How to access kerberos NIFI cluster with nifi api of python https

Expert Contributor

Hi,

We have a Kerberos-enabled FDT cluster, and I want to access the NiFi API over HTTPS from Python, but I cannot get it to work.

I don't know what to pass for the parameters self.key and self.cert: how do I get the private key and the certificate chain?

 httplib.HTTPSConnection(host,key_file=self.key,cert_file=self.cert,timeout=timeout)

Here is my HTTPS config:

nifi-cofig.png

Could you give me any pointers? Thanks.

Paul

1 ACCEPTED SOLUTION

Master Guru

According to the Python documentation, using key_file and cert_file is deprecated; they recommend you pass in a context (one that has been configured by calling load_cert_chain). You'll need a certfile and a keyfile there too, which you can get using various openssl commands (assuming you have openssl installed). For example, to export a client secret key from a PKCS12 keystore to a PEM file:

openssl pkcs12 -in "CN=<something_you_typed>_OU=Apache NiFi.p12" -nodes -nocerts -out client.key

Or to export a server private key from a JKS keystore to a PEM file:

keytool -importkeystore -srckeystore <keystore.jks> -destkeystore keystore.p12 -deststoretype PKCS12

openssl pkcs12 -in keystore.p12 -nodes -nocerts -out nifi.key

Or to export a CA cert from a JKS keystore to a PEM file:

keytool -export -alias <your_alias> -file ca.der -keystore <truststore.jks>

openssl x509 -inform der -in ca.der -out ca.pem


2 REPLIES 2

Expert Contributor

Thanks for your response.

For me, I cannot get the first step of the client secret key; there is no CN<something_you_typed>_OU=ApacheNiFi.p12 file. I just did the second step:

keytool -importkeystore -srckeystore <keystore.jks> -destkeystore keystore.p12 -deststoretype PKCS12
openssl pkcs12 -in keystore.p12 -out nifi-01.pem -nodes

So I put nifi-01.pem into:

conn=httplib.HTTPSConnection('nifi-test01.beta1.fn', 9091, key_file=None, cert_file="nifi-01.pem")

and it works.

BTW, I really don't need to put in a username and password, and I can access the REST GET API.

Of course, I did not use the POST or DELETE API; is this the correct behavior?

Thanks again.
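
The context-based approach the answer recommends, applied to the combined nifi-01.pem bundle from the reply, written for Python 3's http.client (the successor of httplib). This is an added example, not code from either poster: the function names are hypothetical, and it also checks that a bundle exported with -nodes, which holds the private key unencrypted, is not readable by other users.

```python
import http.client
import os
import re
import ssl
import stat

PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.M)


def pem_labels(text):
    """Labels of the PEM blocks in a bundle, in file order."""
    return PEM_BEGIN.findall(text)


def audit_bundle(path):
    """Return a list of problems with a PEM file used as client cert + key."""
    with open(path) as fh:
        labels = pem_labels(fh.read())
    keys = [lbl for lbl in labels if lbl.endswith("PRIVATE KEY")]
    problems = []
    if "CERTIFICATE" not in labels:
        problems.append("no certificate")
    if not keys:
        problems.append("no private key")
    # `openssl pkcs12 -nodes` writes the key unencrypted, so the file mode is
    # all that protects it. Only labels are checked here; legacy Proc-Type
    # encryption headers are not inspected.
    plain = [lbl for lbl in keys if not lbl.startswith("ENCRYPTED")]
    if plain and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        problems.append("unencrypted key readable by group/other")
    return problems


def nifi_context(ca_file, cert_file, key_file=None):
    """TLS context that verifies the server and presents a client cert."""
    # create_default_context enables CERT_REQUIRED and hostname checking.
    ctx = ssl.create_default_context(cafile=ca_file)
    # key_file=None means the key is read from cert_file (a combined bundle).
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def nifi_get(host, port, path, ctx, timeout=10):
    """GET a REST path over mutual TLS; returns (status, body bytes)."""
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()
```

With the files from the thread this would be `ctx = nifi_context("ca.pem", "nifi-01.pem")` followed by `nifi_get("nifi-test01.beta1.fn", 9091, "/nifi-api/flow/about", ctx)`; the REST path is an assumption, not taken from the thread.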