This tutorial walks you through how to install and secure a NiFi Registry using client certificates. A quick example of modifying user privileges in the Registry is also included.

A video version of this tutorial can be seen here:

Note: To learn the basics of setting up an unsecured Registry and integrating with Apache NiFi see the HCC article Versioned DataFlows with Apache NiFi 1.5 and Apache NiFi Registry 0.1.0.


This tutorial was tested using the following environment and components:

  • Mac OS X 10.11.6
  • Apache NiFi Registry 0.1.0
  • Apache NiFi Toolkit 1.5.0

Secure NiFi Registry Configuration

Download & Extract Tarballs

Download the tarball for the 0.1.0 Registry release:


and the tarball for the 1.5.0 NiFi Toolkit:


Extract the tars:

 tar xzvf nifi-registry-0.1.0-bin.tar.gz
 tar xzvf nifi-toolkit-1.5.0-bin.tar.gz

Generate Configuration and Certificate Files

We will use the Apache NiFi TLS Toolkit to generate the necessary keystore, truststore, and client certificates. In this tutorial, we will create certs for two users: "sys_admin" and "test_user". The user "sys_admin" will have full access to the Registry, while "test_user" will be granted only restricted, bucket-level access.

In the directory of your NiFi Toolkit install, run the following command:

 ./bin/tls-toolkit.sh standalone -n "localhost" -C "CN=sys_admin, OU=NIFI" -o target

Note: To see the usage information for the TLS Toolkit, run: ./bin/tls-toolkit.sh standalone -h.

TLS Toolkit generates the following in the target directory:

  • localhost/ (the server-side material for the host given with -n)
  • CN=sys_admin_OU=NIFI.p12 (the client certificate and private key for "sys_admin"; the file is named after the DN with the comma and space replaced by an underscore)
  • CN=sys_admin_OU=NIFI.password (the password protecting that .p12)
  • nifi-cert.pem and nifi-key.key (the CA certificate and CA private key the toolkit generated and used to sign everything above)

The localhost directory contains:

  • keystore.jks (the server certificate and key for localhost)
  • truststore.jks (the CA certificate)
  • nifi.properties (a NiFi properties file already populated with the keystore and truststore paths, types, and passwords)

Registry Configuration

Copy the keystore and truststore to the conf directory of your Registry install.

Copy the values of the keystore and truststore properties from the nifi.properties file the toolkit generated in the localhost directory into the equivalent nifi.registry.security.* properties in the Registry's conf/nifi-registry.properties file (keystore, keystoreType, keystorePasswd, keyPasswd, truststore, truststoreType, truststorePasswd).

While you are in nifi-registry.properties, modify the HTTP and HTTPS web properties so that the Registry listens only over TLS: clear the nifi.registry.web.http.host and nifi.registry.web.http.port values, and set nifi.registry.web.https.host and nifi.registry.web.https.port to the host and port the Registry should serve on (for example localhost and 18443).

In the same Registry conf directory, modify authorizers.xml in two places. First, in the userGroupProvider section, add the "sys_admin" DN to the "Initial User Identity 1" property:

 <property name="Initial User Identity 1">CN=sys_admin, OU=NIFI</property>

Then in the accessPolicyProvider section, add the "sys_admin" DN to the "Initial Admin Identity" property:

 <property name="Initial Admin Identity">CN=sys_admin, OU=NIFI</property>

Note: During this step, it is crucial that you specify the exact DN string used when the TLS Toolkit was invoked. The Registry compares the identity it reads from the client certificate with these properties as plain strings, so a common error is entering "CN=sys_admin,OU=NIFI", which will not work because the space after the comma is missing.
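The configuration steps above (copying the TLS properties, switching the Registry to HTTPS only, and setting the initial identities in authorizers.xml) can be applied from the shell rather than by hand. The script below is an added example, not part of the original article or of the NiFi project; it assumes the NiFi Registry 0.1.0 property names and the TLS Toolkit 1.5.0 nifi.properties layout, and the HTTPS port 18443 and the constructed sample files in demo_run are choices made for this example, not values taken from the article. It also refuses a DN whose commas are not followed by a space, which is the mistake the note above warns about.

```shell
#!/bin/sh
# Added example (not from the article): apply the Registry TLS configuration from the shell.
# Assumes NiFi Registry 0.1.0 property names and the TLS Toolkit 1.5.0 nifi.properties layout.
# Port 18443 and the sample files written by demo_run are constructed for this example.

# Print the value of property $2 in properties file $1 (first match, empty if absent).
prop_get() {
  sed -n "s/^$2=//p" "$1" | head -n 1
}

# Set property $2 in file $1 to $3, replacing the existing line in place or appending one.
# Values are passed through awk -v, so backslashes inside them are treated as escapes.
prop_set() {
  awk -v k="$2" -v v="$3" '
    index($0, k "=") == 1 { print k "=" v; done = 1; next }
    { print }
    END { if (!done) print k "=" v }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Copy the keystore/truststore settings from the toolkit's nifi.properties ($1) into
# nifi-registry.properties ($2), then disable HTTP and enable HTTPS on $3:$4.
sync_registry_tls() {
  for p in keystore keystoreType keystorePasswd keyPasswd \
           truststore truststoreType truststorePasswd; do
    prop_set "$2" "nifi.registry.security.$p" "$(prop_get "$1" "nifi.security.$p")"
  done
  prop_set "$2" nifi.registry.web.http.host ""
  prop_set "$2" nifi.registry.web.http.port ""
  prop_set "$2" nifi.registry.web.https.host "$3"
  prop_set "$2" nifi.registry.web.https.port "$4"
}

# Succeed only if every comma in the DN is followed by a space, i.e. the exact form the
# TLS Toolkit produced ("CN=sys_admin, OU=NIFI"). The Registry matches identities as
# plain strings, so "CN=sys_admin,OU=NIFI" would grant admin rights to nobody.
dn_spacing_ok() {
  ! printf '%s' "$1" | grep -q ',[^ ]'
}

# Put DN $2 into both identity properties of authorizers.xml ($1).
# Assumes the stock file, where each <property> element sits on its own line.
set_initial_admin() {
  dn_spacing_ok "$2" || { echo "refusing DN without a space after a comma: $2" >&2; return 1; }
  sed -i.bak \
    -e "s|\(<property name=\"Initial User Identity 1\">\)[^<]*\(</property>\)|\1$2\2|" \
    -e "s|\(<property name=\"Initial Admin Identity\">\)[^<]*\(</property>\)|\1$2\2|" \
    "$1" && rm -f "$1.bak"
}

# Constructed sample files standing in for the real toolkit output and Registry conf.
# Prints the directory they were written to.
demo_run() {
  d=$(mktemp -d)
  cat > "$d/nifi.properties" <<'EOF'
nifi.security.keystore=./conf/keystore.jks
nifi.security.keystoreType=jks
nifi.security.keystorePasswd=sampleKeystorePw
nifi.security.keyPasswd=sampleKeystorePw
nifi.security.truststore=./conf/truststore.jks
nifi.security.truststoreType=jks
nifi.security.truststorePasswd=sampleTruststorePw
EOF
  cat > "$d/nifi-registry.properties" <<'EOF'
nifi.registry.web.http.host=
nifi.registry.web.http.port=18080
nifi.registry.web.https.host=
nifi.registry.web.https.port=
nifi.registry.security.keystore=
nifi.registry.security.keystoreType=
nifi.registry.security.keystorePasswd=
EOF
  cat > "$d/authorizers.xml" <<'EOF'
<authorizers>
    <userGroupProvider>
        <property name="Initial User Identity 1"></property>
    </userGroupProvider>
    <accessPolicyProvider>
        <property name="Initial Admin Identity"></property>
    </accessPolicyProvider>
</authorizers>
EOF
  sync_registry_tls "$d/nifi.properties" "$d/nifi-registry.properties" localhost 18443
  set_initial_admin "$d/authorizers.xml" "CN=sys_admin, OU=NIFI"
  echo "$d"
}

DEMO_DIR=$(demo_run)
cat "$DEMO_DIR/nifi-registry.properties" "$DEMO_DIR/authorizers.xml"
```

Against a real install, point sync_registry_tls at target/localhost/nifi.properties and the Registry's conf/nifi-registry.properties, and set_initial_admin at conf/authorizers.xml; the keystore paths copied over (./conf/keystore.jks, ./conf/truststore.jks) are already relative to the Registry's conf directory, which is why the keystore and truststore are copied there first.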

Add Certificate to Keychain

Double-click on the .p12 file that was generated by the TLS Toolkit. When prompted, provide the password from the .password file.


Start the Registry

In a terminal window, navigate to the directory where NiFi Registry was installed and run:

 ./bin/nifi-registry.sh start

Open Registry UI

Navigate to the Registry UI in your web browser at the HTTPS host and port you configured in nifi-registry.properties, for example https://localhost:18443/nifi-registry (Chrome used in the following examples):


When the browser asks which client certificate to present to the site, select the "sys_admin" cert:


When prompted, enter your "login" keychain password:


You should now be able to view the Registry UI as the "CN=sys_admin, OU=NIFI" user:


Registry Administration

The "sys_admin" user has full access to the registry. Here are some examples of administration functions immediately available.

Bucket Creation

Select the Settings icon in the top right corner of the screen. In the Buckets window that appears, select the "New Bucket" button.


In the dialog that appears, enter the bucket name "ABC" and select the "Create" button.


The "ABC" bucket is created:


User Administration

Select "Users" at the top of the UI to access the user administration area of the Registry:


Select the pencil icon next to the "CN=sys_admin, OU=NIFI" user. This will open a side nav that shows the Special Privileges and group Membership:


You can see that the "sys_admin" was given all special privileges as the Initial Admin Identity (IAI). The privileges for the IAI are not editable. Let's create a second user to see how bucket access can be restricted by modifying these privileges.

Second User Creation

Close the side nav and select the "Add User" button.


Enter "CN=test_user, OU=NIFI" in the Identity field and select the "Add" button:


The "CN=test_user, OU=NIFI" user is created:


Second User Certificate

Next we need a client certificate for "test_user".

Return to the directory of your NiFi Toolkit installation and run:

 ./bin/tls-toolkit.sh standalone -C "CN=test_user, OU=NIFI" -o target

Note: The output directory must again be target so that the toolkit reuses the CA certificate and key (nifi-cert.pem and nifi-key.key) already in that directory. A client certificate issued by a freshly generated CA would not chain to the CA in the Registry's truststore and the TLS handshake would fail.

TLS Toolkit generates the following additional files in the target directory:

  • CN=test_user_OU=NIFI.p12 (the client certificate and private key for "test_user")
  • CN=test_user_OU=NIFI.password (the password protecting that .p12)

Add the .p12 cert to the Keychain as described earlier. However, choose a different browser this time to access the UI (Safari in the following examples):


Add the client certificate to the browser:


You should now be able to view the Registry UI as the "CN=test_user, OU=NIFI" user:


You can see that "test_user" has no access to Settings.

Return to the Chrome browser where "sys_admin" is the user. Give "test_user" read-only bucket privileges:


Return to the Safari browser where "test_user" is the user. Reload the browser. Select the Settings icon which is now available. The ABC bucket is now visible, but note that the Action to delete the bucket is not enabled, which is consistent with the privileges given to this user:


Additional Help

If you would like to learn more about NiFi Registry functionality and working with versioned flows in NiFi, see the following articles:

Or documentation:
