How do I set up a secure NiFi cluster using the real cert I bought instead of a self-generated one?

Contributor

I am following the procedure below, but I don't see how I can apply the cert that I bought.

http://bryanbende.com/development/2016/08/17/apache-nifi-1-0-0-authorization-and-multi-tenancy

1 ACCEPTED SOLUTION

Mark,

The certificate you purchased from a certificate authority will identify the NiFi application. Depending on the format it is in (likely a *.key file containing the private key which never left your computer and a *.pem or *.der file containing the corresponding public key, which was then signed via a CSR (Certificate Signing Request) sent to the CA), you will need to build the following files:

  • Keystore
    • This will contain the private key and public key certificate with the issuing CA's public certificate in a chain (as a privateKeyEntry) [see example output below]
  • Truststore
    • This will contain the public key of your client certificate (if using one) in order to authenticate you as a user connecting to the UI/API.

Alternate example using keytool:

  1. You generate a public/private keypair using the Java keytool:

    $ keytool -genkey -alias nifi -keyalg RSA -keysize 2048 -keystore keystore.jks

  2. You then export a certificate signing request which you send to the certificate authority:

    $ keytool -certreq -alias nifi -keyalg RSA -file nifi.csr -keystore keystore.jks

  3. You will get a CSR file, nifi.csr, which you send to the CA; they send back a signed public certificate (and the public certificate of the CA) as cert_from_ca.pem, which you import:

    $ keytool -import -trustcacerts -alias nifi -file cert_from_ca.pem -keystore keystore.jks

Here is a link to the full steps I ran (I ran my own CA in another terminal to simulate the actions of the external CA) and the resulting output.

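An added example, not part of Andy's answer or the NiFi project's code: a POSIX shell script that assembles the keystore and truststore from a purchased key, the CA-signed certificate and the CA's chain (using openssl for the PKCS12 keystore alongside keytool, rather than the keytool-only route above), then sets the nifi.properties entries that point NiFi at them and verifies the result. The file names (nifi.key, nifi.crt, ca-chain.crt, ca-root.crt), the hostname nifi.example.com, the port 9443 and the passwords are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post or the NiFi project: build the NiFi
# keystore/truststore from a CA-issued certificate and wire it into nifi.properties.
# Assumed inputs (file names are assumptions for illustration):
#   nifi.key       private key generated on the NiFi host; never sent to the CA
#   nifi.crt       leaf certificate the CA returned for your CSR
#   ca-chain.crt   intermediate CA certificate(s) from the CA, PEM format
#   ca-root.crt    the CA's root certificate, PEM format
set -eu

KEYSTORE=keystore.p12
TRUSTSTORE=truststore.jks
NIFI_HOST=${NIFI_HOST:-nifi.example.com}     # assumed; must match the cert's SAN/CN
KEYSTORE_PASS=${KEYSTORE_PASS:-changeit}     # placeholder; use a real secret
TRUSTSTORE_PASS=${TRUSTSTORE_PASS:-changeit} # placeholder; use a real secret

# Keystore: ONE entry holding the private key, the leaf cert and the CA chain,
# so NiFi presents the full chain to clients. openssl writes PKCS12 directly,
# and NiFi 1.x accepts PKCS12 as well as JKS. With PKCS12 the key password and
# the store password are the same value.
build_keystore() {
  openssl pkcs12 -export \
    -inkey nifi.key -in nifi.crt -certfile ca-chain.crt \
    -name nifi -out "$KEYSTORE" -passout "pass:$KEYSTORE_PASS"
}

# Truststore: only the issuing CA's certificate. This is what lets NiFi verify
# client certificates (UI/API users) and, in a cluster, the other nodes'
# certificates. Do NOT import the leaf nifi.crt here; trust the issuer.
build_truststore() {
  keytool -importcert -noprompt -alias ca-root -file ca-root.crt \
    -keystore "$TRUSTSTORE" -storetype JKS -storepass "$TRUSTSTORE_PASS"
}

# set_prop FILE KEY VALUE: replace an existing key=value line or append one.
set_prop() {
  file=$1; key=$2; value=$3
  if grep -q "^${key}=" "$file"; then
    awk -v k="$key" -v v="$value" 'BEGIN { FS = OFS = "=" }
         $1 == k { $0 = k "=" v } { print }' "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}

# Point NiFi at the stores and clear the plain-HTTP port so that only the
# HTTPS listener is configured.
configure_nifi_properties() {
  props=$1
  set_prop "$props" nifi.web.http.port ""
  set_prop "$props" nifi.web.https.host "$NIFI_HOST"
  set_prop "$props" nifi.web.https.port 9443
  set_prop "$props" nifi.security.keystore "./conf/$KEYSTORE"
  set_prop "$props" nifi.security.keystoreType PKCS12
  set_prop "$props" nifi.security.keystorePasswd "$KEYSTORE_PASS"
  set_prop "$props" nifi.security.keyPasswd "$KEYSTORE_PASS"
  set_prop "$props" nifi.security.truststore "./conf/$TRUSTSTORE"
  set_prop "$props" nifi.security.truststoreType JKS
  set_prop "$props" nifi.security.truststorePasswd "$TRUSTSTORE_PASS"
}

# Check the stores before starting NiFi: expect one PrivateKeyEntry whose
# chain length covers the leaf plus the intermediate(s), and a trusted CA entry.
verify_stores() {
  keytool -list -v -keystore "$KEYSTORE" -storetype PKCS12 -storepass "$KEYSTORE_PASS" \
    | grep -E 'Alias name|Entry type|Certificate chain length|Owner:|Issuer:'
  keytool -list -keystore "$TRUSTSTORE" -storepass "$TRUSTSTORE_PASS"
}

# After NiFi is up: a client trusting only the CA root must report
# "Verify return code: 0 (ok)"; anything else means the chain or hostname is wrong.
verify_tls() {
  openssl s_client -connect "$NIFI_HOST:9443" -servername "$NIFI_HOST" \
    -CAfile ca-root.crt </dev/null 2>/dev/null | grep 'Verify return code'
}

# Run the whole procedure with: sh build_nifi_tls.sh build
if [ "${1:-}" = "build" ]; then
  build_keystore
  build_truststore
  configure_nifi_properties conf/nifi.properties
  verify_stores
fi
```

Run it from the NiFi installation directory with the argument `build`; the functions are also usable one at a time. The keystore holds the private key with its chain, the truststore holds only the CA, and `nifi.web.https.host` must match a name in the purchased certificate, otherwise browsers and other nodes will reject the connection even though the stores load.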

4 REPLIES 4

Contributor

@Andy LoPresto

Hi Andy, thank you so much for your help. I understand the certificates much better now, and when to use the TLS Generation Toolkit and what to use for a prod environment. I am running into a user permission issue. Shall I ask on the same thread or create a new question? Thanks for the help, Andy!

Mark, I'm glad the answer helped you. You should open a new question for the user permission issue and I will take a look.
