W-14219104-Traffic-inspection-LDS #697

Open, wants to merge 67 commits into base: latest

67 commits
1ad60d6
W-14219104-Traffic-inspection-LDS
luanamulesoft Oct 6, 2023
1299a88
fixed format
luanamulesoft Oct 6, 2023
4c224b7
fixed format2
luanamulesoft Oct 6, 2023
9332bf4
fixed format3
luanamulesoft Oct 6, 2023
114ef81
fixed format4
luanamulesoft Oct 6, 2023
7b010f0
fixed format5
luanamulesoft Oct 6, 2023
8083fac
added images
luanamulesoft Oct 6, 2023
cc645b2
added images2
luanamulesoft Oct 6, 2023
038b4d5
added images3
luanamulesoft Oct 6, 2023
868b02c
fixed images
luanamulesoft Oct 6, 2023
d0509b0
fixed images2
luanamulesoft Oct 6, 2023
4398f2f
fixed images3
luanamulesoft Oct 6, 2023
035fcb0
fixed images34
luanamulesoft Oct 6, 2023
a114d4a
fixed images5
luanamulesoft Oct 6, 2023
49d9a50
fixed images6
luanamulesoft Oct 6, 2023
9479a14
fixed vale problems
luanamulesoft Oct 6, 2023
353ba57
added page to nav
luanamulesoft Oct 6, 2023
e571e09
fixed nav
luanamulesoft Oct 6, 2023
b4874ad
fixed wrapper conf description
luanamulesoft Oct 6, 2023
090ca85
Merge branch 'latest' into W-14219104-Traffic-inspection-LDS
luanamulesoft Oct 9, 2023
b4c11d1
apply review
luanamulesoft Oct 9, 2023
e6f9a52
apply reviews2
luanamulesoft Oct 9, 2023
ea5217c
format test1
luanamulesoft Oct 9, 2023
cb0b57d
format test2
luanamulesoft Oct 9, 2023
4bcaf3e
format test3
luanamulesoft Oct 9, 2023
14b567a
format test4
luanamulesoft Oct 9, 2023
541ac51
applied SMEs reviews
luanamulesoft Oct 9, 2023
74bebab
Update rtm-traffic-inspection.adoc
luanamulesoft Oct 9, 2023
33d51ea
Update runtime-manager/modules/ROOT/pages/rtm-traffic-inspection.adoc
luanamulesoft Oct 10, 2023
7f2b735
Update runtime-manager/modules/ROOT/pages/rtm-traffic-inspection.adoc
luanamulesoft Oct 10, 2023
b53c0bc
Update rtm-traffic-inspection.adoc
luanamulesoft Oct 10, 2023
eb4ff84
Update rtm-traffic-inspection.adoc
luanamulesoft Oct 10, 2023
095da9f
Update runtime-manager/modules/ROOT/pages/rtm-traffic-inspection.adoc
luanamulesoft Oct 10, 2023
06f8a78
Update rtm-traffic-inspection.adoc
luanamulesoft Oct 10, 2023
4b549bc
Update rtm-traffic-inspection.adoc
luanamulesoft Oct 10, 2023
c1cfbe3
Update runtime-manager/modules/ROOT/pages/rtm-traffic-inspection.adoc
luanamulesoft Oct 10, 2023
d9183df
Update runtime-manager/modules/ROOT/pages/rtm-traffic-inspection.adoc
luanamulesoft Oct 10, 2023
7bf6bcf
Update runtime-manager/modules/ROOT/pages/rtm-traffic-inspection.adoc
luanamulesoft Oct 10, 2023
a1a7c51
Update rtm-traffic-inspection.adoc
luanamulesoft Oct 10, 2023
ed3f26a
Update runtime-manager/modules/ROOT/pages/rtm-traffic-inspection.adoc
luanamulesoft Oct 11, 2023
9901cab
Update runtime-manager/modules/ROOT/pages/rtm-traffic-inspection.adoc
luanamulesoft Oct 11, 2023
563c92b
Update runtime-manager/modules/ROOT/pages/rtm-traffic-inspection.adoc
luanamulesoft Oct 11, 2023
f831d28
Update runtime-manager/modules/ROOT/pages/rtm-traffic-inspection.adoc
luanamulesoft Oct 11, 2023
7738010
Update runtime-manager/modules/ROOT/pages/rtm-traffic-inspection.adoc
luanamulesoft Oct 11, 2023
07d52a7
Update rtm-traffic-inspection.adoc
luanamulesoft Oct 11, 2023
a34b538
Update runtime-manager/modules/ROOT/pages/rtm-traffic-inspection.adoc
luanamulesoft Oct 11, 2023
e03791e
Update rtm-traffic-inspection.adoc
luanamulesoft Oct 11, 2023
7efdacb
Update rtm-traffic-inspection.adoc
luanamulesoft Oct 11, 2023
6ccbce1
Update runtime-manager/modules/ROOT/pages/rtm-traffic-inspection.adoc
luanamulesoft Oct 11, 2023
c550aab
Update rtm-traffic-inspection.adoc
luanamulesoft Oct 11, 2023
7b2fb75
Update runtime-manager/modules/ROOT/pages/rtm-traffic-inspection.adoc
luanamulesoft Oct 11, 2023
4d2fe6a
Update runtime-manager/modules/ROOT/pages/rtm-traffic-inspection.adoc
luanamulesoft Oct 11, 2023
7acf989
Update rtm-traffic-inspection.adoc
luanamulesoft Oct 11, 2023
1df3302
Update runtime-manager/modules/ROOT/pages/rtm-traffic-inspection.adoc
luanamulesoft Oct 11, 2023
4865eb3
Update rtm-traffic-inspection.adoc
luanamulesoft Oct 11, 2023
503406b
format test5
luanamulesoft Oct 11, 2023
517fc66
structure1
luanamulesoft Oct 11, 2023
78249c6
structure2
luanamulesoft Oct 11, 2023
e41972e
added mule runtime xrefs
luanamulesoft Oct 11, 2023
d134b47
Merge branch 'latest' into W-14219104-Traffic-inspection-LDS
luanamulesoft Oct 11, 2023
c72dddb
Update rtm-traffic-inspection.adoc
luanamulesoft Oct 11, 2023
043ab60
structure4
luanamulesoft Oct 11, 2023
6d9c755
structure5
luanamulesoft Oct 11, 2023
e1d7298
structure6
luanamulesoft Oct 11, 2023
82ab10b
Update runtime-manager/modules/ROOT/pages/rtm-traffic-inspection.adoc
luanamulesoft Oct 11, 2023
f4f33a7
Merge branch 'latest' into W-14219104-Traffic-inspection-LDS
luanamulesoft Jul 25, 2024
e6e06c8
added info to renew certificates via RTM.
luanamulesoft Jul 26, 2024
1 change: 1 addition & 0 deletions .vscode/settings.json
@@ -0,0 +1 @@
{}
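Review bot: the new `.vscode/settings.json` containing only `{}` does not belong in a documentation change and looks like an editor artifact committed by accident. Drop it from this PR, and consider listing `.vscode/` in the repository's `.gitignore` so it is not picked up again.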
Binary file not shown.
Binary file not shown.
Binary file not shown.
Expand Up @@ -95,6 +95,7 @@ add your proxy server information to the following properties:
* `wrapper.java.additional.<n>=-Danypoint.platform.proxy_password={password}`

[IMPORTANT]

These are additional parameters to pass to Java when it is launched. The <n> element refers to the number of additional parameters in the configuration. It is indicated with an integer number counting up from `1` and must follow a sequence without any gaps.

== Verify That the Proxy Server Does Not Modify the Runtime Manager Certificate
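Review bot: the blank line between `[IMPORTANT]` and the paragraph that starts "These are additional parameters" should be removed so that the admonition sits directly above the text it marks, the way the `[NOTE]` blocks in the new rtm-traffic-inspection.adoc page are written; as committed, it is ambiguous which paragraph the admonition belongs to. In that same paragraph, wrap `<n>` in backticks for consistency with the bullet above it, so "The <n> element refers to the number of additional parameters" reads "The `<n>` element refers to the number of additional parameters".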
128 changes: 128 additions & 0 deletions runtime-manager/modules/ROOT/pages/rtm-traffic-inspection.adoc
@@ -0,0 +1,128 @@
= Traffic Inspection for Standalone Mule Instances
ifndef::env-site,env-github[]
include::_attributes.adoc[]
endif::[]
:keywords: agent, runtime manager, traffic inspection, standalone
:page-deployment-options: hybrid

The traffic inspection feature for standalone Mule instances adds support to the Runtime Manager agent for a forward proxy that is deployed in your environment. This proxy acts as a man-in-the-middle between Mule and the control plane, intercepting and inspecting all HTTPS traffic.

To enable traffic inspection, you must install the Mule instance and the Runtime Manager agent from scratch using the following instructions.

Contributor

Our style is to not have two headings in a row without content.

Contributor

I think you can remove the === Traffic Inspection Proxy heading because there's only one heading in the Prereqs - no need to distinguish.

Once you revise the bullet list to be more paragraphy, you can make it clear that the prereqs are for the Proxy.

[NOTE]
Upgrading from a standalone Mule deployed in a PCE environment is not supported.

== Before You Begin

* Build an HTTP proxy with support for TLS connections to the runtime client and mTLS connections to the control plane server.
+
The inspection proxy server does not require the Runtime Manager agent to present a client certificate. Communication between the agent and the inspection proxy is TLS, not mTLS.

* Provision this inspection proxy to send a customer-private certificate to the Runtime Manager agent.
+
The agent uses a Certificate Authority from the Java Virtual Machine (JVM) keystore to validate the public certificate presented by the inspection proxy.
+
The inspection proxy and the MuleSoft control plane communicate via mTLS. The two certificates involved are:
+
** The control plane presents a MuleSoft public server certificate to the inspection proxy. The proxy must be provisioned with the correct Certificate Authority to validate the server certificate presented by the MuleSoft control plane.
** The control plane requires a client certificate from the inspection proxy. The customer must provide this certificate to MuleSoft.
+
[NOTE]
Communication with the control plane fails if the certificate does not match the specified serial number and common name.

== Provision the Truststore of the JVM with the Proxy Root CA

Contributor

@hannanelson hannanelson Oct 9, 2023

Need some content between headings here.

Contributor

Our style is to not use self-referential language like "steps". Instead, reframe to be a task (with an imperative).

== Install and Register Mule

. Identify the folder location of the JVM.
. Insert the root CA of the proxy in the truststore of the Mule JVM:
+
In the terminal window, run the following command, replacing `$JAVA_HOME` with the actual path:
+
[source,console,linenums]
----
sudo keytool -import -alias testCert -keystore $JAVA_HOME/jre/lib/security/cacerts -file proxy_cacert.pem
----
+
. Enter the provided password.
. If you have multiple versions of Java, insert the certificate in the version of Java that the Mule instance uses.

== Install Mule

Install the latest available Mule version. You can skip this step if already installed.

For instructions about how to install Mule, see xref:mule-runtime::runtime-installation-task.adoc[].

Using an earlier version might result in some functionalities not working as expected. To check the latest Mule version, see xref:release-notes::mule-runtime/mule-esb.adoc[].

[NOTE]
The Mule runtime installation bundle includes both Mule runtime engine and the Runtime Manager agent.

== Upgrade the Runtime Manager Agent

Make sure that the version of Runtime Manager agent is 2.5.6 or later. For instructions about how to check your agent version, see xref:debugging-the-runtime-manager-agent.adoc#troubleshoot-connection-issues-between-the-agent-and-mule[Troubleshoot the Runtime Manager Agent].

If you have an earlier version, update the agent by following these steps:

. Download the `agent-setup-2.5.6.zip` file.
. Extract the downloaded ZIP file to `$MULE_HOME/bin`.
. If prompted, overwrite any conflicting files.
+
Do not run `amc_setup -U`.

== Check Your Server Certificates

Registering a Mule server requires a valid certificate to secure communication between Runtime Manager and the Runtime Manager agent.

Certificates are valid for two years. To check a certificate expiration date, follow the steps in xref:servers-cert-renewal.adoc#view-a-certificate-expiration-date[View a Certificate Expiration Date].

=== Renew Your Server Certificates

To renew your certificates from Runtime Manager, follow the instructions in xref:servers-cert-renewal.adoc#renew-a-certificate-from-runtime-manager[Renew a Certificate from Runtime Manager]. You need to update to the latest Mule agent to renew your certificates through Runtime Manager.

Alternatively, you can xref:servers-cert-renewal.adoc#renew-a-certificate-via-the-command-line[Renew a Certificate via the Command Line]. Use version 2.4.37 of the certificate renewal JAR file.

For agent version 2.5.6, you cannot renew your certificates from Runtime Manager. If you need to renew your certificates, follow the instructions in xref:servers-cert-renewal.adoc#renew-a-certificate-via-the-command-line[Renew a Certificate via the Command Line]. Use version 2.4.37 of the certificate renewal JAR file.

== Register Mule

. Update the `wrapper.conf` file with the IP and port of the traffic inspection proxy by following the instructions in xref:rtm-agent-proxy-config.adoc#set-up-proxy-server-configuration-in-the-wrapper-conf-file[Set Up Proxy Server Configuration in the wrapper.conf File].
. Log in to Anypoint Platform.
. From Anypoint Platform, select *Runtime Manager* > *Servers*.
. Click *Add Server*.
+
image::traffic-add-server.png[Add server]
+
. In a terminal window, change the `$MULE_HOME/bin` directory to the Mule instance that you're registering.
. Paste the command on the command line and append the proxy's IP address or domain name and port, and the `--enable-traffic-inspection` configuration flag.
Contributor

This seems familiar. I feel like this procedure is covered elsewhere in the RTM (agent?) docs.
https://docs.mulesoft.com/runtime-manager/installing-and-configuring-runtime-manager-agent

Is there a way to link to a section there and point out the relevant configuration flags? Do you need to update the configuration flag table on that page with this (new?) --enable-traffic-inspection flag?

+
[source,console,linenums]
----
./amc_setup -H {registrationToken} {serverName} -P {proxy ip or hostname} {proxyPort} --enable-traffic-inspection
----
+
[NOTE]
Make sure to leave a space between the proxy's domain name and port number.
+
. Confirm that the Mule instance registered successfully by checking that the runtime appears as *Created* in the Anypoint Platform console:
+
image::mule-registered.png[The Mule instance appears as created]
+
. Edit the file `$MULE_HOME/conf/mule-agent.yml` and set the property `authenticationProxy.endpoint` to `null`.
. Start the Mule instance.
+
See xref:mule-runtime::starting-and-stopping-mule-esb.adoc[].

== Check that the Mule Instance is Connected to the Control Plane

If the connection is successful, the status of the Mule instance appears as *Running* in the Anypoint Platform console:

image::mule-running.png[The Mule instance appears as running]

If the connection is established, the agent terminal window displays the following message:

[source,console,linenums]
----
INFO 2023-04-19 17:27:41,307 [WebSocketInboundExecutor] [processor: ; event: ] com.mulesoft.agent.transport.handlers.GenericWebSocketHandler: Opening Mule Agent WebSocket
INFO 2023-04-19 17:27:41,316 [WebSocketInboundExecutor] [processor: ; event: ] com.mulesoft.agent.transport.handlers.GenericWebSocketHandler: Mule Agent WebSocket opened
INFO 2023-04-19 17:27:41,316 [pool-12-thread-1] [processor: ; event: ] com.mulesoft.agent.transport.connections.AsyncHttpWSConnectionThread: Mule Agent WebSocket connection was initialized after: 1 attempts
INFO 2023-04-19 17:27:42,179 [WebSocketInboundExecutor] [processor: ; event: ] com.mulesoft.agent.services.security.HandshakeAuthorizationService: WebSocket Client connection authorized
----
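Review bot: the `keytool` command under "Install and Register Mule" hard-codes the JDK 8 truststore path (`$JAVA_HOME/jre/lib/security/cacerts`) and a placeholder alias (`-alias testCert`); on Java 11 and later there is no `jre` directory and the truststore lives at `$JAVA_HOME/lib/security/cacerts`, so a reader on a newer runtime gets a file-not-found error from the step as written. Suggest using a meaningful placeholder such as `{proxyRootCA}` for the alias and documenting both truststore layouts in the "Identify the folder location of the JVM" step. "Enter the provided password" should also say whose password is meant: it is the keystore password of `cacerts` (Java's default is `changeit`), not a proxy credential. Because the step imports the proxy root CA into the JVM-wide `cacerts`, the page should state that every TLS connection made by that JVM, not only the control-plane connection, will then trust certificates issued by the inspection proxy's CA, so that CA key needs the same protection as any other trust anchor. Further points in the same file: the `+` list-continuation lines that sit directly before the next `. ` item (after the `keytool` listing, after `image::traffic-add-server.png[Add server]`, after the `[NOTE]` about the space between host and port, and after `image::mule-registered.png[...]`) attach nothing and should be removed, since `+` belongs only between an item and the block that continues it; the two paragraphs under "Renew Your Server Certificates" that both point to "Renew a Certificate via the Command Line" with JAR version 2.4.37 repeat each other and, together with "You need to update to the latest Mule agent", should be merged into one statement that names the agent version from which renewal through Runtime Manager works; "change the `$MULE_HOME/bin` directory to the Mule instance that you're registering" should read "change to the `$MULE_HOME/bin` directory of the Mule instance that you're registering", and "Paste the command" should say which command (the registration command presented after *Add Server*); the placeholder `{proxy ip or hostname}` contains spaces, unlike `{registrationToken}` and `{serverName}`, so use `{proxyHost}`; and the step that sets `authenticationProxy.endpoint` to `null` in `mule-agent.yml` gives no reason, so add one sentence explaining why the setting must be cleared when the inspection proxy is in use, otherwise operators will read it as an error.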