MuleSoft Flex Gateway is a self-managed API gateway that organizations deploy in their own infrastructure while using Anypoint Platform for centralized management and monitoring. In connected mode, Flex Gateway maintains a persistent connection to Anypoint Platform, which synchronizes API configurations, policies, and runtime settings automatically.
The Cequence Unified API Protection (UAP) platform's passive integration for MuleSoft Flex Gateway captures API traffic from Flex Gateway without modifying request or response payloads. A WebAssembly (WASM) policy, deployed to Flex Gateway through Anypoint Exchange, intercepts each request-response pair and forwards the transaction data to the Cequence proxy application. The proxy application authenticates with the Cequence UAP platform using OAuth2 and delivers the transaction to the UAP platform for analysis.
Traffic flow
The following sequence describes how traffic moves through the integration.
- A client sends a request to an upstream service. Flex Gateway receives the request.
- Flex Gateway forwards the request to the upstream service.
- The upstream service returns a response. The WASM policy captures both the request and the response synchronously.
- The downstream client receives the response from the upstream service.
- The Cequence proxy application receives the captured payload, authenticates with the Cequence UAP platform using OAuth2, and forwards the transaction through Edge or Bridge.
- Cequence Edge or Bridge processes the transaction data and makes the data available in the Cequence UAP platform dashboards.
Known limitations
Before you begin, note the following limitations of the Cequence UAP platform's passive integration with MuleSoft Flex Gateway.
- Request and response bodies that exceed 32 KB are truncated to 32 KB. The header
cq-body-truncated: trueis added to truncated transactions. - Responses with HTTP status codes 500 and above are not captured. Only status codes 100 through 499 are forwarded to the Cequence UAP platform.
- Cequence passive policies compile into the WASM binary at deployment time. To change a policy configuration, you must rebuild and republish the policy to Anypoint Exchange.
- The Cequence proxy application must be deployed and running before you apply the WASM policy. The policy begins forwarding traffic immediately after the policy is applied.
- The gateway log level must be equal to or higher than the WASM policy log level. For example, when the WASM policy log level is set to
INFO, set the gateway log level toINFOas well. - When a payload uses content-encoding, Flex Gateway cannot log the payload. The Cequence proxy application receives a blank body when processing that transaction.
Before you start
Verify that your environment meets the following requirements before you begin the installation.
| Requirement | Details |
| MuleSoft Flex Gateway | Version 1.11.4 |
| Deployment target | Docker, Amazon EKS, or OpenShift (ROSA) |
| Cequence WASM Deploy Kit | Contains the pre-built WASM binary, publish scripts, and configuration templates. Download from the Cequence support portal. |
| Cequence client ID and client secret | Generated from the Cequence UAP management portal. See Generating a Cequence client ID and client secret. |
| Anypoint Connected App (Exchange Contributor) | Required for publishing the WASM policy to Anypoint Exchange. |
| Anypoint Connected App (API Manager Environment Administrator) | Required for the Cequence proxy application to retrieve logs from Anypoint Monitoring. |
| Anypoint client ID and client secret | From a Connected App with API Manager Environment Administrator scope. See Generating Anypoint credentials. |
| Anypoint organization ID and environment ID | See Finding your Anypoint organization ID and environment ID. |
| Perl | Available in your shell. Perl is included on Linux and macOS, and is available through Git Bash on Windows. Required by the configure-and-publish script. |
Generating a Cequence client ID and client secret
Several Cequence components must authenticate to the Cequence UAP platform to transmit and receive data. The following procedure creates the authentication credentials those components require.
- Log in to the Cequence UAP management portal. The URL has the form
https://ui.your-tenant-name.domain. - Navigate to General Settings > User Management. The User Management pane appears.
- Select the Clients tab.
- Select Add New Client. The new client dialog box appears.
- In the Client Name field, enter a name for the client. This value becomes the client ID. Record the client ID for later use.
- Enable the Traffic Management toggle.
- Optional: To change the token lifespan from the default 1800 seconds, enter a value in the Token Lifespan field.
- Select Save. A dialog box displays the client secret.
- Select the copy icon to copy the secret to the clipboard, then select Close. The client list appears.
Record the client secret. For security reasons, the Cequence UAP platform does not display this value again.
Generating Anypoint credentials
The Cequence proxy application requires a Connected App with API Manager Environment Administrator scope to retrieve logs from Anypoint Monitoring. The following procedure creates a Connected App with the required permissions and produces the anypoint_client_id and anypoint_client_secret values used later in the proxy application configuration.
- Log in to Anypoint Platform.
- From the top-right menu, select Access Management.
- In the left sidebar, select Connected Apps.
- In the Owned Apps list, select the name of your Connected App.
- On the Update App page, select App acts on its own behalf (client credentials).
- Scroll to the Scopes section and select Add Scopes.
- In the dialog, expand API Manager and select API Manager Environment Administrator.
