Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

How to set NIFI Security Configuration

Labels:
avatar
author-rank 1164798488
Contributor

Created ‎05-15-2017 08:12 AM

I used 'bin/tls-toolkit.sh standalone -n localhost' to generate the localhost folder and copy three files, keystore.jks truststore.jks nifi.properties,into the nifi conf.

After start up the nifi, the background log shows 'https://localhost:9443/nifi successfully start'.

When I open the browser, it shows

This site can’t provide a secure connection

localhost didn’t accept your login certificate, or one may not have been provided.

  • Try contacting the system admin.

ERR_BAD_SSL_CLIENT_AUTH_CERT

What's wrong with it?

Thank you!

5,286 Views
0 Kudos
2 REPLIES 2

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎05-15-2017 12:16 PM

@frank chen

The CN for your certificate should match the FQDN of the server where you installed NiFi. Using localhost in a certificate is never a good idea from a security standpoint. Alternatively you can create a certificate that uses SAN names. These SAN names should be DNS resolvable hostnames (With a SAN entry that matches the FQDN of the server the CN does not then need to contain the FQDN. While it is possible to add a security exception in your browser for this bad server cert, you will not be able to do this should you standup a NiFi cluster where the nodes talk securely to one another.

I suggest using the toolkit to generate a certificate that uses the servers FQDN as both its CN and as a Subject Alternative Name (SAN) DNS entry.

That aside, where did you get your user certificate that is being used to authenticate you as a user to access NiFi? You can use the tls-tookit to create a user certificate as well which you will need to load in your browser. Alternatively, you could configure NiFi to use an external LDAP server or kerberos for user authentication.

When you access a secured NiFi instance/cluster URL, the server looks for a valid user certificate it can trust in the request. If no client cert is presented to authenticate with, NiFi will check to see fi any other authentication method has been configured in NiFi. If none have been configured the connection is closed.

So your issue is one of the following:

1. Your browser is not have a client (user) certificate loaded to pass to NIFi for authentication.

2. You have a user certificate but it is not trusted by your NiFi instance/cluster. The entries in the NiFi truststore.jks are used to trust the client certificates presented. The keystore typically includes a bunch Certificate authority (CA) trustedCertEntries. It may also contain the public keys of self-signed certificates as trustedCertEntries.

If you found this answer addressed your question, please don't forget to mark it "accepted".

Thank you,

Matt

3,633 Views

avatar
author-rank ashok_kumar
Contributor

Created ‎07-25-2018 10:03 AM

@frank I also faced this issue. Once i added my certificate to keychain, it worked.

3,633 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements