
How to use site-to-site over two nifi instances using SSL(https)?


Explorer

The remote process group on instance-1 trying to connect to instance-2 says forbidden. How can I fix this?

Accepted Solution

Re: How to use site-to-site over two nifi instances using SSL(https)?

Master Guru
@Harshith Venkatesh

When performing Site-to-Site (S2S) between two secured NiFi installs, both server authentication and authorization need to succeed. In your case it sounds like authentication was likely successful (you can confirm this by looking in the nifi-user.log of the target NiFi). What appears to be missing is authorization of the source server(s).

To resolve the "forbidden" you are seeing on your RPG, you will need to go to the target NiFi and add a new user for the source NiFi server(s) running the RPG. Click on "Users" to add a new one:

[screenshot: 13370-screen-shot-2017-03-08-at-100805-am.png]

The user you are adding will need to be the full DN from the source NiFi's server certificate (case sensitive, and white spaces count as valid characters). You can pull the DN out of the nifi-user.log or from a verbose listing of the source NiFi's keystore.

After you have added the server as a user, you will need to authorize that server by clicking on "Policies" and granting the server the "retrieve site-to-site details" access policy. After doing the above, the "forbidden" response on the RPG should go away on the next sync.

What you still will not see is a list of available input and output ports on the target NiFi to which your source NiFi can connect over S2S. Remote input and output ports can only be added at the root canvas level. After they have been added, you will need to allow your source NiFi server user to access them as well before they will show up in the RPG.

This is done via the "Operate panel":

[screenshot: 13402-screen-shot-2017-03-08-at-104750-am.png]

Selecting an input or output port on the canvas will show that component as the selected component in the operate panel. Select the key icon and grant your NiFi source server the following policies:

For input ports --> "receive data via site-to-site" access policy

For output ports --> "send data via site-to-site" access policy

On the next sync, the RPG should show these ports as available to your source NiFi for connecting over S2S.

Thanks,

Matt


Re: How to use site-to-site over two nifi instances using SSL(https)?

Explorer

@Matt Clarke

I've added the DN under users and added the same under the 'retrieve site-to-site details' policy, but I am still getting the forbidden warning.

[screenshot: 13440-user-added.png]

[screenshot: 13439-policy-added.png]

[screenshot: 13442-forbidden.png]

Re: How to use site-to-site over two nifi instances using SSL(https)?

Master Guru

@Harshith Venkatesh

What do you see in the nifi-user.log on the target NiFi server of the RPG? What is the full error seen in the nifi-app.log of the source NiFi server?

Re: How to use site-to-site over two nifi instances using SSL(https)?

Explorer

@Matt Clarke

This is the error I see in nifi-app.log:

Process Thread-10] o.apache.nifi.controller.FlowController Unable to communicate with remote instance RemoteProcessGroup[https://xx.xx.xx.xx:8124/nifi] due to org.apache.nifi.controller.exception.CommunicationsException: Unable to communicate with Remote NiFi at URI https://xx.xx.xx.xx:8124/nifi-api due to: response code 403:Forbidden with explanation: null

Re: How to use site-to-site over two nifi instances using SSL(https)?

Master Guru

@Harshith Venkatesh

And what do you see in the nifi-user.log on the other NiFi instance?

Re: How to use site-to-site over two nifi instances using SSL(https)?

Master Guru

@Harshith Venkatesh

Were the certificates created to secure each of these NiFi instances signed by the same CA?

The authentication that is going to occur between these NiFi instances is 2-way SSL. Both servers must be able to trust the certificate being presented by the other NiFi instance.

Thanks,

Matt

Re: How to use site-to-site over two nifi instances using SSL(https)?

Explorer

@Matt Clarke

This is what I found in nifi-user.log:

[screenshot: 13485-app-log.png]

I had created a server certificate, a client certificate and a CA cert holding the signature of both from tinycert.org. I had mentioned the server certificate and CA cert path in nifi.properties and was loading the client certificate into my browser. I was using the same certificates for both NiFi instances.

Like you said, I had added the client cert DN under the users, but NiFi was using the server cert DN (which I got to know after seeing the nifi-user.log) for site-to-site authentication. So, I added the server DN under the users and added the same under the 'retrieve site-to-site details' policy. Now the issue is fixed. The RPG is now able to establish a connection.

Thanks,

Harshith
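The thread's resolution comes down to one check: the identity the target NiFi actually authenticated (its server-certificate DN, visible in nifi-user.log and in a verbose keystore listing) must match a user in the target's authorizer exactly, and that user must hold the "retrieve site-to-site details" policy. The script below is an added troubleshooting example, not code from the thread or from the NiFi project. It assumes that policy is stored in authorizations.xml as resource "/site-to-site" with action "R"; the keytool output, nifi-user.log lines and users.xml / authorizations.xml fragments are constructed to resemble the real formats, and the "near miss" check is purely a diagnostic hint (NiFi itself never normalises case or whitespace in identities).

```python
"""Diagnose a NiFi Site-to-Site (S2S) 403 the way the thread resolves it:
find the identity the target NiFi authenticated (nifi-user.log), compare it
with the source NiFi's keystore DN, and check the target's users.xml /
authorizations.xml for an exact-match user holding the
"retrieve site-to-site details" policy.

Added example, not NiFi project code. Assumption: that policy is stored as
resource="/site-to-site" action="R". All samples below are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed excerpt of `keytool -list -v` run on the SOURCE NiFi's keystore.
KEYTOOL_OUT = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: nifi-key
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=nifi-source.example.com, OU=NiFi
Issuer: CN=Example CA, OU=NiFi
Certificate[2]:
Owner: CN=Example CA, OU=NiFi
Issuer: CN=Example CA, OU=NiFi
"""

# Constructed nifi-user.log lines from the TARGET NiFi for one RPG sync.
USER_LOG = """\
2017-03-08 10:08:05,101 INFO [NiFi Web Server-22] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=nifi-source.example.com, OU=NiFi) GET https://nifi-target.example.com:8124/nifi-api/site-to-site (source ip: 10.0.0.5)
2017-03-08 10:08:05,104 INFO [NiFi Web Server-22] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=nifi-source.example.com, OU=NiFi
2017-03-08 10:08:05,110 INFO [NiFi Web Server-22] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=nifi-source.example.com, OU=NiFi] does not have permission to access the requested resource. Unable to view site to site details. Returning Forbidden response.
"""

# Constructed users.xml on the target: the browser (client) cert DN was added
# and holds the policy; the server cert DN was typed in different case, which
# NiFi treats as a different identity.
USERS_XML = """<tenants><users>
  <user identifier="u-admin"  identity="CN=admin, OU=NiFi"/>
  <user identifier="u-client" identity="CN=harshith, OU=NiFi"/>
  <user identifier="u-src"    identity="cn=nifi-source.example.com, ou=nifi"/>
</users></tenants>"""

# Constructed authorizations.xml on the target.
AUTHZ_XML = """<authorizations><policies>
  <policy identifier="p-s2s"  resource="/site-to-site" action="R"><user identifier="u-client"/></policy>
  <policy identifier="p-flow" resource="/flow"         action="R"><user identifier="u-admin"/></policy>
</policies></authorizations>"""

S2S_DETAILS = ("/site-to-site", "R")  # assumed storage form of the policy


def dn_from_keytool_listing(text):
    """Owner DN of the first certificate in the chain, i.e. the server's own cert."""
    m = re.search(r"^Owner:\s*(.+?)\s*$", text, re.MULTILINE)
    return m.group(1) if m else None


def authenticated_identities(log_text):
    """Identities the target reports as successfully authenticated, in log order."""
    found = []
    for line in log_text.splitlines():
        m = re.search(r"Authentication success for (.+?)\s*$", line)
        if m:
            found.append(m.group(1))
    return found


def load_users(users_xml):
    """identity -> identifier, kept byte-for-byte (NiFi matches identities exactly)."""
    return {u.get("identity"): u.get("identifier")
            for u in ET.fromstring(users_xml).iter("user")}


def load_policies(authz_xml):
    """(resource, action) -> set of user identifiers granted that policy."""
    return {(p.get("resource"), p.get("action")): {u.get("identifier") for u in p.findall("user")}
            for p in ET.fromstring(authz_xml).iter("policy")}


def _loose(dn):
    # Diagnostic only: NiFi does NOT normalise identities like this.
    return re.sub(r"\s*,\s*", ",", dn).strip().lower()


def diagnose(dn, users, policies):
    """Explain why `dn` gets 403 on the S2S details endpoint, or return 'ok'."""
    if dn in users:
        if users[dn] in policies.get(S2S_DETAILS, set()):
            return "ok"
        return "user exists but lacks 'retrieve site-to-site details'"
    near = [u for u in users if _loose(u) == _loose(dn)]
    if near:
        return f"no exact user; near miss differing in case/whitespace: {near[0]!r}"
    return "no user with this identity"


if __name__ == "__main__":
    users, policies = load_users(USERS_XML), load_policies(AUTHZ_XML)
    keystore_dn = dn_from_keytool_listing(KEYTOOL_OUT)
    for dn in authenticated_identities(USER_LOG):
        print(f"authenticated as {dn!r} (matches source keystore DN: {dn == keystore_dn})")
        print("  ->", diagnose(dn, users, policies))
```

Against real installs, feed `dn_from_keytool_listing` the output of `keytool -list -v -keystore <source keystore>` and `authenticated_identities` the target's nifi-user.log; the identity that authenticated is the one to register, spelled exactly as logged. The same exact-match rule applies to the per-port "receive data via site-to-site" and "send data via site-to-site" policies once the ports are visible.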