- Select Next.
- Select your business group and the environment where your APIs are configured, then select Next.
- Review the summary, then select Add Scopes to apply.
- On the Update App page, select Save changes.
The client ID and client secret for this Connected App are the anypoint_client_id and anypoint_client_secret values used in the proxy application configuration.
Finding your Anypoint organization ID and environment ID
The proxy application configuration requires your Anypoint organization ID and environment ID. The following procedure retrieves both values from the Anypoint Platform URL.
- Log in to Anypoint Platform.
- From the top-right corner, select the gear icon, then select Access Management.
- In the right panel, select Business group, then select your organization.
- Select the Environments tab, then select your configured environment (for example, Sandbox, Prod, or Dev).
- Examine the URL in your browser's address bar. The URL has the following form:
https://anypoint.mulesoft.com/accounts/businessGroups/<organization-id>/environments/<environment-id>/edit
Record the organization ID and environment ID segments from the URL.
Integration installation
Installing the Cequence passive integration for MuleSoft Flex Gateway involves three steps: deploying the Cequence proxy application to Anypoint CloudHub, publishing the Cequence passive WASM policy to Anypoint Exchange, and applying the policy to your APIs.
Deploying the Cequence proxy application
The Cequence proxy application receives transaction data from the WASM policy, authenticates with the Cequence UAP platform, and forwards the data for analysis. Deploy the proxy application to Anypoint CloudHub before applying the WASM policy.
- Download the Cequence bundle as described in Before you start.
- Extract the bundle:
tar xvzf cequence-self-connected-flexgateway-passive.tar.gz
The extracted directory contains the proxy application JAR file (cequence-api-proxy-1.0.4-mule-application.jar), a scripts folder, and areadme.mdfile. - Log in to MuleSoft Anypoint Platform.
- From the menu bar, select Runtimes, then select Runtime Manager.
- Select Applications > Deploy Application > Deployment Target (CloudHub 2.0).
- Enter a name for the application, such as
cequence-api-proxy, and select the Cequence API Proxy JAR file to upload. -
In the Properties section, switch to Text View and enter the following properties, replacing the placeholder values with your own.
cequence_transactions_endpoint_url=https://<edge-or-bridge-fqdn>/api-transactions cequence_client_id=<your-cequence-client-id> cequence_client_secret=<your-cequence-client-secret> cequence_auth_endpoint_url=https://<auth-fqdn>/auth/realms/example/protocol/openid-connect/token cequence_enable_auth=true cequence_log_level=WARN send_to_uap=true apis_to_include=all anypoint_client_id=<your-anypoint-client-id> anypoint_client_secret=<your-anypoint-client-secret> environment=<your-environment-id> organization=<your-organization-id>
The following table describes each property.
Property Description cequence_transactions_endpoint_urlFully qualified URL of the Cequence Edge or Bridge transaction endpoint. cequence_client_idCequence client ID generated in Generating a Cequence client ID and client secret. cequence_client_secretCequence client secret generated in Generating a Cequence client ID and client secret. cequence_auth_endpoint_urlFully qualified domain name of the authentication endpoint in your Cequence UAP deployment. cequence_enable_authEnables authentication with the Cequence UAP platform. Set to truein all standard deployments.cequence_log_levelLog verbosity for the proxy application. Valid values: DEBUG,INFO,WARN. Recommended value for production:WARN.send_to_uapWhen true, forwards transactions to the Cequence UAP platform. Whenfalse, processes transactions locally only, which is useful for debugging.apis_to_includeWhen set to all, the proxy application captures traffic from all APIs. To capture specific APIs, enter a comma-separated list of API instance IDs.anypoint_client_idAnypoint Connected App client ID generated in Generating Anypoint credentials. anypoint_client_secretAnypoint Connected App client secret generated in Generating Anypoint credentials. environmentAnypoint environment ID from Finding your Anypoint organization ID and environment ID. organizationAnypoint organization ID from Finding your Anypoint organization ID and environment ID. - Select Deploy Application. The JAR file uploads and the application deploys to the MuleSoft Runtime.
- On the application page, verify that the Application Status field shows Running.
Publishing the Cequence passive policy to Anypoint Exchange
The Cequence WASM Deploy Kit includes a configure-and-publish script that patches your configuration values into the WASM binary and publishes the policy to Anypoint Exchange. Complete this step after the Cequence proxy application is running.
Step 1: Configure the deploy kit
From the extracted bundle, navigate to the deploy kit directory and create the configuration file from the provided template.
