Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
Solved Go to solution

Minifi SSLHandshake

Labels:
avatar
author-rank nisrine001
Explorer

Created ‎11-06-2018 10:46 AM

Hello.

I have in issue with NIFI and MINIFI connection.

1- I installed NIFI 1.0.0 with 3.0 HDP with a secure properties and CA.

2- I wanna use a NIFI agent so i used this tuto https://nifi.apache.org/minifi/minifi-java-agent-quick-start.html and connecting to NIFI using https://nifi.apache.org/minifi/getting-started.html but i get this errors in minifi logs when starting MINIFI:

WARN [Http Site-to-Site PeerSelector] o.apache.nifi.remote.client.PeerSelector org.apache.nifi.remote.client.PeerSelector@ Unable to refresh Remote Group's peers due to sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

so MINIFI Couldn't find a valid peer to communicate with for my Remote Process Group

3- Is MINIFI need a Self Signed Certificates ? how could i use site to site connection ?

Any suggesion.

Thank you in advance.

1,813 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank MattWho author-rank
Super Mentor

Created ‎11-06-2018 11:21 AM

@nisrine elloumi

-

Since the target NiFi configured in the Remote Process Group has been secured, your MiNiFi agent will need a keystore an truststore as well. The keystore must contain a singls PrivateKeyEntry that will be trusted by a TrustedCertEntry in the truststore of your NiFi. The truststore on your MiNiFi agent must contain a trustecCertEntry that is capable of establishing trust of the certificate coming from the target NiFi.

-

If your target NiFi has been secured using the the NiFi CA, you can use the TLS-toolkit to generate a new server certificate for your MiNiFi agent. Below can be found in the NiFi Admin guide:

-

Client

The client can be used to request new Certificates from the CA. The client utility generates a keypair and Certificate Signing Request (CSR) and sends the CSR to the Certificate Authority. The client is invoked by running ./bin/tls-toolkit.sh client -h which prints the usage information along with descriptions of options that can be specified.

You can use the following command line options with the tls-toolkit in client mode:

  • -a,--keyAlgorithm <arg> Algorithm to use for generated keys (default: RSA)
  • -c,--certificateAuthorityHostname <arg> Hostname of NiFi Certificate Authority (default: localhost)
  • -C,--certificateDirectory <arg> The directory to write the CA certificate (default: .)
  • --configJsonIn <arg> The place to read configuration info from, implies useConfigJson if set (default: configJsonvalue)
  • -D,--dn <arg> The DN to use for the client certificate (default: CN=<localhost name>,OU=NIFI) (this is auto-populated by the tool)
  • -f,--configJson <arg> The place to write configuration info (default: config.json)
  • -F,--useConfigJson Flag specifying that all configuration is read from configJson to facilitate automated use (otherwise configJson will only be written to)
  • -g,--differentKeyAndKeystorePasswords Use different generated password for the key and the keystore
  • -h,--help Print help and exit
  • -k,--keySize <arg> Number of bits for generated keys (default: 2048)
  • -p,--PORT <arg> The port to use to communicate with the Certificate Authority (default: 8443)
  • --subjectAlternativeNames <arg> Comma-separated list of domains to use as Subject Alternative Names in the certificate
  • -T,--keyStoreType <arg> The type of keystores to generate (default: jks)
  • -t,--token <arg> The token to use to prevent MITM (required and must be same as one used by CA)

After running the client you will have the CA’s certificate, a keystore, a truststore, and a config.json with information about them as well as their passwords.

-

You will need to collect the needed information about your CA. You could run this toolkit right on the server where the NiFi CA was installed (for example from /tmp directory). Then you just need to move the produced keystore and truststore files over to your MiNiFi agent and configured the yaml file to use them.

-

If you are using a keystores and truststores generated by some other CA, you will need to follow whatever procedure that authority to generate the new keystore and truststore needed for your MiNiFi agent. Just make sure the criteria I outlined at the beginning is being met so that the 2-way TLS handshake will be successful.

-

Thank you,

Matt

-

If you found this answer addressed your question, please take a moment to login in and click the "ACCEPT" link.

View solution in original post

1,611 Views
0 Kudos
1 REPLY 1

avatar
author-rank MattWho author-rank
Super Mentor

Created ‎11-06-2018 11:21 AM

@nisrine elloumi

-

Since the target NiFi configured in the Remote Process Group has been secured, your MiNiFi agent will need a keystore an truststore as well. The keystore must contain a singls PrivateKeyEntry that will be trusted by a TrustedCertEntry in the truststore of your NiFi. The truststore on your MiNiFi agent must contain a trustecCertEntry that is capable of establishing trust of the certificate coming from the target NiFi.

-

If your target NiFi has been secured using the the NiFi CA, you can use the TLS-toolkit to generate a new server certificate for your MiNiFi agent. Below can be found in the NiFi Admin guide:

-

Client

The client can be used to request new Certificates from the CA. The client utility generates a keypair and Certificate Signing Request (CSR) and sends the CSR to the Certificate Authority. The client is invoked by running ./bin/tls-toolkit.sh client -h which prints the usage information along with descriptions of options that can be specified.

You can use the following command line options with the tls-toolkit in client mode:

  • -a,--keyAlgorithm <arg> Algorithm to use for generated keys (default: RSA)
  • -c,--certificateAuthorityHostname <arg> Hostname of NiFi Certificate Authority (default: localhost)
  • -C,--certificateDirectory <arg> The directory to write the CA certificate (default: .)
  • --configJsonIn <arg> The place to read configuration info from, implies useConfigJson if set (default: configJsonvalue)
  • -D,--dn <arg> The DN to use for the client certificate (default: CN=<localhost name>,OU=NIFI) (this is auto-populated by the tool)
  • -f,--configJson <arg> The place to write configuration info (default: config.json)
  • -F,--useConfigJson Flag specifying that all configuration is read from configJson to facilitate automated use (otherwise configJson will only be written to)
  • -g,--differentKeyAndKeystorePasswords Use different generated password for the key and the keystore
  • -h,--help Print help and exit
  • -k,--keySize <arg> Number of bits for generated keys (default: 2048)
  • -p,--PORT <arg> The port to use to communicate with the Certificate Authority (default: 8443)
  • --subjectAlternativeNames <arg> Comma-separated list of domains to use as Subject Alternative Names in the certificate
  • -T,--keyStoreType <arg> The type of keystores to generate (default: jks)
  • -t,--token <arg> The token to use to prevent MITM (required and must be same as one used by CA)

After running the client you will have the CA’s certificate, a keystore, a truststore, and a config.json with information about them as well as their passwords.

-

You will need to collect the needed information about your CA. You could run this toolkit right on the server where the NiFi CA was installed (for example from /tmp directory). Then you just need to move the produced keystore and truststore files over to your MiNiFi agent and configured the yaml file to use them.

-

If you are using a keystores and truststores generated by some other CA, you will need to follow whatever procedure that authority to generate the new keystore and truststore needed for your MiNiFi agent. Just make sure the criteria I outlined at the beginning is being met so that the 2-way TLS handshake will be successful.

-

Thank you,

Matt

-

If you found this answer addressed your question, please take a moment to login in and click the "ACCEPT" link.

1,612 Views
0 Kudos
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements