Skip to main content
MuleSoft

Search

Mulesoft Integration Steps: Passive

© 2024 Cequence Security. All Rights Reserved.

Mulesoft Integration Steps: Passive

  • Updated on
  • ~ minute read
Download PDF

The Cequence Unified API Protection (UAP) platform natively integrates with the MuleSoft Anypoint API Manager by deploying a Cequence-provided custom MuleSoft policy through the MuleSoft Anypoint API Manager.

In a passive integration, a copy of each API transaction is sent asynchronously to the Cequence UAP platform.

Screen_Shot_2022-05-31_at_4.09.12_PM.png

Passive data flow:

  1. MuleSoft Runtime receives a request from downstream.
  2. The Cequence policy sits inline and captures all requests and responses that flow through the Gateway runtime (when the policy is enabled globally).
  3. The policy packages the incoming requests and responses and asynchronously sends them to a Cequence API Proxy.
  4. The Cequence API Proxy collates and processes the API request and response payload and sends the formatted transaction to the Cequence UAP platform.

Integration prerequisites

Before you integrate the Cequence UAP platform with MuleSoft, verify that your environment meets the following prerequisites:

  • MuleSoft Runtime version 4.1.1 or newer
  • Java version 8, 11, or 17
  • Maven version 3.9.6
  • Cequence UAP platform version 7.7.x or newer
  • MuleSoft HTTP Connector version 1.10.1
  • Generated client ID and secret
  • Access to the authentication and API edge endpoints from the Cequence UAP platform
  • Download the compressed file bundle that contains the required Cequence artifacts: a MuleSoft policy file, a Cequence API Proxy JAR file, and the settings.xml configuration file.
  • Cequence API Proxy deployed on CloudHub 2.0 or 1.0.

Notes:

  1. The Cequence policy must be able to communicate with the Cequence API Proxy on the auto-generated URL provided by the CloudHub runtime. When the Cequence API Proxy cannot be reached publicly, you must formulate the internal domain name and base path specific to your environment for the Cequence API Proxy.
  2. When a dedicated load balancer (DLB) distributes incoming requests to multiple CloudHub workers, the domain name and base path must be formulated accordingly for the deployed Cequence API Proxy. DLB is only available in CloudHub (not CloudHub 2.0 or on-premises).

Generating a client ID and client secret

Several Cequence components must authenticate to the Cequence UAP platform in order to transmit and receive data. Create authentication credentials in the Cequence UAP platform to enable this authentication.

  1. Log in to the UAP management portal UI.
    The URL for the management portal is typically of the form https://ui.<your-tenant-name>.<domain>. Replace <your-tenant-name> with the name of your Cequence tenant organization. Replace <domain> with your domain name.
  2. Select General Settings > User Management.
    The User Management pane appears.
  3. Click the Clients tab.
  4. Click Add New Client.
    The new client dialog box appears.
  5. Type the client name in the Client Name field.
    This name is the client ID. Note the client ID for later use.
  6. Enable the Traffic Management toggle.
  7. (Optional) To change the token lifespan from the default of 1800 seconds, type a whole number of seconds in Token Lifespan.
  8. Click Save.
    A dialog box with the client secret appears.
  9. Click the blue Copy icon to copy the secret to the clipboard, then click Close.
    The client is now set up. Note the client name for future use.
    The client list appears.
  10. Note the value of the client secret for later use. This value will not be shown again later on the UI for security reasons.

Deploying the Cequence API Proxy

  1. Download the Cequence bundle as outlined in the prerequisites.

  2. Unarchive the bundle:

    tar xvzf <bundle-name>

    The MULESOFT_BUNDLE directory contains all required Cequence artifacts: cequence-api-proxy-x.x.x-mule-application.jar, a sample settings.xml, and a main-policy-plugin directory that includes a sample pom.xml.

