W-14219104-Traffic-inspection-LDS #697
base: latest
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
{} |
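Review bot: the entire content of this new file is `{}` and its path is not shown in this view, so a reader has no way to tell why it exists; if an empty JSON file is required here (a placeholder config or index), say so in the PR description, otherwise it looks like an accidental commit.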
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,128 @@ | ||
= Traffic Inspection for Standalone Mule Instances | ||
ifndef::env-site,env-github[] | ||
include::_attributes.adoc[] | ||
endif::[] | ||
:keywords: agent, runtime manager, traffic inspection, standalone | ||
:page-deployment-options: hybrid | ||
|
||
The traffic inspection feature for standalone Mule instances adds support to the Runtime Manager agent for a forward proxy that is deployed in your environment. This proxy acts as a man-in-the-middle between Mule and the control plane, intercepting and inspecting all HTTPS traffic. | ||
|
||
To enable traffic inspection, you must install the Mule instance and the Runtime Manager agent from scratch using the following instructions. | ||
|
||
[NOTE] | ||
Upgrading from a standalone Mule deployed in a PCE environment is not supported. | ||
|
||
== Before You Begin | ||
|
||
* Build an HTTP proxy with support for TLS connections to the runtime client and mTLS connections to the control plane server. | ||
+ | ||
The inspection proxy server does not require the Runtime Manager agent to present a client certificate. Communication between the agent and the inspection proxy is TLS, not mTLS. | ||
|
||
* Provision this inspection proxy to send a customer-private certificate to the Runtime Manager agent. | ||
+ | ||
The agent uses a Certificate Authority from the Java Virtual Machine (JVM) keystore to validate the public certificate presented by the inspection proxy. | ||
+ | ||
The inspection proxy and the MuleSoft control plane communicate via mTLS. The two certificates involved are: | ||
+ | ||
** The control plane presents a MuleSoft public server certificate to the inspection proxy. The proxy must be provisioned with the correct Certificate Authority to validate the server certificate presented by the MuleSoft control plane. | ||
** The control plane requires a client certificate from the inspection proxy. The customer must provide this certificate to MuleSoft. | ||
+ | ||
[NOTE] | ||
Communication with the control plane fails if the certificate does not match the specified serial number and common name. | ||
|
||
== Provision the Truststore of the JVM with the Proxy Root CA | ||
|
||
Need some content between headings here.

Our style is to not use self-referential language like "steps". Instead, reframe to be a task (with an imperative).

== Install and Register Mule |
||
. Identify the folder location of the JVM. | ||
. Insert the root CA of the proxy in the truststore of the Mule JVM: | ||
+ | ||
In the terminal window, run the following command, replacing `$JAVA_HOME` with the actual path: | ||
+ | ||
[source,console,linenums] | ||
---- | ||
sudo keytool -import -alias testCert -keystore $JAVA_HOME/jre/lib/security/cacerts -file proxy_cacert.pem | ||
---- | ||
+ | ||
. Enter the provided password. | ||
. If you have multiple versions of Java, insert the certificate in the version of Java that the Mule instance uses. | ||
|
||
== Install Mule | ||
|
||
Install the latest available Mule version. You can skip this step if already installed. | ||
|
||
For instructions about how to install Mule, see xref:mule-runtime::runtime-installation-task.adoc[]. | ||
|
||
Using an earlier version might result in some functionalities not working as expected. To check the latest Mule version, see xref:release-notes::mule-runtime/mule-esb.adoc[]. | ||
|
||
[NOTE] | ||
The Mule runtime installation bundle includes both Mule runtime engine and the Runtime Manager agent. | ||
|
||
== Upgrade the Runtime Manager Agent | ||
|
||
Make sure that the version of Runtime Manager agent is 2.5.6 or later. For instructions about how to check your agent version, see xref:debugging-the-runtime-manager-agent.adoc#troubleshoot-connection-issues-between-the-agent-and-mule[Troubleshoot the Runtime Manager Agent]. | ||
|
||
If you have an earlier version, update the agent by following these steps: | ||
|
||
. Download the `agent-setup-2.5.6.zip` file. | ||
. Extract the downloaded ZIP file to `$MULE_HOME/bin`. | ||
. If prompted, overwrite any conflicting files. | ||
+ | ||
Do not run `amc_setup -U`. | ||
|
||
== Check Your Server Certificates | ||
|
||
Registering a Mule server requires a valid certificate to secure communication between Runtime Manager and the Runtime Manager agent. | ||
|
||
Certificates are valid for two years. To check a certificate expiration date, follow the steps in xref:servers-cert-renewal.adoc#view-a-certificate-expiration-date[View a Certificate Expiration Date]. | ||
|
||
=== Renew Your Server Certificates | ||
|
||
To renew your certificates from Runtime Manager, follow the instructions in xref:servers-cert-renewal.adoc#renew-a-certificate-from-runtime-manager[Renew a Certificate from Runtime Manager]. You need to update to the latest Mule agent to renew your certificates through Runtime Manager. | ||
|
||
Alternatively, you can xref:servers-cert-renewal.adoc#renew-a-certificate-via-the-command-line[Renew a Certificate via the Command Line]. Use version 2.4.37 of the certificate renewal JAR file. | ||
|
||
For agent version 2.5.6, you cannot renew your certificates from Runtime Manager. If you need to renew your certificates, follow the instructions in xref:servers-cert-renewal.adoc#renew-a-certificate-via-the-command-line[Renew a Certificate via the Command Line]. Use version 2.4.37 of the certificate renewal JAR file. | ||
|
||
== Register Mule | ||
|
||
. Update the `wrapper.conf` file with the IP and port of the traffic inspection proxy by following the instructions in xref:rtm-agent-proxy-config.adoc#set-up-proxy-server-configuration-in-the-wrapper-conf-file[Set Up Proxy Server Configuration in the wrapper.conf File]. | ||
. Log in to Anypoint Platform. | ||
. From Anypoint Platform, select *Runtime Manager* > *Servers*. | ||
. Click *Add Server*. | ||
+ | ||
image::traffic-add-server.png[Add server] | ||
+ | ||
. In a terminal window, change the `$MULE_HOME/bin` directory to the Mule instance that you're registering. | ||
. Paste the command on the command line and append the proxy's IP address or domain name and port, and the `--enable-traffic-inspection` configuration flag. | ||
This seems familiar. I feel like this procedure is covered elsewhere in the RTM (agent?) docs. Is there a way to link to a section there and point out the relevant configuration flags? Do you need to update the configuration flag table on that page with this (new?)
||
+ | ||
[source,console,linenums] | ||
---- | ||
./amc_setup -H {registrationToken} {serverName} -P {proxy ip or hostname} {proxyPort} --enable-traffic-inspection | ||
---- | ||
+ | ||
[NOTE] | ||
Make sure to leave a space between the proxy's domain name and port number. | ||
+ | ||
. Confirm that the Mule instance registered successfully by checking that the runtime appears as *Created* in the Anypoint Platform console: | ||
+ | ||
image::mule-registered.png[The Mule instance appears as created] | ||
+ | ||
. Edit the file `$MULE_HOME/conf/mule-agent.yml` and set the property `authenticationProxy.endpoint` to `null`. | ||
. Start the Mule instance. | ||
+ | ||
See xref:mule-runtime::starting-and-stopping-mule-esb.adoc[]. | ||
|
||
== Check that the Mule Instance is Connected to the Control Plane | ||
|
||
If the connection is successful, the status of the Mule instance appears as *Running* in the Anypoint Platform console: | ||
|
||
image::mule-running.png[The Mule instance appears as running] | ||
|
||
If the connection is established, the agent terminal window displays the following message: | ||
|
||
[source,console,linenums] | ||
---- | ||
INFO 2023-04-19 17:27:41,307 [WebSocketInboundExecutor] [processor: ; event: ] com.mulesoft.agent.transport.handlers.GenericWebSocketHandler: Opening Mule Agent WebSocket | ||
INFO 2023-04-19 17:27:41,316 [WebSocketInboundExecutor] [processor: ; event: ] com.mulesoft.agent.transport.handlers.GenericWebSocketHandler: Mule Agent WebSocket opened | ||
INFO 2023-04-19 17:27:41,316 [pool-12-thread-1] [processor: ; event: ] com.mulesoft.agent.transport.connections.AsyncHttpWSConnectionThread: Mule Agent WebSocket connection was initialized after: 1 attempts | ||
INFO 2023-04-19 17:27:42,179 [WebSocketInboundExecutor] [processor: ; event: ] com.mulesoft.agent.services.security.HandshakeAuthorizationService: WebSocket Client connection authorized | ||
---- |
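Review bot: the keytool command in the truststore task (`sudo keytool -import -alias testCert -keystore $JAVA_HOME/jre/lib/security/cacerts -file proxy_cacert.pem`) uses the alias `testCert`, which reads like a leftover test value, and a `jre/lib/security` path that only exists on Java 8 JDK layouts (Java 9 and later keep the file at `$JAVA_HOME/lib/security/cacerts`); use a descriptive alias such as `inspection-proxy-ca` and give both paths. The next step, "Enter the provided password.", should say which password is meant (the password of the `cacerts` keystore, not an agent or platform credential). Because this imports the proxy's root CA into the JVM-wide truststore, every outbound TLS connection made by that JVM will accept certificates issued by that CA, which is worth stating beside the command so readers understand the trust they are granting. Lastly, the Register Mule step "set the property `authenticationProxy.endpoint` to `null`" gives no reason; one sentence on why this is required when traffic inspection is enabled would help.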
Our style is to not have two headings in a row without content.

I think you can remove the
=== Traffic Inspection Proxy
heading because there's only one heading in the Prereqs - no need to distinguish. Once you revise the bullet list to be more paragraphy, you can make it clear that the prereqs are for the Proxy.