Wallarm Connector for MuleSoft¶
MuleSoft is an integration platform that enables seamless connectivity and data integration between services with an API gateway serving as the entry point for client applications to access APIs. Wallarm can act as a connector to secure APIs running on MuleSoft.
To use Wallarm as a connector for MuleSoft, you need to deploy the Wallarm node externally and apply the Wallarm-provided policy in MuleSoft to route traffic to the Wallarm node for analysis.
The Wallarm connector for MuleSoft supports only in-line traffic analysis:
Use cases¶
Among all supported Wallarm deployment options, this solution is the recommended one for securing APIs deployed on the MuleSoft Anypoint platform with only one policy.
Limitations¶
-
Rate limiting by the Wallarm rule is not supported.
-
Multitenancy is not supported yet.
Requirements¶
To proceed with the deployment, ensure that you meet the following requirements:
-
Understanding of the Mulesoft platform.
-
Docker installed and running on your host system.
-
You have been assigned the Mulesoft Exchange contributor's role, enabling you to upload artifacts to your organization's Mulesoft Anypoint Platform account.
-
Your Mulesoft Exchange credentials (username and password) are specified in the
<MAVEN_DIRECTORY>/conf/settings.xml
file. -
Your application and API are linked and running on Mulesoft.
-
Access to the account with the Administrator role in Wallarm Console for the US Cloud or EU Cloud.
Deployment¶
1. Deploy a Wallarm node¶
The Wallarm node is a core component of the Wallarm platform that you need to deploy. It inspects incoming traffic, detects malicious activities, and can be configured to mitigate threats.
You can deploy it either hosted by Wallarm or in your own infrastructure, depending on the level of control you require.
To deploy a Wallarm-hosted node for the connector, follow the instructions.
Choose an artifact for a self-hosted node deployment and follow the attached instructions:
- All-in-one installer for Linux infrastructures on bare metal or VMs
- Helm chart for infrastructures utilizing Kubernetes
2. Obtain and upload the Wallarm policy to Mulesoft Exchange¶
To acquire and upload the Wallarm policy to Mulesoft Exchange, follow these steps:
-
Proceed to Wallarm Console → Security Edge → Connectors → Download code bundle and download a code bundle for your platform.
If running a self-hosted node, contact sales@wallarm.com to get the code bundle.
-
Extract the policy archive.
-
Within the
pom.xml
file, specify the following:- Navigate to Mulesoft Anypoint Platform → Access Management → Business Groups → choose your organization → copy its ID.
- Specify the copied group ID in the
groupId
parameter of thepom.xml
file:
- Navigate to Mulesoft Anypoint Platform → Access Management → Business Groups → choose your organization → copy its ID.
- Specify the copied group ID in the
groupId
parameter of thepom.xml
file. - For Mulesoft instances hosted in specific regions, update the
pom.xml
file to use the corresponding regional URLs. For example, for a European instance of Mulesoft:
<?xml version="1.0" encoding="UTF-8"?> <groupId>BUSINESS_GROUP_ID</groupId> <artifactId>wallarm</artifactId> <properties> <mule.maven.plugin.version>4.1.2</mule.maven.plugin.version> <exchange.url>https://maven.eu1.anypoint.mulesoft.com/api/v1/organizations/${project.groupId}/maven</exchange.url> </properties> <distributionManagement> <repository> <id>anypoint-exchange-v3</id> <name>Anypoint Exchange</name> <url>https://maven.eu1.anypoint.mulesoft.com/api/v3/organizations/${project.groupId}/maven </url> <layout>default</layout> </repository> </distributionManagement> <repositories> <repository> <id>anypoint-exchange-v3</id> <name>Anypoint Exchange</name> <url>https://maven.eu1.anypoint.mulesoft.com/api/v3/maven</url> <layout>default</layout> </repository> </repositories>
-
Create the
conf
directory and asettings.xml
file inside it with the following content:Replace
username
andpassword
with your actual credentials:<?xml version="1.0" encoding="UTF-8"?> <settings xmlns="http://maven.apache.org/SETTINGS/1.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 http://maven.apache.org/xsd/settings-1.0.0.xsd"> <servers> <server> <id>anypoint-exchange-v3</id> <username>myusername</username> <password>mypassword</password> </server> </servers> </settings>
Generate and specify your token in the
password
parameter:<?xml version="1.0" encoding="UTF-8"?> <settings xmlns="http://maven.apache.org/SETTINGS/1.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 http://maven.apache.org/xsd/settings-1.0.0.xsd"> <servers> <server> <id>anypoint-exchange-v3</id> <username>~~~Token~~~</username> <password>01234567-89ab-cdef-0123-456789abcdef</password> </server> </servers> </settings>
-
Deploy the policy to Mulesoft using the following command:
Your custom policy is now available in your Mulesoft Anypoint Platform Exchange.
3. Attach the Wallarm policy to your API¶
You can attach the Wallarm policy to either all APIs or an individual API.
Attaching the policy to all APIs¶
To apply the Wallarm policy to all APIs using Mulesoft's Automated policy option, follow these steps:
-
In your Anypoint Platform, navigate to API Manager → Automated Policies.
-
Click Add automated policy and select the Wallarm policy from Exchange.
-
Specify an address of the Wallarm node instance including
http://
orhttps://
. -
If necessary, modify other parameters.
-
Apply the policy.
Attaching the policy to an individual API¶
To secure an individual API with the Wallarm policy, follow these steps:
-
In your Anypoint Platform, navigate to API Manager and select the desired API.
-
Navigate to Policies → Add policy and select the Wallarm policy.
-
Specify an address of the Wallarm node instance including
http://
orhttps://
. -
If necessary, modify other parameters.
-
Apply the policy.
Testing¶
To test the functionality of the deployed policy, follow these steps:
-
Send the request with the test Path Traversal attack to your API:
-
Open Wallarm Console → Attacks section in the US Cloud or EU Cloud and make sure the attack is displayed in the list.
If the Wallarm node mode is set to blocking and the traffic flows in-line, the request will also be blocked.
Updating and uninstalling¶
To update the deployed Wallarm policy, follow these steps:
-
Remove the currently deployed Wallarm policy using the Remove policy option in either the automated policy list or the list of policies applied to an individual API.
-
Add the new policy following the steps 2-3 above.
-
Restart attached applications in the Runtime Manager to apply new policy.
To uninstall the policy, simply perform the first step of the update process.
Troubleshooting¶
If the solution does not perform as expected, refer to the logs of your API by accessing Mulesoft Anypoint Platform → Runtime Manager → your application → Logs.
You can also verify whether the policy is applied to the API by navigating to your API in the API Manager and reviewing the policies applied on the Policies tab. For automated policies, you can use the See covered APIs option to view the APIs covered and the reasons for any exclusions.