https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-access-kerberos-NIFI-cluster-with-nifi-api-of-python/m-p/113908#M46837 <P>According to <A target="_blank" href="https://docs.python.org/2/library/httplib.html#httplib.HTTPSConnection">Python documentation</A>, using key_file and cert_file is deprecated, they recommend you pass in a context (one that has been configured by calling <A target="_blank" href="https://docs.python.org/2/library/ssl.html#ssl.SSLContext.load_cert_chain">load_cert_chain</A>). You'll need a certfile and a keyfile there too, which you can get using various openssl commands (assuming you have openssl installed). For example, to export a client secret key from a PKCS12 keystore to a PEM file:</P><PRE>openssl pkcs12 -in CN=&lt;something_you_typed&gt;_OU=Apache NiFi.p12 -nodes -nocerts -out client.key</PRE><P>Or to export a server private key from a JKS keystore to a PEM file:</P><PRE>keytool -importkeystore -srckeystore &lt;keystore.jks&gt; -destkeystore keystore.p12 -deststoretype PKCS12 openssl pkcs12 -in keystore.p12 -nodes -nocerts -out nifi.key</PRE><P>Or to export a CA cert from a JKS keystore to a PEM file:</P><PRE>keytool -export -alias &lt;your_alias&gt; -file ca.der -keystore &lt;truststore.jks&gt; openssl x509 -inform der -in ca.der -out ca.pem</PRE> Mon, 21 Nov 2016 23:14:43 GMT mburgess 2016-11-21T23:14:43Z https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-access-kerberos-NIFI-cluster-with-nifi-api-of-python/m-p/113907#M46836 <P>HI,</P><P> We have a kerberos enabled FDT cluster, I want to access the nifi api through https of python. But I cannot got it.</P><P>I don't know how to put the parameter, self.key, and self.cert: how to get the private key, and the certificate chain.</P><PRE> httplib.HTTPSConnection(host,key_file=self.key,cert_file=self.cert,timeout=timeout) </PRE><P> there is my https config</P><P><A href="https://community.cloudera.com/legacyfs/online/attachments/9672-nifi-cofig.png">nifi-cofig.png</A></P><P>Could you give me any point. Thanks.</P><P>Paul</P> Mon, 21 Nov 2016 20:49:58 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-access-kerberos-NIFI-cluster-with-nifi-api-of-python/m-p/113907#M46836 Paul Yang 2016-11-21T20:49:58Z https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-access-kerberos-NIFI-cluster-with-nifi-api-of-python/m-p/113908#M46837 <P>According to <A target="_blank" href="https://docs.python.org/2/library/httplib.html#httplib.HTTPSConnection">Python documentation</A>, using key_file and cert_file is deprecated, they recommend you pass in a context (one that has been configured by calling <A target="_blank" href="https://docs.python.org/2/library/ssl.html#ssl.SSLContext.load_cert_chain">load_cert_chain</A>). You'll need a certfile and a keyfile there too, which you can get using various openssl commands (assuming you have openssl installed). For example, to export a client secret key from a PKCS12 keystore to a PEM file:</P><PRE>openssl pkcs12 -in CN=&lt;something_you_typed&gt;_OU=Apache NiFi.p12 -nodes -nocerts -out client.key</PRE><P>Or to export a server private key from a JKS keystore to a PEM file:</P><PRE>keytool -importkeystore -srckeystore &lt;keystore.jks&gt; -destkeystore keystore.p12 -deststoretype PKCS12 openssl pkcs12 -in keystore.p12 -nodes -nocerts -out nifi.key</PRE><P>Or to export a CA cert from a JKS keystore to a PEM file:</P><PRE>keytool -export -alias &lt;your_alias&gt; -file ca.der -keystore &lt;truststore.jks&gt; openssl x509 -inform der -in ca.der -out ca.pem</PRE> Mon, 21 Nov 2016 23:14:43 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-access-kerberos-NIFI-cluster-with-nifi-api-of-python/m-p/113908#M46837 mburgess 2016-11-21T23:14:43Z https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-access-kerberos-NIFI-cluster-with-nifi-api-of-python/m-p/113909#M46838 <P>Thanks for your response.</P><P>For me I cannot got the first step of client secret key, there is not CN&lt;something_you_typed&gt;_OU=ApacheNiFi.p12</P><P>file , I just do the second step : </P><PRE>keytool -importkeystore -srckeystore &lt;keystore.jks&gt; -destkeystore keystore.p12 -deststoretype PKCS12 openssl pkcs12 -in keystore.p12 -out nifi-01.pem -nodes </PRE><P>So I put the nifi-01.pem to :</P><PRE>conn=httplib.HTTPSConnection('nifi-test01.beta1.fn', 9091, key_file=None, cert_file="nifi-01.pem") </PRE><P>and it works. </P><P>BTW , I really don't need to put username and password and I can access the rest get api. </P><P>Of course, I did not to use post or delete api, is it the correct behavior?</P><P>Thanks again.</P> Tue, 22 Nov 2016 15:00:10 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-access-kerberos-NIFI-cluster-with-nifi-api-of-python/m-p/113909#M46838 Paul Yang 2016-11-22T15:00:10Z