MiNiFi agent cannot connect to secure EFM

nur.majid — Mon, 23 May 2022 09:12:45 GMT

Hi, I've been successfully secure EFM to Keycloak server with oidc auth. But Minifi agent wont show up in EFM Dashboard. I've check both EFM and minifi log but not found any clues. Need your help.

Here my conf/efm.properties config:

# Web Server TLS Properties
efm.server.ssl.enabled=true
efm.server.ssl.keyStore=/home/efm/certs/keystore.jks
efm.server.ssl.keyStoreType=jks
efm.server.ssl.keyStorePassword=ksPasswd
efm.server.ssl.keyPassword=ksPasswd
efm.server.ssl.trustStore=/home/efm/certs/truststore.jks
efm.server.ssl.trustStoreType=jks
efm.server.ssl.trustStorePassword=changeit
efm.server.ssl.clientAuth=WANT

# User Authentication Properties
efm.security.user.auth.enabled=true
efm.security.user.auth.adminIdentities=admin
efm.security.user.auth.autoRegisterNewUsers=true
efm.security.user.auth.authTokenExpiration=12h

efm.security.user.certificate.enabled=true

efm.security.user.oidc.enabled=true
efm.security.user.oidc.issuerUri=https://keycloak.domain.com:8443/realms/efm
efm.security.user.oidc.clientId=efm
efm.security.user.oidc.clientSecret=gW23NlKxOfdsFmJMiarFNcXs454g1Zk4ZTew4
efm.security.user.oidc.scopes=profile,email
efm.security.user.oidc.usernameAttribute=email
efm.security.user.oidc.displayNameAttribute=name
efm.security.user.oidc.staticConfig.enabled=false
efm.security.user.oidc.staticConfig.authorizationUri=
efm.security.user.oidc.staticConfig.tokenUri=
efm.security.user.oidc.staticConfig.userInfoUri=
efm.security.user.oidc.staticConfig.jwkSetUri=

Minifi conf/bootstrap.conf:

# Security Properties #
# These properties take precedence over any equivalent properties specified in config.yml #
nifi.minifi.security.keystore=/home/minifi/certs/keystore.jks
nifi.minifi.security.keystoreType=jks
nifi.minifi.security.keystorePasswd=ksPasswd
nifi.minifi.security.keyPasswd=ksPasswd
nifi.minifi.security.truststore=/home/minifi/certs/truststore.jks
nifi.minifi.security.truststoreType=jks
nifi.minifi.security.truststorePasswd=changeit
nifi.minifi.security.ssl.protocol=TLSv1.2

nifi.minifi.sensitive.props.key=myEfmPassword123456
nifi.minifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
nifi.minifi.sensitive.props.provider=BC

# MiNiFi Command & Control Configuration
# C2 Properties
# Enabling C2 Uncomment each of the following options
# define those with missing options
nifi.c2.enable=true
## define protocol parameters
nifi.c2.rest.url=https://efm.domain.com:10090/efm/api/c2-protocol/heartbeat
nifi.c2.rest.url.ack=https://efm.domain.com:10090/efm/api/c2-protocol/acknowledge
## heartbeat in milliseconds. defaults to once a second
nifi.c2.agent.heartbeat.period=1000
## define parameters about your agent
nifi.c2.agent.class=java-linux
# Optional. Defaults to a hardware based unique identifier
nifi.c2.agent.identifier=ip221
## Define TLS security properties for C2 communications
nifi.c2.security.truststore.location=/home/minifi/certs/truststore.jks
nifi.c2.security.truststore.password=changeit
nifi.c2.security.truststore.type=JKS
nifi.c2.security.keystore.location=/home/minifi/certs/keystore.jks
nifi.c2.security.keystore.password=ksPasswd
nifi.c2.security.keystore.type=JKS
nifi.c2.security.need.client.auth=true

Minifi Logs:

$ tail -f logs/minifi-bootstrap.log
2022-05-23 15:15:24,241 INFO [MiNiFi Bootstrap Command Listener] o.apache.nifi.minifi.bootstrap.RunMiNiFi The thread to run Apache MiNiFi is now running and listening for Bootstrap requests on port 37443
2022-05-23 15:15:29,119 INFO [pool-2-thread-1] o.a.n.m.b.s.r.RestHeartbeatReporter Performing request to https://efm.domain.com:10090/efm/api/c2-protocol/heartbeat
2022-05-23 15:15:29,813 INFO [pool-2-thread-1] o.a.n.m.b.s.r.RestHeartbeatReporter Performing request to https://efm.domain.com:10090/efm/api/c2-protocol/heartbeat
2022-05-23 15:15:30,803 INFO [pool-2-thread-1] o.a.n.m.b.s.r.RestHeartbeatReporter Performing request to https://efm.domain.com:10090/efm/api/c2-protocol/heartbeat
2022-05-23 15:15:31,784 INFO [pool-2-thread-1] o.a.n.m.b.s.r.RestHeartbeatReporter Performing request to https://efm.domain.com:10090/efm/api/c2-protocol/heartbeat
2022-05-23 15:15:32,778 INFO [pool-2-thread-1] o.a.n.m.b.s.r.RestHeartbeatReporter Performing request to https://efm.domain.com:10090/efm/api/c2-protocol/heartbeat
2022-05-23 15:15:33,782 INFO [pool-2-thread-1] o.a.n.m.b.s.r.RestHeartbeatReporter Performing request to https://efm.domain.com:10090/efm/api/c2-protocol/heartbeat
2022-05-23 15:15:34,779 INFO [pool-2-thread-1] o.a.n.m.b.s.r.RestHeartbeatReporter Performing request to https://efm.domain.com:10090/efm/api/c2-protocol/heartbeat
2022-05-23 15:15:35,773 INFO [pool-2-thread-1] o.a.n.m.b.s.r.RestHeartbeatReporter Performing request to https://efm.domain.com:10090/efm/api/c2-protocol/heartbeat
2022-05-23 15:15:36,778 INFO [pool-2-thread-1] o.a.n.m.b.s.r.RestHeartbeatReporter Performing request to https://efm.domain.com:10090/efm/api/c2-protocol/heartbeat
2022-05-23 15:15:37,776 INFO [pool-2-thread-1] o.a.n.m.b.s.r.RestHeartbeatReporter Performing request to https://efm.domain.com:10090/efm/api/c2-protocol/heartbeat
2022-05-23 15:15:38,771 INFO [pool-2-thread-1] o.a.n.m.b.s.r.RestHeartbeatReporter Performing request to https://efm.domain.com:10090/efm/api/c2-protocol/heartbeat

EFM version efm-1.4.0.0-125

MiNiFi version minifi-0.6.0.1.3.1.0-68

References:

- Agent authentication (cloudera.com)

- https://nizan-shookroun.medium.com/install-and-configure-minifi-agents-f22a0cc09622

Re: MiNiFi agent cannot connect to secure EFM

nur.majid — Tue, 24 May 2022 03:05:47 GMT

I answer my own question. This is due to wrong user login format. It should be in email format.
Change this

efm.security.user.auth.adminIdentities=admin

efm.security.user.auth.adminIdentities=admin@domain.com

Thank you.

question Re: MiNiFi agent cannot connect to secure EFM in Support Questions

MiNiFi agent cannot connect to secure EFM

Re: MiNiFi agent cannot connect to secure EFM