<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>question Re: How should I use the SSLContext controller in a multi-tenant cluster? in Support Questions</title>
    <link>https://community.cloudera.com/t5/Support-Questions/How-should-I-use-the-SSLContext-controller-in-a-multi-tenant/m-p/212322#M174258</link>
    <description>&lt;P&gt;David,&lt;/P&gt;&lt;P&gt;I would recommend you create an &lt;CODE&gt;SSLContextService&lt;/CODE&gt; at root which only uses the truststore and ask your users to select that controller service when necessary. If they have requirements to connect to external services which require mutual authentication via TLS client certificates, you may have to create additional controller services with limited keystore access and provide those on a per-instance/user basis. If these are globally-accessible external services (aka not organizationally-signed), you could also provide a generic controller service which uses the Java CA truststore (something like &lt;CODE&gt;$JAVA_HOME/jre/lib/security/cacerts&lt;/CODE&gt; with default password "changeit"). &lt;/P&gt;</description>
    <pubDate>Sat, 02 Jun 2018 09:35:34 GMT</pubDate>
    <dc:creator>alopresto</dc:creator>
    <dc:date>2018-06-02T09:35:34Z</dc:date>
    <item>
      <title>How should I use the SSLContext controller in a multi-tenant cluster?</title>
      <link>https://community.cloudera.com/t5/Support-Questions/How-should-I-use-the-SSLContext-controller-in-a-multi-tenant/m-p/212321#M174257</link>
      <description>&lt;P&gt;The Background:&lt;/P&gt;&lt;P&gt;I have multitenant clusters. My organization has delivered me a combined truststore and keystore jks file.&lt;/P&gt;&lt;P&gt;I will have users who need to hit various external-to-nifi services using SSL/TLS. It is tempting to create an sslcontext controller service at nifi root and let all my users use this service when they need SSL. One problem with this approach that I see is that if I let all my users use the hosts' certs (keystore and truststore), they could just use a GetHTTP processor and talk to the nifi rest api with full privileges (or at least whatever privs the node has).&lt;/P&gt;&lt;P&gt;So to prevent this I figure that I should get my root CA certs into a separate truststore that is not password protected, and only use this.&lt;/P&gt;&lt;P&gt;The question:&lt;/P&gt;&lt;P&gt;Should I create an sslcontext service at the root flow with only a truststore, and ask my users to all use the same controller service? Or should I just notify my users of the path to the truststore and have them create controllers within their process groups as needed? What are the pros and cons of each approach?&lt;/P&gt;</description>
      <pubDate>Wed, 30 May 2018 03:13:12 GMT</pubDate>
      <guid>https://community.cloudera.com/t5/Support-Questions/How-should-I-use-the-SSLContext-controller-in-a-multi-tenant/m-p/212321#M174257</guid>
      <dc:creator>david_miller</dc:creator>
      <dc:date>2018-05-30T03:13:12Z</dc:date>
    </item>
    <item>
      <title>Re: How should I use the SSLContext controller in a multi-tenant cluster?</title>
      <link>https://community.cloudera.com/t5/Support-Questions/How-should-I-use-the-SSLContext-controller-in-a-multi-tenant/m-p/212322#M174258</link>
      <description>&lt;P&gt;David,&lt;/P&gt;&lt;P&gt;I would recommend you create an &lt;CODE&gt;SSLContextService&lt;/CODE&gt; at root which only uses the truststore and ask your users to select that controller service when necessary. If they have requirements to connect to external services which require mutual authentication via TLS client certificates, you may have to create additional controller services with limited keystore access and provide those on a per-instance/user basis. If these are globally-accessible external services (aka not organizationally-signed), you could also provide a generic controller service which uses the Java CA truststore (something like &lt;CODE&gt;$JAVA_HOME/jre/lib/security/cacerts&lt;/CODE&gt; with default password "changeit"). &lt;/P&gt;</description>
      <pubDate>Sat, 02 Jun 2018 09:35:34 GMT</pubDate>
      <guid>https://community.cloudera.com/t5/Support-Questions/How-should-I-use-the-SSLContext-controller-in-a-multi-tenant/m-p/212322#M174258</guid>
      <dc:creator>alopresto</dc:creator>
      <dc:date>2018-06-02T09:35:34Z</dc:date>
    </item>
  </channel>
</rss>