Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

NiFi SAN IP using toolkit | NiFI Registry

Labels:
avatar
author-rank oneofthemany
New Contributor

Created ‎02-05-2024 04:17 AM

how do use the NiFi toolkit to create an IP within the SAN as mentioned here:

https://nifi.apache.org/docs/nifi-docs/html/walkthroughs.html#securing-nifi-with-tls-toolkit:~:text=...

I am using the following script:

 

bash "${NIFI_HOME_DIR}"/nifi/nifi-toolkit-current/bin/tls-toolkit.sh standalone -O -n "localhost,${NIFI_SAN_DNS}" -C "${cn}" --subjectAlternativeNames "${NIFI_SAN_DNS},IP:${NIFI_SAN_IP}" -o "${NIFI_HOME_DIR}"/key_trust

 


my output is as follows from my bash script:

 

tls-toolkit.sh: JAVA_HOME not set; results may vary
The TLS Toolkit is deprecated and targeted for removal in Apache NiFi 2.0.
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine - No nifiPropertiesFile specified, using embedded one.
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - Running standalone certificate generation with output directory /var/mnt/NiFi/key_trust
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - Generated new CA certificate /var/mnt/NiFi/key_trust/nifi-cert.pem and key /var/mnt/NiFi/key_trust/nifi-key.key
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - Using alternate name nifi.server.home with hostname localhost.
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - Writing new ssl configuration to /var/mnt/NiFi/key_trust/localhost
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - Successfully generated TLS configuration for localhost 1 in /var/mnt/NiFi/key_trust/localhost
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - Using alternate name IP:192.168.1.2 with hostname nifi.server.home.
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - Writing new ssl configuration to /var/mnt/NiFi/key_trust/nifi.server.home
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - Successfully generated TLS configuration for nifi.server.home 1 in /var/mnt/NiFi/key_trust/nifi.server.home
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - Generating new client certificate /var/mnt/NiFi/key_trust/CN=sherloq_key_OU=NiFi_C=GB.p12
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - Successfully generated client certificate /var/mnt/NiFi/key_trust/CN=sherloq_key_OU=NiFi_C=GB.p12
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - tls-toolkit standalone completed successfully

 


and when I look at the SAN in the cert all I see is the following:

 

root@fedora:/var/mnt/NiFi/key_trust# openssl x509 -in nifi-cert.pem -text -noout | grep "DNS"
                DNS:localhost

 


and there is no IP or additional SAN and within chrome I have the following:
oneofthemany_0-1707135148349.png

 

my main issue is that we need the SAN IP to be able to talk to NiFi registry when using SSL but I cannot seem to get the communication to work

here is my full build script for NiFi:

 

#!/bin/bash

function info {
         tput bold;
         tput setaf 3;
         echo $1;
         tput sgr0;
}

# Check if the user has root privileges
if [[ $EUID -ne 0 ]]; then
  echo "YOU MUST BE ROOT TO RUN THIS SCRIPT."
  exit 1
fi

podman rm -f nifi
wait

info "=== Before we begin we need some information ==="
read -r -p "PRESS ENTER WHEN READY"

info "=== LINUX OS DETERMINATION ==="
# shellcheck disable=SC2155
# shellcheck disable=SC2002
export ID=$( cat /etc/os-release | awk -F= '$1=="ID" { print $2 ;}')

# shellcheck disable=SC2155
# shellcheck disable=SC2002
export VARIANT=$( cat /etc/os-release | awk -F= '$1=="VARIANT_ID" { print $2 ;}')
echo "${ID}" "${VARIANT}"

