Creating a SSL context Nifi
- Labels: Apache NiFi
Created ‎02-25-2016 09:35 AM
Hi,
I've been trying to pull data from the Facebook Graph API using NiFi. As I need to make a lot of requests, I want to be able to post a JSON to http://graph.facebook.com as explained here: https://developers.facebook.com/docs/graph-api/making-multiple-requests.
So I created a PostHTTP processor in NiFi, but it requires an SSL context.
Now I found some answers thanks to @Aldrin Piri and his answer to https://community.hortonworks.com/questions/9509/connecting-to-datasift-https-api-using-nifi.html but I still don't know how to fill the fields "Keystore Filename" and "Keystore Password".
Thank you in advance.
Created ‎02-25-2016 06:52 PM
A keystore is a protected container which holds the private keys and certificates used to identify your service (in this case NiFi) during TLS (nee SSL) communications. According to Graph API - Securing Requests, it does not appear that Facebook requires (or even provides for) you to send a client certificate to authenticate your requests. Rather, they rely on an access token in the request. Because of this, you do not need a keystore file for this SSLContext. Please note that if you wish NiFi's web interface and API to be protected by TLS, you will still need a keystore file with a privateKeyEntry in order to do that, but it is a separate issue.
You will need to add the Facebook certificate (or the CA that signed it) into your truststore, in order to allow NiFi (acting as the client) to verify the server's presented certificate.
I hope this answers your question. Please let me know if it is still unclear.
Created ‎02-25-2016 05:53 PM
Definitely not an answer but I'll leave it here: I "solved" the issue by putting the same file and password for the keystore as I had for the truststore (the ones mentioned in the questions/9509). Probably not something to do since I have absolutely no understanding of SSL, but it allowed me to move forward. I'm still interested in a real answer.
Created ‎02-25-2016 06:59 PM
This does not have a negative side effect, as there should be no sensitive keys in your truststore. However, if you tried to use this PostHTTP processor to connect to a site that did require TLS mutual auth (presenting a client certificate), you would want to ensure that the keystore and truststore files were different and the truststore did not contain the privateKeyEntry used in the keystore.
Created ‎02-26-2016 09:00 AM
@Andy LoPresto Thank you for your answer. One question to be sure: if I don't pay too much attention to security, can I use the Graph API without adding the Facebook CA into my truststore?
Created ‎02-26-2016 06:18 PM
I'm not sure why you would want to ignore this. Facebook's servers present a certificate to allow you to verify that the resource you are communicating with is, in fact, Facebook and not an imposter. This also allows encryption of all content in transit between your server and Facebook's.
If you honestly do not care about the protection of your data (and again, I would urge you to, especially considering you are communicating with Facebook, and therefore probably accessing personal information for customers/users), you can use the plain HTTP endpoint provided at http://graph.facebook.com and you won't need a truststore at all.
Created ‎02-29-2016 01:46 PM
I tried to use the plain HTTP endpoint of the Facebook Open Graph API, but it supports the HTTPS endpoint, so I am obliged to add the Facebook certificate to NiFi. I uploaded the different certificates that Facebook uses, but I don't know how to configure NiFi to know them. Any help is appreciated.
Created ‎02-29-2016 06:43 PM
@nejm hadj it sounds like you need to complete the following steps:
- Download the Facebook server certificate (via the browser or using openssl).
- Import that certificate as a trusted certificate into a truststore file.
- Configure the PostHTTP processor to use an SSLContext which references that truststore file.
As @Lubin Lemarchxnd noted above, there are explicit instructions for these steps available here.
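
The three steps listed above, together with the truststore check from the earlier reply about reusing one file as both keystore and truststore, written as a script. This is an added example, not part of the original thread; the file name server.pem, the alias facebook, the expected-fingerprint argument and passing the store password on the command line are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: server.pem, alias "facebook".

# Print the first PEM certificate (the server's own) from s_client output on stdin.
first_pem_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { on = 1 }
         on                            { print }
         /-----END CERTIFICATE-----/   { if (on) exit }'
}

# Step 1: download the certificate the server presents.
fetch_server_cert() {   # HOST PORT OUTFILE
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts \
        </dev/null 2>/dev/null | first_pem_cert > "$3"
    [ -s "$3" ]         # fail if nothing was captured
}

# SHA-256 fingerprint of a PEM certificate, as colon-separated hex.
cert_sha256() {         # CERTFILE
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Step 2: import it as a trusted certificate (creates the store if absent).
import_trusted_cert() { # CERTFILE STORE STOREPASS ALIAS
    keytool -importcert -noprompt -alias "$4" \
        -file "$1" -keystore "$2" -storepass "$3"
}

# Reads `keytool -list` output on stdin; succeeds if a PrivateKeyEntry is listed.
# A truststore should contain trustedCertEntry items only.
lists_private_key() {
    grep -q 'PrivateKeyEntry'
}

main() {                # HOST STORE STOREPASS EXPECTED_SHA256
    fetch_server_cert "$1" 443 server.pem || { echo "no certificate" >&2; return 1; }
    # s_client does not authenticate the peer here, so only import a certificate
    # whose fingerprint matches one obtained from a trusted source.
    [ "$(cert_sha256 server.pem)" = "$4" ] || { echo "fingerprint mismatch" >&2; return 1; }
    import_trusted_cert server.pem "$2" "$3" facebook || return 1
    if keytool -list -keystore "$2" -storepass "$3" | lists_private_key; then
        echo "warning: $2 holds a private key; keep keys in a separate keystore" >&2
    fi
    # Step 3: set the SSL context service's Truststore Filename to $2 and
    # Truststore Password to $3, then select that service in PostHTTP.
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```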
