question Re: add Certificates Facebook to apache nifi in Support Questions

add Certificates Facebook to apache nifi

nejmhadjmbarek — Tue, 01 Mar 2016 17:24:33 GMT

i try to use the plain HTTP endpoint of api open graph of facebook, but it support HTTPS endpoint ( authentication with access_token) , so i obliged to add certificate facebook to nifi and create a ssl context, i upload the different certificates (file PEM) that facebook use but i don't know how to configure nifi to know it( how i add to keystore and trustore), any help is appreciate.

Re: add Certificates Facebook to apache nifi

Shelton — Tue, 01 Mar 2016 21:01:34 GMT

@nejm hadj

Here is good doc surely it will help you Nifi

Let me know if it worked

Re: add Certificates Facebook to apache nifi

alopresto — Wed, 02 Mar 2016 02:49:32 GMT

@Geoffrey Shelton Ogot, that article describes how to configure certificates, a keystore, and a truststore in order to provide NiFi as an HTTPS server, and how to configure certificates for individual users to provide client authentication. It will not assist @nejm hadj in this case.

Re: add Certificates Facebook to apache nifi

alopresto — Wed, 02 Mar 2016 03:25:37 GMT

@nejm hadj, as I answered to your comment on the other question, it sounds like you need to complete the following steps:

Download the Facebook server certificate (via the browser or using openssl). $ openssl s_client -showcerts -connect graph.facebook.com:443 </dev/null
Import that certificate as a trusted certificate into a truststore file (not required in this case as explained below, but would be required if using an internal or custom organizational CA not pre-loaded in the JRE/JDK cacerts).
1. As you can see in the output of the above openssl command, the Facebook server certificate (identified by subject /C=US/ST=CA/L=Menlo Park/O=Facebook, Inc./CN=*.facebook.com) is issued by the DigiCert certificate (/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3), and that intermediate CA is in turn issued by the DigiCert Root CA (/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA). The Root CA is already present in the default Java cacerts truststore, located at $JAVA_HOME/jre/lib/security/cacerts. You can verify this by running the following command: $ keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts -alias digicerthighassuranceevrootca and comparing the SHA-1 fingerprints (also available at DigiCert's website).
Configure the PostHTTP processor to use an SSLContext which references that truststore file.
1. The truststore type is JKS.
2. The truststore location is $JAVA_HOME/jre/lib/security/cacerts.
3. The truststore password is changeit.

Re: add Certificates Facebook to apache nifi

Shelton — Wed, 02 Mar 2016 03:29:30 GMT

If I understood well that's exactly the process nejm is trying to implement import and add the facebook certificate to a keystore and truststore to nifi !

Re: add Certificates Facebook to apache nifi

alopresto — Wed, 02 Mar 2016 04:23:06 GMT

@Geoffrey Shelton Ogot My response is too long to fit here. I've posted it as a GitHub gist.

Re: add Certificates Facebook to apache nifi

Shelton — Wed, 02 Mar 2016 13:50:07 GMT

@Andy LoPresto

Surely I will have a look at that post !!

Re: add Certificates Facebook to apache nifi

nejmhadjmbarek — Wed, 02 Mar 2016 18:47:56 GMT

thank you @Andy LoPresto i follow the 3rd step without adding the Facebook server certificates and it 'is work , the PostHttp processor can support now https request but your document is very useful for me to know how i can add certificate to my trustore .

Re: add Certificates Facebook to apache nifi

omeralvi — Mon, 19 Aug 2019 12:05:48 GMT

Hi @Andy LoPresto

I am still struggling with that. Tried to add certificate to the truststore as well as you mentioned in your posts however,still getHTTP is not working. It is showing me an error in the access token which is working fine if I put that in the browser. I am yusing the template provided by github. SSL context service is also enabled.

Highly appreciate your support. Thanks.