
Is it possible to provide options to InvokeHTTP nifi processor / disable InvokeHTTP SSL certificate verification ?


New Contributor

Hi,


I want to use nifi InvokeHTTP processor to get data from a remote URL.


First, I tested the following URL with curl from the CLI of my NiFi host; it retrieves the file I want, so it is OK:


curl --insecure --user <USER>:<PASSWORD> https://<MY_REMOTE_URL>


The same URL with the GET method set in the InvokeHTTP processor gives me an SSLHandshakeException (user/password are respectively set in <Basic Authentication Username> and <Basic Authentication Password>):


Routing to Failure due to exception: sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


This error is skipped with CURL thanks to --insecure option, disabling SSL certificate verification.


So I would like to know if a workaround exists with NiFi to disable SSL certificate verification? (I currently cannot get a certificate allowing me to access the remote host.)

Or is it possible to provide some options to InvokeHTTP processor ? (I know we can set headers using attributes, but what about options like "--insecure" or "-k" ?)


The only way I have found at the moment to achieve what I want is encapsulating the curl call into an ExecuteScript processor, but this solution is not totally satisfying for me.


Thanks



Benjamin


Re: Is it possible to provide options to InvokeHTTP nifi processor / disable InvokeHTTP SSL certificate verification ?

Master Guru

@Benjamin Bouret

The InvokeHTTP processor would require you to use an SSL context service when communicating with a secure (https) endpoint. The SSLContext service can be set up with only a truststore.jks if this is only a 1-way TLS connection that does not require client authentication.

-

You should be able to use openssl to get the complete public certificate chain from the target secured endpoint.

From the command line, execute the following command:

openssl s_client -connect <hostname>:<port> -showcerts

-

The return from this command will include one or more public certificates.

Each public certificate will start and end with the following:

-----BEGIN CERTIFICATE-----
.....
-----END CERTIFICATE-----

-

Copy each certificate, including the above two lines, and write each to a separate file with a .crt extension.

For example:

CA-1.crt

-

Then import each of these public certificates into the truststore you want to use in your SSLContext service as follows:

# keytool -import -alias <unique Alias name 1> -file CA-1.crt -keystore truststore.jks
# keytool -import -alias <unique Alias name 2> -file CA-2.crt -keystore truststore.jks
etc...

-

Make sure your NiFi service user can read this file wherever you decide to place it on each of your NiFi nodes.

-

Thank you,

Matt

-

If you found this answer addressed your question, please take a moment to log in and click the "ACCEPT" link.
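
The copy-and-import steps in the reply above can be scripted. The following is an added example, not part of the original thread: the function names, the `CA-<n>` alias scheme and the sample `s_client` output are assumptions made for illustration, and the certificate bodies are constructed placeholders.

```shell
# Added example; the sample s_client output below is constructed.
# split_pem_chain OUTDIR: write each distinct, complete PEM block read from
# stdin to OUTDIR/CA-<n>.crt and print how many files were written.
split_pem_chain() {
    mkdir -p "$1" || return 1
    awk -v dir="$1" '
        /^-----BEGIN CERTIFICATE-----/ { buf = ""; inside = 1 }
        inside { buf = buf $0 "\n" }
        /^-----END CERTIFICATE-----/ && inside {
            inside = 0
            if (buf in seen) next   # leaf is repeated under "Server certificate"
            seen[buf] = 1
            file = dir "/CA-" (++n) ".crt"
            printf "%s", buf > file
            close(file)
        }
        END { print n + 0 }
    '
}

# import_chain TRUSTSTORE FILE...: one alias per file (CA-1, CA-2, ...).
# keytool shows each fingerprint and asks for confirmation before trusting it.
import_chain() {
    store=$1; shift
    for crt in "$@"; do
        keytool -import -alias "$(basename "$crt" .crt)" -file "$crt" \
            -keystore "$store" || return 1
    done
}

constructed_sample() {
    cat <<'EOF'
Certificate chain
 0 s:CN = nifi-target.example.test
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtTEVBRg==
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0E=
-----END CERTIFICATE-----
Server certificate
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtTEVBRg==
-----END CERTIFICATE-----
EOF
}

# Offline demo on the constructed sample: prints the number of files written.
constructed_sample | split_pem_chain "$(mktemp -d)"
```

Against a real endpoint, pipe `openssl s_client -connect <hostname>:<port> -showcerts </dev/null` into `split_pem_chain ./certs` and then run `import_chain truststore.jks ./certs/CA-*.crt`. Compare the SHA-256 fingerprint keytool displays with one obtained from the endpoint's owner before confirming, since a chain fetched over the network is only as trustworthy as that connection.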