Created on 04-17-2018 05:23 AM - edited 08-17-2019 07:43 PM
Hi all,
Been struggling with this problem for days, any hints please?
I'm using 4 desktop servers and NiFi is installed on all of them.
I configured NiFi for ssl authentication and I'm using the NiFi Certificate Authority to generate the certificates.
Problem 1: when I set nifi.web.https.host to the default value, i.e. {{nifi_node_ssl_host}}, and try to open the NiFi UI, the web page does not load or does not respond.
When I set it to 0.0.0.0, the UI web page responds, but I get an error as below.
My NiFi CA is host digitata69.digitata.com and I generated the certificates with the following commands:

[root@digitata66 temp]# export JAVA_HOME=/usr/lib/jvm/jre-1.8.0-openjdk-1.8.0.161-0.b14.el7_4.x86_64
[root@digitata66 temp]# ./files/nifi-toolkit-*/bin/tls-toolkit.sh client -c digitata69.digitata.com -D 'CN=nifiadmin, OU=digitata.com' -p 10443 -t 1digitata23 -T pkcs12
2018/04/17 07:19:50 INFO [main] org.apache.nifi.toolkit.tls.commandLine.BaseTlsToolkitCommandLine: Command line argument --keyStoreType=pkcs12 only applies to keystore, recommended truststore type of JKS unaffected.
2018/04/17 07:19:50 INFO [main] org.apache.nifi.toolkit.tls.service.client.TlsCertificateAuthorityClient: Requesting new certificate from digitata69.digitata.com:10443
2018/04/17 07:19:51 INFO [main] org.apache.nifi.toolkit.tls.service.client.TlsCertificateSigningRequestPerformer: Requesting certificate with dn CN=nifiadmin,OU=digitata.com from digitata69.digitata.com:10443
2018/04/17 07:19:51 INFO [main] org.apache.nifi.toolkit.tls.service.client.TlsCertificateSigningRequestPerformer: Got certificate with dn CN=nifiadmin, OU=digitata.com
[root@digitata66 temp]
My users.xml file seems to be correct? See below. Also, what is with the space between the "," and "OU"? Is that needed or not? Some of the tutorials say yes, it is needed, some say not. In this case I generated it with the space.

[root@digitata66 temp]# cat /var/lib/nifi/conf/users.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identifier="7b8918a1-c807-3c82-825c-45a9ed044b4a" identity="CN=nifiadmin, OU=digitata.com"/>
        <user identifier="ad1dcdc4-8e55-3cac-af34-57bcd85f8d11" identity="CN=digitata67, OU=digitata.com"/>
        <user identifier="ff183b49-fd1d-3588-90d3-1cfb8067a277" identity="CN=digitata66, OU=digitata.com"/>
        <user identifier="a412e41e-66d0-3dc3-8e86-ea6dcb6d6e28" identity="CN=digitata68, OU=digitata.com"/>
        <user identifier="d814e1d2-2d9f-31ac-8d73-9a18ff282ed2" identity="CN=digitata69, OU=digitata.com"/>
    </users>
</tenants>
[root@digitata66 temp]
I copied the certificate to my local machine and imported it. If I look at the log files, I can see the authentication is successful:

2018-04-17 07:42:27,249 WARN [main] o.a.n.a.util.IdentityMappingUtil Identity Mapping property nifi.security.identity.mapping.pattern.kerb was found, but was empty
2018-04-17 07:42:27,250 WARN [main] o.a.n.a.util.IdentityMappingUtil Identity Mapping property nifi.security.identity.mapping.pattern.dn was found, but was empty
2018-04-17 07:46:03,888 INFO [NiFi Web Server-120] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos ticket login not supported by this NiFi.. Returning Conflict response.
2018-04-17 07:46:03,934 INFO [NiFi Web Server-120] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: OpenId Connect is not configured.. Returning Conflict response.
2018-04-17 07:46:03,952 INFO [NiFi Web Server-24] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=nifiadmin, OU=digitata.com) GET https://digitata66.digitata.com:9091/nifi-api/flow/current-user (source ip: 172.28.103.205)
2018-04-17 07:46:03,960 INFO [NiFi Web Server-24] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=nifiadmin, OU=digitata.com
Any ideas please?
My NiFi configuration is as follows:
Bigger picture
Am I not understanding the setup correctly? I saw some posts saying that NiFi 1.5 does have problems, but I have not seen any reported problems for this particular issue.
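An added example, not part of the original post or of NiFi itself, to illustrate the "space after the comma" question above. NiFi compares the identity it authenticated (the certificate DN as it appears in the log, after any nifi.security.identity.mapping.* rules) with the identity strings in users.xml as plain strings, so "CN=nifiadmin, OU=digitata.com" and "CN=nifiadmin,OU=digitata.com" are two different users. The script below loads the users.xml listing from the post (embedded as a constructed copy), reports whether a DN matches exactly, only after whitespace normalization, or not at all, and approximates how a nifi.security.identity.mapping.pattern.dn / value.dn pair rewrites a DN (the mapping function is my own reimplementation of that behaviour, not NiFi code; the regex in the usage section is a constructed example value).

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the users.xml listing shown in the post above.
USERS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identifier="7b8918a1-c807-3c82-825c-45a9ed044b4a" identity="CN=nifiadmin, OU=digitata.com"/>
        <user identifier="ad1dcdc4-8e55-3cac-af34-57bcd85f8d11" identity="CN=digitata67, OU=digitata.com"/>
        <user identifier="ff183b49-fd1d-3588-90d3-1cfb8067a277" identity="CN=digitata66, OU=digitata.com"/>
        <user identifier="a412e41e-66d0-3dc3-8e86-ea6dcb6d6e28" identity="CN=digitata68, OU=digitata.com"/>
        <user identifier="d814e1d2-2d9f-31ac-8d73-9a18ff282ed2" identity="CN=digitata69, OU=digitata.com"/>
    </users>
</tenants>
"""


def load_identities(xml_text):
    """Return the identity attribute of every <user> element in users.xml."""
    root = ET.fromstring(xml_text)
    return [user.get("identity") for user in root.iter("user")]


def normalize_dn(dn):
    """Canonical form used only for diagnosis: split on unescaped commas,
    strip whitespace around each RDN, upper-case the attribute type.
    NiFi itself does NOT normalize; this only tells us whether a mismatch
    is purely cosmetic."""
    rdns = re.split(r"(?<!\\),", dn)
    parts = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().upper()}={value.strip()}")
    return ",".join(parts)


def find_match(cert_dn, identities):
    """Classify how an authenticated DN relates to the users.xml identities.

    Returns ("exact", identity) when NiFi would recognise the user,
    ("whitespace-only mismatch", identity) when the only difference is
    spacing/case of attribute names (the typical ', OU=' vs ',OU=' problem),
    or ("no match", None)."""
    for identity in identities:
        if identity == cert_dn:
            return ("exact", identity)
    wanted = normalize_dn(cert_dn)
    for identity in identities:
        if normalize_dn(identity) == wanted:
            return ("whitespace-only mismatch", identity)
    return ("no match", None)


def apply_identity_mapping(dn, pattern, value):
    """Approximation of nifi.security.identity.mapping.pattern.<name> /
    nifi.security.identity.mapping.value.<name>: if the whole DN matches the
    regex, the value template's $1, $2, ... are replaced by the capture
    groups; otherwise the DN is passed through unchanged.
    (Hypothetical reimplementation for illustration, not NiFi's code.)"""
    match = re.fullmatch(pattern, dn)
    if not match:
        return dn
    return re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))), value)


if __name__ == "__main__":
    ids = load_identities(USERS_XML)
    for dn in ("CN=nifiadmin, OU=digitata.com",   # DN as logged in the post
               "CN=nifiadmin,OU=digitata.com",    # same DN without the space
               "CN=someoneelse, OU=digitata.com"):
        print(f"{dn!r:40} -> {find_match(dn, ids)}")
    # Constructed example mapping: keep only the CN so that spacing in the
    # rest of the DN no longer matters for the users.xml lookup.
    print(apply_identity_mapping("CN=nifiadmin, OU=digitata.com",
                                 r"^CN=(.*?), OU=(.*?)$", "$1"))
```

Run it against your own users.xml and the DN printed by NiFiAuthenticationFilter: an "exact" result means the user lookup should succeed and any remaining error is on the authorization side (policies), whereas a "whitespace-only mismatch" means the string in users.xml or the identity mapping needs to be made identical to what the log shows.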
Created on 04-18-2018 09:14 AM - edited 08-17-2019 07:42 PM
Some more questions:
It seems that OU=NIFI is hardcoded; I see this when I look at the certificate. Even if I set the FQDN to something else, the certificate seems to come back with OU=NIFI?
Do you need a certificate for the user and for the server, i.e. are there 2 certificates to be imported?
When you run a clustered NiFi operation, is the UI that you use one specific server? IOW, at the moment I have 4 NiFi Quick Links from which I can open the GUI, but seeing that all the flows etc. should be the same, should there only be one? So here you would only specify the "master" or entry GUI server?
Any document links that work would be appreciated please!