Support Questions

Find answers, ask questions, and share your expertise

NIfi and Nifi Registry Integration

avatar

I have 3 nodes NiFi and 1 node Registry instances running.

Registry - SSL enabled and AD-integrated 

NIfi  - SSL enabled and AD-integrated 

 

how can I integrate NiFI with Registry, so I can start using Registry.

 

@MattWho please advice for any recommendations 

 

 

3 ACCEPTED SOLUTIONS

avatar
Master Mentor

Hello @Former Member 

Now that you have both NiFi and NiFi-Registry secured they will use TLS to authenticate with one another.  NiFi-Registry does not initiate any connections to NiFi.  NiFi will always act as the client talking to NiFi-Registry.

1. All 3 of your NiFi nodes must exist as users in the NiFi-Registry.
2. Any users who will be version controlling NiFi process Groups will need to exist as users in NiFi-Registry.
3. Your NiFi nodes must be authorized in NiFi-Registry for "Can proxy user requests" and read for "can manage buckets".  Found by clicking on settings in NiFi-Regsitry UI, then selecting Users tab, and clicking pencil to right of each of your NiFi nodes.
4. You users must create a bucket(s) in NiFi-Registry and authorize your NiFi user(s) for read, write, delete on the bucket.  From same setting UI click buckets tab, click "add bucket" then using pencil to left of bucket authorize your user(s).
5. From the NiFi UI, click on the global menu (upper right corner) --> Controller Settings --> Registry Clients tab.  Click the "+" icon to add a new NiFi-Registry client.  Provide the HTTPS://<nifi-regsitry-hostname:port> as the URL and a name of your choosing.

Provide the keystores and truststores created for your NiFi and NiFi-Registry can support mutual authentication between these two services, you will be good to go.  Otherwise check your nifi and nifi-registry app logs for any TLS handshake errors which would need to be resolved.

Hope this helps you get going with NiFi-Registry,

Matt

View solution in original post

avatar
Master Collaborator

SSLHandshakeException: PKIX path building failed, which means one or more certificated chain is missing thus SSL handshake is failing, Can you check and confirm if NiFi and NiFi Registry are both signed by same certificate signing Authority ? if not then please make sure you have imported/exchanged complete trusted chain in truststore file used by NiFi and NiFi Registry vice versa 

View solution in original post

avatar
Master Mentor

@RB764 

@ckumar is correct that what is failing here is a mutual TLS handshake.
"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
Above is telling you that one side or the other of this TLS connection is unable to establish trust for the certificate presented during the handshake.  The "PrivateKeyEntry" from the keystore file is being presented and the "trustedCertEntry"s from the truststore file are being used to verify trust for that certificate.

In order to establish trust, the complete trust chain needs to be in your truststore files.
Your PrivateKeyEntry will have an owner and an issuer.  The issuer is the signer of the certificate.
That issuer will have its own public key (TrustedCertEntry) in the truststore files.  That issuer public key will also have an owner and an issuer.  If the issuer DN is not the same as the owner DN, then it is an intermediate CA.  So again you would need the public key for the issuer of that intermediate Public key.  Once you reach the point in the trust chain where the public key owner and issuer are the same DN, then you have the complete trust chain.

You can use openssl command to get the complete trustchain in most scenarios.

openssl s_client -connect <nifi-hostname>:<nifi port> -showcerts
openssl s_client -connect <nifi-regsitry-hostname>:<nifi-registry port> -showcerts

The certs will be returned in the format of:

-----BEGIN CERTIFICATE-----
MIIFljCCA36gAwIBAgINAgO...
-----END CERTIFICATE-----

You can copy each and save it is a .pem file and import those that are missing in to your truststore files.

If NiFi-registry is secured, then NiFi will need to be secured to talk to use it.
If NiFi is secured, it is optional to secure NiFi-Registry.  (You can add a http nifi-registry client in NiFi)

If you found the information provided by anyone was helpful with your query, please take a moment to login and click "Accept" on every response that helped you to a solution.

