Loading

Deployment Fails in Mule Runtime 4.10 with Error "KeyStore must be configured for server side SSL"

Publish Date: Nov 20, 2025
Description

SYMPTOMS:

When deploying an application to Mule Runtime 4.10 that contains a TLS configuration, the deployment fails.

The application log shows the following error message:

org.mule.runtime.deployment.model.api.DeploymentException: Failed to deploy artifact [app-name]
Caused by: org.mule.runtime.api.exception.MuleRuntimeException: org.mule.runtime.deployment.model.api.DeploymentInitException: InitialisationException: KeyStore must be configured for server side SSL in configuration 'HTTPS_Listener_config'.
Caused by: org.mule.runtime.deployment.model.api.DeploymentInitException: InitialisationException: KeyStore must be configured for server side SSL in configuration 'HTTPS_Listener_config'.
Caused by: org.mule.runtime.core.api.config.ConfigurationException: KeyStore must be configured for server side SSL in configuration 'HTTPS_Listener_config'.
 
This issue specifically affects applications that deploy successfully on Mule Runtime 4.9 or earlier but fail upon upgrading to Mule Runtime 4.10.
 
CAUSE:

This behaviour is expected in Mule Runtime 4.10 due to security enhancements regarding the updated TLS Configuration Behaviour. Link

In previous runtime versions (e.g., 4.9), it was possible to reference a KeyStore or TrustStore using an absolute path, such as ${app.home}/security/keystore.jks.

In Mule 4, and as security constraints and restrictions get stricter, it turns out that the current approach used by some customer may be accessing files from the filesystem, which in hosted environments (i.e., CloudHub) is a security risk. Therefore, the runtime no longer accepts absolute paths or references to external files (like ${app.home}) for certificate configurations in hosted infrastructure.

The same, however, is not necessarily an issue in on-premise environments since it is the customer's responsibility to manage the file system and the Mule runtime. Moreover, some customers may be placing KeyStore and TrustStore files in their servers to access them from the Mule apps deployed there.

Resolution

CloudHub 1.0/ CloudHub 2.0

To resolve this error, you must update your application configuration to use a relative path instead of an absolute path to reference the certificate.

  1. Open your project in Anypoint Studio.

  2. Locate your TLS/SSL configuration.

  3. Change the KeyStore path reference.

    • Incorrect (Mule 4.10+): ${app.home}/security/keystore.jks

    • Correct: security/keystore.jks (Ensure the file is located in src/main/resources).

  4. Redeploy the application to Mule Runtime 4.10.

On-premise/ RTF:

  1. You could either use the same step mentioned for CloudHub 1.0/ CloudHub 2.0 or add the system property mule.tlsStores.filesystemLookup.enable=true. Link
Knowledge Article Number

005228981

 
Loading
Salesforce Help | Article