Support Questions

ask_bill_brooks · ‎01-22-2020

How to Generate Certs to secure 3 node nifi cluster and configs

All, I am new to nifi and started to secure nifi

can some share how to generate certs using toolkit standalone

Do I need to generate certs on all nodes

node1.xyz.com

node2.xyz.com

node3.xyz.com

I understand initial admin identity but what is

Node Identity for 3 nodes i have to update in authorizers.xml file

DivyaKaki · ‎02-03-2020

Hi @MattWho one last question

since i have generated certs as per hostnames with proper cn & san..

to configure truststore, do i need to merge the truststore.jks generated for both the hosts or can i use one truststore for both hosts?

sh /opt/nifi-toolkit-1.9.2/bin/tls-toolkit.sh standalone -B mypasswd -C 'CN=nifiadmin, OU=NIFI' -n 'ip-10-175-12x-xx.abc.com,ip-10-175-12x-xxx.abc.com' --nifiDnPrefix 'CN=' --nifiDnSuffix ', OU=NIFI' -o /tmp/certs_divya/ -K mypasswd -P mypasswd -S mypasswd

-rw-------. 1 root root 3437 Feb 3 04:46 CN=nifiadmin_OU=NIFI.p12
-rw-------. 1 root root 29 Feb 3 04:46 CN=nifiadmin_OU=NIFI.password
drwx------. 2 root root 71 Feb 3 04:46 ip-10-175-12x-xxx.abc.com
drwx------. 2 root root 71 Feb 3 04:46 ip-10-175-12x-xxx.abc.com
-rw-------. 1 root root 1200 Feb 3 04:46 nifi-cert.pem
-rw-------. 1 root root 1675 Feb 3 04:46 nifi-key.key

View solution in original post

MattWho · ‎02-04-2020

@DivyaKaki

Since all your certificates have been signed by the same CA, the truststore used by all nodes only needs to contain the public cert for that one CA.

Thanks,

Matt

View solution in original post

DivyaKaki · ‎02-03-2020

Hi @MattWho one last question

since i have generated certs as per hostnames with proper cn & san..

to configure truststore, do i need to merge the truststore.jks generated for both the hosts or can i use one truststore for both hosts?

sh /opt/nifi-toolkit-1.9.2/bin/tls-toolkit.sh standalone -B mypasswd -C 'CN=nifiadmin, OU=NIFI' -n 'ip-10-175-12x-xx.abc.com,ip-10-175-12x-xxx.abc.com' --nifiDnPrefix 'CN=' --nifiDnSuffix ', OU=NIFI' -o /tmp/certs_divya/ -K mypasswd -P mypasswd -S mypasswd

-rw-------. 1 root root 3437 Feb 3 04:46 CN=nifiadmin_OU=NIFI.p12
-rw-------. 1 root root 29 Feb 3 04:46 CN=nifiadmin_OU=NIFI.password
drwx------. 2 root root 71 Feb 3 04:46 ip-10-175-12x-xxx.abc.com
drwx------. 2 root root 71 Feb 3 04:46 ip-10-175-12x-xxx.abc.com
-rw-------. 1 root root 1200 Feb 3 04:46 nifi-cert.pem
-rw-------. 1 root root 1675 Feb 3 04:46 nifi-key.key

MattWho · ‎02-04-2020

@DivyaKaki

Since all your certificates have been signed by the same CA, the truststore used by all nodes only needs to contain the public cert for that one CA.

Thanks,

Matt

DivyaKaki · ‎02-18-2020

@MattWho really appreciate you for educating me on this. Thanks!

Cloudera Community

Support Questions

How to Generate Certs to secure 3 node nifi cluster and configs

Creating a 3 node NiFi cluster using Vagrant and V...

HDF 2.0 Secure 3 Node Development Cluster in Docke...

HDF 2.x - Adding a new NiFi Node to an existing se...

3 Node Cluster, Nodes Disconnect

Offload NiFi Cluster Nodes using the NiFi Toolkit ...

HDF 2.0 and Beyond - Integrating Secured NiFi with...

secured nifi cluster must import a cert to browser...

Demystify Knox, LDAP, SSL, CA Cert integration

HDFS Balancer (3): Cluster Balancing Algorithm

3 Nodes Hadoop Cluster