Matt


View solution in original post

5 REPLIES 5

avatar
Master Mentor

Hello @Former Member 

Now that you have both NiFi and NiFi-Registry secured they will use TLS to authenticate with one another.  NiFi-Registry does not initiate any connections to NiFi.  NiFi will always act as the client talking to NiFi-Registry.

1. All 3 of your NiFi nodes must exist as users in the NiFi-Registry.
2. Any users who will be version controlling NiFi process Groups will need to exist as users in NiFi-Registry.
3. Your NiFi nodes must be authorized in NiFi-Registry for "Can proxy user requests" and read for "can manage buckets".  Found by clicking on settings in NiFi-Regsitry UI, then selecting Users tab, and clicking pencil to right of each of your NiFi nodes.
4. You users must create a bucket(s) in NiFi-Registry and authorize your NiFi user(s) for read, write, delete on the bucket.  From same setting UI click buckets tab, click "add bucket" then using pencil to left of bucket authorize your user(s).
5. From the NiFi UI, click on the global menu (upper right corner) --> Controller Settings --> Registry Clients tab.  Click the "+" icon to add a new NiFi-Registry client.  Provide the HTTPS://<nifi-regsitry-hostname:port> as the URL and a name of your choosing.

Provide the keystores and truststores created for your NiFi and NiFi-Registry can support mutual authentication between these two services, you will be good to go.  Otherwise check your nifi and nifi-registry app logs for any TLS handshake errors which would need to be resolved.

Hope this helps you get going with NiFi-Registry,

Matt

avatar
Explorer

@MattWhothank you for providing this response. I am in the same situation. I tried the steps you mentioned above. My apologies if I am asking a basic question, where can I get help on how I can resolve TLS handshake errors? I am getting the below error -

Error

Unable to obtain listing of buckets: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

 

After setting up Nifi and Nifi Registry should I be setting up certs to enable ssl connections between nifi and registry? Thanks in advance. 

avatar
Master Mentor

@RB764 

@ckumar is correct that what is failing here is a mutual TLS handshake.
"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
Above is telling you that one side or the other of this TLS connection is unable to establish trust for the certificate presented during the handshake.  The "PrivateKeyEntry" from the keystore file is being presented and the "trustedCertEntry"s from the truststore file are being used to verify trust for that certificate.

In order to establish trust, the complete trust chain needs to be in your truststore files.
Your PrivateKeyEntry will have an owner and an issuer.  The issuer is the signer of the certificate.
That issuer will have its own public key (TrustedCertEntry) in the truststore files.  That issuer public key will also have an owner and an issuer.  If the issuer DN is not the same as the owner DN, then it is an intermediate CA.  So again you would need the public key for the issuer of that intermediate Public key.  Once you reach the point in the trust chain where the public key owner and issuer are the same DN, then you have the complete trust chain.

You can use openssl command to get the complete trustchain in most scenarios.

openssl s_client -connect <nifi-hostname>:<nifi port> -showcerts
openssl s_client -connect <nifi-regsitry-hostname>:<nifi-registry port> -showcerts

The certs will be returned in the format of:

-----BEGIN CERTIFICATE-----
MIIFljCCA36gAwIBAgINAgO...
-----END CERTIFICATE-----

You can copy each and save it is a .pem file and import those that are missing in to your truststore files.

If NiFi-registry is secured, then NiFi will need to be secured to talk to use it.
If NiFi is secured, it is optional to secure NiFi-Registry.  (You can add a http nifi-registry client in NiFi)

If you found the information provided by anyone was helpful with your query, please take a moment to login and click "Accept" on every response that helped you to a solution.

Matt


avatar
Master Collaborator

SSLHandshakeException: PKIX path building failed, which means one or more certificated chain is missing thus SSL handshake is failing, Can you check and confirm if NiFi and NiFi Registry are both signed by same certificate signing Authority ? if not then please make sure you have imported/exchanged complete trusted chain in truststore file used by NiFi and NiFi Registry vice versa 

avatar
Explorer

@MattWho  @ckumar  thanks for your inputs! I was able to resolve the issue following the steps you mentioned. Much appreciated!