Providing an interface between Mule and external secure property vaults is essential in today’s environment. This is why and how we did it.
One of the most consistent challenges that companies face in today’s security-conscious environment is how to store sensitive application data outside of a source control repository, while still enabling a smooth, automated process for deploying applications. Products like CyberArk’s EPV and Microsoft’s Key Vault help companies manage application data like passwords and secrets, but how can we get Mule to interface with those products?
Our original objective was to create an interface between CyberArk’s EPV and Mule that would allow any application developer to manage a set of sensitive properties outside of standard Java property files, while still continuing to utilize Java property files for plain-text properties. Over time, we realized that this interface could be constructed as a template for other third-party products.
The EPV solution was developed in Mule 3 with the combination of a Spring configuration and a Java class that interacts with the underlying EPV agent. The EPV agent is installed on each Mule server as a daemon on the operating system and communicates, securely, with the EPV server that manages the sensitive properties.
When Mule starts, the Spring configuration is loaded and the initialization of the Java class that interacts with the agent is started. As Mule continues its initialization process, the Java class builds a separate set of properties from a developer-defined list via the EPV agent.
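The startup flow described above, as an added example that is not the authors' Mule 3 code: `SecretVault` is a hypothetical stand-in for the client that talks to the EPV agent (it is not CyberArk's API), and the property names and values are constructed. It overlays vault values for a developer-defined key list onto the plain-text properties and fails closed if a secret is missing or has leaked into the plain-text file.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.TreeSet;

public class VaultBackedProperties {
    /** Hypothetical stand-in for the vault agent client; not the CyberArk API. */
    interface SecretVault {
        String fetch(String name); // returns null when the vault has no such entry
    }

    /** Overlays vault values for the developer-defined keys onto plain-text properties. */
    static Properties load(Properties plain, List<String> sensitiveKeys, SecretVault vault) {
        Properties merged = new Properties();
        merged.putAll(plain);
        List<String> missing = new ArrayList<>();
        for (String key : sensitiveKeys) {
            // A sensitive key must never be satisfied from the plain-text file.
            if (plain.containsKey(key)) {
                throw new IllegalStateException("Sensitive key in plain-text file: " + key);
            }
            String value = vault.fetch(key);
            if (value == null) {
                missing.add(key);
            } else {
                merged.setProperty(key, value);
            }
        }
        // Fail closed at startup, naming the keys but never any secret value.
        if (!missing.isEmpty()) {
            throw new IllegalStateException("Vault returned no value for: " + missing);
        }
        return merged;
    }

    public static void main(String[] args) {
        // Constructed sample input: plain-text properties and an in-memory vault.
        Properties plain = new Properties();
        plain.setProperty("db.host", "db.internal.example");
        Map<String, String> store = new HashMap<>();
        store.put("db.password", "constructed-sample-secret");
        Properties props = load(plain, Arrays.asList("db.password"), store::get);
        // Print names only; values of sensitive keys stay out of logs.
        System.out.println("Loaded keys: " + new TreeSet<>(props.stringPropertyNames()));
    }
}
```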
<!-- Mule 4 configuration -->
With the introduction of Mule 4, the solution needed a redesign. Mule 4 utilizes custom modules built with the Mule SDK instead of loading configurations via Spring. While vastly different from the Mule 3 implementation, the Mule 4 solution is very elegant and more easily consumed by developers.
While MuleSoft has a few ways to implement a solution for securing sensitive application properties, there are other products that are much better suited to managing this data properly. By implementing custom modules that connect to third-party products like EPV and Key Vault, companies can manage application data securely and effectively.