
NIFI security setup

Contributor

Hi,

I am trying to set up security on my NiFi node so that I can do secure site-to-site data transfer. I followed the articles below to configure security and generate certificates.

https://community.hortonworks.com/articles/58009/hdf-20-enable-ssl-for-apache-nifi-from-ambari.html

https://community.hortonworks.com/content/kbentry/58233/using-the-tls-toolkit-to-simplify-security.h...

I configured all properties as mentioned above to enable SSL at the Ambari level. Then I generated a standalone certificate and copied the nifi.properties, keystore and truststore properties into the nifi/conf directory as mentioned.

Then whenever I restart my NiFi service it gives me the following exception. Please let me know where I am doing something wrong.

Traceback (most recent call last):
  File "/var/lib/ambari-agent/cache/common-services/NIFI/1.0.0/package/scripts/nifi.py", line 231, in <module>
    Master().execute()
  File "/usr/lib/python2.6/site-packages/resource_management/libraries/script/script.py", line 280, in execute
    method(env)
  File "/usr/lib/python2.6/site-packages/resource_management/libraries/script/script.py", line 725, in restart
    self.start(env)
  File "/var/lib/ambari-agent/cache/common-services/NIFI/1.0.0/package/scripts/nifi.py", line 148, in start
    self.configure(env, is_starting = True)
  File "/var/lib/ambari-agent/cache/common-services/NIFI/1.0.0/package/scripts/nifi.py", line 99, in configure
    Execute('JAVA_HOME='+params.jdk64_home+' '+ca_client_script+' client -F -f '+ca_client_json, user=params.nifi_user)
  File "/usr/lib/python2.6/site-packages/resource_management/core/base.py", line 155, in __init__
    self.env.run()
  File "/usr/lib/python2.6/site-packages/resource_management/core/environment.py", line 160, in run
    self.run_action(resource, action)
  File "/usr/lib/python2.6/site-packages/resource_management/core/environment.py", line 124, in run_action
    provider_action()
  File "/usr/lib/python2.6/site-packages/resource_management/core/providers/system.py", line 273, in action_run
    tries=self.resource.tries, try_sleep=self.resource.try_sleep)
  File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py", line 71, in inner
    result = function(command, **kwargs)
  File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py", line 93, in checked_call
    tries=tries, try_sleep=try_sleep)
  File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py", line 141, in _call_wrapper
    result = _call(command, **kwargs_copy)
  File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py", line 294, in _call
    raise Fail(err_msg)
resource_management.core.exceptions.Fail: Execution of 'JAVA_HOME=/usr/jdk64/jdk1.8.0_77 /var/lib/ambari-agent/cache/common-services/NIFI/1.0.0/package/files/nifi-toolkit-1.0.0.2.0.0.0-579/bin/tls-toolkit.sh client -F -f /etc/nifi/2.0.0.0-579/0/nifi-certificate-authority-client.json' returned 3. 2016-10-02 00:09:43,075 ERROR [main] o.a.n.t.t.s.c.TlsCertificateAuthorityClient Unable to open existing keystore, it can be reused by specifiying both configJson and useConfigJson
Service client error: Keystore was tampered with, or password was incorrect

Usage: tls-toolkit service [-h] [args]

Services:
   standalone: Creates certificates and config files for nifi cluster.
   server: Acts as a Certificate Authority that can be used by clients to get Certificates
   client: Generates a private key and gets it signed by the certificate authority.

@brosander

@vnandigam the below is the root error. Can you confirm that the keystore password you entered in Ambari was correct?

Since you generated a standalone certificate, you can confirm the password from the nifi.properties that was generated in the folder specified by -o (e.g. security_output) when you ran tls-toolkit.sh

Execution of 'JAVA_HOME=/usr/jdk64/jdk1.8.0_77 /var/lib/ambari-agent/cache/common-services/NIFI/1.0.0/package/files/nifi-toolkit-1.0.0.2.0.0.0-579/bin/tls-toolkit.sh client -F -f /etc/nifi/2.0.0.0-579/0/nifi-certificate-authority-client.json' returned 3. 

2016-10-02 00:09:43,075 ERROR [main] o.a.n.t.t.s.c.TlsCertificateAuthorityClient Unable to open existing keystore, it can be reused by specifiying both configJson and useConfigJsonService client error: Keystore was tampered with, or password was incorrect
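As an added illustration of the check brosander describes (this is not code from the thread or from the NiFi project), the script below compares the TLS settings in a standalone-generated nifi.properties against the CA client JSON that Ambari hands to `tls-toolkit.sh client -F -f`. The nifi.properties keys are the real ones; the JSON field names, paths and passwords are assumptions and constructed samples.

```python
import json
# nifi.properties keys (real) mapped to the CA client JSON field names (assumed here).
KEY_MAP = {
    "nifi.security.keystore": "keyStore",
    "nifi.security.keystoreType": "keyStoreType",
    "nifi.security.keystorePasswd": "keyStorePassword",
    "nifi.security.keyPasswd": "keyPassword",
    "nifi.security.truststore": "trustStore",
    "nifi.security.truststoreType": "trustStoreType",
    "nifi.security.truststorePasswd": "trustStorePassword",
}
# Constructed sample of the nifi.properties written by "tls-toolkit.sh standalone -o ...".
SAMPLE_NIFI_PROPERTIES = """\
# constructed sample; the passwords are placeholders
nifi.security.keystore=/usr/test/security_output/node1/keystore.jks
nifi.security.keystoreType=jks
nifi.security.keystorePasswd=STANDALONE_KEYSTORE_PW
nifi.security.keyPasswd=STANDALONE_KEYSTORE_PW
nifi.security.truststore=/usr/test/security_output/node1/truststore.jks
nifi.security.truststoreType=jks
nifi.security.truststorePasswd=STANDALONE_TRUSTSTORE_PW
"""
# Constructed sample of the client JSON Ambari passes to "tls-toolkit.sh client -F -f ...".
SAMPLE_CA_CLIENT_JSON = """{
  "keyStore": "/usr/test/security_output/node1/keystore.jks",
  "keyStoreType": "jks",
  "keyStorePassword": "AMBARI_KEYSTORE_PW",
  "keyPassword": "AMBARI_KEYSTORE_PW",
  "trustStore": "/usr/test/security_output/node1/truststore.jks",
  "trustStoreType": "jks",
  "trustStorePassword": "STANDALONE_TRUSTSTORE_PW"
}"""

def parse_nifi_properties(text):
    """Parse key=value lines of nifi.properties, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def find_tls_mismatches(properties_text, ca_client_json):
    """Return nifi.properties keys whose value differs from the CA client JSON; a
    differing keystorePasswd is what produces 'Keystore was tampered with...'."""
    props = parse_nifi_properties(properties_text)
    client = json.loads(ca_client_json)
    return sorted(k for k, j in KEY_MAP.items() if props.get(k) != client.get(j))
```

An empty result means the password Ambari is using matches the keystore the standalone run produced; any key listed is the setting to reconcile before restarting the service.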

Contributor

Hi ,

Thanks for the reply. I am following this procedure to enable security and then use it to implement site-to-site transfer:

1. Modified nifi.properties by following option 1 from the article below:

https://community.hortonworks.com/questions/59397/nifi-security-setup.html

CN=nifiadmin, OU=hortonworks,

and node identities as:

<property name="Node Identity 1">CN=ip-10-0-0-53.eu-west-1.compute.internal , OU=hortonworks</property>

then restart NiFi for all properties to take effect.

2. Then generate the certificate using:

bin/tls-toolkit.sh standalone -c ip-10-0-0-53.eu-west-1.compute.internal -n 'ip-10-0-0-53.eu-west-1.compute.internal' -C 'CN=nifiadmin,OU=hortonworks' -O -o /usr/test/security_output

3. Then import the .p12 file into the browser, and restart NiFi and the browser.

4. When I open the NiFi UI, I am still unable to access it. It is not even asking for a certificate.

Am I following the proper procedure, or am I missing anything?

Contributor

capture.png

Hi, these are the properties I am using in Ambari. So as per my understanding, I am not entering any keystore password.

I followed the same link to enable SSL for the NiFi cluster. At that time I used client mode to generate the certificate.

Contributor

Hi @vnandigam

If you are using the tls-toolkit in standalone mode, you would want to uninstall all instances of NiFi CA from your cluster. The two are different use cases and it appears that NiFi CA is attempting to supersede your manually generated configuration.

If you don't have a compelling reason to manually manage your TLS settings, I would suggest using NiFi CA from the start. A walkthrough is available that uses docker. However, if you already have a different cluster, you should be able to skip to t...

If you use that walkthrough without the docker part though, you will probably need to substitute your NiFi node hostnames into the Node Identities xml segment.

@Ali Bajwa

Contributor

@brosander

Hi, I already changed nodeidentities.xml with my host name. I want to use NiFi CA to enable SSL, but once I set up everything using NiFi CA in Ambari, I need the NiFi toolkit to generate the .pem and .p12 files to use in the browser. Currently we don't have nifi-toolkit available with the NiFi installation (NiFi 1.0), that's why I downloaded the NiFi toolkit from Apache and generated certificates in standalone mode.

Am I doing anything wrong?

Contributor

Hi @brosander

I followed the same approach as you mentioned: created a new cluster and generated CA certificates at the time of installation. Then I generated a standalone certificate using the toolkit and imported it into the browser to access NiFi.

But I am getting "the site can't be reached". Please find the attached image capture.png.

Contributor

@vnandigam

Did you run the toolkit in client mode to generate your client certificate?

bin/tls-toolkit.sh client -c YOUR_CA_FQDN -D 'CN=admin, OU=NIFI' -p 10443 -T pkcs12 -t YOUR_CA_TOKEN

That will ask the NiFi CA for a certificate the cluster will see as valid. Standalone and client/server mode are two different modes of operation that shouldn't be mixed.

If the above command is how you generated your client certificate, we have seen some browser issues in testing this functionality where certain browsers don't notice new client certs available.

I'd suggest trying a different browser or private browsing / incognito mode to see if it's some weird browser behavior.

Contributor

Yes, I used the above command to generate my certificate. I will test in Mozilla and will let you know.

Contributor

Sorry, it's my mistake. I used standalone mode to generate the certificate, not client mode.