Support Questions

Find answers, ask questions, and share your expertise

How to set NIFI Security Configuration

avatar
Contributor

I used 'bin/tls-toolkit.sh standalone -n localhost' to generate the localhost folder and copy three files, keystore.jks truststore.jks nifi.properties,into the nifi conf.

After start up the nifi, the background log shows 'https://localhost:9443/nifi successfully start'.

When I open the browser, it shows

This site can’t provide a secure connection

localhost didn’t accept your login certificate, or one may not have been provided.

  • Try contacting the system admin.

ERR_BAD_SSL_CLIENT_AUTH_CERT

What's wrong with it?

Thank you!

2 REPLIES 2

avatar
Master Mentor

@frank chen

The CN for your certificate should match the FQDN of the server where you installed NiFi. Using localhost in a certificate is never a good idea from a security standpoint. Alternatively you can create a certificate that uses SAN names. These SAN names should be DNS resolvable hostnames (With a SAN entry that matches the FQDN of the server the CN does not then need to contain the FQDN. While it is possible to add a security exception in your browser for this bad server cert, you will not be able to do this should you standup a NiFi cluster where the nodes talk securely to one another.

I suggest using the toolkit to generate a certificate that uses the servers FQDN as both its CN and as a Subject Alternative Name (SAN) DNS entry.

That aside, where did you get your user certificate that is being used to authenticate you as a user to access NiFi? You can use the tls-tookit to create a user certificate as well which you will need to load in your browser. Alternatively, you could configure NiFi to use an external LDAP server or kerberos for user authentication.

When you access a secured NiFi instance/cluster URL, the server looks for a valid user certificate it can trust in the request. If no client cert is presented to authenticate with, NiFi will check to see fi any other authentication method has been configured in NiFi. If none have been configured the connection is closed.

So your issue is one of the following:

1. Your browser is not have a client (user) certificate loaded to pass to NIFi for authentication.

2. You have a user certificate but it is not trusted by your NiFi instance/cluster. The entries in the NiFi truststore.jks are used to trust the client certificates presented. The keystore typically includes a bunch Certificate authority (CA) trustedCertEntries. It may also contain the public keys of self-signed certificates as trustedCertEntries.

If you found this answer addressed your question, please don't forget to mark it "accepted".

Thank you,

Matt

avatar
Contributor

@frank I also faced this issue. Once i added my certificate to keychain, it worked.