https://community.cloudera.com/t5/Archives-of-Support-Questions/Creating-a-SSL-context-Nifi/m-p/158313#M20913 <P>Definetly not an answer but i'll leave it here : i "solved" the issue by putting the same file and password for the keystore than i had for the truststore (the ones mentionned in the questions/9509). Probably not something to do since i have absolutly no understanding of SSL but it allowed me to move forward.. I'm still interested in a real answer.</P> Fri, 26 Feb 2016 01:53:46 GMT lubinlemarchand 2016-02-26T01:53:46Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Creating-a-SSL-context-Nifi/m-p/158312#M20912 <P>Hi,</P><P>I've been trying to pull data from the facebook graph api using nifi. As i need to make a lot of request, i want to be able to post a json to <A href="http://graph.facebook.com" target="_blank">http://graph.facebook.com</A> as explained here <A href="https://developers.facebook.com/docs/graph-api/making-multiple-requests" target="_blank">https://developers.facebook.com/docs/graph-api/making-multiple-requests</A>.</P><P>So i created a PostHTTP processor on NiFi but it requires a SSL context. </P><P>Now i found some answers thanks to <A rel="user" href="https://community.cloudera.com/users/361/apiri.html" nodeid="361">@Aldrin Piri</A> and his answer to <A href="https://community.hortonworks.com/questions/9509/connecting-to-datasift-https-api-using-nifi.html" target="_blank">https://community.hortonworks.com/questions/9509/connecting-to-datasift-https-api-using-nifi.html</A> but i still don't know how to fill the fields "Keystore Filename" and "Keystore Password".</P><P>Thank you in advance.</P> Thu, 25 Feb 2016 17:35:08 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Creating-a-SSL-context-Nifi/m-p/158312#M20912 lubinlemarchand 2016-02-25T17:35:08Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Creating-a-SSL-context-Nifi/m-p/158313#M20913 <P>Definetly not an answer but i'll leave it here : i "solved" the issue by putting the same file and password for the keystore than i had for the truststore (the ones mentionned in the questions/9509). Probably not something to do since i have absolutly no understanding of SSL but it allowed me to move forward.. I'm still interested in a real answer.</P> Fri, 26 Feb 2016 01:53:46 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Creating-a-SSL-context-Nifi/m-p/158313#M20913 lubinlemarchand 2016-02-26T01:53:46Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Creating-a-SSL-context-Nifi/m-p/158314#M20914 <P> Hi <A rel="user" href="https://community.cloudera.com/users/2855/lubinlemarchand.html" nodeid="2855">@Lubin Lemarchand</A>, </P> The <CODE>keystore</CODE> is a protected container which holds the private keys and certificates used to identify your service (in this case NiFi) during TLS (nee SSL) communications. According to <A target="_blank" href="https://developers.facebook.com/docs/graph-api/securing-requests">Graph API - Securing Requests</A>, it does not appear that Facebook requires (or even provides for) you to send a client certificate to authenticate your requests. Rather, they rely on an access token in the request. Because of this, you do not need a keystore file <EM>for this <CODE>SSLContext</CODE></EM>. Please note that if you wish NiFi's web interface and API to be protected by TLS, you will still need a keystore file with a <CODE>privateKeyEntry</CODE> in order to do that, but it is a separate issue. <P> You will need to add the Facebook certificate (or the CA that signed it) into your truststore, in order to allow NiFi (acting as the client) to verify the server's presented certificate. </P> <P> I hope this answers your question. Please let me know if it is still unclear. </P> Fri, 26 Feb 2016 02:52:32 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Creating-a-SSL-context-Nifi/m-p/158314#M20914 alopresto 2016-02-26T02:52:32Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Creating-a-SSL-context-Nifi/m-p/158315#M20915 <P> This does not have a negative side effect, as there should be no sensitive keys in your <CODE>truststore </CODE> </P><P> This does not have a negative side effect, as there should be no sensitive keys in your <CODE>truststore</CODE>. However, if you tried to use this <CODE>PostHTTP</CODE> processor to connect to a site that did require TLS mutual auth (presenting a client certificate), you would want to ensure that the <CODE>keystore</CODE> and <CODE>truststore</CODE> files were different and the <CODE>truststore</CODE> did not contain the <CODE>privateKeyEntry</CODE> used in the <CODE>keystore</CODE></P> Fri, 26 Feb 2016 02:59:59 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Creating-a-SSL-context-Nifi/m-p/158315#M20915 alopresto 2016-02-26T02:59:59Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Creating-a-SSL-context-Nifi/m-p/158316#M20916 <P><A rel="user" href="https://community.cloudera.com/users/595/alopresto.html" nodeid="595">@Andy LoPresto</A> Thank you for your answer, one question to be sure : if i don't pay too much attention to security, can i use the graph api without adding the Facebook CA into my trustore?</P> Fri, 26 Feb 2016 17:00:38 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Creating-a-SSL-context-Nifi/m-p/158316#M20916 lubinlemarchand 2016-02-26T17:00:38Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Creating-a-SSL-context-Nifi/m-p/158317#M20917 <P>I'm not sure why you would want to ignore this. Facebook's servers present a certificate to allow you to verify that the resource you are communicating with is, in fact, Facebook and not an imposter. This also allows encryption of all content in transit between your server and Facebook's. </P><P>If you honestly do not care about the protection of your data (and again, I would urge you to, especially considering you are communicating with Facebook, and therefore probably accessing personal information for customers/users), you can use the plain HTTP endpoint provided at <A href="http://graph.facebook.com">http://graph.facebook.com</A> and you won't need a truststore at all. </P> Sat, 27 Feb 2016 02:18:44 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Creating-a-SSL-context-Nifi/m-p/158317#M20917 alopresto 2016-02-27T02:18:44Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Creating-a-SSL-context-Nifi/m-p/158318#M20918 <A rel="user" href="https://community.cloudera.com/users/595/alopresto.html" nodeid="595">@Andy LoPresto</A> <P>i try to use the plain http endpoind of api open graph of facebook but it support https endpoint so i obliged to add certificate facebook to nifi , i upload th different certificate that facebook use but i don't know how to configure nifi to know it,any help is apreciate</P> Mon, 29 Feb 2016 21:46:08 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Creating-a-SSL-context-Nifi/m-p/158318#M20918 nejmhadjmbarek 2016-02-29T21:46:08Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Creating-a-SSL-context-Nifi/m-p/158319#M20919 <P><A rel="user" href="https://community.cloudera.com/users/2068/nejmhadjmbarek.html" nodeid="2068">@nejm hadj</A> it sounds like you need to complete the following steps:</P><OL><LI>Download the Facebook server certificate (via the browser or using openssl).</LI><LI>Import that certificate as a trusted certificate into a truststore file.</LI><LI>Configure the PostHTTP processor to use an SSLContext which references that truststore file. </LI></OL><P>As <A rel="user" href="https://community.cloudera.com/users/2855/lubinlemarchand.html" nodeid="2855">@Lubin Lemarchxnd</A> noted above, there are explicit instructions for these steps available <A target="_blank" href="https://community.hortonworks.com/questions/9509/connecting-to-datasift-https-api-using-nifi.html">here</A>. </P> Tue, 01 Mar 2016 02:43:06 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Creating-a-SSL-context-Nifi/m-p/158319#M20919 alopresto 2016-03-01T02:43:06Z