Created 06-28-2022 11:45 PM
Hi,
Getting this error while connecting to a secured NiFi instance.
I tried adding certs to the Java keystore.
/bin/cli.sh nifi current-user -p nifi.properties
ERROR: Error executing command 'current-user' : PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Created 06-29-2022 06:45 AM
@shuhaib3
The nifi.properties file is not the correct file to pass to the "-p" option for the NiFi Toolkit cli.sh. The "-p" expects you to pass a properties file you build with specific properties in it.
For example:
baseUrl=https://<target node hostname>:<target node port>
keystore=/path/to/keystore.jks
keystoreType=JKS
keystorePasswd=changeme
keyPasswd=changeme
truststore=/path/to/truststore.jks
truststoreType=JKS
truststorePasswd=changeme
proxiedEntity=nifiadmin
The nifi.properties file will not include these exact property names and includes other properties not used by cli.sh.
The following exception:
ERROR: Error executing command 'current-user' : PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
indicates a trust chain issue between client (cli.sh) and server (target NiFi). This means that the truststore is missing one or more TrustedCertEntry entries for the PrivateKeyEntry presented from the keystore in the mutual TLS handshake.
Essentially the client initiates a connection to the server. The server responds with its serverAuth certificate along with a list of trusted authorities (TrustedCertEntry entries) from the server's truststore. Every certificate, private (PrivateKeyEntry) or public (TrustedCertEntry), has an owner (the certificate's distinguished name (DN)) and an issuer (the distinguished name (DN) of the signer of that certificate). The client looks at the issuer of the server's certificate and checks its truststore for a certificate owner with that same DN. If found, it checks the issuer of that certificate to see if issuer and owner have the same DN (self-signed). If not the same, it looks again for a certificate with an owner matching that issuer DN. This continues until it finds the root signing certificate (the root certificate will have the same issuer and owner). This complete chain of certificate authorities is known as the trust chain. If the complete trust chain is missing, you get the above exception.
The same can happen in the other direction. Assume the above is successful; then the client returns its clientAuth certificate (keystore) to the server to authorize who the client is. The server (NiFi node) will verify trust in the same way using the truststore on the server side. So the complete trust chain for that client certificate must also exist on the server side. If the complete trust chain exists here as well, the mutual TLS handshake can be successful.
You can manually inspect the contents of your client and server side keystore and truststore files using the java keytool command.
<path to java>/keytool -v -list -keystore <keystore or truststore>
If you found this response assisted with your query, please take a moment to login and click on "Accept as Solution" below this post.
Thank you,
Matt
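Added example (not part of the reply above and not NiFi toolkit code): a small Java program that loads a JKS truststore and follows the issuer DN of a server certificate owner by owner until it reaches a self-signed root, reporting the first issuer DN that has no TrustedCertEntry, which is the link whose absence produces the PKIX error. It assumes the server certificate has been saved to a PEM or DER file; the file names and password on the command line are placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

public class TrustChainCheck {

    // Index every certificate in the store (TrustedCertEntry, or the cert of a
    // PrivateKeyEntry) by its owner DN, so issuers can be looked up by name.
    static Map<String, X509Certificate> loadTrusted(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, password); }
        Map<String, X509Certificate> bySubject = new HashMap<>();
        for (String alias : Collections.list(ks.aliases())) {
            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            if (c != null) bySubject.put(c.getSubjectX500Principal().getName(), c);
        }
        return bySubject;
    }

    // Follow issuer DN -> owner DN until a self-signed root is reached.
    // Returns null when the chain is complete, otherwise the DN that is missing.
    static String findMissingIssuer(X509Certificate leaf, Map<String, X509Certificate> trusted) throws Exception {
        X509Certificate cur = leaf;
        while (true) {
            String subject = cur.getSubjectX500Principal().getName();
            String issuer = cur.getIssuerX500Principal().getName();
            if (issuer.equals(subject)) {                 // root: must itself be in the truststore
                return trusted.containsKey(subject) ? null : subject;
            }
            X509Certificate signer = trusted.get(issuer);
            if (signer == null) return issuer;            // this is where PKIX path building fails
            cur.verify(signer.getPublicKey());            // same DN is not enough; check the signature
            cur = signer;
        }
    }

    // Usage (placeholder arguments): java TrustChainCheck truststore.jks changeme server-cert.pem
    public static void main(String[] args) throws Exception {
        Map<String, X509Certificate> trusted = loadTrusted(args[0], args[1].toCharArray());
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate serverCert = (X509Certificate) cf.generateCertificate(new FileInputStream(args[2]));
        String missing = findMissingIssuer(serverCert, trusted);
        System.out.println(missing == null ? "trust chain complete" : "missing TrustedCertEntry for issuer: " + missing);
    }
}
```

Run it against the client truststore with the NiFi node's certificate to check the client-to-server direction, and against the server truststore with the client certificate to check the reverse.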
Created 07-04-2022 02:39 PM
@shuhaib3 Has the reply helped resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future. Thanks!
Regards,
Diana Torres,