In this article I am going to review the required steps and processes to setup some NiFi SSL Context Services with modern versions of NiFi (1.20, 1.21, 2.0). In the past, nifi installations did not come installed with SSL enabled. If you were a NiFi admin and had to setup ssl, you know it was not an easy task, and could often times prevented the cluster from even being secured at all. Thanks to the wonderful team of innovators working on the Apache NiFi Project, I am happy to show the Easy Button works to install a fully secured Nifi. I will also show how to setup SSL Context Services for internal and external connection to https enabled endpoints.
First, let's do a new install of Apache NiFi 1.21. This article is not about how to do that, so fast forward to a running NiFi, lets take a look at some important details that you will find in the nifi-app.log:
Your login details:
2023-06-01 10:02:55,493 INFO [main] o.a.n.a.s.u.SingleUserLoginIdentityProvider Generated Username [9cd754fa-9ca2-49f2-a627-53934a6876d6] Generated Password [QQtZMerKoc9zmsGIT3X33OweIfm+nAd4]
Where you can find the NiFi UI:
2023-06-01 10:05:29,806 INFO [main] org.apache.nifi.web.server.JettyServer NiFi has started. The UI is available at the following URLs: 2023-06-01 10:05:29,806 INFO [main] org.apache.nifi.web.server.JettyServer https://127.0.0.1:8443/nifi
We should be able to now login to the NiFi UI on the secured host https://[nifihost]:8443 with the provided username and password. WOW: we have a user/pass to force a login right out of the box!!
Alright, now let's get started with that internal SSL Context Service. We want to create the SSL Context Service Controller Service on the root nifi canvas. This will make the ssl context service available to all our process groups. In my last article Operationalize NiFi data flows with Cloudera DataFlow , I was connecting to https://[nifihost] endpoints from within NiFi to communicate with the NiFi REST API. This process should be similar with java cacerts, or your own custom keystore(s) and truststore(s).
Let's find the SSL details used to secure NIFI in conf/nifi.properties:
# security properties # nifi.sensitive.props.key=7rOfiLY584X8nNpYMdye6p2DjwfgrvW3 nifi.sensitive.props.key.protected= nifi.sensitive.props.algorithm=NIFI_PBKDF2_AES_GCM_256 nifi.sensitive.props.additional.keys= nifi.security.autoreload.enabled=false nifi.security.autoreload.interval=10 secs nifi.security.keystore=./conf/keystore.p12 nifi.security.keystoreType=PKCS12 nifi.security.keystorePasswd=1391fbf8ada209439bd99b95432892ca nifi.security.keyPasswd=1391fbf8ada209439bd99b95432892ca nifi.security.truststore=./conf/truststore.p12 nifi.security.truststoreType=PKCS12 nifi.security.truststorePasswd=0a85b23929af71e49990916bb73e1733 nifi.security.user.authorizer=single-user-authorizer nifi.security.allow.anonymous.authentication=false nifi.security.user.login.identity.provider=single-user-provider nifi.security.user.jws.key.rotation.period=PT1H nifi.security.ocsp.responder.url= nifi.security.ocsp.responder.certificate=
Now that we have the details we need (keystore,truststore,and passwords) we can make a new SSL Context Service like this:
It is still possible to create more SSL Context Services, especially if you have self signed or custom certs attached to external endpoints you need to communicate with. To connect to most public signed certs, java's cacerts works great. This is always the first SSL Context Service I start with for connecting to public https:// endpoints.
First I need to copy cacerts to my nifi conf directory:
cp /usr/lib/jvm/java-11-openjdk-11.0.13.0.8-4.el8_5.x86_64/lib/security/cacerts /root/nifi-1.21.0/conf/
Now I can create a new SSL Context Service like this:
The cacerts password is "changeit".
In conclusion, installing a fully secured NIFI with basic user auth and SSL is now much easier than in older versions of NiFi. Additionally when setting up NiFi SSL Context Service(s) just be sure to get all the right details and they will work as expected.
If you land on this article and are still struggling with setting up your own SSL Context Service, create a new community post here and give me an @steven-matison and I will be glad to help out!!