info "=== Setting up NiFI ==="
sleep 1

info "=== Add a Custom Root Directory Location for your Containers ==="
read -r -p "Enter Custom Directory [/var/mnt]: " rootDir
export ROOT_DIR=${rootDir:-/var/mnt}
export NIFI_HOME_DIR=${ROOT_DIR}/NiFi
sleep 1
info "=== Add a Custom CN Key Name ==="
read -r -p "Enter CN Key Name Here [nifi_key]: " keyName
export key_name=${keyName:-nifi_key}
# shellcheck disable=SC2140
export key="${NIFI_HOME_DIR}"/key_trust/"'CN=${key_name:-nifi_key}_OU=NiFi_C=GB.p12'"
export cn="CN=${key_name}, OU=NiFi, C=GB"

info "=== Add a Custom Port for your NiFi Container ==="
read -r -p "Enter Custom Port [default: 8181]: " nifiPort
export NIFI_PORT=${nifiPort:-8181}
# shellcheck disable=SC2155
export NIFI_PORT_CHECK=$(lsof -i -P -n | grep "${NIFI_PORT}")

if [[ "${NIFI_PORT_CHECK}" != "" ]]; then
  info "=== PORT IN USE - WOULD YOU LIKE ME TO CHOOSE A PORT FOR YOU? ==="
  read -r -p "Please Enter your Response [enter: Y/y or N/n]: " nifiAnswer
  export NIFI_ANSWER=${nifiAnswer:-}
fi

if [[ "${NIFI_ANSWER}" =~ (Y|y) ]]; then
while [[ -n "${NIFI_PORT_CHECK}" ]]; do
  echo "Port ${NIFI_PORT} is in use. Trying another port..."
  NIFI_PORT=$((NIFI_PORT + 1))
  NIFI_PORT_CHECK=$(lsof -i -P -n | grep "${NIFI_PORT}")
done

elif [[ "${NIFI_ANSWER}" =~ (N|n) ]]; then
while [[ -n "${NIFI_PORT_CHECK}" ]]; do
  echo "Port ${NIFI_PORT} is in use. Trying another port..."
  read -r -p "Enter a new port: " newNIFIPort
  NIFI_PORT=${newNIFIPort}
  NIFI_PORT_CHECK=$(lsof -i -P -n | grep "${NIFI_PORT}")
done

fi

info "=== Add a Custom Port for Protobuf ==="
read -r -p "Enter Custom Port [default: 8282]: " protobufPort
export PROTO_PORT=${protobufPort:-8282}
# shellcheck disable=SC2155
export PROTO_PORT_CHECK=$(lsof -i -P -n | grep "${PROTO_PORT}")

if [[ "${PROTO_PORT_CHECK}" != "" ]]; then
  info "=== PORT IN USE - WOULD YOU LIKE ME TO CHOOSE A PORT FOR YOU? ==="
  read -r -p "Please Enter your Response [enter: Y/y or N/n]: " protoAnswer
  export PROTO_ANSWER=${protoAnswer:-}
fi

if [[ "${PROTO_ANSWER}" =~ (Y|y) ]]; then
while [[ -n "${PROTO_PORT_CHECK}" ]]; do
  echo "Port ${PROTO_PORT} is in use. Trying another port..."
  PROTO_PORT=$((PROTO_PORT + 1))
  PROTO_PORT_CHECK=$(lsof -i -P -n | grep "${PROTO_PORT}")
done

elif [[ "${PROTO_ANSWER}" =~ (N|n) ]]; then
while [[ -n "${PROTO_PORT_CHECK}" ]]; do
  echo "Port ${PROTO_PORT} is in use. Trying another port..."
  read -r -p "Enter a new port: " newPROTOPort
  PROTO_PORT=${newPROTOPort}
  PROTO_PORT_CHECK=$(lsof -i -P -n | grep "${PROTO_PORT}")
done

fi

info "=== Add a Custom Port for Web Proxy for NiFi ==="
read -r -p "Enter Custom Port [default: 9191]: " nifiProxy
export NIFI_WEB_PROXY_PORT=${nifiProxy:-9191}
# shellcheck disable=SC2155
export PROXY_PORT_CHECK=$(lsof -i -P -n | grep "${NIFI_WEB_PROXY_PORT}")

