NIFI security setup



I am trying to set up security on my NiFi node so that I can send secure site-to-site data transfers. I followed the articles below to configure security and generate certificates.

I configured all properties as mentioned above to enable SSL at the Ambari level. Then I generated a standalone certificate and copied the nifi.properties, keystore and truststore properties into the nifi/conf directory as mentioned.

Then whenever I restart my NiFi service it gives me the following exception. Please let me know where I am doing something wrong.

Traceback (most recent call last):
  File "/var/lib/ambari-agent/cache/common-services/NIFI/1.0.0/package/scripts/", line 231, in <module>
  File "/usr/lib/python2.6/site-packages/resource_management/libraries/script/", line 280, in execute
  File "/usr/lib/python2.6/site-packages/resource_management/libraries/script/", line 725, in restart
  File "/var/lib/ambari-agent/cache/common-services/NIFI/1.0.0/package/scripts/", line 148, in start
    self.configure(env, is_starting = True)
  File "/var/lib/ambari-agent/cache/common-services/NIFI/1.0.0/package/scripts/", line 99, in configure
    Execute('JAVA_HOME='+params.jdk64_home+' '+ca_client_script+' client -F -f '+ca_client_json, user=params.nifi_user)
  File "/usr/lib/python2.6/site-packages/resource_management/core/", line 155, in __init__
  File "/usr/lib/python2.6/site-packages/resource_management/core/", line 160, in run
    self.run_action(resource, action)
  File "/usr/lib/python2.6/site-packages/resource_management/core/", line 124, in run_action
  File "/usr/lib/python2.6/site-packages/resource_management/core/providers/", line 273, in action_run
    tries=self.resource.tries, try_sleep=self.resource.try_sleep)
  File "/usr/lib/python2.6/site-packages/resource_management/core/", line 71, in inner
    result = function(command, **kwargs)
  File "/usr/lib/python2.6/site-packages/resource_management/core/", line 93, in checked_call
    tries=tries, try_sleep=try_sleep)
  File "/usr/lib/python2.6/site-packages/resource_management/core/", line 141, in _call_wrapper
    result = _call(command, **kwargs_copy)
  File "/usr/lib/python2.6/site-packages/resource_management/core/", line 294, in _call
    raise Fail(err_msg)
resource_management.core.exceptions.Fail: Execution of 'JAVA_HOME=/usr/jdk64/jdk1.8.0_77 /var/lib/ambari-agent/cache/common-services/NIFI/1.0.0/package/files/nifi-toolkit- client -F -f /etc/nifi/' returned 3. 2016-10-02 00:09:43,075 ERROR [main] o.a.n.t.t.s.c.TlsCertificateAuthorityClient Unable to open existing keystore, it can be reused by specifiying both configJson and useConfigJson
Service client error: Keystore was tampered with, or password was incorrect

Usage: tls-toolkit service [-h] [args]

   standalone: Creates certificates and config files for nifi cluster.
   server: Acts as a Certificate Authority that can be used by clients to get Certificates
   client: Generates a private key and gets it signed by the certificate authority.


bin/ standalone -c -n '' -C 'CN=nifi1,OU=hortonworks' -O -o /usr/test/security_output,

This is the command I used.


Please try client mode, not standalone mode. NiFi CA and standalone are two different modes that are not compatible with each other.

Client mode documentation



I tested in a different browser with standalone mode. Still facing the same issue.



I changed to client mode, and then I am able to authenticate. But as I mentioned in the other question, I am now getting permission issues. Please find the attached image. I already checked the authorization file; the policies are already there.



Awesome! Glad the authentication worked.

As far as authorization goes, it is important that the initial admin DN matches exactly (whitespace matters) the DN of the certificate you received. You should be able to see the exact DN string in the NiFi logs.

You may need to manually change the authorizations.xml files if they are incorrect, as I believe that they will not be updated by Ambari once generated.
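
The exact-match requirement described in the last reply, as an added example that is not part of the original thread and is not NiFi or Ambari code: it compares a configured initial admin identity with the DN string seen in the logs and names the kind of mismatch. The sample DNs are constructed and the function names are hypothetical; only the "exact match" result counts as matching.

```python
import re

def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped; trim each RDN."""
    return [p.strip() for p in re.split(r'(?<!\\),', dn) if p.strip()]

def normalize(dn):
    """Diagnostic form only: uppercase attribute types, drop spacing around ',' and '='."""
    out = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition('=')
        out.append(f"{attr.strip().upper()}={value.strip()}")
    return out

def diagnose(configured, presented):
    """Explain how the configured identity differs from the DN in the logs."""
    if configured == presented:
        return "exact match"
    if configured.strip() == presented.strip():
        return "leading/trailing whitespace differs"
    c, p = normalize(configured), normalize(presented)
    if c == p:
        return "whitespace or attribute-name case differs"
    if sorted(c) == sorted(p):
        return "RDN order differs"
    if [x.lower() for x in c] == [x.lower() for x in p]:
        return "value case differs"
    return "different identity"

if __name__ == "__main__":
    # Constructed sample: the DN string as it might appear in the logs.
    presented = "CN=nifi1, OU=hortonworks"
    # Constructed candidates for the configured initial admin identity.
    candidates = [
        "CN=nifi1, OU=hortonworks",
        "CN=nifi1,OU=hortonworks",
        "CN=nifi1, OU=hortonworks ",
        "OU=hortonworks, CN=nifi1",
        "CN=NiFi1, OU=hortonworks",
        "CN=admin, OU=hortonworks",
    ]
    for configured in candidates:
        print(f"{configured!r:32} -> {diagnose(configured, presented)}")
```

Anything other than "exact match" means the configured identity string should be replaced with the DN copied verbatim from the logs.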