question Re: The Remote Process Group has warning in an anthenticate cluster NiFi instance in Archives of Support Questions (Read Only)

The Remote Process Group has warning in an anthenticate cluster NiFi instance

zhangweigang20 — Mon, 18 Jul 2016 16:20:53 GMT

At first I distribute works in a cluster NiFi instance in perspective.(By run processor on the Primary Node only, and then use site-to-site (remote process group) to distribute that listing to all nodes in the cluster.)

Then I add User Authentication with Kerberos follow https://community.hortonworks.com/articles/34147/nifi-security-user-authentication-with-kerberos.html#

Now i want to distribute works in this secure NiFi instance.

I add the Remote Process Group with url [https://10.110.20.213:7070/nifi]. But it has warning as bellow (10.110.20.213:7070 is the web ui of my NCM, 10.110.20.215:7070 is node)

10.110.20.215:7070 Unable to connect to https://10.110.20.213:7070/nifi due to com.sun.jersey.api.client.ClientHandlerException: java.io.IOException: HTTPS hostname wrong: should be <10.110.20.213>

Where i was wrong? Thanks!

@Jobin George

Re: The Remote Process Group has warning in an anthenticate cluster NiFi instance

MattWho — Mon, 18 Jul 2016 21:52:51 GMT

NiFi secure cluster and Site-To-Site authentication is not handled by kerberos. NiFi kerberos authentication is only supported for user authentication. Secure NiFi Site-To-Site communications are still handled using TLS mutual authentication. The error you are seeing is because that TLS mutual auth is failing. The URL you are providing the Remote Process Group (RPG) is using the IP of the target NCM. The NCM is providing its public key to your nodes for autentication and that certificate does not contain the IP as its DN or as a Subject Alternative Name (SAN). So the source NiFi is saying the that the provided certificate shoudl contain 10.110.20.213 but instead it is providing something else.

If you do a verbose listing on your keystore on the NCM you will see the contents of the key. Look for CN=<some value> (This value is typically the hostname/FQDN.) Use that value in the URL you are providing your RPG. Make sure your source NiFi (In your case every Node in your NiFi cluster) can resolve that hostname to its proper IP. The other option is to get a new certificate that has the IP added to it as a SAN. Thanks,

Matt

Re: The Remote Process Group has warning in an anthenticate cluster NiFi instance

zhangweigang20 — Tue, 19 Jul 2016 10:27:17 GMT

Thanks for your advice, Matt.

I fix this problem by install certificate in my node server. And the url of RPG is set https://node1:7070/nifi. Then assign role to host1 by the nifi web UI.