TLS Artefacts expiration reminders on Mule 4 Run Time Fabric and containers


How do you do? We use MuleSoft Mule 4 deployed on the RTF fabric cluster (2 RTF instances). We would like to set up reminders in order to warn administrators before the expiration date of the certificates used to establish outbound TLS connections and mutual authentication.

The straightforward way to set up TLS connections with Mule 4 is to use files with keystore/truststore in the configuration properties of the corresponding connector.

As described in https://dzone.com/articles/mule-4-using-ssltls-part-2 you have to generate the files and package them with the deliverable, which will go inside the Docker-like container running within Mule RTF, so it will be tricky to get into its filesystem and inspect these files in production using some routine scheduled task.

At the same time, there is a wizard-sounding Secrets Manager menu in the Anypoint GUI. This Secrets Manager looks like it is able to hold these certificates, and it even exposes an API to check the expiration date and to do CRL (Certificate Revocation List) management. Despite that, the date is only metadata that is neither enforced nor controlled in any way and may be changed, breaking the match with the real cert's expiration date... I would like to figure out whether it is possible to use this infrastructure in some way to keep TLS artefacts for the outbound backend calls (north-south traffic)?

Should we call the RTF controllers' LB in an unencrypted way and then some Mule "proxies" that use this Secrets Manager in order to secure the connections afterwards? Maybe there is an easier approach to keep track of the state of the TLS artefacts and set up some alert about expiration in advance?

1
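One way to get the expiration reminder the question asks for without reaching into the running container's filesystem is to check the certificate files at build time, on the same artefacts that get packaged into the deliverable, from a scheduled job (CI pipeline or cron on the build host). The script below is an added example and is not code from the question, the answer, or MuleSoft; it uses only the Python standard library, so it needs no extra dependency on the build host. It reads PEM or DER X.509 certificates directly by walking the DER structure of the `TBSCertificate` down to the `Validity` field. Certificates held in a JKS or PKCS#12 keystore/truststore must first be exported to PEM (for example with `keytool -exportcert -keystore <store> -alias <alias> -rfc -file cert.pem`); the script does not parse the keystore formats themselves. The file extensions scanned, the 30-day warning threshold, the fixed `REFERENCE_NOW` clock and the `build_test_certificate` fixture (an unsigned skeleton with the right DER layout, not a real certificate) are all assumptions constructed for the example.

```python
import base64
import os
import re
from datetime import datetime, timedelta, timezone


def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for every element of a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner


def _parse_time(tag, value):
    """Decode an X.509 Time: UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...)."""
    text = value.decode("ascii")
    if tag == 0x17:                        # RFC 5280: YY >= 50 means 19YY, otherwise 20YY
        yy = int(text[:2])
        text = f"{1900 + yy if yy >= 50 else 2000 + yy}{text[2:]}"
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def certificate_validity(data):
    """Return (notBefore, notAfter) from a PEM- or DER-encoded X.509 certificate."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    if m:                                  # PEM: strip the armour and base64-decode
        data = base64.b64decode(b"".join(m.group(1).split()))
    tag, cert, _ = _read_tlv(data, 0)
    tbs_tag, tbs, _ = _read_tlv(cert, 0)
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER Certificate / TBSCertificate SEQUENCE")
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:               # optional explicit [0] version comes first
        fields = fields[1:]
    # TBSCertificate order: serialNumber, signature, issuer, validity, subject, ...
    not_before, not_after = list(_children(fields[3][1]))
    return _parse_time(*not_before), _parse_time(*not_after)


def expiry_status(data, now, warn_days=30):
    """Classify a certificate as OK / WARN / EXPIRED relative to `now`; return (state, days_left)."""
    _, not_after = certificate_validity(data)
    days_left = (not_after - now).days
    if days_left < 0:
        return "EXPIRED", days_left
    if days_left <= warn_days:
        return "WARN", days_left
    return "OK", days_left


def scan_directory(path, now, warn_days=30):
    """Walk `path` (e.g. the build's resources dir) and report every certificate file found."""
    report = {}
    for root, _, files in os.walk(path):
        for name in files:
            if name.lower().endswith((".pem", ".crt", ".cer", ".der")):   # assumed extensions
                full = os.path.join(root, name)
                with open(full, "rb") as fh:
                    report[full] = expiry_status(fh.read(), now, warn_days)
    return report


# Constructed fixture: a minimal DER encoder and an unsigned certificate skeleton.
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def _utctime(dt):
    return _der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))


def build_test_certificate(not_before, not_after):
    """Constructed fixture with the real TBSCertificate layout but no key or signature."""
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                                    # version v3
        _der(0x02, b"\x01"),                                                 # serialNumber
        _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),    # sha256WithRSA OID
        _der(0x30, b""),                                                     # issuer (empty Name)
        _der(0x30, _utctime(not_before) + _utctime(not_after)),              # validity
        _der(0x30, b""),                                                     # subject (empty Name)
        _der(0x30, b""),                                                     # SPKI placeholder
    ]))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


def to_pem(der):
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n".encode("ascii")


REFERENCE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock for a reproducible run


def demo():
    """Run the check over constructed fixtures; a real job would call scan_directory instead."""
    soon = build_test_certificate(REFERENCE_NOW - timedelta(days=365), REFERENCE_NOW + timedelta(days=20))
    expired = build_test_certificate(REFERENCE_NOW - timedelta(days=400), REFERENCE_NOW - timedelta(days=5))
    return {
        "not_after": certificate_validity(soon)[1].isoformat(),
        "soon_der": expiry_status(soon, REFERENCE_NOW),
        "soon_pem": expiry_status(to_pem(soon), REFERENCE_NOW, warn_days=10),
        "expired": expiry_status(expired, REFERENCE_NOW),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In a real pipeline you would replace `REFERENCE_NOW` with `datetime.now(timezone.utc)`, point `scan_directory` at the directory that holds the exported keystore/truststore certificates before they are packaged, and fail the job or raise a ticket on any `WARN` or `EXPIRED` entry. Because the check reads the file that is actually shipped rather than metadata typed into a UI, it cannot drift from the real `notAfter` the way the Secrets Manager date field described in the question can.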

There is 1 answer

7
aled On

If the Secrets Manager REST API endpoint you need is documented, for example in the Anypoint Exchange portal at https://anypoint.mulesoft.com/exchange/portals/anypoint-platform/f1e97bc6-315a-4490-82a7-23abe036327a.anypoint-platform/secrets-manager/, then it should not change suddenly and you can depend on it.