Intercept Mirth Connect Administrator with Charles Proxy

I recently needed to see exactly what the Mirth Connect Administrator was communicating to the server, so I fired up my trusty Charles Proxy and turned on the HTTP and SOCKS proxies (HTTPS is all that is actually needed).

I was able to see the web traffic going from the admin to the server; however, it was all SSL encrypted. In a browser or even a Java application this is easy to fix with these instructions.

But there was a problem...

Mirth Connect Administrator runs as a JNLP, so the version of Java that it runs is a little difficult to figure out. It is probably not one of the JRE or JDK versions you have installed for local use.

The first thing you will need to do is figure out exactly which Java installation is being used. The best way to do this is to open the Mirth Connect Administrator JNLP as you normally would and log in.
Then open a console and inspect the process:
ps -ax | grep 'Mirth Connect'
You should get something like this...

12791 ??         1:09.30 /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java -classpath  
...
Mirth Connect Administrator 3.4.1.8057 -  
...

The key is that first part; it tells you which Java installation needs to be updated:

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java

From this I was able to determine that the version of Java that Mirth was using was in

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin

and therefore the cacerts file that needed to be updated was

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/cacerts

From this point I was able to follow the instructions for trusting Charles certificates in Java from the Charles Proxy web site:

"Java Applications

You can add your Charles Root Certificate to your root certificate trust store in Java, then all Java applications will trust the certificates that Charles issues. Note that you may need to do this each time you upgrade your Java installation.

In Charles go to the Help menu and choose "SSL Proxying > Save Charles Root Certificate". Save the root certificate (as a .crt) to your desktop, or somewhere where you can easily access it in the next step.

Now find the cacerts file, it should be in your $JAVAHOME/jre/lib/security/cacerts, where JAVAHOME is your java home directory for the JVM you’re using.

Then type (substituting for JAVAHOME and DESKTOP):

keytool -import -alias charles -file DESKTOP/charles-ssl-proxying-certificate.crt -keystore JAVAHOME/jre/lib/security/cacerts -storepass changeit

(changeit is the default password on the cacerts file)

Then try:

keytool -list -keystore JAVAHOME/jre/lib/security/cacerts -storepass changeit

If you have multiple Java installations you may need to work out which ones you’re using to run your application and do this on the appropriate one. Or do it on all of your Java installations."

After this fix I restarted the Mirth Connect Administrator with a fresh JNLP file and was able to see the decrypted SSL/TLS traffic in Charles.
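The steps above (find the JVM from the process list, derive its cacerts file, then import and verify) as a shell script; this is an added example, not part of the original post or the Charles documentation. It also handles the JDK 8-style jre/ layout and prints a command for removing the Charles root afterwards; the sample ps line, the function names and the use of sudo are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): find the cacerts keystore of the
# JVM that a running JNLP application actually uses.

# Constructed sample, modelled on the `ps -ax` output shown above.
SAMPLE_PS='12791 ??  1:09.30 /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java -classpath /tmp/example.jar Mirth Connect Administrator'

# Extract the java binary from one ps line. The path contains a space
# ("Internet Plug-Ins"), so cut at the first "/bin/java " rather than on whitespace.
java_bin_from_ps() {
  _line="$1 "
  case $_line in
    */bin/java\ *) ;;
    *) return 1 ;;                  # not a java process line
  esac
  _rest="/${_line#*/}"              # drop the pid, tty and time columns
  printf '%s\n' "${_rest%%/bin/java *}/bin/java"
}

# Return the first cacerts file that exists under the JVM owning that binary.
# <home>/lib/security/cacerts is the plug-in path found above;
# <home>/jre/lib/security/cacerts is the path given in the Charles instructions.
cacerts_for_java() {
  _home=${1%/bin/java}
  for _c in "$_home/lib/security/cacerts" "$_home/jre/lib/security/cacerts"; do
    if [ -f "$_c" ]; then printf '%s\n' "$_c"; return 0; fi
  done
  return 1
}

# Print (do not run) the import, verify and cleanup commands for keystore $1
# and saved Charles root $2. "changeit" is the default password quoted above.
# sudo is an assumption: the plug-in keystore is normally owned by root.
keytool_plan() {
  printf 'sudo keytool -import -alias charles -file "%s" -keystore "%s" -storepass changeit\n' "$2" "$1"
  printf 'keytool -list -alias charles -keystore "%s" -storepass changeit\n' "$1"
  # When the debugging session is over, stop this JVM trusting Charles-issued certificates.
  printf 'sudo keytool -delete -alias charles -keystore "%s" -storepass changeit\n' "$1"
}

# Demo on the constructed sample; replace it with a line from: ps -ax | grep 'Mirth Connect'
bin=$(java_bin_from_ps "$SAMPLE_PS")
echo "java binary: $bin"
if ks=$(cacerts_for_java "$bin"); then
  keytool_plan "$ks" "$HOME/Desktop/charles-ssl-proxying-certificate.crt"
else
  echo "no cacerts file found under that JVM on this machine"
fi
```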

2017-01-27 addendum

I left off one important step. In order to get the JVM to pass traffic through the Charles Proxy you may also need to update the system proxy configuration for Java.
On macOS you do this in the Java Control Panel, which you can access via System Preferences.
In the Java Control Panel, select Network Settings, choose "Use proxy server" and point it to Address: 127.0.0.1 Port: 8888.
Note: You should be able to use the "Use browser settings" option, but I've found that this sometimes doesn't actually work for some unknown reason.