- From the extracted bundle directory, navigate to the deploy kit:
cd mulesoft_flexgateway_connected_mode_cequence_plugin/deploy-kit/ - Create the configuration file from the template:
cp env.template .env
Step 2: Edit the .env file
Open the .env file in a text editor and set the following values.
| Variable | Required | Description |
CEQUENCE_PROXY_APP_URL |
Yes | Full URL of the running Cequence proxy application deployed in Deploying the Cequence proxy application. Example: https://my-cequence-proxy.us-e2.cloudhub.io
|
CEQUENCE_CLIENT_SECRET |
Yes | Cequence client secret generated in Generating a Cequence client ID and client secret. This value is embedded in the WASM binary at publish time and must match the value set in the proxy application properties. |
CEQUENCE_LOG_LEVEL |
Yes | Controls WASM policy log verbosity. Valid values: DEBUG, INFO, WARN, ERROR. Default: INFO. This value is embedded in the binary at publish time. |
CLIENT_TAG |
No | An alphanumeric suffix appended to the policy version for Anypoint Exchange uniqueness. Exchange versions are immutable. Increment this value when you republish an updated policy. For example, after changing CEQUENCE_CLIENT_SECRET or CEQUENCE_PROXY_APP_URL, leave this field empty for the initial publish. |
anypoint_client_id |
Yes | Anypoint Connected App client ID. The Connected App must have Exchange Contributor permissions. |
anypoint_client_secret |
Yes | Anypoint Connected App client secret. |
anypoint_organization_id |
Yes | Anypoint organization ID from Finding your Anypoint organization ID and environment ID. |
anypoint_environment_id |
Yes | Anypoint environment ID from Finding your Anypoint organization ID and environment ID. |
Do not modify the POLICY_VERSION variable unless Cequence instructs you to do so.
Step 3: Run the configure-and-publish script
From the deploy-kit directory, run the following commands to make the script executable and publish the policy.
chmod +x configure-and-publish.sh ./configure-and-publish.sh
The script patches your configuration values into the WASM binary and publishes the policy to Anypoint Exchange in two steps: definition, then implementation. On success, the terminal displays output similar to the following:
=== Done === cequence-passive-policy v1.0.0 cequence-passive-policy-flex-impl v1.0.0
Step 4: Verify that the policy is on Exchange
From the deploy-kit directory, run the following command to verify that both policy artifacts are present on Anypoint Exchange.
./configure-and-publish.sh --check
On success, the terminal displays output similar to the following:
cequence-passive-policy v1.0.1-1 EXISTS cequence-passive-policy-flex-impl v1.0.0-1 EXISTS
Testing the integration
After deploying the proxy application and publishing the WASM policy, send test traffic through Flex Gateway and verify that transactions appear in the Cequence UAP platform. Because the WASM policy captures transactions synchronously, there may be a brief pipeline delay before events appear in the UAP dashboards.
- Send a request to Flex Gateway using the base path and port configured for your API. For example:
curl http://localhost:8081/<basepath>/<uri> - In the MuleSoft Anypoint portal, navigate to Runtime Manager and select the
cequence-api-proxyapplication. From the left menu, select Logs and verify that no errors appear. - In the Cequence UAP platform, open the API Discovery dashboard and verify that the endpoint appears.
Disabling the integration
To disable the Cequence passive integration, remove the WASM policy from all APIs. In the MuleSoft Anypoint portal, navigate to API Manager > Automated Policies. Locate the Cequence passive policy, select the three-dot menu, and select Remove Policy.
Removing the integration
To remove the Cequence proxy application entirely, navigate to Runtime Manager in the MuleSoft Anypoint portal. Select the cequence-api-proxy application, then select Delete from the drop-down menu at the top right of the page.
Log levels
Two separate log level settings are available in this integration: one for the WASM policy and one for the proxy application. Both settings use the same set of values.
| Value | Description |
WARN |
Logs failure events only. Recommended for production environments. |
INFO |
Logs informational events in addition to failures. |
DEBUG |
Logs detailed diagnostic output, including per-request detail. |
After setting cequence_log_level in the proxy application properties, enable the corresponding log level in the Anypoint dashboard to view the logs.
Troubleshooting
To monitor proxy application logs, navigate to the Anypoint Monitoring CloudHub settings page at https://anypoint.mulesoft.com/monitoring/#/settings/cloudhub. To gather detailed diagnostic output, set cequence_log_level to DEBUG in the proxy application properties.
Policy publish fails with HTTP 403
The Connected App used to publish the policy does not have Exchange Contributor permissions. Assign the Exchange Contributor role to the Connected App in Anypoint Platform, then run the configure-and-publish script again.
Transactions are not reaching the Cequence UAP platform
The Cequence client secret set in the proxy application properties and the client secret embedded in the WASM binary must match. If the values differ, the proxy application logs the message "Transaction was not processed." Republish the WASM policy with the correct CEQUENCE_CLIENT_SECRET value, and verify that the proxy application properties use the same value.
A policy update is not applied
Anypoint Exchange caches policy versions. Remove the existing policy from the API, then add the updated version. If the issue persists, verify that you incremented the CLIENT_TAG value in the .env file before republishing, because Exchange versions are immutable.