  3. Log in to the MuleSoft Anypoint Platform.
  4. Go to the Runtime Manager.
  5. Click Applications > Deploy Application > Deployment Target (CloudHub 2.0).
  6. Enter a name for the application, such as cequence-api-proxy, and select the Cequence API Proxy JAR file to upload to the MuleSoft Runtime.

  7. In Properties, switch to Text View and paste the following:

    cequence_transactions_endpoint_url=https://<dataplane-fqdn>/api-transactions
cequence_client_id=<Client ID>
cequence_client_secret=<Client Secret>
cequence_auth_endpoint_url=https://<auth-fqdn>/auth/realms/cequence/protocol/openid-connect/token
send_to_uap=true
cequence_log_level=WARN
cequence_listener_port=8081
cequence_pool_id=null

    Make the following substitutions:

    • <dataplane-fqdn>: The fully qualified domain name for the edge endpoint in your Cequence UAP deployment, or the FQDN for Cequence Bridge in your deployment. If the edge or Bridge endpoint is not listening on the standard HTTPS port (443), append the port number to the FQDN (for example, bridge.myinternaldomain.com:9443).
    • <auth-fqdn>: The fully qualified domain name of the auth endpoint in your Cequence UAP deployment.
    • <Client ID>: The client ID generated earlier.
    • <Client Secret>: The client secret generated earlier.

    Note: cequence_pool_id typically populates with the region or data center where the API is deployed or running. This value is null by default. When the APIs are deployed on MuleSoft CloudHub 2.0, the plugin automatically populates this field. When the plugin cannot successfully populate cequence_pool_id, it uses the value default-pool-id instead.

  8. Set the following log levels for production deployments to minimize logging to errors only:
    • Cequence Proxy API log level: WARN
    • MainPolicy log level: WARN
  9. (Optional) To enable debug logging, use the following settings. Revert to production levels after debugging is complete.
    • Cequence Proxy API log level: DEBUG
    • MainPolicy log level: WARN
  10. After configuring the properties, click Deploy Application at the bottom right of the page.
    The JAR file uploads and the application deploys to the MuleSoft Runtime.
  11. The Application Status field on the cequence-api-proxy application page shows Running once the deployment is complete.
  12. From the left menu, select Logs to view deployment process logs.
  13. From the left menu, select Dashboard to return to the application overview. After the application is deployed, a public endpoint is automatically generated and displayed in the URL field. Copy and save this endpoint for future use. The public endpoint takes a form similar to https://cequence-api-proxy-1d9hpv.5sc6y6-4.usa-e2.cloudhub.io.

Deploy the Cequence Passive Policy

  1. Edit the pom.xml file in the MULESOFT_BUNDLE/main-policy-plugin directory to update the MuleSoft Organization ID in the groupId and exchange.url elements:

    <groupId>26ff87f0-93cf-4353-811f-312cfc09fa02</groupId>
<exchange.url>https://maven.anypoint.MuleSoft.com/api/v1/organizations/26ff87f0-93cf-4353-811f-312cfc09fa02/maven</exchange.url>

    The groupId and exchange.url values are available from the Access Management dashboard. Consult your MuleSoft administrator if needed.

  2. Edit the settings.xml file in the MULESOFT_BUNDLE directory to update the credentials for your MuleSoft account. These credentials authenticate to MuleSoft to upload the Cequence policy to the MuleSoft Anypoint Exchange.

    <server>
  <id>exchange-server</id>
  <username>YOUR_USERNAME</username>
  <password>YOUR_PASSWORD</password>
</server>

  3. (Optional) When SSO is enabled in the organization, create an app called CequenceApp under Access Management > Connected Apps > Create App. After the app is created, copy the client ID and client secret and substitute them into settings.xml as shown below. Ensure the app has the appropriate scope to upload the policy to Exchange.