if [[ "${PROXY_PORT_CHECK}" != "" ]]; then
  info "=== PORT IN USE - WOULD YOU LIKE ME TO CHOOSE A PORT FOR YOU? ==="
  read -r -p "Please Enter your Response [enter: Y/y or N/n]: " proxyAnswer
  export PROXY_ANSWER=${proxyAnswer:-}
fi

if [[ "${PROXY_ANSWER}" =~ (Y|y) ]]; then
while [[ -n "${PROXY_PORT_CHECK}" ]]; do
  echo "Port ${NIFI_WEB_PROXY_PORT} is in use. Trying another port..."
  NIFI_WEB_PROXY_PORT=$((NIFI_WEB_PROXY_PORT + 1))
  PROXY_PORT_CHECK=$(lsof -i -P -n | grep "${NIFI_WEB_PROXY_PORT}")
done

elif [[ "${PROXY_ANSWER}" =~ (N|n) ]]; then
while [[ -n "${PROXY_PORT_CHECK}" ]]; do
  echo "Port ${NIFI_WEB_PROXY_PORT} is in use. Trying another port..."
  read -r -p "Enter a new port: " newPROXYPort
  NIFI_WEB_PROXY_PORT=${newPROXYPort}
  PROXY_PORT_CHECK=$(lsof -i -P -n | grep "${NIFI_WEB_PROXY_PORT}")
done
fi

echo "Port ${NIFI_WEB_PROXY_PORT} is available."
info "=== Please take note of port as you will need to login to NiFi ==="
read -r -p "PRESS ENTER WHEN READY"

# shellcheck disable=SC2155
export NIFI_WEB_PROXY_IP="$(ip route get 8.8.8.8 | grep -oP 'src \K[^ ]+')"
# shellcheck disable=SC2155
export NIFI_SAN_IP="${NIFI_WEB_PROXY_IP}"
# shellcheck disable=SC2155
export NIFI_NET_IP=$(ip ro | awk -v san_ip="${NIFI_SAN_IP}" '$0 ~ san_ip && $2 == "dev" {print $1; exit}')
export NIFI_NET_IP=${NIFI_NET_IP%/*}
export NIFI_SAN_DNS=nifi.server.home
export NIFI_WEB_PROXY_HOST=${NIFI_WEB_PROXY_IP}:${NIFI_WEB_PROXY_PORT}

info "=== INFLUX SNAPSHOT VERSION ==="
read -r -p "Enter Snapshot Version ..or.. ENTER TO ACCEPT DEFAULT [default:1.28.0-SNAPSHOT]: " snapshotVersion
export influx_version=${snapshotVersion:-1.28.0-SNAPSHOT}

info "=== NIFI VERSION ==="
read -r -p "Enter NIFI Version ..or.. ENTER TO ACCEPT CURRENT KNOWN WORKING [current known working:1.25.0]: " nifiVersion
export nifi_version=${nifiVersion:-1.25.0}

# shellcheck disable=SC2155
export work_dir=$(pwd)

if [[ ! -d ${NIFI_HOME_DIR} ]]; then
mkdir -p "${NIFI_HOME_DIR}"
elif [[ -d ${NIFI_HOME_DIR} ]]; then
  rm -rf "${NIFI_HOME_DIR}"; mkdir "${NIFI_HOME_DIR}"
fi

mkdir -p "${NIFI_HOME_DIR}"/UID
touch "${NIFI_HOME_DIR}"/UID/admin
sleep 1
# shellcheck disable=SC2027
echo """${cn}""" > "${NIFI_HOME_DIR}"/UID/admin

podman pull docker.io/apache/nifi:"${nifi_version}"

podman run -d \
--name nifi_cp \
-p "${NIFI_PORT}":8080 \
nifi:"${nifi_version}"

podman run -d \
--name protobuf \
-p "${PROTOBUF_PORT}":8080 \
whiver/nifi-protobuf:latest

