Created 10-05-2023 01:32 AM
Hi Team,
I already created a 3 node NiFi secured cluster with self-signed certificates, where I used nifi-toolkit to do the task. But now I have a signed certificate (shared by the IT team), the pem and key file. Can you please help (step by step guide) to create a 3 node NiFi cluster using that certificate?
Created 10-05-2023 07:41 AM
@PriyankaMondal
You should have a signed certificate for each of your three NiFi nodes. Make sure those certificates meet the minimum requirements for NiFi.
The Certificate (PrivateKey) needs to be placed inside a JKS or PKCS12 keystore. There are plenty of resources on the web for creating keystores. But essentially you want to combine your pem and key files to make a p12 file. You can then import that p12 file into a JKS keystore. A NiFi keystore must contain ONLY one PrivateKeyEntry. So don't create a single keystore where you import all 3 private keys. You should have three separate keystores (one for each NiFi node).
NiFi uses two keystores (keystore and truststore):
As far as the setup of NiFi goes, nothing else is different from what you did when using the self-signed certificates when it comes to configuration. Keep in mind that each node's identity is derived from the node's private certificate DN. That DN is evaluated against any configured user identity mapping patterns configured in the nifi.properties file. If the Java regex pattern matches the certificate DN, the mapping value and mapping transform are applied. That resulting mapped identity is what needs to be authorized in NiFi. So these mapped identities become your node identities when configuring the NiFi authorizer.
If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.
Thank you,
Matt
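The steps Matt outlines above (PEM + key into a PKCS12 bundle, import into JKS, exactly one PrivateKeyEntry per keystore, a separate truststore for the CA) as a worked script. This is an added example, not code from the thread or from the NiFi project; the file names, the `nifi-key`/`nifi-ca` aliases, the `KEYSTORE_PASS`/`TRUSTSTORE_PASS`/`CA_CHAIN` environment variables and the `changeit` fallback are assumptions. Run it once per node, each time with that node's own certificate and key, so every node ends up with its own keystore.

```shell
#!/bin/sh
# Added example (not from the thread): build one NiFi keystore and truststore
# for a single node from an IT-issued PEM certificate and key, then verify the
# keystore holds exactly one PrivateKeyEntry. Repeat per node with that node's
# own certificate. File names, aliases and password variables are assumptions.

# Usage: make_nifi_keystore <node-cert.pem> <node-key.pem> <out-dir>
# Optional: CA_CHAIN=<chain.pem> embeds the issuing chain in the keystore.
make_nifi_keystore() {
  cert="$1"; key="$2"; outdir="$3"
  alias_name="nifi-key"                     # assumed alias; any single alias works
  storepass="${KEYSTORE_PASS:-changeit}"    # assumed; set KEYSTORE_PASS in the env
  chain_opt=""
  [ -n "${CA_CHAIN:-}" ] && chain_opt="-certfile $CA_CHAIN"
  mkdir -p "$outdir"

  # 1. Combine the PEM certificate and private key into a PKCS12 bundle.
  openssl pkcs12 -export -in "$cert" -inkey "$key" $chain_opt \
    -name "$alias_name" -out "$outdir/keystore.p12" -passout "pass:$storepass"

  # 2. Convert to JKS (NiFi also accepts the .p12 directly; in that case set
  #    nifi.security.keystoreType=PKCS12 instead).
  keytool -importkeystore -noprompt \
    -srckeystore "$outdir/keystore.p12" -srcstoretype PKCS12 \
    -srcstorepass "$storepass" \
    -destkeystore "$outdir/keystore.jks" -deststoretype JKS \
    -deststorepass "$storepass"

  # 3. Refuse to ship a keystore that does not hold exactly one private key.
  keytool -list -keystore "$outdir/keystore.jks" -storepass "$storepass" \
    | assert_single_private_key
}

# Usage: make_nifi_truststore <ca-cert.pem> <out-dir>
# The truststore holds only the CA certificate that signed the node certs.
make_nifi_truststore() {
  ca="$1"; outdir="$2"
  storepass="${TRUSTSTORE_PASS:-changeit}"  # assumed; set TRUSTSTORE_PASS in the env
  mkdir -p "$outdir"
  keytool -importcert -noprompt -alias "nifi-ca" -file "$ca" \
    -keystore "$outdir/truststore.jks" -storepass "$storepass"
}

# Reads `keytool -list` output on stdin, prints the PrivateKeyEntry count and
# returns non-zero unless that count is exactly one (all NiFi supports).
assert_single_private_key() {
  n=$(grep -c 'PrivateKeyEntry' || true)
  echo "$n"
  [ "$n" -eq 1 ]
}

# Run the keystore pipeline only when invoked with its three arguments.
if [ "$#" -eq 3 ]; then
  make_nifi_keystore "$@"
fi
```

The `assert_single_private_key` check is the part worth keeping in any automation: it catches exactly the merged-keystore mistake the thread warns about (two or more PrivateKeyEntry lines) before the keystore ever reaches a node.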
Created on 10-06-2023 03:49 AM - edited 10-06-2023 03:51 AM
Thank you for your response @MattWho.
Please help me with these basic information:
1. I can get three separate keystores (one for each NiFi node) from NiFi Toolkit
2. I also have a keystore and truststore shared by the IT Team (which is a signed certificate), where cn=*.domainlabs.com
Now, should I merge these two keystores and truststores? If yes, please share the steps to merge them.
Created 10-06-2023 09:01 AM
@PriyankaMondal
1. Not clear on the question here. Why use the Toolkit to create three keystores? I thought you were getting three certificates (one for each node) from your IT team. Use those to create the three unique keystores you will use.
2. It appears your DN has a wildcard in it. NiFi does not support the use of wildcards in the DN of node ClientAuth certificates. This is because NiFi utilizes mutual TLS connections and the clientAuth DN is used to identify the unique connecting clients and is used to set up and configure the authorizations. Now you could ask your IT team to create you one keystore with a non-wildcard DN like "cn=nifi-cluster, ou=domainlabs, DC=com" and add all three of your NiFi nodes' hostnames as SAN entries in that one PrivateKeyEntry. This would allow you to use that same PrivateKey keystore on all three NiFi nodes. This has downsides like security. If the keystore on one node gets compromised, all hosts are compromised because it is reused. All nodes will present as the same client identity (since all present the same DN) during authorization. So nothing will distinguish one node from the other.
The keystore used by NiFi can ONLY contain one PrivateKey entry. Merging multiple keystores with PrivateKey entries will result in one keystore with more than one PrivateKeyEntry, which is not supported by NiFi.
Thank you,
Matt
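To see concretely what Matt means in both replies (the certificate DN is run through the nifi.properties identity mapping, and nodes that share one DN all end up with the same identity), here is an added example that is not part of the thread or of NiFi itself. It reproduces the mapping rule with POSIX `sed`/`tr`: the pattern plays the role of `nifi.security.identity.mapping.pattern.dn`, the value `$1@$2` the role of `nifi.security.identity.mapping.value.dn`, and the NONE/LOWER/UPPER argument the role of `nifi.security.identity.mapping.transform.dn`. The DNs and the mapping rule are constructed; real NiFi patterns are Java regex, so the example only uses a pattern that is valid in both Java regex and `sed -E`.

```shell
#!/bin/sh
# Added example (not from the thread): apply a NiFi-style identity mapping to
# certificate DNs with POSIX tools to see which mapped identity each node
# would present to the authorizer. DNs, pattern and value are constructed.

# Usage: map_identity <dn> <pattern> <value> [NONE|LOWER|UPPER]
# Prints the mapped identity, or the DN unchanged when the pattern does not
# match (NiFi likewise falls back to the raw DN when no mapping matches).
map_identity() {
  dn="$1"; pattern="$2"; value="$3"; transform="${4:-NONE}"
  # NiFi writes capture groups as $1, $2, ...; sed wants \1, \2, ...
  sed_value=$(printf '%s' "$value" | sed 's/\$\([0-9]\)/\\\1/g')
  mapped=$(printf '%s\n' "$dn" | sed -E -n "s/$pattern/$sed_value/p")
  [ -n "$mapped" ] || mapped="$dn"
  case "$transform" in
    LOWER) printf '%s\n' "$mapped" | tr '[:upper:]' '[:lower:]' ;;
    UPPER) printf '%s\n' "$mapped" | tr '[:lower:]' '[:upper:]' ;;
    *)     printf '%s\n' "$mapped" ;;
  esac
}

# Constructed mapping rule: identity becomes "<CN>@<OU>", lower-cased.
PATTERN='^CN=([^,]*), OU=([^,]*), O=([^,]*)$'
VALUE='$1@$2'

# Print the identity the authorizer would see for each DN given.
show_node_identities() {
  for dn in "$@"; do
    printf '%-52s -> %s\n' "$dn" "$(map_identity "$dn" "$PATTERN" "$VALUE" LOWER)"
  done
}

# Per-node certificates: each node gets a distinct identity to authorize.
show_node_identities \
  'CN=nifi-node1.domainlabs.com, OU=NiFi, O=DomainLabs' \
  'CN=nifi-node2.domainlabs.com, OU=NiFi, O=DomainLabs' \
  'CN=nifi-node3.domainlabs.com, OU=NiFi, O=DomainLabs'

# One shared certificate: every node maps to the same identity, so the
# authorizer cannot tell the nodes apart.
show_node_identities \
  'CN=nifi-cluster, OU=domainlabs, O=DomainLabs' \
  'CN=nifi-cluster, OU=domainlabs, O=DomainLabs'
```

Whatever `map_identity` prints for a node's DN is the string that must appear as that node's identity in the authorizer configuration; with per-node certificates you authorize three distinct identities, with a shared certificate only one.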