    <server>
  <id>exchange-server</id>
  <username>~~~Client~~~</username>
  <password>clientID~?~clientSecret</password>
</server>

  4. Run the following command from the MULESOFT_BUNDLE/main-policy-plugin directory:

    mvn clean package

    This command builds the Cequence Passive Policy JAR file in the MULESOFT_BUNDLE/main-policy-plugin/target directory. The resulting file is named cequence-passive-policy-<version>-mule-policy.jar.

  5. Run the following command from the MULESOFT_BUNDLE/main-policy-plugin directory:

    mvn clean deploy -s ../settings.xml

    This command uploads the Cequence Passive Policy JAR file to the MuleSoft Anypoint Exchange account. A BUILD SUCCESS message confirms the policy was uploaded.

  6. Confirm that the Cequence Passive Policy is available in the MuleSoft Anypoint Exchange portal. Log in to the portal, select the APIs drop-down at the top of the page, and click Exchange. On the All Assets page, search for cequence-passive-policy.

The Cequence policy is now available as an asset and is ready to be applied as either an automated policy that applies to all API proxies deployed under API Manager, or as an API-level policy applied individually to an API proxy under the API Manager.

Enable Cequence Policy Globally

To enable Cequence passive integration globally, add the policy to all APIs.

  1. Go to the API Manager section.
  2. Go to Automated Policies.
  3. Search for a custom policy, select the Cequence policy, and click Next.
  4. Click Advanced options.
  5. Paste the public API endpoint from the Deploying the Cequence API Proxy procedure, omitting the https:// prefix. Note: This field should contain only the domain name or FQDN. Do not include any base paths or URI paths; place any base path in the Cequence Proxy App URL Path field instead.
  6. Set Cequence Proxy App URL Protocol to HTTPS and Cequence Proxy App URL Port to 443 (or the port on which the Cequence API Proxy is exposed in your environment).
  7. Cequence Proxy App URL Path is optional.
  8. Set Cequence Proxy App Log level to WARN for production deployments.
  9. Enter the Cequence client secret generated earlier.
  10. In MuleSoft gateways, enter 4.1.1 in the From version field.
  11. Click Apply.

The policy is now applied.

Testing the Cequence Integration

Invoke any API endpoint to which the policy was applied. Policies applied as automated policies apply to all deployed APIs.

To view the MuleSoft logs, go to the Anypoint Platform and log in, then go to the Runtime Manager. In the Runtime Manager, choose the API, then select Logs from the left menu.

Disable the Cequence Passive Policy

To disable the Cequence policy, remove the policy from all APIs. In the API Manager section of the MuleSoft Anypoint Exchange portal, go to Automated Policies, click the three-dot menu on the right side of the policy, and select Remove Policy.

Uninstalling the Cequence Passive Policy

To uninstall the Cequence policy, first disable it by following the steps in Disable the Cequence Passive Policy.

After disabling the policy, go to the Exchange Assets section of the MuleSoft Anypoint Exchange portal and delete the Cequence Passive Policy. If multiple versions of the policy exist, ensure that all versions are deleted.

Uninstalling the Cequence API Proxy

To uninstall the Cequence API Proxy, go to the Runtime Manager section of the MuleSoft Anypoint Exchange portal. Select the Cequence API Proxy, then select Delete from the drop-down menu at the top right of the page.

Upgrading to a new version of the Cequence plugin

  1. Disable the existing Cequence policy by following the steps in Disable the Cequence Passive Policy.
  2. Remove the Cequence Passive Policy artifacts by following the steps in Uninstalling the Cequence Passive Policy.
  3. Remove the Cequence API Proxy by following the steps in Uninstalling the Cequence API Proxy.
  4. Set up the new Cequence plugin by following the steps in Deploying the Cequence API Proxy, Deploy the Cequence Passive Policy, and Enable Cequence Policy Globally.

Troubleshooting

To view the MuleSoft logs, go to the Anypoint Platform and log in, then go to the Runtime Manager. In the Runtime Manager, select cequence-api-proxy, then select Logs from the left menu.

Was this article helpful?
Japanese (Japan)