## influx ##
if [[ ! -e ${work_dir}/nifi-influx-database-nar-${influx_version}.nar ]]; then
wget https://github.com/influxdata/nifi-influxdb-bundle/releases/download/v"${influx_version}"/nifi-influx-database-nar-"${influx_version}".nar
fi


## apache iotdb ##
wget https://repo1.maven.org/maven2/org/apache/nifi/nifi-iotdb-nar/"${nifi_version}"/nifi-iotdb-nar-"${nifi_version}".nar

podman cp nifi_cp:/opt/nifi "${NIFI_HOME_DIR}"
podman cp protobuf:/opt/nifi/nifi-1.4.0/lib/nifi-protobuf-processor-0.2.0.nar "${NIFI_HOME_DIR}"/nifi/nifi-current/lib/

# shellcheck disable=SC2086
mkdir ${NIFI_HOME_DIR}/nifi/certs && mkdir "${NIFI_HOME_DIR}"/nifi-registry && mkdir "${NIFI_HOME_DIR}"/nifi-registry/certs/

mv "${work_dir}"/nifi-influx-database-nar-"${influx_version}".nar "${NIFI_HOME_DIR}"/nifi/nifi-current/lib/.
mv "${work_dir}"/nifi-iotdb-nar-"${nifi_version}".nar "${NIFI_HOME_DIR}"/nifi/nifi-current/lib/.

podman stop nifi_cp && podman stop protobuf
wait
podman rm -f nifi_cp && podman rm -f protobuf
wait

cd "${NIFI_HOME_DIR}"/nifi/nifi-toolkit-current/bin/ || return

#bash "${NIFI_HOME_DIR}"/nifi/nifi-toolkit-current/bin/tls-toolkit.sh standalone -O -n "${NIFI_SAN_IP}" -C "${cn}" -o "${NIFI_HOME_DIR}"/key_trust
# shellcheck disable=SC2027
bash "${NIFI_HOME_DIR}"/nifi/nifi-toolkit-current/bin/tls-toolkit.sh standalone -O -n "localhost,${NIFI_SAN_DNS}" -C "${cn}" --subjectAlternativeNames "${NIFI_SAN_DNS},IP:192.168.1.2" -o "${NIFI_HOME_DIR}"/key_trust

mv "${NIFI_HOME_DIR}"/key_trust/localhost/*.jks "${NIFI_HOME_DIR}"/nifi/certs/ && chown 1000:1000 -R "${NIFI_HOME_DIR}" && cp "${NIFI_HOME_DIR}"/nifi/certs/* "${NIFI_HOME_DIR}"/nifi-registry/certs/

# shellcheck disable=SC2002
KEYSTORE_PASSWORD="$(cat "${NIFI_HOME_DIR}"/key_trust/localhost/nifi.properties | grep nifi.security.keystorePasswd)"
KEYSTORE_PASSWORD="$(echo -n "${KEYSTORE_PASSWORD//nifi.security.keystorePasswd=/""}")"
# shellcheck disable=SC2002
TRUSTSTORE_PASSWORD="$(cat "${NIFI_HOME_DIR}"/key_trust/localhost/nifi.properties | grep nifi.security.truststorePasswd)"
TRUSTSTORE_PASSWORD="$(echo -n "${TRUSTSTORE_PASSWORD//nifi.security.truststorePasswd=/""}")"
USER_ID="$(cat "${NIFI_HOME_DIR}"/UID/admin)"



