
NIFI security setup

Contributor

Hi,

I am trying to set up security on my NiFi node so that I can do secure site-to-site data transfers. I followed the articles below to configure security and generate certificates.

https://community.hortonworks.com/articles/58009/hdf-20-enable-ssl-for-apache-nifi-from-ambari.html

https://community.hortonworks.com/content/kbentry/58233/using-the-tls-toolkit-to-simplify-security.h...

I configured all properties as mentioned above to enable SSL at the Ambari level. Then I generated a standalone certificate and copied nifi.properties, the keystore and the truststore into the nifi/conf directory as mentioned.

Then whenever I restart my NiFi service it gives me the following exception. Please let me know where I am doing something wrong.

Traceback (most recent call last):
  File "/var/lib/ambari-agent/cache/common-services/NIFI/1.0.0/package/scripts/nifi.py", line 231, in <module>
    Master().execute()
  File "/usr/lib/python2.6/site-packages/resource_management/libraries/script/script.py", line 280, in execute
    method(env)
  File "/usr/lib/python2.6/site-packages/resource_management/libraries/script/script.py", line 725, in restart
    self.start(env)
  File "/var/lib/ambari-agent/cache/common-services/NIFI/1.0.0/package/scripts/nifi.py", line 148, in start
    self.configure(env, is_starting = True)
  File "/var/lib/ambari-agent/cache/common-services/NIFI/1.0.0/package/scripts/nifi.py", line 99, in configure
    Execute('JAVA_HOME='+params.jdk64_home+' '+ca_client_script+' client -F -f '+ca_client_json, user=params.nifi_user)
  File "/usr/lib/python2.6/site-packages/resource_management/core/base.py", line 155, in __init__
    self.env.run()
  File "/usr/lib/python2.6/site-packages/resource_management/core/environment.py", line 160, in run
    self.run_action(resource, action)
  File "/usr/lib/python2.6/site-packages/resource_management/core/environment.py", line 124, in run_action
    provider_action()
  File "/usr/lib/python2.6/site-packages/resource_management/core/providers/system.py", line 273, in action_run
    tries=self.resource.tries, try_sleep=self.resource.try_sleep)
  File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py", line 71, in inner
    result = function(command, **kwargs)
  File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py", line 93, in checked_call
    tries=tries, try_sleep=try_sleep)
  File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py", line 141, in _call_wrapper
    result = _call(command, **kwargs_copy)
  File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py", line 294, in _call
    raise Fail(err_msg)
resource_management.core.exceptions.Fail: Execution of 'JAVA_HOME=/usr/jdk64/jdk1.8.0_77 /var/lib/ambari-agent/cache/common-services/NIFI/1.0.0/package/files/nifi-toolkit-1.0.0.2.0.0.0-579/bin/tls-toolkit.sh client -F -f /etc/nifi/2.0.0.0-579/0/nifi-certificate-authority-client.json' returned 3. 2016-10-02 00:09:43,075 ERROR [main] o.a.n.t.t.s.c.TlsCertificateAuthorityClient Unable to open existing keystore, it can be reused by specifiying both configJson and useConfigJson
Service client error: Keystore was tampered with, or password was incorrect

Usage: tls-toolkit service [-h] [args]

Services:
   standalone: Creates certificates and config files for nifi cluster.
   server: Acts as a Certificate Authority that can be used by clients to get Certificates
   client: Generates a private key and gets it signed by the certificate authority.

Contributor

bin/tls-toolkit.sh standalone -c ip-10-0-0-197.eu-west-1.compute.internal -n 'ip-10-0-0-197.eu-west-1.compute.internal' -C 'CN=nifi1,OU=hortonworks' -O -o /usr/test/security_output

This is the command I used.

Contributor

Please try client mode, not standalone mode. NiFi CA and standalone are two different modes that are not compatible with each other.

Client mode documentation

Contributor

@brosander

I tested in a different browser with standalone mode and am still facing the same issue.

Contributor

@brosander

I changed to client mode, and now I am able to authenticate. But, as I mentioned in the other question, I am now getting permission issues. Please find the attached image. I already checked the authorizations file; the policies are already there.

(attached screenshot: capture.png)

Contributor

Awesome! Glad the authentication worked.

As far as authorization goes, it is important that the initial admin DN matches exactly (whitespace matters) the DN of the certificate you received. You should be able to see the exact DN string in the nifi logs.

You may need to manually change the authorizations.xml file if it is incorrect, as I believe it will not be updated by Ambari once generated.
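The exact-match requirement in the reply above is easy to miss by eye, because the only difference is often a space after a comma. The script below is an added example, not code from the thread or from NiFi: it reads the Initial Admin Identity from an authorizers.xml fragment, looks the identity up in users.xml, lists the policies granted to that user in authorizations.xml, and reports where the admin identity diverges from the DN the server logged. All three XML fragments, the user identifier and the logged DN are constructed for the example and follow the layout of NiFi 1.x file-provider configs; NiFi compares identities as plain strings, which is why the check is a literal equality test rather than an X.500 DN comparison.

```python
"""Check that NiFi's Initial Admin Identity matches the DN the server saw.

Added example (not from the original thread). The XML below is constructed
to resemble NiFi 1.x authorizers.xml / users.xml / authorizations.xml; the
user identifier and the logged DN are made-up values.
"""
import xml.etree.ElementTree as ET

AUTHORIZERS_XML = """<authorizers>
  <authorizer>
    <identifier>file-provider</identifier>
    <class>org.apache.nifi.authorization.FileAuthorizer</class>
    <property name="Initial Admin Identity">CN=nifi1, OU=hortonworks</property>
  </authorizer>
</authorizers>"""

USERS_XML = """<tenants>
  <groups/>
  <users>
    <user identifier="u-0001" identity="CN=nifi1, OU=hortonworks"/>
  </users>
</tenants>"""

AUTHORIZATIONS_XML = """<authorizations>
  <policies>
    <policy identifier="p-1" resource="/flow" action="R"><user identifier="u-0001"/></policy>
    <policy identifier="p-2" resource="/policies" action="W"><user identifier="u-0001"/></policy>
  </policies>
</authorizations>"""

# Identity as a constructed nifi-user.log line would show it: no space after the comma.
LOG_DN = "CN=nifi1,OU=hortonworks"


def initial_admin_identity(authorizers_xml):
    """Return the Initial Admin Identity property (outer whitespace stripped; inner kept)."""
    for prop in ET.fromstring(authorizers_xml).iter("property"):
        if prop.get("name") == "Initial Admin Identity":
            return (prop.text or "").strip()
    return ""


def identity_diff(expected, actual):
    """None if identical, otherwise a description of the first difference.
    NiFi matches identities as exact strings, so 'CN=a, OU=b' != 'CN=a,OU=b'."""
    if expected == actual:
        return None
    if "".join(expected.split()) == "".join(actual.split()):
        return "whitespace-only difference (e.g. spacing after commas)"
    for i, (e, a) in enumerate(zip(expected, actual)):
        if e != a:
            return f"first difference at index {i}: {e!r} vs {a!r}"
    return f"one identity is a prefix of the other (lengths {len(expected)} vs {len(actual)})"


def user_identifier_for(users_xml, identity):
    """Look up the user's identifier in users.xml by exact identity string."""
    for user in ET.fromstring(users_xml).iter("user"):
        if user.get("identity") == identity:
            return user.get("identifier")
    return None


def policies_for_user(authorizations_xml, user_id):
    """All (resource, action) pairs granted directly to the user in authorizations.xml."""
    grants = []
    for policy in ET.fromstring(authorizations_xml).iter("policy"):
        if any(u.get("identifier") == user_id for u in policy.findall("user")):
            grants.append((policy.get("resource"), policy.get("action")))
    return grants


def check_admin(authorizers_xml, users_xml, authorizations_xml, log_dn):
    """Walk the chain admin identity -> users.xml -> authorizations.xml for the logged DN."""
    admin = initial_admin_identity(authorizers_xml)
    result = {"initial_admin": admin, "log_dn": log_dn, "ok": False, "problem": None, "policies": []}
    diff = identity_diff(admin, log_dn)
    if diff:
        result["problem"] = f"Initial Admin Identity does not match certificate DN: {diff}"
        return result
    user_id = user_identifier_for(users_xml, log_dn)
    if user_id is None:
        result["problem"] = "no <user> in users.xml with that identity"
        return result
    result["policies"] = policies_for_user(authorizations_xml, user_id)
    if not result["policies"]:
        result["problem"] = "user exists but has no policies in authorizations.xml"
        return result
    result["ok"] = True
    return result


if __name__ == "__main__":
    for dn in (LOG_DN, "CN=nifi1, OU=hortonworks"):
        r = check_admin(AUTHORIZERS_XML, USERS_XML, AUTHORIZATIONS_XML, dn)
        print(f"{dn!r}: ok={r['ok']} problem={r['problem']} policies={r['policies']}")
```

Run it against copies of your own conf files by replacing the constructed strings with the file contents and LOG_DN with the identity string from nifi-user.log; the first run above fails on the whitespace difference, the second passes because the logged DN matches the configured admin identity character for character.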