Archives of Support Questions (Read Only)

This is an archived board for historical reference. Information and links may no longer be available or relevant

How do I set up a secure NiFi cluster using the real cert I bought instead of a self-generated one?

New Member

I am following the below procedure but I don't see how I can apply the Cert that I bought.

http://bryanbende.com/development/2016/08/17/apache-nifi-1-0-0-authorization-and-multi-tenancy

1 ACCEPTED SOLUTION


Mark,

The certificate you purchased from a certificate authority will identify the NiFi application. Depending on the format it is in (likely a *.key file containing the private key which never left your computer and a *.pem or *.der file containing the corresponding public key, which was then signed via a CSR (Certificate Signing Request) sent to the CA), you will need to build the following files:

  • Keystore
    • This will contain the private key and public key certificate with the issuing CA's public certificate in a chain (as a privateKeyEntry) [see example output below]
  • Truststore
    • This will contain the public key of your client certificate (if using one) in order to authenticate you as a user connecting to the UI/API.

Alternate example using keytool:

  1. You generate a public/private keypair using the Java keytool:

    $ keytool -genkey -alias nifi -keyalg RSA -keysize 2048 -keystore keystore.jks

  2. You then export a certificate signing request which you send to the certificate authority (-certreq takes no -keyalg option; the algorithm is fixed by the key generated in step 1):

    $ keytool -certreq -alias nifi -file nifi.csr -keystore keystore.jks

  3. You will get a CSR file nifi.csr which you send to the CA, and they provide a signed public certificate (and the public certificate of the CA) back as cert_from_ca.pem:

    $ keytool -import -trustcacerts -alias nifi -file cert_from_ca.pem -keystore keystore.jks

Here is a link to the full steps I ran (I ran my own CA in another terminal to simulate the actions of the external CA) and the resulting output.

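The same procedure as a runnable script, added here as an example and not part of Andy's post or the NiFi project: it builds the keystore (private key + issued cert + CA chain as one entry) and the truststore (CA certificates only) from a CA-issued certificate, then checks both before they go anywhere near nifi.properties. Assumptions that are mine, not the page's: the key is nifi.key, the issued cert nifi.pem, the CA chain ca-chain.pem, the hostname nifi.example.com, and the passwords shown; the demo_ca and ca_sign functions stand in for the commercial CA so the whole flow runs offline, and with a purchased certificate you skip them and drop your CA's files in their place. One caveat that the keytool steps above do not spell out: importing the CA's reply under the key's alias only succeeds if keytool can already build the chain, so a CA that is not in the JDK's cacerts must be imported first under its own alias (or you build the PKCS12 directly with openssl, as below).

```shell
#!/bin/sh
# Added example (not from the original post): build NiFi's keystore and truststore from a
# CA-issued certificate and verify them. File names, hostname and passwords are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"
HOST="nifi.example.com"   # the name clients connect to; it must appear in the cert's SAN

# Stand-in for the external CA (constructed for the demo). A purchased cert replaces this.
demo_ca() {
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\nprompt=no\n[dn]\nCN=Demo Root CA\n[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$WORK/ca.cnf"
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca-chain.pem" 2>/dev/null
}

# Local step: private key plus CSR. The key never leaves this host; only nifi.csr goes to the CA.
make_csr() {
  printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=%s\n' "$HOST" > "$WORK/csr.cnf"
  openssl req -new -config "$WORK/csr.cnf" -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/nifi.key" -out "$WORK/nifi.csr" 2>/dev/null
}

# CA step (simulated): sign the CSR. The SAN is what browsers and cluster peers match against.
ca_sign() {
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$HOST" > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/nifi.csr" -CA "$WORK/ca-chain.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/ext.cnf" -out "$WORK/nifi.pem" 2>/dev/null
}

# Keystore: key, issued cert and CA chain in ONE PrivateKeyEntry (alias nifi). A key without
# its chain is the usual cause of "unable to find valid certification path" at handshake time.
build_keystore() {
  openssl pkcs12 -export -name nifi -inkey "$WORK/nifi.key" -in "$WORK/nifi.pem" \
    -certfile "$WORK/ca-chain.pem" -out "$WORK/keystore.p12" -passout pass:keystorepass
}

# Truststore: CA certificates only, never a private key. Built with keytool because Java only
# treats cert-only PKCS12 bags as trustedCertEntry when they carry keytool's trust attribute.
build_truststore() {
  keytool -importcert -noprompt -alias ca -file "$WORK/ca-chain.pem" \
    -keystore "$WORK/truststore.p12" -storetype PKCS12 -storepass truststorepass >/dev/null 2>&1
}

# Checks worth running before editing nifi.properties: entry type, chain length, trust anchor,
# that the leaf really verifies against the CA, and that the SAN carries the hostname.
verify_stores() {
  ks=$(keytool -list -v -keystore "$WORK/keystore.p12" -storepass keystorepass 2>/dev/null)
  echo "$ks" | grep -q 'Entry type: PrivateKeyEntry' || return 1
  echo "$ks" | grep -q 'Certificate chain length: 2' || return 1
  keytool -list -keystore "$WORK/truststore.p12" -storepass truststorepass 2>/dev/null \
    | grep -q trustedCertEntry || return 1
  openssl verify -CAfile "$WORK/ca-chain.pem" "$WORK/nifi.pem" >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORK/nifi.pem" -noout -text 2>/dev/null | grep -q "DNS:$HOST"
}

# nifi.properties lines that point at the stores (property names as used in NiFi's config file).
nifi_properties() {
  cat <<EOF
nifi.security.keystore=$WORK/keystore.p12
nifi.security.keystoreType=PKCS12
nifi.security.keystorePasswd=keystorepass
nifi.security.keyPasswd=keystorepass
nifi.security.truststore=$WORK/truststore.p12
nifi.security.truststoreType=PKCS12
nifi.security.truststorePasswd=truststorepass
EOF
}

build_all() { demo_ca && make_csr && ca_sign && build_keystore && build_truststore && verify_stores; }

if [ "${1:-}" = "run" ]; then
  build_all && nifi_properties
fi
```

Run it as `sh build-stores.sh run`. Keep the truststore limited to the CAs whose client certificates you actually want to accept; a truststore that contains a large public root bundle lets anyone with a certificate from those roots reach the authentication step. Note also that the PKCS12 produced by a current OpenSSL uses newer encryption defaults which older JDK 8 and 11 patch levels cannot read; if keytool reports it cannot open keystore.p12, rebuild it with a JDK-compatible cipher or a newer JDK.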

4 REPLIES

New Member

@Andy LoPresto

Hi Andy, thank you so much for your help. I understand the certificates much better now, and when to use the TLS Generation Toolkit and what to use for a prod environment. I am running into a user permission issue. Shall I ask on the same thread or shall I create a new question? Thanks for the help, Andy!


Mark, I'm glad the answer helped you. You should open a new question for the user permission issue and I will take a look.