## nifi config optimisation ##
sed -i 's/java.arg.2=-Xms512m/java.arg.2=-Xms10g/g' "${NIFI_HOME_DIR}"/nifi/nifi-current/conf/bootstrap.conf
sed -i 's/java.arg.3=-Xmx512m/java.arg.3=-Xmx10g/g' "${NIFI_HOME_DIR}"/nifi/nifi-current/conf/bootstrap.conf
##rm /home/NiFi/nifi/nifi-current/conf/authorizers.xml

podman run -d \
--name nifi \
--security-opt label=disable \
--privileged \
-v "${NIFI_HOME_DIR}"/nifi/certs:/opt/certs \
-v "${NIFI_HOME_DIR}"/nifi/nifi-current/lib:/opt/nifi/nifi-current/lib \
-p "${NIFI_WEB_PROXY_PORT}":8443 \
-e NIFI_WEB_PROXY_HOST="${NIFI_WEB_PROXY_HOST}" \
-e AUTH=tls \
-e KEYSTORE_PATH=/opt/certs/keystore.jks \
-e KEYSTORE_TYPE=JKS \
-e KEYSTORE_PASSWORD="$KEYSTORE_PASSWORD" \
-e TRUSTSTORE_PATH=/opt/certs/truststore.jks \
-e TRUSTSTORE_TYPE=JKS \
-e TRUSTSTORE_PATH=/opt/certs/truststore.jks \
-e TRUSTSTORE_PASSWORD="$TRUSTSTORE_PASSWORD" \
-e INITIAL_ADMIN_IDENTITY="$USER_ID" \
nifi:"${nifi_version}"

## remove for new approach ##
#-v "${NIFI_HOME_DIR}"/nifi/nifi-current/lib/nifi-protobuf-processor-0.2.0.nar:/opt/nifi/nifi-current/lib/nifi-protobuf-processor-0.2.0.nar \
#-v "${NIFI_HOME_DIR}"/nifi/nifi-current/lib/nifi-influx-database-nar-"${influx_version}".nar:/opt/nifi/nifi-current/lib/nifi-influx-database-nar-"${influx_version}".nar \

if [[ ! -e /etc/systemd/system/nifi.service ]]; then
  cat << EOF > /etc/systemd/system/nifi.service
  [Unit]
  Description=NiFi Container
  After=firewalld.service

  [Service]
  Restart=always
  ExecStart=/usr/bin/podman start -a nifi
  ExecStop=/usr/bin/podman stop -t 2 nifi

  [Install]
  WantedBy=multi-user.target
EOF

systemctl enable nifi.service && systemctl start nifi.service

fi

info "=== DO YOU INTEND TO ACCESS NIFI FROM A REMOTE HOST? ==="
read -r -p "Please Enter your Response [enter: Y/y or N/n]: " hostAnswer
export HOST_ANSWER=${hostAnswer:-}

if [[ "${HOST_ANSWER}" =~ (Y|y) ]]; then
info "=== Set up Remote Host Details for NIFI Key ==="
sleep 1
info "=== NOTE: YOU NEED SSH ENABLED ON REMOTE HOST ==="
sleep 2

info "=== Add a SCP User ==="
read -r -p "Enter Remote User Name [insert user here]: " userName
export scp_user=${userName:-}

info "=== Add Remote User Password ===="
read -r -s -p "Enter Your User Password [insert password here]: " userPasswd
echo
echo "Re-enter Your User Password: "
read -r -s -p "" userPasswd2

# shellcheck disable=SC2053
while [[ $userPasswd != $userPasswd2 ]]; do
  echo "Passwords do not match."
  echo "Please try again."
  read -r -s -p "Enter Your User Password: " userPasswd
  echo
  read -r -s -p "Please Re-Enter Your User Password: " userPasswd2
  echo
done

echo "Passwords Match Hooray."
export ssh_pwd=${userPasswd:-}

info "=== Add Remote Host IP Address ==="
read -r -p "Enter Your IP Here [192.168.1.1]: " remoteIpAddress
export scp_ip=${remoteIpAddress:-192.168.1.1}

info "=== Add Remote Host SSH Port ==="
read -r -p "Enter Your Port Here [Default: 22]: " remotePort
export scp_port=${remotePort:-22}

info "=== Add Remote SCP Directory ==="
sleep 1
info "=== NOTE: TAKE THIS OPPORTUNITY TO SETUP A FOLDER ON REMOTE HOST ==="
read -r -p "PRESS ENTER WHEN READY"

