NIFI StandardSSLContextService - Update Keystore and Truststore certs without downtime or controller service restarts

Contributor

Hi,

We are currently working on a scenario to connect to a secured RabbitMQ server for consuming messages. We have used StandardSSLContextService for that purpose and configured both the truststore and keystore properties. These certs are created specifically for the RabbitMQ connection.

Everything is working fine as expected, but the only issue we are facing is that when both the keystore and truststore are expired and we need to update the certs, currently the only way we see is to restart the server or the controller service.

But we would like to know if there is any other way the NIFI StandardSSLContextService can check if the cert is expired and, if we provide a new keystore and truststore, reload the latest certs without the need for restarts.

Any suggestions on this issue are greatly appreciated.

1 ACCEPTED SOLUTION

Master Mentor

@ravi_tadepally 

NiFi introduced the ability for the NiFi web server to auto scan and reload the keystore and truststore configured in the nifi.properties file.

This auto-scan and reload is not something Apache NiFi has extended to the StandardSSLContextService controller service. The reason for this is due to complexity here versus the web UI. There are many processors and controller service components that can be configured with a dependency on the StandardSSLContextService. Each of these components uses its own client which may handle the StandardSSLContextService abstraction differently. Keep in mind the SSLContextService was created to simplify management of your dataflows by restricting/limiting access to keystores and truststores, centralizing keystores and truststores for reuse by multiple components, etc. rather than requiring keystore and truststore properties being set in every individual component. These individual client libraries would need to be able to auto-scan for keystore and truststore changes. Since many of these client libraries are not written specifically for Apache NiFi, this could be challenging to implement.

So as things exist now, changes to the SSLContextService keystore and truststore will require a disable and enable of the controller service. When the SSLContextService is disabled, it triggers the stopping of the dependent components using that controller service. Then enabling the controller service (with the option to start referencing components) would start all those clients again, triggering them to read the updated keystore and truststore files.

I could not find an Apache NiFi jira (https://issues.apache.org/jira/) for adding an auto-reload to the StandardSSLContextService, but encourage you to do so.  Perhaps the community developers can come up with a way to abstract this from the various clients to make it possible in some future release.

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

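The disable/enable cycle Matt describes, driven through the NiFi REST API, as an added example that is not code from this thread or from Apache NiFi itself. It assumes a NiFi 1.x instance at NIFI_API, a bearer token in TOKEN, and the controller-service id of your StandardSSLContextService; it only stops and restarts processors and reporting tasks that reference the service directly, so any other controller service that references it must be disabled first.

```python
import json
import time
import urllib.request

NIFI_API = "https://nifi.example.com:8443/nifi-api"  # assumption: your NiFi base URL
TOKEN = "REPLACE_WITH_BEARER_TOKEN"                  # assumption: token from POST /access/token

def run_status_payload(revision, state):
    """Body for PUT /controller-services/{id}/run-status; state is ENABLED or DISABLED."""
    if state not in ("ENABLED", "DISABLED"):
        raise ValueError(f"unsupported controller service state {state!r}")
    return {"revision": revision, "state": state, "disconnectedNodeAcknowledged": False}

def references_payload(service_id, refs, state):
    """Body for PUT /controller-services/{id}/references, with refs taken from GET .../references.
    Only processors and reporting tasks can be STOPPED/RUNNING, so only their revisions are sent."""
    if state not in ("RUNNING", "STOPPED"):
        raise ValueError(f"unsupported referencing component state {state!r}")
    revisions = {r["id"]: r["revision"] for r in refs
                 if r["component"]["referenceType"] in ("Processor", "ReportingTask")}
    return {"id": service_id, "state": state,
            "referencingComponentRevisions": revisions, "disconnectedNodeAcknowledged": False}

def _call(method, path, body=None):
    """Authenticated JSON request against the NiFi API; urlopen raises on non-2xx responses."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(NIFI_API + path, data=data, method=method, headers={
        "Authorization": f"Bearer {TOKEN}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def wait_for_state(service_id, state, timeout=120):
    """Disable/enable are asynchronous: poll until the service reports the target state."""
    deadline = time.monotonic() + timeout
    while _call("GET", f"/controller-services/{service_id}")["component"]["state"] != state:
        if time.monotonic() > deadline:
            raise TimeoutError(f"{service_id} did not reach {state} within {timeout}s")
        time.sleep(2)

def cycle_ssl_context_service(service_id):
    """Stop referencing components, disable, re-enable (re-reads keystore/truststore), restart."""
    base = f"/controller-services/{service_id}"
    refs = _call("GET", base + "/references")["controllerServiceReferencingComponents"]
    _call("PUT", base + "/references", references_payload(service_id, refs, "STOPPED"))
    _call("PUT", base + "/run-status", run_status_payload(_call("GET", base)["revision"], "DISABLED"))
    wait_for_state(service_id, "DISABLED")
    _call("PUT", base + "/run-status", run_status_payload(_call("GET", base)["revision"], "ENABLED"))
    wait_for_state(service_id, "ENABLED")
    refs = _call("GET", base + "/references")["controllerServiceReferencingComponents"]
    _call("PUT", base + "/references", references_payload(service_id, refs, "RUNNING"))
```

Run `cycle_ssl_context_service("<service id>")` after the new keystore and truststore files are in place; consuming processors will be briefly stopped while the service is cycled, so schedule it for a quiet window.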

2 REPLIES

Contributor

Hi @MattWho 

Thank you for your prompt response. I will try to add this to the Apache NIFI Jira as suggested.

Thanks
Ravi