran

Mulesoft 4 Securing YAML properties files

Starting a new application using Anypoint Studio is really easy. It gives you all the application structure we need to start working, but there are many things we need to keep in mind in order to have a really nice structured project.

One of those points is to keep security in place and by default Anypoint Studio doesn't provide a default way to implement it (it's maybe just because there's many use cases and many scenarios that just can't be standard).

In this post I will try to explain step by step how we can setup our project to be able to encrypt and decrypt our YAML properties files (attached to each environment - dev | production) so we should be able to hide the sensitive data we use in the project such as passwords or any additional information.

So let's try to go step by step and see how we can start securing our files.

1. First, let's create a new project on Anypoint Studio, in this case I will call it "mule4-secure-properties".

2. Let's add two .yaml files under /src/main/resources one called "dev.yaml" and the second one called "test.yaml". In this case every environment should have their own properties file unless your infrastructure has a shared path to your properties values. For now let's keep them empty

3. Moving on, we need to set a Global Property, this one will tell the application what file we need to pick depending of the environment we are running it. For this will set this property as env and should look like this

4. Next step, would be to setup a Configuration Properties value. This allows the application to specify the YAML file we are working depending of the Global Property we set on step 3.

5. Let's add a Secure Properties Config configuration, this component basically will ask for three values:

File: YAML file we want to read, the value here should be ${env}.yaml where env is the parameter we will inject later on the JVM in order to pass the environment (dev / test ) value and make it dynamic.

Key: A string key that should be the master encrypt / decrypt value. This keys shouldn't live on the project, the value is injected as argument in the JVM or from an environment variable in a server o CI management tool like Jenkins or Circle CI (just to mention a couple). The value here can be ${secret}

Algorithm: In Mule4 we have more options than before, we can select from a big list depending our needs and model:

Now so far we have just setup the configuration to support security in our files, now let's move on and start working in the next steps to encrypt a few sample values.

Let's open our dev.yaml file and let's write a few values like this:

http:
  port: "8081"
environment: "[DEV]"

sfdc:
   username: "yucelmoran@mulesoftdemos.com "
   password: ""
   token: ""

For this snippet I'm setting the HTTP Listener port, the environment to make reference to the file we are picking and sfdc corresponding to Salesforce credentials we might use during an integration where the password and token should be encrypted.

So now what? Now let's encrypt those couple values to include them in our file. For this we need to download Secure Properties Tool Jar file. This will allow to encrypt the values using our terminal.

The command looks like this to encrypt specific Strings

java -cp secure-properties-tool.jar com.mulesoft.tools.SecurePropertiesTool string encrypt <Algorithm> <method> <secret> "<string_value>"   

So in this case if my password is Mulesoft2020 and my secret key is mySuperSecureKey, then our command will look like this

java -cp secure-properties-tool.jar com.mulesoft.tools.SecurePropertiesTool string encrypt Blowfish CBC mySuperSecureKey "Mulesoft2020"


$output% dxx+GJyGL9z82zPsGLE6kg==

Now we can write the output in our YAML file. Is important to mention that this values should be enclosed by "![ <Here_the_encrypted_key> ]" for example:          "![dxx+GJyGL9z82zPsGLE6kg==]" and our file with both values (password and token should be)

http:
  port: "8081"
environment: "[DEV]"

sfdc:
   username: "yucelmoran@mulesoftdemos.com "
   password: "![dxx+GJyGL9z82zPsGLE6kg==]"
   token: "![SS9n5xZb3yjf1l4xLr1Mr1R7cuLXP16tHNWZS+NbolM=]"

Our file is ready and actually is very good idea to validate this is working now. So now, let's create a flow in our project and let's add a HTTP Listener.

And now let's add a simple logger where we will print the values that come from the YAML file

I know, is't pretty simple right?, but in the end the idea is to demonstrate how this works.

Important Note: In order to print the decrypted value we need to use this format: ${secure::sfdc.password}. The important piece is: secure::

Ok, one last step before run our project, we need to add the JVM arguments (imagine that this step will take place in you server or the variables are going to be taken from an environment variable).

In this case we do a right clic on our project > Run As > Run Configurations

We select the Arguments tab and we add this values

-Denv=dev -Dsecret=mySuperSecureKey

Now, let's run the project!, Everything is ok when we see:

So we hit http://localhost:8081/ and then

We can see our values decrypted and now we are able to use them as we need.

You can find more option on how to use secure properties on https://docs.mulesoft.com/mule-runtime/4.3/secure-configuration-properties as well.

Also you can download this application version from GitHub here

Next step following this project can be wither use it on CloudHub or deploying this to an linux server, let me know what you want to see next.

Hope this is helpful!

Edgar Moran
Author

Edgar Moran

View Comments