In the previous chapter, we have learned how to deploy a Mule application, what the different deployment environments are, and how to choose your deployment environment.
There are several factors to consider when choosing a deployment model; hence, it is an important decision when building your application network.
We are also aware that APIs are responsible for carrying data/metadata and communicating with several end systems and, hence, are at a potentially high risk of being attacked. It’s important to secure your API and thereby protect your integration ecosystem. In this chapter, we shall learn about API security and the need for securing your API and Mule application.
We shall also focus on how to implement API security using MuleSoft and study several techniques with which you can secure your APIs.
We will cover the following topics in this chapter:
The requirements in this chapter are:
As we’re aware, APIs are responsible for carrying data and critical information back and forth in an integrated system. Hence, it is essential for us to have control over the information being processed and transferred by the APIs.
Let’s now understand the need for API security:
We now know the need for and the importance of API security. Let’s now see how we can secure APIs and applications, which, in turn, will secure our application network.
In this section, let’s simplify how we can achieve API security using MuleSoft.
In Figure 10.1, we can see that the application network is formed using reusable building blocks, such as Mule applications, end systems, and non-Mule applications. Here, the outer dotted line depicts the periphery of the Mule application, and the inner dotted line shows the integration between a Mule application and an external end system/non-Mule application.
Figure 10.1 – A snapshot of Anypoint Platform depicting application networks
In order to achieve total security, you can apply security regulations on any of the following:
You can implement the preceding security mechanisms in any permutation and combination as per your organizational security needs. This is also called the layered security approach in MuleSoft. It helps us to achieve zero-trust security, which means trusting no request by default and verifying every incoming and outgoing request.
We’ve now understood how to achieve total security in MuleSoft. Let’s now learn about the prime component responsible for securing our APIs, API Manager.
In Chapter 5, All About Anypoint Platform, we saw a glimpse of API Manager. Let’s now understand the prime capabilities of API Manager.
API Manager is mainly responsible for API governance, which includes tasks such as managing, securing, and governing the API. It’s a place to manage all kinds of APIs and, in turn, our Mule applications under one roof. It is in sync with other Anypoint Platform components such as Design Center, Exchange, Runtime Manager, and Anypoint Studio.
Figure 10.2 represents the default dashboard of API Manager.
Figure 10.2 – Anypoint Platform depicting the API Manager dashboard
Let’s now understand the core capabilities of API Manager.
From Figure 10.2, we can see the navigation menu on the left-hand side of the dashboard. Let’s learn in brief about each component in the menu:
Now that we’ve understood the capabilities of API Manager, let’s move ahead and understand the underlying security architecture by learning about a secure API gateway.
An API gateway acts as a gatekeeper to keep a check on incoming and outgoing requests and responses.
Learning about the secure API gateway will give you an idea of how security mechanisms are enforced in MuleSoft.
We can see the architecture of the API gateway in Figure 10.3. Let’s look at the flow of activities involved.
Figure 10.3 – The security architecture of the API gateway
With reference to Figure 10.3, let’s understand the activities involved in implementing security with the help of the API gateway:
We have now learned about the API gateway and the steps involved in securing the APIs with the API gateway.
Now, let’s learn about the most fundamental and easiest approach to securing your APIs, which is policies in MuleSoft.
Policies help you to impose security regulations, control traffic, transform data, and improve the usability of an API. It’s important to know about policies, as they are quite easy and efficient to apply. They are predefined and can also be tailored as per your organizational needs.
Let’s now learn about the out-of-the-box policies in MuleSoft. The following policies are sorted as per their categories – that is, Security, Compliance, Transformation, Quality of Service, and Troubleshooting. We will also briefly study custom policies in MuleSoft.
In this category, the policies mainly emphasize securing the API by means of authentication and authorization. Security policies protect an API from various security threats and attacks. Let’s learn about them in brief:
We have now studied several security policies that will help us to enhance API security. Let’s now learn about the different policies in the compliance category.
In this category, we mainly focus on the API being compliant with an environment and obeying the regulations. Let’s learn about the policies in the compliance category:
We have now learned about compliance-based policies. In the next section, let’s learn about the transformation policies.
Transformation policies help in modifying or enhancing metadata information:
We now understand the transformation policies. In the next section, let’s learn about the Quality of Service.
As the name suggests, Quality of Service (QoS)-based policies help you to enhance the API experience. They also help with API performance optimization. Let’s check out a few of the QoS-based policies.
Apart from these out-of-the-box policies, if your organization has other security regulations, you can design your own custom policy.
Now, let’s learn in brief about custom policies in Mule.
As is quite evident from the name itself, you can customize a security policy to match your organizational security needs.
You can write your custom policy in Anypoint Studio, package it using Maven, and publish the policy on Anypoint Exchange. The following code snippet represents the structure of a custom policy:
    <?xml version="1.0" encoding="UTF-8"?>
    <mule xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xmlns:http-policy="http://www.mulesoft.org/schema/mule/http-policy">
        <http-policy:proxy name="custom-policy-template">
            <http-policy:source>
                <http-policy:execute-next/>
            </http-policy:source>
        </http-policy:proxy>
    </mule>
Once published, you can apply the policy to your APIs using API Manager. Along with basic transformation logic, you can also add form elements such as a text box or radio button to get user input.
Apart from this, we can also combine our custom policy with the out-of-the-box Mule policies. Custom policies give you better control if you have any particular requirements.
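To make the template above concrete, here is an added example of a complete custom policy (it is not code from the book or from MuleSoft): it rejects any request that does not carry a required header and only hands compliant requests on to the next policy or the API itself via execute-next. The policy name, the header name, and the {{{headerName}}} placeholder are assumptions; the placeholder is assumed to be declared as a text-box form element in the policy’s YAML definition file, which is the mechanism for the user input mentioned above. The http-policy-transform elements follow MuleSoft’s documented policy transform module.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the book or MuleSoft: a custom policy that rejects
     requests lacking a required header before they reach the protected API. -->
<mule xmlns="http://www.mulesoft.org/schema/mule/core"
      xmlns:http-policy="http://www.mulesoft.org/schema/mule/http-policy"
      xmlns:http-transform="http://www.mulesoft.org/schema/mule/http-policy-transform"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://www.mulesoft.org/schema/mule/core http://www.mulesoft.org/schema/mule/core/current/mule.xsd
               http://www.mulesoft.org/schema/mule/http-policy http://www.mulesoft.org/schema/mule/http-policy/current/mule-http-policy.xsd
               http://www.mulesoft.org/schema/mule/http-policy-transform http://www.mulesoft.org/schema/mule/http-policy-transform/current/mule-http-policy-transform.xsd">

    <!-- {{{policyId}}} is filled in by API Manager when the policy is applied to an API instance.
         {{{headerName}}} is an assumed text-box parameter from the policy's YAML definition,
         so the operator chooses the header at configuration time (for example, a client ID header). -->
    <http-policy:proxy name="{{{policyId}}}-require-header-policy">
        <http-policy:source>
            <choice>
                <!-- Request path: the header is missing, so stop here and never call execute-next.
                     The API behind the gateway is not invoked at all for such requests. -->
                <when expression="#[attributes.headers['{{{headerName}}}'] == null]">
                    <http-transform:set-response statusCode="401">
                        <http-transform:body>#[output application/json --- {"error": "Missing required header"}]</http-transform:body>
                        <http-transform:headers>#[{'Content-Type': 'application/json'}]</http-transform:headers>
                    </http-transform:set-response>
                </when>
                <!-- Header present: pass the request to the next policy in the chain, or to the API. -->
                <otherwise>
                    <http-policy:execute-next/>
                    <!-- Response path (runs after execute-next returns): tag the response so the
                         check is visible to clients and in Runtime Manager logs during troubleshooting. -->
                    <http-transform:add-headers outputType="response">
                        <http-transform:headers>#[{'x-header-policy': 'checked'}]</http-transform:headers>
                    </http-transform:add-headers>
                </otherwise>
            </choice>
        </http-policy:source>
    </http-policy:proxy>
</mule>
```

Everything placed before execute-next runs on the incoming request, and everything after it runs on the outgoing response, which is why the rejection branch simply never reaches execute-next. Once packaged with Maven and published to Exchange, this policy appears alongside the out-of-the-box policies in API Manager and can be ordered before or after them in the policy chain.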
We now understand the different policies that we can apply to our APIs to achieve security. Let’s learn how to implement these policies and secure our APIs.
We have learned about policies, types of policies, and categories of policies. Now, let’s understand how to achieve security by applying a policy.
In this walkthrough, we shall apply a simple basic authentication policy:
Figure 10.4 – Adding a new API instance on API Manager
Figure 10.5 – Configuring runtime while adding the API instance
Figure 10.6 – Configuring the API while adding the API instance
Figure 10.7 – Configuring the API from Exchange
Figure 10.8 – Configuring the endpoint while creating the API instance
Figure 10.9 – Reviewing the API instance
You will now see a new API instance created. You can monitor and review your API performance metrics on this dashboard (see Figure 10.10).
Figure 10.10 – The API instance dashboard
We have learned about how to create an API instance in API Manager. In Figure 10.10, we can see Autodiscovery and the API ID. Let’s learn more about API Autodiscovery.
API Autodiscovery binds the application deployed in Runtime Manager with the API instance created on API Manager.
The API Autodiscovery ID is a unique ID that helps you to connect the applications deployed on Runtime Manager to API instances on the API Manager. All the policies and other configurations that we apply on our API instance will be reflected on applications deployed in Runtime Manager.
Let’s now understand how to configure API Autodiscovery.
To configure API Autodiscovery, follow these simple steps:
Figure 10.11 – Creating a new API Autodiscovery component
Figure 10.12 – Configuring the API Autodiscovery component
Figure 10.13 – Deploying your application to CloudHub
You can see in Logs that your API key ID is being logged, which is the same as the Autodiscovery ID (see Figure 10.14).
Also, the status of your API instance in API Manager will be changed to Active.
Figure 10.14 – API Autodiscovery logs in Runtime Manager
In this section, we saw how to configure the API Autodiscovery ID. In the next section, let’s see how to configure a security policy.
In the previous sections, we saw how to create an API instance and configure API Autodiscovery. Let’s now configure a security policy using API Manager with the following simple steps:
Figure 10.15 – Adding a new policy
Figure 10.16 – Selecting the Basic authentication - Simple policy
Figure 10.17 – Policy configuration
You can apply the policies across all the methods and endpoints, or you can choose a particular endpoint over which you wish to apply the policy. Currently, we’re applying it across all the API methods and resources. Once done, click Apply.
Check the configuration in Figure 10.18.
Figure 10.18 – Advanced policy configuration options
You will see that your policy was successfully created (see Figure 10.19).
If you have multiple policies, you can rearrange the order of execution.
Figure 10.19 – The Policies dashboard
Figure 10.20 – Policy details in logs in Runtime Manager
Figure 10.21 – A snapshot of Postman depicting an authentication error
You’ll get a successful response, which means that the credentials have been validated successfully and you’re authenticated.
Figure 10.22 – A snapshot of Postman depicting a successful response
This is a simple demonstration of how we can leverage the security capabilities of MuleSoft by applying policies. We can further extend these capabilities to achieve zero-trust security.
Let’s now learn more about the security capabilities of MuleSoft.
MuleSoft offers a wide range of security capabilities. Let’s learn about several of them, starting with Anypoint Enterprise Security.
In order to achieve enterprise-level security at an application level, you can install the Anypoint Enterprise Security suite. It offers you the following features to secure your Mule apps:
You can install Anypoint Enterprise Security on your Anypoint Studio to apply these capabilities.
We have learned about Anypoint Enterprise Security for Mule applications. Let’s now learn about Anypoint Security, dedicated to applications deployed over Runtime Fabric (RTF).
Anypoint Security offers a layered security approach in order to protect your APIs. It comprises the following:
Anypoint Security helps us to secure apps deployed on RTF. Let’s now learn more about Anypoint Flex Gateway, which is a capability from MuleSoft to level up API security.
MuleSoft offers three types of gateway – namely, a Mule gateway, Anypoint Flex Gateway, and Anypoint Service Mesh. Anypoint Flex Gateway is an ultra-fast gateway for managing the security capabilities of Mule and non-Mule applications.
You can extend the security capabilities of MuleSoft beyond Anypoint Platform with the help of Anypoint Flex Gateway.
You can configure Flex Gateway in one of two ways:
In order to get started, you need either a free trial account with Anypoint Platform or an Anypoint Flex Gateway subscription. You can install Flex Gateway as a Linux service, in a Docker container, or as a Kubernetes Ingress controller. Runtime Manager provides a predefined set of instructions that makes the installation and setup of Flex Gateway easy. For more information, see this article: https://developer.mulesoft.com/tutorials-and-howtos/understanding-anypoint-flex-gateway-overview-introduction/.
We have gone through several API security techniques. You can refer to the Assignments, Questions, and Answers sections at the end of this chapter to get more hands-on with API security.
In this chapter, we’ve learned about the security capabilities of MuleSoft. We have learned about different types of policies in MuleSoft and implemented a basic authentication policy.
We have also studied the API gateway, the security architecture of the API gateway, Enterprise Security, Anypoint Security, and Anypoint Flex Gateway.
In order to make your API network reliable and secure, it’s essential to have a fair understanding of API security. It is also essential to have an understanding of various ways to achieve zero-trust security, which we have learned in this chapter.
In the next chapter, we’ll learn how to test our Mule application and what the different testing tools are. We shall also study what MuleSoft has to offer when it comes to API testing.
Apply the Header Injection and Message Logging policies on an API instance. For the Header Injection policy, add a header with key = book and value = MuleSoft. Log the header using the Message Logging policy. Verify the logs in the application logs on Runtime Manager.