question Re: Integrate NIFI , NIFI Registry in Support Questions

Integrate NIFI , NIFI Registry

DivyaKaki — Tue, 04 Aug 2020 16:52:31 GMT

Hello all,

I have HDF 3.4 cluster A with nifi and nifi registry integrated, cluster B with NIFI. both are tls/ssl secured. now I'm trying to use the cluster A NIFI registry for NIFI running on cluster B.

noticing below error when trying to version a flow from cluster B NIFI integrated with cluster A registry

I have added cluster B nifi node cert to registry users list but still same error

CN=its-nifi-node-dev-nifipoc1-01, OU=NIFI

@alim @MattWho @sunile_manjee please advice

Re: Integrate NIFI , NIFI Registry

sunile_manjee — Tue, 04 Aug 2020 17:31:45 GMT

Do you have the ssl context service setup properly?

Re: Integrate NIFI , NIFI Registry

DivyaKaki — Tue, 04 Aug 2020 21:44:11 GMT

Thanks @sunile_manjee

cluster A NIfi & Registry are managed by Ranger, working well.

hence I added cluster B nifi node cert to cluster A Ranger user and then added to Registry policy.

clusterB nifi user logs:

2020-08-04 21:40:37,824 INFO [NiFi Web Server-333] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for divya
2020-08-04 21:40:37,833 INFO [NiFi Web Server-333] o.a.n.w.a.config.NiFiCoreExceptionMapper org.apache.nifi.web.NiFiCoreException: Unable to obtain listing of buckets: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors. Returning Conflict response.

NIFI GUI exception:

any advice

Re: Integrate NIFI , NIFI Registry

DivyaKaki — Wed, 05 Aug 2020 04:43:16 GMT

@sunile_manjee

i have generated certs for bothe cluster nifi, nifi registrty using below commands

do i need to add jks from cluster A nifi to cluster B registry

sh /usr/hdf/current/nifi-toolkit/bin/tls-toolkit.sh standalone -B myTokenTouse -C 'CN=nifiadmin, OU=NIFI' -n 'nifi-pb-amb-01.its-streaming,nifi-pb-nifi-01.its-streaming,nifi-pb-nifi-02.its-streaming,nifi-pb-nifi-03.its-streaming,nifi-pb-nreg-01.its-streaming' --nifiDnPrefix 'CN=' --nifiDnSuffix ', OU=NIFI' -o /data/nifi_certs/ -K myTokenTouse -P myTokenTouse -S myTokenTouse

Re: Integrate NIFI , NIFI Registry

MattWho — Fri, 14 Aug 2020 13:37:52 GMT

@DivyaKaki

The exception implies that the complete trust chain does not exist to facilitate a successful mutual TLS handshake between this NiFI and the target NiFi-Registry.

NiFi uses the keystore and truststore configured in its nifi.properties and NiFi-Registry uses the keystore and truststore configured in its nifi-registry.properties files.

Openssl can be used to public certificates for the complete trust chain:

openssl s_client -connect <nifi-registry-hostname>:<port> -showcerts

openssl s_client -connect <nifi-hostname>:<port> -showcerts

for each public cert you will see:

Above is just example public cert from openssl command against google.com:443

You will need to make sure that every certificate in the chain when run agains NiFi UI is added to the truststore on NiFi-Registry and vice versa.

You'll need to restart NiFi and NiFi-Registry before changes to your keystore or truststore files will be read in.

Hope this helps,

Matt