Support Questions

Find answers, ask questions, and share your expertise

Enabling SSL in NIFI Cluster

avatar
Contributor

I was trying to enable SSL in NIFI cluster which gives an error at NIFI UI :

Insufficient Permissions home

Untrusted proxy CN=nifiadmin, OU=NIFIrsdevhdf2.medassurant.local, OU=NIFI

I added a picture of My NIFI configuration for SSL enabling :nifi-config.png

1 ACCEPTED SOLUTION

avatar
Master Mentor

@Veerendra Nath Jasthi

Where did you get the keystore files you are using on each of your nodes from?

I suggest performing a verbose listing on your keystore ( keytool -v -list -keysrtore <keystore,jks file> )

That listing should show a single "PrivateKeyEntry" and that should then show a "Owner" and "Issuer" as below exmaple does:

Alias name: nifi-key
Creation date: Apr 19, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=nifi-sme-15.openstacklocal, OU=NIFI
Issuer: CN=nifi-sme-26.openstacklocal, OU=NIFI
Serial number: 162df02fcaf00000000
Valid from: Thu Apr 19 17:45:37 UTC 2018 until: Sun Apr 18 17:45:37 UTC 2021
Certificate fingerprints:
 MD5:  B2:B3:A8:D0:DC:E4:98:1F:53:30:A6:B4:E0:79:41:1A
 SHA1: 04:D9:3A:84:7B:75:AE:90:DD:C9:41:D3:83:1C:4F:BB:3C:18:EC:FA
 SHA256: AD:69:23:80:A1:06:1A:6C:32:A4:4C:95:B5:0E:5F:0E:AA:12:BE:DF:05:84:B8:53:27:F3:D9:46:DD:89:03:7A
 Signature algorithm name: SHA256withRSA
 Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A0 9D B4 20 80 B3 6D 31   70 2E 73 B0 7E E0 17 F9  ... ..m1p.s.....
0010: 3D 31 A1 B4                                        =1..
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]
#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  clientAuth
  serverAuth
]
#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_Encipherment
  Data_Encipherment
  Key_Agreement
]
#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: nifi-sme-15.openstacklocal
  DNSName: nifi-sme-15.openstacklocal
]
#6: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 9B 43 A1 B1 3D 9B AF B4   1B 1B 8F DA 31 D2 14 88  .C..=.......1...
0010: 4E 3E 93 A9                                        N>..
]
]

-

The "Owner" DN form each of your Nodes keystores should match the node identities you entered in your configs (case sensitive).
-
Also note that you have names every one of your entries as "Node Identity 1". You should instead have a unique number for each node identity.

-

My guess here is that maybe your keystore contains more then one "PrivateKeyEntry". Did you create a user certificate "CN=nifiadmin, OU=NIFIrsdevhdf2.medassurant.local, OU=NIFI" and import in to each of your nodes keystores?

NiFi has no way to be configured to select a specific "PrivateKeyEntry" when multiple exist in same keystore.
-
The keystore should contain only 1 "PrivateKeyEntry". It may contain many "trustedCertEntry" entries.

-

Commonly your keystore.jks will contain only the single PrivateKeyEntry and your truststore.jks will contain 1 to many "TrustedCertEntry".

-

Once you have made the necessary corrections to your keystore.jks file and/or node identity configurations, you will need to delete the users.xml and authorizations.xml files that NiFi created as they are only created once. If they already exist, they will not be updated by changes you make to node identity configurations or initial admin identities. Once you can successfully access the secured NIFi UI as your initial admin, you will add the rest of your users and se their policies directly from within the UI.

-

Thanks,

Matt

-

If you found this answer addressed your question, please take a moment to login to the forum and click "accept" on the answer.

View solution in original post

17 REPLIES 17

avatar
Master Mentor

@Veerendra Nath Jasthi

You are so very very close. Remember how i commented above that the DN string must match exactly?

Your admin DN is:

CN=nifiadmin, OU=NIFI

But you entered the following as your Initial Admin Identity:

CN=nifiadmin,OU=NIFI

Note that you are missing the space between "CN=nifiadmin," and "OU=NIFI"

-

Thanks,

Matt

avatar
Master Mentor

@Veerendra Nath Jasthi

The DN there is coming from the keystore being used by your NiFi nodes. I have no idea why the certs created for your servers all have nifiadmin in them....
...

But just like your user DN, the node identities must match exactly with what is in those server certs in the keystore..

-

<property name="Node Identity 1">CN=nifiadmin, OU=NIFIrsdevhdf1.medassurant.local, OU=NIFI</property>
<property name="Node Identity 2">CN=nifiadmin, OU=NIFIrsdevhdf2.medassurant.local, OU=NIFI/</property>
<property name="Node Identity 3">CN=nifiadmin, OU=NIFIrsdevhdf3.medassurant.local, OU=NIFI</property>

-

so you will need to edit your node identities so they match the above and once again stop NiFi, remove your users.xml and authorizations.xml files, and then start NiFi again via Ambari.

-

Thank you,
Matt

avatar
Contributor

Hi @Matt Clarke Thanks for quick response and while I was trying to keytool -v -list -keystore keystore.jks this I was getting below error:

keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect

java.io.IOException: Keystore was tampered with, or password was incorrect

and also I am new to this SSl Concept Could you please explain me the resolution little bit clear ?

avatar
Rising Star

Confirm below are done.

Encrypt Configuration Master Key Password: <password, min 12, character and numbers are must>

Sensitive property values encryption password: <password, min 10, character and numbers are must>

NiFi CA Token: <password>

Click the check box and Enable SSL

nifi.initial.admin.identity = admin

avatar
Contributor

new-nifi-ssl-config.png@Matt Clarke Below is the nifi-user.log & attached new SSl config in ambari :

2018-05-04 09:49:04,844 INFO [NiFi Web Server-22] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos ticket login not supported by this NiFi.. Returning Conflict response.

2018-05-04 09:49:04,877 INFO [NiFi Web Server-1237] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=nifiadmin, OU=NIFI) GET https://rsdevhdf3.medassurant.local:9091/nifi-api/flow/current-user (source ip: 10.5.43.133)

2018-05-04 09:49:04,880 INFO [NiFi Web Server-1237] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=nifiadmin, OU=NIFI

2018-05-04 09:49:04,897 INFO [NiFi Web Server-1237] o.a.n.w.a.c.AccessDeniedExceptionMapper CN=nifiadmin, OU=NIFI does not have permission to access the requested resource. Unknown user with identity 'CN=nifiadmin, OU=NIFI'. Returning Forbidden response.

avatar
Contributor

avatar
Contributor

@Matt Clarke I tried the changes you mentioned in the above post but still no luck.Here I have attached 3 screen shots are:

user-xml.png

ambari-config.png

nifi-user-log.png

avatar
Contributor

After changes made as above now error:

Insufficient Permission

Untrusted proxy CN=nifiadmin, OU=NIFIrsdevhdf1.medassurant.local, OU=NIFI

user-log.png

and user.xml remains same like before:

<tenants>

<groups/>

<users>

<user identifier="9309f3b0-ef41-3014-ab0a-d55b8fe43d64" identity="CN=nifiadmin, OU=NIFI"/>

<user identifier="63839f12-a44e-3191-8916-cc4b1c96d25b" identity="CN=rsdevhdf3.medassurant.local, OU=NIFI"/>

</users>

</tenants>