https://community.cloudera.com/t5/Archives-of-Support-Questions/Setting-StandardSSLContext-service-for-listenTCP/m-p/191188#M70946 <A rel="user" href="https://community.cloudera.com/users/595/alopresto.html" nodeid="595">@Andy LoPresto</A><P>Thanks a lot, appreciate it</P> Wed, 08 Nov 2017 21:31:18 GMT dhieru 2017-11-08T21:31:18Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Setting-StandardSSLContext-service-for-listenTCP/m-p/191185#M70943 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="43502-security-1.png" style="width: 799px;"><img src="https://community.cloudera.com/t5/image/serverpage/image-id/18435i80152FDB6C9E2F90/image-size/medium?v=v2&amp;px=400" role="button" title="43502-security-1.png" alt="43502-security-1.png" /></span></P><P>Hi All,</P><P>Thanks a lot to this aweosme community.</P><P>I am trying to set server.key and server.pem store in some directory on my nifi node using StandardSSLcontext service, the type is pkcs12.</P><P>Which property will be set here </P><P>Keystore properties or</P><P>the Truststore ones</P><P>I am confused between terminalogies any help</P><P>I do not have much idea about keys and certs</P><P>Thanks Dheeru</P> Sun, 18 Aug 2019 07:28:39 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Setting-StandardSSLContext-service-for-listenTCP/m-p/191185#M70943 dhieru 2019-08-18T07:28:39Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Setting-StandardSSLContext-service-for-listenTCP/m-p/191186#M70944 <P>I read this blog (https://bryanbende.com/development/2017/10/13/apache-nifi-tls-with-apache-solr) by <A rel="user" href="https://community.cloudera.com/users/363/bbende.html" nodeid="363">@Bryan Bende</A> and looks</P><P> like I need download the </P><UL> <LI><A href="https://www.apache.org/dyn/closer.lua?path=/nifi/1.4.0/nifi-toolkit-1.4.0-bin.tar.gz">nifi-toolkit-1.4.0-bin.tar.gz</A> ( <A href="https://www.apache.org/dist/nifi/1.4.0/nifi-toolkit-1.4.0-bin.tar.gz.asc">asc</A>, <A href="https://www.apache.org/dist/nifi/1.4.0/nifi-toolkit-1.4.0-bin.tar.gz.md5">md5</A>, <A href="https://www.apache.org/dist/nifi/1.4.0/nifi-toolkit-1.4.0-bin.tar.gz.sha1">sha1</A>, <A href="https://www.apache.org/dist/nifi/1.4.0/nifi-toolkit-1.4.0-bin.tar.gz.sha256">sha256</A> ) from</LI></UL><P><A href="https://nifi.apache.org/download.html" target="_blank">https://nifi.apache.org/download.html</A> and make a keystore or truststore or both?</P><P>Am I going in the right direction?</P><P>Thanks</P><P>Dheeru</P> Wed, 08 Nov 2017 06:45:47 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Setting-StandardSSLContext-service-for-listenTCP/m-p/191186#M70944 dhieru 2017-11-08T06:45:47Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Setting-StandardSSLContext-service-for-listenTCP/m-p/191187#M70945 <P>You need the private key and public key to be stored in a Java Keystore (*.jks) file. You can import the PEM-encoded certificate and key into this form by using the following commands:</P><PRE>openssl pkcs12 -export -in server.pem -inkey server.key -out server.p12 -name [some-alias] -chain keytool -importkeystore -deststorepass [yourpassword] -destkeypass [yourpassword] -destkeystore server.jks -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass [passwordfromabove] -alias [some-alias]</PRE><P>When creating the temporary PKCS12 keystore, make sure to provide a password at the prompt, or the Java keytool utility will not accept it. Once you have the server.jks file, populate the properties as follows:</P><UL><LI>Keystore file: path/to/server.jks</LI><LI>Keystore password: [yourpassword]</LI><LI>Key password: [yourpassword]</LI><LI>Keystore type: JKS</LI></UL><P>This will allow your NiFi instance/component to present a server certificate identifying itself and encrypt the channel. However, to connect to external HTTPS services, you will also need to provide a truststore. A truststore is a keystore file that contains only public certificates of other services to allow your system (in this case, NiFi) to trust them. If you have custom organizational certificates, you'll need to build your own truststore here. If you are just connecting to generic internet services, the JRE default should be fine:</P><UL><LI>Truststore file: /Library/Java/JavaVirtualMachines/jdk1.8.0_101.jdk/Contents/Home/jre/lib/security/cacerts (your JRE path may be different)</LI><LI>Truststore password: changeit</LI><LI>Truststore type: JKS</LI></UL> Wed, 08 Nov 2017 08:50:53 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Setting-StandardSSLContext-service-for-listenTCP/m-p/191187#M70945 alopresto 2017-11-08T08:50:53Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Setting-StandardSSLContext-service-for-listenTCP/m-p/191188#M70946 <A rel="user" href="https://community.cloudera.com/users/595/alopresto.html" nodeid="595">@Andy LoPresto</A><P>Thanks a lot, appreciate it</P> Wed, 08 Nov 2017 21:31:18 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Setting-StandardSSLContext-service-for-listenTCP/m-p/191188#M70946 dhieru 2017-11-08T21:31:18Z