Traffic Inspection for Standalone Mule Instances

The traffic inspection feature for standalone Mule instances adds support to the Runtime Manager agent for a forward proxy that is deployed in your environment. This proxy acts as a man-in-the-middle between Mule and the control plane, intercepting and inspecting all HTTPS traffic.

To enable traffic inspection, you must install the Mule instance and the Runtime Manager agent from scratch using the following instructions.

Note
Upgrading from a standalone Mule deployed in a PCE environment is not supported.

Before You Begin

  • Build an HTTP proxy that accepts TLS connections from the Runtime Manager agent (the runtime client) and makes mTLS connections to the control plane server.

    The inspection proxy server does not require the Runtime Manager agent to present a client certificate. Communication between the agent and the inspection proxy is TLS, not mTLS.

  • Provision this inspection proxy with a customer-private certificate that it presents to the Runtime Manager agent.

    The agent uses a Certificate Authority in the Java Virtual Machine (JVM) truststore to validate the public certificate presented by the inspection proxy.

    The inspection proxy and the MuleSoft control plane communicate via mTLS. The two certificates involved are:

    • The control plane presents a MuleSoft public server certificate to the inspection proxy. The proxy must be provisioned with the correct Certificate Authority to validate the server certificate presented by the MuleSoft control plane.

    • The control plane requires a client certificate from the inspection proxy. The customer must provide this certificate to MuleSoft.

      Note
      Communication with the control plane fails if the certificate does not match the serial number and common name that were specified to MuleSoft.
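As an added example (not MuleSoft code), the following Go pre-flight check encodes the control-plane requirements just listed for the certificate the inspection proxy presents: it must chain to the trusted CA, be valid now, allow client authentication, and carry exactly the serial number and common name registered with MuleSoft. The function names, the constructed throwaway CA and leaf pair, and the example common name are assumptions; no real certificate material is used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckProxyClientCert applies the control-plane requirements above to the proxy's client
// certificate: chain to the trusted CA, valid at now, client-auth EKU, registered serial and CN.
func CheckProxyClientCert(leaf, ca *x509.Certificate, wantSerial *big.Int, wantCN string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return fmt.Errorf("chain, validity or key-usage check failed: %w", err)
	}
	if leaf.SerialNumber.Cmp(wantSerial) != 0 {
		return fmt.Errorf("serial %s does not match registered serial %s", leaf.SerialNumber, wantSerial)
	}
	if cn := leaf.Subject.CommonName; cn != wantCN {
		return fmt.Errorf("common name %q does not match registered %q", cn, wantCN)
	}
	return nil
}

// Constructed builds a throwaway root CA and a leaf it signed so the check runs offline; this is
// constructed test material, not real proxy certificates (a deployment parses the proxy's PEM files).
func Constructed(serial int64, cn string, eku x509.ExtKeyUsage) (leaf, ca *x509.Certificate) {
	now := time.Now()
	caT := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	leafT := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{eku}}
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader) // errors ignored: constructed test data only
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	caDER, _ := x509.CreateCertificate(rand.Reader, caT, caT, caPub, caKey)
	ca, _ = x509.ParseCertificate(caDER)
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafT, ca, leafPub, caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	return leaf, ca
}
```

A real run replaces Constructed with the proxy's own PEM files and the registered serial and CN, and treats any returned error as a blocker before registering Mule.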

Provision the Truststore of the JVM with the Proxy Root CA

  1. Identify the installation directory of the JVM that the Mule instance uses.

  2. Insert the root CA of the proxy in the truststore of the Mule JVM:

    In the terminal window, run the following command, replacing $JAVA_HOME with the actual path:

    sudo keytool -import -alias testCert -keystore $JAVA_HOME/jre/lib/security/cacerts -file proxy_cacert.pem

  3. Enter the keystore password when prompted.

  4. If you have multiple versions of Java installed, import the certificate into the JVM that the Mule instance uses.

Install Mule

Install the latest available Mule version. You can skip this step if Mule is already installed.

For instructions about how to install Mule, see mule-runtime::runtime-installation-task.adoc.

Using an earlier version might result in some functionalities not working as expected. To check the latest Mule version, see release-notes::mule-runtime/mule-esb.adoc.

Note
The Mule runtime installation bundle includes both Mule runtime engine and the Runtime Manager agent.

Upgrade the Runtime Manager Agent

Make sure that the Runtime Manager agent version is 2.5.6 or later. For instructions about how to check your agent version, see Troubleshoot the Runtime Manager Agent.

If you have an earlier version, update the agent by following these steps:

  1. Download the agent-setup-2.5.6.zip file.

  2. Extract the downloaded ZIP file to $MULE_HOME/bin.

  3. If prompted, overwrite any conflicting files.

    Do not run amc_setup -U.

Check Your Server Certificates

Registering a Mule server requires a valid certificate to secure communication between Runtime Manager and the Runtime Manager agent.

Certificates are valid for two years. To check a certificate expiration date, follow the steps in View a Certificate Expiration Date.

For agent version 2.5.6, you cannot renew your certificates from Runtime Manager. If you need to renew your certificates, follow the instructions in Renew a Certificate via the Command Line. Use version 2.4.37 of the certificate renewal JAR file.

Register Mule

  1. Update the wrapper.conf file with the IP and port of the traffic inspection proxy by following the instructions in Set Up Proxy Server Configuration in the wrapper.conf File.

  2. Log in to Anypoint Platform.

  3. From Anypoint Platform, select Runtime Manager > Servers.

  4. Click Add Server.

    (Screenshot: Add server)
  5. In a terminal window, change to the $MULE_HOME/bin directory of the Mule instance that you’re registering.

  6. Paste the command that Runtime Manager displays on the command line and append the proxy’s IP address or domain name, the proxy port, and the --enable-traffic-inspection configuration flag:

    ./amc_setup -H {registrationToken} {serverName} -P {proxy ip or hostname} {proxyPort} --enable-traffic-inspection

    Note
    Make sure to leave a space between the proxy’s domain name and port number.

  7. Confirm that the Mule instance registered successfully by checking that the runtime appears as Created in the Anypoint Platform console:

    (Screenshot: the Mule instance appears as Created)
  8. Edit the file $MULE_HOME/conf/mule-agent.yml and set the property authenticationProxy.endpoint to null.

  9. Start the Mule instance.

    See mule-runtime::starting-and-stopping-mule-esb.adoc.

Check that the Mule Instance is Connected to the Control Plane

If the connection is successful, the status of the Mule instance appears as Running in the Anypoint Platform console:

(Screenshot: the Mule instance appears as Running)

If the connection is established, the agent terminal window displays the following messages:

INFO  2023-04-19 17:27:41,307 [WebSocketInboundExecutor] [processor: ; event: ] com.mulesoft.agent.transport.handlers.GenericWebSocketHandler: Opening Mule Agent WebSocket
INFO  2023-04-19 17:27:41,316 [WebSocketInboundExecutor] [processor: ; event: ] com.mulesoft.agent.transport.handlers.GenericWebSocketHandler: Mule Agent WebSocket opened
INFO  2023-04-19 17:27:41,316 [pool-12-thread-1] [processor: ; event: ] com.mulesoft.agent.transport.connections.AsyncHttpWSConnectionThread: Mule Agent WebSocket connection was initialized after: 1 attempts
INFO  2023-04-19 17:27:42,179 [WebSocketInboundExecutor] [processor: ; event: ] com.mulesoft.agent.services.security.HandshakeAuthorizationService: WebSocket Client connection authorized
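As an added example (not part of the MuleSoft documentation or the agent), the following Go parser turns the four messages above into a pass/fail result that can be checked after starting Mule behind the inspection proxy: whether the WebSocket opened, how many connection attempts it took, whether the control plane authorized the client, and how long the handshake took. The type and function names are assumptions; the sample log is a constructed input copied from the messages shown above.

```go
package main

import (
	"regexp"
	"strconv"
	"strings"
	"time"
)

// ConnectionStatus summarises what the agent log says about the control-plane handshake.
type ConnectionStatus struct {
	Opened, Authorized bool
	Attempts           int           // connection attempts before the WebSocket came up
	HandshakeLatency   time.Duration // from "Opening Mule Agent WebSocket" to "authorized"
}

// One agent line: level, timestamp, [thread], [processor/event], logger class, message.
var lineRe = regexp.MustCompile(`^\w+\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[[^\]]*\] \[[^\]]*\] \S+: (.*)$`)
var attemptsRe = regexp.MustCompile(`initialized after: (\d+) attempts`)
// ParseAgentLog walks agent output and reports whether the handshake shown above completed.
func ParseAgentLog(log string) ConnectionStatus {
	var st ConnectionStatus
	var opening time.Time
	for _, line := range strings.Split(log, "\n") {
		m := lineRe.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil {
			continue // not an agent log line, or a format this parser does not know
		}
		ts, _ := time.Parse("2006-01-02 15:04:05.000", strings.Replace(m[1], ",", ".", 1)) // format guaranteed by lineRe
		switch m[2] {
		case "Opening Mule Agent WebSocket":
			opening = ts
		case "Mule Agent WebSocket opened":
			st.Opened = true
		case "WebSocket Client connection authorized":
			st.Authorized, st.HandshakeLatency = true, ts.Sub(opening) // "Opening" always precedes this line
		default:
			if a := attemptsRe.FindStringSubmatch(m[2]); a != nil {
				st.Attempts, _ = strconv.Atoi(a[1])
			}
		}
	}
	return st
}

// SampleAgentLog is a constructed input copied from the four messages shown above.
const SampleAgentLog = `INFO  2023-04-19 17:27:41,307 [WebSocketInboundExecutor] [processor: ; event: ] com.mulesoft.agent.transport.handlers.GenericWebSocketHandler: Opening Mule Agent WebSocket
INFO  2023-04-19 17:27:41,316 [WebSocketInboundExecutor] [processor: ; event: ] com.mulesoft.agent.transport.handlers.GenericWebSocketHandler: Mule Agent WebSocket opened
INFO  2023-04-19 17:27:41,316 [pool-12-thread-1] [processor: ; event: ] com.mulesoft.agent.transport.connections.AsyncHttpWSConnectionThread: Mule Agent WebSocket connection was initialized after: 1 attempts
INFO  2023-04-19 17:27:42,179 [WebSocketInboundExecutor] [processor: ; event: ] com.mulesoft.agent.services.security.HandshakeAuthorizationService: WebSocket Client connection authorized`
```

A log where Opened is true but Authorized stays false points at the proxy-to-control-plane mTLS leg (certificate, serial number or common name), whereas a high Attempts count points at the agent-to-proxy leg (wrapper.conf proxy settings or the JVM truststore).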