read -r -p "Enter Remote Directory [example:/Users/${scp_user}/Desktop/p12]: " remoteDir
export remote_dir=${remoteDir:-/Users/${scp_user}/Desktop/p12}

sshpass -p "${ssh_pwd}" scp -P "${scp_port}" -o StrictHostKeyChecking=no "${key}" "${scp_user}"@"${scp_ip}":"${remote_dir}"

elif [[ "${HOST_ANSWER}" =~ (N|n) ]]; then

info "=== Add Local Directory for NiFI p12 key and pwd ==="
sleep 1
info "=== NOTE: TAKE THIS OPPORTUNITY TO SETUP A FOLDER ON YOUR HOST ==="
read -r -p "PRESS ENTER WHEN READY"

# shellcheck disable=SC2155
export local_user=$(who | awk 'NR==1 {print$1}')

read -r -p "Enter Local Directory [example:/var/home/${local_user}/Documents/p12]: " localDir
export local_dir=${localDir:-/var/home/${local_user}/Documents/p12}

cp "${NIFI_HOME_DIR}"/key_trust/CN* "${local_dir}"/.

chown 1000:1000 "${local_dir}"/*

fi

info "=== DETERMINING FIREWALL STATE ==="
if [[ "${ID}" = "fedora" ]]; then
# shellcheck disable=SC2155
export FIREWALL_STATE=$(firewall-cmd --state)
echo "${VARIANT}" "${ID}" "${FIREWALL_STATE}"
elif [[ "${ID}" == "debian" || "${ID}" == "ubuntu" ]]; then
# shellcheck disable=SC2155
export FIREWALL_STATE=$(ufw status | awk -F: '$1=="Status" { print $2;}')
echo "${VARIANT}" "${ID}" "${FIREWALL_STATE}"
fi

if [[ "${ID}" = "fedora" ]]; then
# shellcheck disable=SC2155
export ACTIVE_ZONE=$(firewall-cmd --get-active-zones | awk 'NR==1' | grep -o '^[^(]*')
echo "ACTIVE ZONE=""${ACTIVE_ZONE}"
fi

if [[ "${ID}" == "fedora" ]] && [[ "${FIREWALL_STATE}" == "running" ]]; then
  echo "== FIREWALL IS RUNNING - APPLYING INFLUX PORTS TO FIREWALL =="
  firewall-cmd --zone="${ACTIVE_ZONE}" --permanent --add-port="${NIFI_WEB_PROXY_PORT}"/tcp
  firewall-cmd --reload
elif [[ "${ID}" == "debian" || "${ID}" == "ubuntu" ]] && [[ "${FIREWALL_STATE}" == "active" ]]; then
    echo "== FIREWALL IS ACTIVE - APPLYING INFLUX PORTS TO FIREWALL =="
    ufw allow "${NIFI_WEB_PROXY_PORT}"/tcp
    ufw disable && ufw enable
fi


sleep 40

podman exec nifi sed -i 's/NIFI_ANALYTICS_PREDICT_ENABLED:-false/NIFI_ANALYTICS_PREDICT_ENABLED:-true/g' /opt/nifi/scripts/start.sh
podman exec nifi sed -i 's/NIFI_ANALYTICS_PREDICT_INTERVAL:-3 mins/NIFI_ANALYTICS_PREDICT_INTERVAL:-60 mins/g' /opt/nifi/scripts/start.sh

podman stop nifi
wait
podman start nifi

# shellcheck disable=SC2155
export CN_PASSWD=$(cat "${NIFI_HOME_DIR}"/key_trust/CN*.password)
echo "CN PASSWORD: ${CN_PASSWD}"

 



 

120 Views
0 Kudos
0 REPLIES 0
webinar banner
Announcements
Community Announcements
April 2024 Community Highlights
Community Announcements
January 2024 Community Highlights
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
View More Announcements
meetups banner