How to use site-to-site over two nifi instances using SSL(https)?

Explorer

The remote process group on instance-1 trying to connect to instance-2 says forbidden. How can I fix this?

1 ACCEPTED SOLUTION

Super Mentor
@Harshith Venkatesh

When performing Site-to-Site (S2S) between two Secured NiFi installs, server authentication and authorization will need to be successful. In your case it sounds like authentication was likely successful (You can confirm this by looking in the nifi-user.log of the target NiFi). What appears to be missing is source server(s) authorization.

To resolve the "forbidden" you are seeing on your RPG, you will need to go to the target NiFi and add a new user for the source NiFi server(s) running the RPG. Click on "Users" to add a new user.

[screenshot: Users menu]

The user you are adding will need to be the full DN from the source NiFi's server certificate (case sensitive, and white spaces count as valid characters). You can pull the DN out of the nifi-user.log or by doing a verbose listing of the source NiFi's keystore.

After you have added the server as a user, you will need to authorize that server by clicking on "Policies" and granting the server the "retrieve site-to-site details" access policy. After doing the above, the "forbidden" response on the RPG should go away on the next sync.

What you still will not see is a list of available input and output ports on the target NiFi to which your source NiFi can connect over S2S. Remote input and output ports can only be added at the root canvas level. After they have been added, you will need to allow your source NiFi server user to access them as well before they will show up in the RPG.

This is done via the "Operate panel":

[screenshot: Operate panel]

Selecting an input or output port on the canvas will show that component as the selected component in the Operate panel. Select the key icon and grant your NiFi source server the following policy:

For input ports --> "receive data via site-to-site" access policy

For output ports --> "send data via site-to-site" access policy

On the next sync the RPG should show these ports as available to your source NiFi for connecting to over S2S.

Thanks,

Matt
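As an added example (not code from the thread or from NiFi itself): a small Python check that pulls the server certificate DN from a verbose keytool listing, reads the identity the target's nifi-user.log refused, and reports whether the user entry on the target is missing, mistyped (case or whitespace, which NiFi treats as significant), or present, in which case only the access policy is missing. The keytool output and the log line are constructed samples; the "Unknown user with identity" wording is assumed to resemble NiFi's denial message and is not quoted from the thread.

```python
import re

# Constructed sample of `keytool -list -v -keystore keystore.jks` output for the
# source NiFi's server certificate (the "verbose listing" the answer refers to).
KEYTOOL_OUTPUT = """\
Alias name: nifi-key
Entry type: PrivateKeyEntry
Owner: CN=nifi-instance-1.example.com, OU=NIFI, O=Example, C=US
Issuer: CN=Example CA, O=Example, C=US
"""

# Constructed nifi-user.log line from the target NiFi, written in the style of
# the message NiFi logs when it returns 403 for an identity with no user entry.
USER_LOG = """\
2017-03-08 10:08:05,121 INFO [NiFi Web Server-22] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=nifi-instance-1.example.com, OU=NIFI, O=Example, C=US], groups[] does not have permission to access the requested resource. Unknown user with identity 'CN=nifi-instance-1.example.com, OU=NIFI, O=Example, C=US'. Returning Forbidden response.
"""

OWNER_RE = re.compile(r"^Owner:\s*(.+?)\s*$", re.MULTILINE)
DENIED_RE = re.compile(r"Unknown user with identity '([^']+)'")

def keystore_owner_dns(keytool_text: str) -> list[str]:
    """Owner DN of each keystore entry: the server cert DN NiFi presents in 2-way SSL."""
    return OWNER_RE.findall(keytool_text)

def denied_identities(user_log: str) -> list[str]:
    """Identities the target NiFi refused because no user entry matched them."""
    return DENIED_RE.findall(user_log)

def compare_dn(configured: str, logged: str) -> str:
    """NiFi matches identities as exact strings; classify how a user entry differs."""
    squash = lambda s: re.sub(r"\s+", "", s)
    if configured == logged:
        return "match"
    if squash(configured) == squash(logged):
        return "whitespace differs"
    if squash(configured).lower() == squash(logged).lower():
        return "case differs"
    return "different DN"

def audit(configured_users: list[str], user_log: str) -> dict[str, str]:
    """Per refused identity: user entry missing, mistyped, or present (policy missing)."""
    report = {}
    for ident in denied_identities(user_log):
        verdicts = {u: compare_dn(u, ident) for u in configured_users}
        if "match" in verdicts.values():
            report[ident] = "user exists; grant 'retrieve site-to-site details' policy"
            continue
        near = [f"{u!r}: {v}" for u, v in verdicts.items() if v != "different DN"]
        report[ident] = "near miss: " + "; ".join(near) if near else "no user entry; add this exact DN"
    return report
```

Running `audit` with the client certificate's DN as the only configured user reproduces the situation in the last reply: the refused identity is the server certificate's DN, which `keystore_owner_dns` returns verbatim.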




Explorer

@Matt Clarke

I've added the DN under users and added the same under the 'retrieve site-to-site details' policy, but I am still getting the forbidden warning.

[screenshot: user added]

[screenshot: policy added]

[screenshot: forbidden warning]

Super Mentor

@Harshith Venkatesh

What do you see in the nifi-user.log on the target NiFi server of the RPG? What is the full error seen in the nifi-app.log of the source NiFi server?

Explorer

@Matt Clarke

This is the error I see in nifi-app.log:

Process Thread-10] o.apache.nifi.controller.FlowController Unable to communicate with remote instance RemoteProcessGroup[https://xx.xx.xx.xx:8124/nifi] due to org.apache.nifi.controller.exception.CommunicationsException: Unable to communicate with Remote NiFi at URI https://xx.xx.xx.xx:8124/nifi-api due to: response code 403:Forbidden with explanation: null

Super Mentor

@Harshith Venkatesh

And what do you see in the nifi-user.log on the other NiFi instance?

Super Mentor

@Harshith Venkatesh

Were the certificates created to secure each of these NiFi instances signed by the same CA?

The authentication that is going to occur between these NiFi instances is 2-way SSL. Both servers must be able to trust the certificate being presented by the other NiFi instance.

Thanks,

Matt

Explorer

@Matt Clarke

This is what I found in nifi-user.log:

[screenshot: nifi-user.log excerpt]

I had created a server certificate, a client certificate and a CAcert holding the signature of both from tinycert.org. I had mentioned the server certificate and CAcert path in nifi.properties and was loading the client certificate into my browser. I was using the same certificates for both of the NiFi instances.

Like you said, I had added the client cert DN under the users, but NiFi was using the server cert DN (which I got to know after seeing the nifi-user.log) for site-to-site authentication. So, I added the server DN under the users and added the same under the 'retrieve site-to-site details' policy. Now the issue is fixed. The RPG is now able to establish a connection.

Thanks,

Harshith