Configuring SSL
This section describes how to configure SSL/TLS for the connection between the Mule adapters and Temenos Transact running on JBoss.
To enable SSL, you must configure the SSL properties on both sides: the server (JBoss) and the client (the Mule adapters).
Create Key Store with Public and Private Key for encryption
Java provides a tool called keytool, which manages keystores and generates key pairs. The example below generates an RSA key pair with a self-signed certificate valid for 365 days and stores it in the keystore server.keystore under the alias t24. Use a key size of at least 2048 bits; 1024-bit RSA is below the current minimum (NIST SP 800-131A disallows it). If you already have a key pair and certificate for the server, import those instead of generating new ones. keytool prompts for the certificate's distinguished name unless -dname is supplied, and -genkey is the older spelling of -genkeypair. The passwords 123456 are placeholders for the example; use strong, distinct passwords in a real deployment.
keytool -genkey -alias t24 -keyalg RSA -keysize 2048 -keystore server.keystore -validity 365 -keypass 123456 -storepass 123456
Exporting and Importing the Public Key
The certificate, which carries the public key, must be exported from the key pair in the server keystore so that the client can trust it. Only the certificate leaves the server; the private key stays in server.keystore.
keytool -export -keystore server.keystore -alias t24 -file server.cer -keypass 123456 -storepass 123456
Then import the certificate into the client truststore, client.keystore. keytool prints the certificate's fingerprint and asks for confirmation before adding it (pass -noprompt to skip the question in scripts); compare that fingerprint with the one that keytool -printcert -file server.cer shows before accepting. Because the client trusts this exact self-signed certificate, the export and import must be repeated whenever the server certificate is renewed, at the latest before the 365-day validity expires.
keytool -import -trustcacerts -alias t24 -file server.cer -keystore client.keystore -keypass 123456 -storepass 123456
After the above commands have been executed, three files exist in the working directory: server.keystore (the private key and certificate; it stays on the server), server.cer (the exported certificate) and client.keystore (the truststore containing the server certificate; this is the file the clients use).
Server Side Configuration
Copy server.keystore into the JBoss configuration directory (jboss.server.config.dir, that is standalone/configuration for a standalone server) and reference it from a server-identities element in the ApplicationRealm security realm of standalone.xml, as shown below. The https-listener in the undertow subsystem and the https-remoting-connector used by the ejb3 subsystem both refer to this realm. The keystore-password and key-password values are shown as literals for clarity; in production reference them through the vault (for example ${VAULT::block::attribute::1}) rather than storing them in clear text in standalone.xml. Note that the plain http-remoting-connector remains defined on the cleartext http-listener; if no other component needs it, remove it so that EJB remoting is only reachable over TLS.
<security-realm name="ApplicationRealm">
    <server-identities>
        <ssl>
            <keystore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="123456" alias="t24" key-password="123456"/>
        </ssl>
    </server-identities>
    <authentication>
        <!-- <local default-user="$local" allowed-users="*" skip-group-loading="true"/> -->
        <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
    </authentication>
    <authorization>
        <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
    </authorization>
</security-realm>
<subsystem xmlns="urn:jboss:domain:remoting:3.0">
    <endpoint/>
    <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
    <http-connector name="https-remoting-connector" connector-ref="default-https" security-realm="ApplicationRealm" sasl-protocol="remote"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:undertow:3.1">
    <buffer-cache name="default"/>
    <server name="default-server">
        <http-listener name="default" socket-binding="http" redirect-socket="https" max-parameters="10000"/>
        <https-listener name="default-https" enabled-protocols="TLSv1.2" security-realm="ApplicationRealm" socket-binding="https"/>
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <filter-ref name="server-header"/>
            <filter-ref name="x-powered-by-header"/>
        </host>
    </server>
    <servlet-container name="default">
        <jsp-config/>
        <websockets/>
    </servlet-container>
    <handlers>
        <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
    </handlers>
    <filters>
        <response-header name="server-header" header-name="Server" header-value="JBoss-EAP/7"/>
        <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
    </filters>
</subsystem>
<subsystem xmlns="urn:jboss:domain:ejb3:4.0">
    <remote connector-ref="https-remoting-connector" thread-pool-name="default"/>
    <session-bean>
        <stateless>
            <bean-instance-pool-ref pool-name="slsb-strict-max-pool"/>
        </stateless>
        <stateful default-access-timeout="5000" cache-ref="simple" passivation-disabled-cache-ref="simple"/>
        <singleton default-access-timeout="5000"/>
    </session-bean>
    <mdb>
        <resource-adapter-ref resource-adapter-name="${ejb.resource-adapter-name:activemq-ra.rar}"/>
        <bean-instance-pool-ref pool-name="mdb-strict-max-pool"/>
    </mdb>
    <iiop enable-by-default="false" use-qualified-name="false"/>
    <default-security-domain value="other"/>
    <default-missing-method-permissions-deny-access value="true"/>
    <log-system-exceptions value="true"/>
</subsystem>
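Before a change to this configuration goes live, a reviewer wants a repeatable check that the TLS-relevant settings are what they should be. The following Python script is an added example, not part of the original page or of the Temenos or JBoss code base: it parses a standalone.xml in the legacy security-realm style shown above (here a constructed sample built from the page's snippets) and flags https-listeners that enable protocol versions below TLSv1.2, keystore or key passwords stored as plaintext literals rather than vault expressions, and remoting connectors that ride on a cleartext http-listener. The vault block and attribute names in the hardened sample, and the severity labels, are assumptions made for the example.

```python
"""Audit the TLS-relevant settings of a JBoss EAP 7 standalone.xml (legacy security-realm style).

Added example, not part of the original page or of the Temenos/JBoss code base.
Element names are compared without their namespace, so the check does not depend
on the undertow or remoting schema version in use.
"""
import xml.etree.ElementTree as ET

# SSLv3 is deprecated by RFC 7568, TLS 1.0 and TLS 1.1 by RFC 8996.
DEPRECATED_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def local_name(tag):
    """'{urn:jboss:domain:undertow:3.1}https-listener' -> 'https-listener'."""
    return tag.rsplit("}", 1)[-1]


def split_protocol_list(value):
    """Accept both the comma and the whitespace spelling of the enabled-protocols list."""
    return value.replace(",", " ").split()


def is_expression(value):
    """${VAULT::block::attribute::1}-style expressions are resolved at boot; anything else is a literal in the file."""
    return value.startswith("${") and value.endswith("}")


def audit_standalone(xml_text):
    """Return (severity, message) findings for the configuration, highest severity first."""
    root = ET.fromstring(xml_text)
    findings = []
    listener_kind = {}  # listener name -> "http-listener" or "https-listener"

    for el in root.iter():
        kind = local_name(el.tag)
        name = el.get("name")
        if kind == "keystore":
            # <keystore> under <server-identities><ssl>: secrets must not be literals.
            for attr in ("keystore-password", "key-password"):
                value = el.get(attr)
                if value is not None and not is_expression(value):
                    findings.append(("HIGH", f"keystore {el.get('path')}: {attr} is a plaintext literal, "
                                             "reference it through the vault or a credential store"))
        elif kind == "https-listener":
            listener_kind[name] = kind
            protocols = el.get("enabled-protocols")
            if protocols is None:
                findings.append(("MEDIUM", f"https-listener {name}: enabled-protocols not set, "
                                           "the JVM's jdk.tls.disabledAlgorithms decides what is offered"))
            else:
                weak = sorted(DEPRECATED_PROTOCOLS.intersection(split_protocol_list(protocols)))
                if weak:
                    findings.append(("HIGH", f"https-listener {name}: deprecated protocol(s) enabled: {', '.join(weak)}"))
        elif kind == "http-listener":
            listener_kind[name] = kind
            if el.get("redirect-socket") is None:
                findings.append(("LOW", f"http-listener {name}: no redirect-socket, confidential web requests are not redirected to HTTPS"))

    # A remoting connector inherits the transport of the listener it references.
    for el in root.iter():
        if local_name(el.tag) == "http-connector":
            ref = el.get("connector-ref")
            if listener_kind.get(ref) == "http-listener":
                findings.append(("MEDIUM", f"remoting connector {el.get('name')} rides on cleartext listener {ref}; "
                                           "clients that omit SSL still get through"))

    return sorted(findings, key=lambda f: (SEVERITY_RANK[f[0]], f[1]))


# Constructed sample: the page's security-realm, remoting and undertow snippets wrapped in one
# synthetic root, with the three-protocol listener used for the compatibility test.
WEAK_CONFIG = """<config>
  <security-realm name="ApplicationRealm">
    <server-identities><ssl>
      <keystore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="123456" alias="t24" key-password="123456"/>
    </ssl></server-identities>
  </security-realm>
  <subsystem xmlns="urn:jboss:domain:remoting:3.0">
    <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
    <http-connector name="https-remoting-connector" connector-ref="default-https" security-realm="ApplicationRealm" sasl-protocol="remote"/>
  </subsystem>
  <subsystem xmlns="urn:jboss:domain:undertow:3.1">
    <server name="default-server">
      <http-listener name="default" socket-binding="http" redirect-socket="https"/>
      <https-listener name="default-https" enabled-protocols="TLSv1,TLSv1.1,TLSv1.2" security-realm="ApplicationRealm" socket-binding="https"/>
    </server>
  </subsystem>
</config>
"""

# The same layout after hardening: secrets via vault expressions (assumed block/attribute names),
# TLSv1.2 only, and no remoting connector on the cleartext listener.
HARDENED_CONFIG = (
    WEAK_CONFIG
    .replace('keystore-password="123456"', 'keystore-password="${VAULT::t24::keystore-password::1}"')
    .replace('key-password="123456"', 'key-password="${VAULT::t24::key-password::1}"')
    .replace('enabled-protocols="TLSv1,TLSv1.1,TLSv1.2"', 'enabled-protocols="TLSv1.2"')
    .replace('<http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>', '')
)

if __name__ == "__main__":
    for severity, message in audit_standalone(WEAK_CONFIG):
        print(severity, message)
    print("hardened findings:", audit_standalone(HARDENED_CONFIG))
```

Run it against the real file with audit_standalone(open("standalone.xml").read()). The hardened sample shows the intended end state for the configuration on this page: the https-listener limited to TLSv1.2, the keystore secrets resolved from the vault at boot (EAP 7.1 and later can use a credential-reference instead), and no remoting connector left on the plain http-listener.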
Client Side Configuration
In the Security tab, enter the location of the truststore (client.keystore), its type and its password. You can configure the following fields:
- Enable SSL — Select the check box to enable SSL, or clear it to disable SSL.
- Trust Store Path — Enter the path of the truststore file (the client.keystore created above).
- Trust Store Password — Enter the truststore password.
- Protocol — Select the protocol version used for the TLS connection; it must be one that the server's https-listener enables.
Mule Side TLS Configuration
The TAFJ SSL check box in the Security tab of the Inbound and Outbound adapters enables or disables SSL for that adapter.
Change the port to 8443, or to whatever port is bound to the secure connector (the https socket-binding). 8443 is used here because that is the port configured in UTP.
You can add the following VM arguments to enable SSL logs:
-Djavax.net.debug=ssl:handshake:verbose:keymanager:trustmanager -Djava.security.debug=access:stack
The Security tab of the Mule inbound adapter and of the outbound adapter carries the same SSL settings, with the secure port configured as 8443 in both cases. In the Security tab:
- Trust Store path — Enter the location of the client.keystore file generated above.
- Trust Store Password — Enter the password that you provided when creating the truststore. For example, 123456.
- Protocol — Enter the same protocol version that is enabled on the Temenos Transact https-listener. For example, TLSv1.2 is configured in the listener below:
<https-listener name="default-https" enabled-protocols="TLSv1.2" security-realm="ApplicationRealm" socket-binding="https"/>
You can enable TLSv1, TLSv1.1 and TLSv1.2 on the https-listener in the undertow subsystem of standalone.xml and test the Mule settings against each protocol. With SSL logging enabled, the TLS version that Mule negotiates appears in the record-layer lines of the trace, as in the runs below. Do this only as a compatibility test: TLS 1.0 and TLS 1.1 are deprecated (RFC 8996) and current JDKs disable them by default through jdk.tls.disabledAlgorithms in java.security, so return the listener to TLSv1.2 (or TLSv1.2 and TLSv1.3 where both sides support it) afterwards. The length = 1 records that appear only in the TLSv1 run are JSSE's 1/n-1 record split for CBC cipher suites, its countermeasure against the BEAST attack; the 1 + 280 bytes there are the same 281-byte payload that the TLSv1.1 and TLSv1.2 runs send in a single record.
<subsystem xmlns="urn:jboss:domain:undertow:3.1">
    <buffer-cache name="default"/>
    <server name="default-server">
        <http-listener name="default" socket-binding="http" redirect-socket="https" max-parameters="10000"/>
        <https-listener name="default-https" enabled-protocols="TLSv1,TLSv1.1,TLSv1.2" security-realm="ApplicationRealm" socket-binding="https"/>
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <filter-ref name="server-header"/>
            <filter-ref name="x-powered-by-header"/>
        </host>
    </server>
    <servlet-container name="default">
        <jsp-config/>
        <websockets/>
    </servlet-container>
    <handlers>
        <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
    </handlers>
    <filters>
        <response-header name="server-header" header-name="Server" header-value="JBoss-EAP/7"/>
        <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
    </filters>
</subsystem>
TLSv1 run:
Remoting "config-based-ejb-client-endpoint" I/O-1, WRITE: TLSv1 Application Data, length = 1
Remoting "config-based-ejb-client-endpoint" I/O-1, WRITE: TLSv1 Application Data, length = 280
Remoting "config-based-ejb-client-endpoint" I/O-1, WRITE: TLSv1 Application Data, length = 1
Remoting "config-based-ejb-client-endpoint" I/O-1, WRITE: TLSv1 Application Data, length = 11
Remoting "config-based-ejb-client-endpoint" I/O-1, WRITE: TLSv1 Application Data, length = 1
Remoting "config-based-ejb-client-endpoint" I/O-1, WRITE: TLSv1 Application Data, length = 10
INFO 2018-03-23 16:16:21,674 [[sample].sampleFlow.stage1.02] org.mule.modules.t24outbound.rmi.OutboundRequestExecutor: CleanUp executor in class org.mule.modules.t24outbound.rmi.OutboundRequestExecutor
INFO 2018-03-23 16:16:21,674 [[sample].sampleFlow.stage1.02] org.mule.api.processor.LoggerMessageProcessor: 85022//1,CUSTOMER=100112:1:1,CATEGORY=1001:1:1,ACCOUNT.TITLE.1=Abn Amro Securities:1:1,SHORT.TITLE=Abn Amro Securities:1:1,POSITION.TYPE=TR:1:1,CURRENCY=USD:1:1,CURRENCY.MARKET=1:1:1,ACCOUNT.OFFICER=13:1:1,CONDITION.GROUP=2:1:1,PASSBOOK=NO:1:1,OPEN.CATEGORY=1001:1:1,CHARGE.CCY=USD:1:1,CHARGE.MKT=1:1:1,INTEREST.CCY=USD:1:1,INTEREST.MKT=1:1:1,ALT.ACCT.TYPE=LEGACY:1:1,ALT.ACCT.TYPE=T24.IBAN:2:1,ALT.ACCT.TYPE=PREV.IBAN:3:1,ALT.ACCT.ID=GB17DEMO60161300085022:2:1,ALLOW.NETTING=NO:1:1,SINGLE.LIMIT=Y:1:1,RECORD.STATUS=INAU:1:1,CURR.NO=1:1:1,INPUTTER=81515_INPUTTER__OFS_IFPAOFS:1:1,DATE.TIME=1803231616:1:1,CO.CODE=GB0010001:1:1,DEPT.CODE=1:1:1
TLSv1.1 run:
Remoting "config-based-ejb-client-endpoint" I/O-1, WRITE: TLSv1.1 Application Data, length = 281
Remoting "config-based-ejb-client-endpoint" I/O-1, WRITE: TLSv1.1 Application Data, length = 12
Remoting "config-based-ejb-client-endpoint" I/O-1, WRITE: TLSv1.1 Application Data, length = 11
INFO 2018-03-23 16:18:17,276 [[sample].sampleFlow.stage1.02] org.mule.modules.t24outbound.rmi.OutboundRequestExecutor: CleanUp executor in class org.mule.modules.t24outbound.rmi.OutboundRequestExecutor
INFO 2018-03-23 16:18:17,277 [[sample].sampleFlow.stage1.02] org.mule.api.processor.LoggerMessageProcessor: 85081//1,CUSTOMER=100112:1:1,CATEGORY=1001:1:1,ACCOUNT.TITLE.1=Abn Amro Securities:1:1,SHORT.TITLE=Abn Amro Securities:1:1,POSITION.TYPE=TR:1:1,CURRENCY=USD:1:1,CURRENCY.MARKET=1:1:1,ACCOUNT.OFFICER=13:1:1,CONDITION.GROUP=2:1:1,PASSBOOK=NO:1:1,OPEN.CATEGORY=1001:1:1,CHARGE.CCY=USD:1:1,CHARGE.MKT=1:1:1,INTEREST.CCY=USD:1:1,INTEREST.MKT=1:1:1,ALT.ACCT.TYPE=LEGACY:1:1,ALT.ACCT.TYPE=T24.IBAN:2:1,ALT.ACCT.TYPE=PREV.IBAN:3:1,ALT.ACCT.ID=GB73DEMO60161300085081:2:1,ALLOW.NETTING=NO:1:1,SINGLE.LIMIT=Y:1:1,RECORD.STATUS=INAU:1:1,CURR.NO=1:1:1,INPUTTER=81515_INPUTTER__OFS_IFPAOFS:1:1,DATE.TIME=1803231618:1:1,CO.CODE=GB0010001:1:1,DEPT.CODE=1:1:1
TLSv1.2 run:
Remoting "config-based-ejb-client-endpoint" I/O-1, WRITE: TLSv1.2 Application Data, length = 281
Remoting "config-based-ejb-client-endpoint" I/O-1, WRITE: TLSv1.2 Application Data, length = 12
Remoting "config-based-ejb-client-endpoint" I/O-1, WRITE: TLSv1.2 Application Data, length = 11
INFO 2018-03-23 16:19:54,989 [[sample].sampleFlow.stage1.03] org.mule.modules.t24outbound.rmi.OutboundRequestExecutor: CleanUp executor in class org.mule.modules.t24outbound.rmi.OutboundRequestExecutor
INFO 2018-03-23 16:19:54,989 [[sample].sampleFlow.stage1.03] org.mule.api.processor.LoggerMessageProcessor: 85154//1,CUSTOMER=100112:1:1,CATEGORY=1001:1:1,ACCOUNT.TITLE.1=Abn Amro Securities:1:1,SHORT.TITLE=Abn Amro Securities:1:1,POSITION.TYPE=TR:1:1,CURRENCY=USD:1:1,CURRENCY.MARKET=1:1:1,ACCOUNT.OFFICER=13:1:1,CONDITION.GROUP=2:1:1,PASSBOOK=NO:1:1,OPEN.CATEGORY=1001:1:1,CHARGE.CCY=USD:1:1,CHARGE.MKT=1:1:1,INTEREST.CCY=USD:1:1,INTEREST.MKT=1:1:1,ALT.ACCT.TYPE=LEGACY:1:1,ALT.ACCT.TYPE=T24.IBAN:2:1,ALT.ACCT.TYPE=PREV.IBAN:3:1,ALT.ACCT.ID=GB42DEMO60161300085154:2:1,ALLOW.NETTING=NO:1:1,SINGLE.LIMIT=Y:1:1,RECORD.STATUS=INAU:1:1,CURR.NO=1:1:1,INPUTTER=61832_INPUTTER__OFS_IFPAOFS:1:1,DATE.TIME=1803231619:1:1,CO.CODE=GB0010001:1:1,DEPT.CODE=1:1:1
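Reading the negotiated version out of a trace by eye is fine for three runs; for a regression test of the listener configuration you want it automated. The following Python script is an added example, not part of the original page or of the Mule or Temenos code: it scans JSSE record-layer lines of the form shown above, reports which protocol versions appeared on the wire, fails if any of them is below TLSv1.2, and counts the one-byte Application Data records that mark JSSE's 1/n-1 CBC record split under TLS 1.0. The sample traces are constructed from the record lines of the TLSv1 and TLSv1.2 runs above; the thread-name handling assumes only that Java thread names contain no commas.

```python
"""Check a JSSE debug trace (-Djavax.net.debug=ssl) for the negotiated TLS version.

Added example, not part of the original page or of the Temenos/Mule code base.
It parses the record-layer lines JSSE prints, e.g.
    Remoting "config-based-ejb-client-endpoint" I/O-1, WRITE: TLSv1.2 Application Data, length = 281
and answers: which versions went over the wire, is any of them deprecated, and
how many 1/n-1 CBC splits (1-byte record before each payload under TLS 1.0) occurred.
"""
import re

# SSLv3 is deprecated by RFC 7568, TLS 1.0 and TLS 1.1 by RFC 8996.
DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}

# Thread names carry no commas (an assumption of this example), which keeps the
# match from spanning unrelated log text on the same physical line.
RECORD_RE = re.compile(
    r"(?P<thread>[^,\n]+?), (?P<dir>READ|WRITE): (?P<proto>SSLv3|TLSv1(?:\.[0-3])?) "
    r"(?P<type>Handshake|Alert|Change Cipher Spec|Application Data), length = (?P<length>\d+)"
)


def parse_records(text):
    """Return one dict per record line; the page's dump has several records per line, so scan rather than split."""
    records = []
    for m in RECORD_RE.finditer(text):
        rec = m.groupdict()
        rec["thread"] = rec["thread"].strip()
        rec["length"] = int(rec["length"])
        records.append(rec)
    return records


def count_cbc_splits(records):
    """Count 1-byte Application Data records immediately followed by a payload record of the same direction and version."""
    splits = 0
    for prev, cur in zip(records, records[1:]):
        if (prev["type"] == "Application Data" and prev["length"] == 1
                and cur["type"] == "Application Data"
                and cur["dir"] == prev["dir"] and cur["proto"] == prev["proto"]):
            splits += 1
    return splits


def analyse_trace(text):
    """Summarise a trace: versions seen, deprecated ones, CBC split count and a pass/fail verdict."""
    records = parse_records(text)
    protocols = sorted({r["proto"] for r in records})
    deprecated = sorted(DEPRECATED.intersection(protocols))
    return {
        "records": len(records),
        "protocols": protocols,
        "deprecated": deprecated,
        "cbc_split_records": count_cbc_splits(records),
        # An empty trace proves nothing about the channel, so it fails too.
        "ok": bool(records) and not deprecated,
    }


# Constructed sample input: the record lines of the TLSv1 and TLSv1.2 runs shown above.
# One Mule INFO line is kept in the first trace to show that non-record text is ignored.
TRACE_TLS10 = """\
Remoting "config-based-ejb-client-endpoint" I/O-1, WRITE: TLSv1 Application Data, length = 1
Remoting "config-based-ejb-client-endpoint" I/O-1, WRITE: TLSv1 Application Data, length = 280
Remoting "config-based-ejb-client-endpoint" I/O-1, WRITE: TLSv1 Application Data, length = 1
Remoting "config-based-ejb-client-endpoint" I/O-1, WRITE: TLSv1 Application Data, length = 11
Remoting "config-based-ejb-client-endpoint" I/O-1, WRITE: TLSv1 Application Data, length = 1
Remoting "config-based-ejb-client-endpoint" I/O-1, WRITE: TLSv1 Application Data, length = 10
INFO 2018-03-23 16:16:21,674 [[sample].sampleFlow.stage1.02] org.mule.modules.t24outbound.rmi.OutboundRequestExecutor: CleanUp executor in class org.mule.modules.t24outbound.rmi.OutboundRequestExecutor
"""

TRACE_TLS12 = """\
Remoting "config-based-ejb-client-endpoint" I/O-1, WRITE: TLSv1.2 Application Data, length = 281
Remoting "config-based-ejb-client-endpoint" I/O-1, WRITE: TLSv1.2 Application Data, length = 12
Remoting "config-based-ejb-client-endpoint" I/O-1, WRITE: TLSv1.2 Application Data, length = 11
"""

if __name__ == "__main__":
    for label, trace in (("TLSv1 run", TRACE_TLS10), ("TLSv1.2 run", TRACE_TLS12)):
        print(label, analyse_trace(trace))
```

Feed it the Mule log file after a test run (analyse_trace(open("mule.log").read())) and gate the deployment on the "ok" flag. The split count doubles as a cipher-suite sanity check: three splits in the TLSv1 run means a CBC suite was negotiated, which is exactly the combination the TLSv1.2 listener setting removes.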
Log configuration
To see the SSL handshake and record-layer logs, start the JVM with the following VM arguments:
-Djavax.net.debug=ssl:handshake:verbose:keymanager:trustmanager -Djava.security.debug=access:stack
These options write every handshake, the loaded key and trust material and every security-manager access check (with stack traces) to standard output. They are meant for troubleshooting in a test environment; do not leave them enabled in production.