Mule Maven Plugin: Deploying Mule apps using stored encrypted credentials


A somewhat “hidden feature” of the Mule Maven Plugin is the ability to use stored encrypted Anypoint user credentials in deployments. Normally, when deploying an application using a deployment strategy, the user either sets plain text credentials in the application’s POM, or injects them into the plugin configuration through the command line, or sets them through a property.

As you may already know, however, storing plain text credentials is a security risk that can be exploited by attackers. In this blog, I am going to show you a safer way to store your Anypoint credentials: encrypt them with Maven 3.3.3+ password encryption, then use the encrypted credentials when deploying with the Mule Maven Plugin 2.2+.

Let’s get started!

Create a master password

1. First, you need to generate a master password. In the terminal, type: mvn --encrypt-master-password

2. You will then be prompted to type a password. This is NOT your Anypoint password: Maven uses some encryption mechanisms and a random algorithm to generate an encrypted master key based on your input. After you type the password and press Enter, Maven will generate something like this: {exr7tzh3cOwHV4qo+1tT2tusuZ8BTZB2yW9q95PmELI=}

3. Copy and paste the below code into a settings-security.xml file that can be either in the ~/.m2 folder or in a removable drive. Please note that we will cover how to use the removable drive at the end of this article.

Encrypt your Anypoint password

4. After you have generated a master password and saved it into the settings-security.xml file, you can encrypt your Anypoint password. To do that, go back to the command line and execute: mvn --encrypt-password

5. Now you can type your Anypoint password and press Enter. You will then get an encrypted version of it, which will look similar to the following: {0Z6INBmQi8IHHp5OUv5IeuFixGB/F1KocYi6HqLeaqw=}

6. Copy this output and add it, within this snippet, to the “servers” section of your settings.xml file, as shown below:

7. You should replace “myAnypointUsername” with your Anypoint username, and replace the password with your encrypted Anypoint password. Make sure to also replace MY_ANYPOINT_SERVER_ID with something more relevant.

Now, let’s set up the plugin configuration to use these credentials.

Set the plugin configuration

8. Open the project POM you want to deploy and edit the plugin configuration:

9. In the project root folder, run: mvn clean deploy -DmuleDeploy

Wait for your deployment to finish successfully, and that’s it!

Optional tip: Keep the master password in a removable drive

As you may already know, Maven’s password encryption allows you to keep the master password on a removable drive and redirect to it. If you want to do that, copy the settings-security.xml file to, for instance, a USB pen drive, at a path like /credentials/settings-security.xml.

If your removable drive mounts as /Volumes/myAnypointPenDrive, you should put the following snippet in your local ~/.m2/settings-security.xml:

Now, even if someone has physical access to the machine, it will not be possible to deploy, redeploy, or undeploy the application without having the USB pen drive. You’re safer now!
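As an added example (not code from the original post or from MuleSoft), this Python check verifies the result of steps 1 to 7 and of the removable-drive tip: every `<server>` password in settings.xml is in Maven's encrypted `{...}` form, and settings-security.xml either holds an encrypted master password or relocates to another file. The sample XML is constructed from the standard Maven file layout with the post's placeholder values; the second server entry, the combined USB path and the function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Approximation of Maven's encrypted form: base64 inside braces, not a ${property}.
ENCRYPTED = re.compile(r"(?<!\$)\{[A-Za-z0-9+/=]+\}")

def _text(parent, name):
    """Text of the first child called `name`, ignoring any XML namespace."""
    for child in parent:
        if child.tag.rsplit("}", 1)[-1] == name:
            return (child.text or "").strip()
    return ""

def unencrypted_servers(settings_xml):
    """Return ids of <server> entries whose <password> is not in encrypted form."""
    flagged = []
    for elem in ET.fromstring(settings_xml).iter():
        if elem.tag.rsplit("}", 1)[-1] != "server":
            continue
        password = _text(elem, "password")
        if password and not ENCRYPTED.search(password):
            flagged.append(_text(elem, "id"))
    return flagged

def master_location(security_xml):
    """Classify settings-security.xml as 'master', 'relocation' or 'invalid'."""
    root = ET.fromstring(security_xml)
    if _text(root, "relocation"):
        return "relocation"
    return "master" if ENCRYPTED.search(_text(root, "master")) else "invalid"

# Constructed sample files (not from the original post), using the post's placeholder values.
SETTINGS = """<settings><servers>
  <server>
    <id>MY_ANYPOINT_SERVER_ID</id>
    <username>myAnypointUsername</username>
    <password>{0Z6INBmQi8IHHp5OUv5IeuFixGB/F1KocYi6HqLeaqw=}</password>
  </server>
  <server>
    <id>constructed-plaintext-server</id>
    <password>constructed-plaintext-value</password>
  </server>
</servers></settings>"""
SECURITY_LOCAL = ("<settingsSecurity><master>{exr7tzh3cOwHV4qo+1tT2tusuZ8BTZB2yW9q95PmELI=}"
                  "</master></settingsSecurity>")
SECURITY_USB = ("<settingsSecurity><relocation>/Volumes/myAnypointPenDrive/credentials/"
                "settings-security.xml</relocation></settingsSecurity>")
if __name__ == "__main__":
    print(unencrypted_servers(SETTINGS), master_location(SECURITY_LOCAL), master_location(SECURITY_USB))
```

A clean result only means the values are stored in encrypted form; anyone who can read both settings.xml and the file holding the master password can still decrypt them, which is the exposure the removable-drive tip reduces.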

Conclusion

Keeping your Anypoint credentials encrypted is easy and can enhance the security of your system. For more information on how to deploy using the Mule Maven Plugin, please visit our documentation page. For more tips, you can also check the Maven documentation.


 

