2. Anypoint Enterprise Security
Configuring Security
FIPS 140-2 Compliance Support
3. Anypoint Enterprise Security is a collection of security features that enforce secure access to information in Mule applications. This suite of security features provides various methods for applying security to Mule Service-Oriented Architecture (SOA) implementations and Web services. The following security features bridge gaps between trust boundaries in applications:
5. Businesses must ensure that the valuable information they store and make available through software applications and Web services is secure. Locked away and protected from unauthorized users and malicious attackers, protected resources — such as credit card information or Social Security numbers — must still be accessible to authorized legitimate users and systems in order to conduct business transactions.
To provide secure access to information, applications and services can apply a variety of security measures. The suite of security features in Anypoint Enterprise Security enables developers to protect applications according to security requirements, prevent security breaches and facilitate authorized access to data.
6. Anypoint Enterprise Security adds new features on top of Mule ESB Enterprise's existing security capabilities. Mule ESB already provides the following security features:
Mule Security Manager, client authentication and authorization on inbound requests as well as credential mapping for outbound calls
LDAP and third party identity management system integration
Validation of inbound requests through the SAML 2.0 federated identity standard
Secure FTP (SFTP) Transport that enables Mule flows to read and write to remote directories over the SSH protocol.
7. Mule can encrypt properties in a .properties file. The .properties file in Mule stores data as key-value pairs. Mule flows may access this data — usernames, first and last names, credit card information — as the flow processes messages. In the context of Anypoint Enterprise Security, Mule refers to the .properties file in which it safely stores encrypted properties as the Mule Credentials Vault.
Encrypt a properties file
8. Mule can encrypt an entire payload or several fields of data within a message. Where sensitive information must move between users, yet remain hidden from them, a developer can encrypt message content to prevent unauthorized access. Typically, you may need to encrypt data such as a password, credit card number or social security number (SSN).
Encrypt a message payload
Decrypt a message payload
9. Mule uses digital signatures to ensure that messages maintain integrity and authenticity. Mule can verify that an incoming Web service request originates from a valid source, and can sign an outgoing Web service response to ensure its contents. Digital signatures ensure that a sender is valid, that a message is not modified in transit between Web services, and that no unauthorized user has tampered with a message.
Add a digital signature to a message in Mule
Sign part of a message payload
Verify a digital signature in Mule
10. Mule can filter messages it receives to avoid processing invalid ones. With a filter processor in place, Mule discards any message it receives that does not match the filter's parameters — a message from outside a set range of IP addresses, for example.
Filter unsecure messages
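An added example, not MuleSoft code, of the IP-range filter behaviour this slide describes: any inbound message whose source address is outside the configured ranges is discarded before the rest of the flow sees it, and an address that does not parse is also discarded (fail closed). The message shape and the allowed ranges are constructed for the example.

```python
"""Added example (not MuleSoft code): discard inbound messages whose source IP
is outside an allow-list of ranges, as the filter processor on this slide does."""
import ipaddress

# Constructed allow-list: the ranges a deployment would actually trust.
ALLOWED_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]


def source_ip_allowed(source_ip, allowed=ALLOWED_RANGES):
    """True only when source_ip parses and lies inside one allowed range.

    Unparseable addresses are treated as not allowed, so a malformed
    source header cannot slip past the filter.
    """
    try:
        addr = ipaddress.ip_address(str(source_ip).strip())
    except ValueError:
        return False
    # A v6 address is never "in" a v4 network (and vice versa), so mixed
    # families fall through to False rather than raising.
    return any(addr in net for net in allowed)


def filter_messages(messages):
    """Split constructed inbound messages into (accepted, discarded).

    Each message is a dict with 'source_ip' and 'payload'; a discarded
    message is never passed on to the rest of the flow.
    """
    accepted, discarded = [], []
    for msg in messages:
        bucket = accepted if source_ip_allowed(msg.get("source_ip", "")) else discarded
        bucket.append(msg)
    return accepted, discarded


# Constructed sample traffic: two in-range senders, one external, one malformed.
SAMPLE_MESSAGES = [
    {"source_ip": "10.20.30.40", "payload": "order 1001"},
    {"source_ip": "192.168.1.77", "payload": "order 1002"},
    {"source_ip": "203.0.113.9", "payload": "order 1003"},  # outside every range
    {"source_ip": "not-an-ip", "payload": "order 1004"},    # malformed header
]

if __name__ == "__main__":
    ok, dropped = filter_messages(SAMPLE_MESSAGES)
    print(f"accepted {len(ok)}, discarded {len(dropped)}")
```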
11. Mule can apply a cyclic redundancy check (CRC) to messages to ensure message integrity. CRC uses an algorithm to apply a check value to a message when it enters a system, and verifies the value when the message leaves the system. If the entry and exit values do not match, CRC marks the message as changed. Generally, CRC32 (32 indicates the 33-bit polynomial length in the algorithm) detects unintentional changes to messages, such as the accumulation of "noise" between transmission points, but it can also detect unauthorized intentional changes – for instance, flagging a message that has been tampered with during transmission to change it into a Trojan horse.
Apply a CRC to a message
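An added example, not MuleSoft code, of the entry/exit CRC32 check this slide describes: the check value is recorded when a message enters, recomputed when it leaves, and a mismatch marks the message as changed. The message bytes and the single-bit corruption are constructed. Note that CRC32 is unkeyed, so it is an integrity check against corruption; the digital signature feature on the previous slide is the control for authenticity.

```python
"""Added example (not MuleSoft code): CRC32 applied at system entry and
verified at system exit, as the CRC feature on this slide does."""
import zlib


def apply_crc(payload: bytes) -> int:
    """Entry point: compute the CRC32 check value over the payload bytes."""
    return zlib.crc32(payload) & 0xFFFFFFFF


def check_crc(payload: bytes, expected: int) -> bool:
    """Exit point: recompute CRC32 and compare with the value taken at entry."""
    return apply_crc(payload) == expected


def flip_bit(payload: bytes, bit_index: int) -> bytes:
    """Constructed fault: flip one bit to simulate noise picked up in transit."""
    data = bytearray(payload)
    data[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(data)


def transit(payload: bytes, corrupt: bool):
    """Run one message through entry check -> optional corruption -> exit check.

    Returns (payload_as_received, unchanged); unchanged is False when the
    exit value differs from the entry value, i.e. the message is marked changed.
    """
    entry_value = apply_crc(payload)
    received = flip_bit(payload, 13) if corrupt else payload
    return received, check_crc(received, entry_value)


# Constructed message; any byte string works the same way.
SAMPLE = b'{"account":"12345","amount":"250.00"}'

if __name__ == "__main__":
    for corrupt in (False, True):
        received, unchanged = transit(SAMPLE, corrupt)
        print("unchanged" if unchanged else "CHANGED", received)
```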
12. Mule ESB allows you to authenticate requests via connectors using transport-specific or generic authentication methods. It also allows you to control method-level authorization on your components. The Security Manager is responsible for authenticating requests based on one or more security providers. For information on the elements you can configure for the Security Manager, see Security Manager Configuration Reference. The following sections provide links to information on configuring different types of security managers.
13. Spring Security is the next version of Acegi and provides a number of authentication and authorization providers such as JAAS, LDAP, CAS (Yale Central Authentication Service), and DAO. The following topics will help you get started securing your flows using Spring Security:
Configuring the Spring Security Manager
Component Authorization Using Spring Security
Setting up LDAP Provider for Spring Security
14. WS-Security is a standard protocol for applying security to Web services. It contains specifications on how integrity and confidentiality in a SOAP message can be enforced via XML signatures and binary security tokens such as X.509 certificates and Kerberos tickets as well as encryption headers. It ensures end-to-end security by working in the application layer as opposed to the transport layer. Mule provides the following resources for WS-Security:
Enabling WS-Security - Describes how to secure your CXF connectors with WS-Security.
SAML Module - Mule now supports the SAML standard for exchange of security information between systems. This module is available in the enterprise edition of Mule as of version 2.2.3
15. Mule also supports the following security technologies:
Encryption Strategies - Secure your messages by encrypting them.
PGP Security - Secure your messages by encrypting them with PGP.
Jaas Security
16. As of Mule 3.5.0, Mule ESB can be configured to run in a FIPS 140-2 certified environment. Note that Mule does not run in FIPS security mode by default. There are two requirements:
Have a certified cryptography module installed in your Java environment
Adjust Mule ESB settings to run in FIPS security mode