Support Questions

Find answers, ask questions, and share your expertise

Generate Browser Certificate for NiFi login Error: Token does not meet minimum size of 16 bytes

avatar
Contributor

I am getting an error - "Token does not meet minimum size of 16 bytes" while generating a browser certificate for NiFi login. I tried to modify "NiFi CA Token" (nifi.toolkit.tls.token) to 20 characters - "Centos$168Centos$168" but still in vain. Which token is it? Or, my JAVA_HOME didn't set it correctly. Any suggestions?

My Environment (only listed relevance):

HDP-3.1.0.0 (3.1.0.0-78)
NiFi 1.7.0
Kerberized with AD (Win 2012R2) 

My commands (Ran from Ambari server which is running NiFi):

wget http://localhost:8080/resources/common-services/NIFI/1.0.0/package/archive.zip
unzip archive.zip
export JAVA_HOME=/usr/jdk64/jdk1.8.0_112
./files/nifi-toolkit-*/bin/tls-toolkit.sh client -c $(hostname -f) -D "CN=hadoopadmin, OU=LAB.HORTONWORKS.NET" -p 10443 -t Centos$168 -T pkcs12

Error:

2019/02/07 09:07:28 INFO [main] org.apache.nifi.toolkit.tls.commandLine.BaseTlsToolkitCommandLine: Command line argument --keyStoreType=pkcs12 only applies to keystore, recommended truststore type of JKS unaffected.
2019/02/07 09:07:28 INFO [main] org.apache.nifi.toolkit.tls.service.client.TlsCertificateAuthorityClient: Requesting new certificate from hdp311.lab.hortonworks.net:10443
Service client error: java.security.GeneralSecurityException: Token does not meet minimum size of 16 bytes.
4 REPLIES 4

avatar
Master Mentor

@Howchoy

Can you try something like it worked when I tried setting up once I have tweaked it a bit Iif I remember it needed 13 characters

export JAVA_HOME=/usr/jdk64/jdk1.8.0_112 
./files/nifi-toolkit-*/bin/tls-toolkit.sh client -c $(hostname -f)-D "CN=hadoopadmin, OU=LAB.HORTONWORKS.NET"-p 10443-t Welcome2018nifihdf3 -T pkcs12

Please let me know

avatar
Master Mentor

@Howchoy

You have 2 threads open for the same issue

https://community.hortonworks.com/questions/239915/untrusted-proxy-in-kerberized-nifi.html

Can you validate that the solution I gave earlier worked for the password generation because I see in the new thread you seem to have successfully generated the password if so please accept the answer and close the old thread?

f you found this answer addressed your question, please take a moment to log in and click the "accept" link on the answer.

avatar
Contributor

Thank you for your reply.

Yes, it's working now. I changed my commands as below - I added the escape in front of the $.

export JAVA_HOME=/usr/jdk64/jdk1.8.0_112
./files/nifi-toolkit-*/bin/tls-toolkit.sh client -c $(hostname -f) -D "CN=hadoopadmin, OU=LAB.HORTONWORKS.NET" -p 10443 -t "Centos\$168Centos\$168" -T pkcs12

So the 16-byte is the parameter -t, not NiFi CA Token. 🙂

Thank you again.

Cheers,

avatar
Master Mentor

@Howchoy

Nice to know it worked but the real issue is that the tookit.sh interprets the $ sign as a special character that's the reason you MUST use an escape character for it to work and the length of more than 13 characters.

I am sure if you tried "Ce\$18C" it won't work either.