Support Questions
Find answers, ask questions, and share your expertise

Nifi UI is not working after enabling CA cert

Versions: Ambari - 2.5.1, HDF - 3.0.1.0, Nifi - 1.2.0

In my setup, nifi is a part of cluster(Ambari). By default nifi is listening on 9091. Port is open.

	# netstat -tulnp|grep -i 9091
	
	tcp        0      0 xxxx:9091          0.0.0.0:*                   LISTEN      7426/java
	

I've refered https://community.hortonworks.com/questions/36546/nifi-ui-not-launching.html
but the solution is not working for me. (By changing port)

	INFO [main] org.apache.nifi.bootstrap.Command Apache NiFi is currently running, listening to Bootstrap on port 43781, PID=19882


Nifi services are running fine but Nifi UI is not working. Checked with same instance by lynx https://nifi-ip:9091 but it is not accessible.

Please suggest:

Output of /var/log/nifi/nifi-app.log

 INFO [Process Cluster Protocol Request-10] o.a.n.c.p.impl.SocketProtocolListener Finished processing request f5124041-e599-45af-8b47-117dfbfc91f0 (type=HEARTBEAT, length=3230 bytes) from ip-xxxx.ec2.internal:9091 in 140 millis
 INFO [Clustering Tasks Thread-1] o.a.n.c.c.ClusterProtocolHeartbeater Heartbeat created at 2017-09-12 11:54:51,923 and sent to ip-xxxx.ec2.internal:9088 at 2017-09-12 11:54:52,067; send took 143 millis
2017-09-12 11:54:53,410 INFO [Timer-Driven Process Thread-2] o.a.n.r.ambari.AmbariReportingTask AmbariReportingTask[id=3b80ba0f-a6c0-48db-b721-4dbc04cef28e] Successfully sent metrics to Ambari in 0 ms
	
2 REPLIES 2

Referred this article: https://community.hortonworks.com/articles/58009/hdf-20-enable-ssl-for-apache-nifi-from-ambari.html
From this section:

3. Generate client certificate

But there is no config.json file created and also getting some java errors at below steps:

]#./files/nifi-toolkit-*/bin/tls-toolkit.sh  client -c xxxx -D 'CN=nifiadmin, OU=xxx' -p 10443 -t xxx -T pkcs12
Exception in thread "main" java.lang.UnsupportedClassVersionError: org/apache/nifi/toolkit/tls/TlsToolkitMain : Unsupported major.minor version 52.0
        at java.lang.ClassLoader.defineClass1(Native Method)
        at java.lang.ClassLoader.defineClass(ClassLoader.java:803)
        at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
        at java.net.URLClassLoader.defineClass(URLClassLoader.java:442)
        at java.net.URLClassLoader.access$100(URLClassLoader.java:64)
        at java.net.URLClassLoader$1.run(URLClassLoader.java:354)
        at java.net.URLClassLoader$1.run(URLClassLoader.java:348)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(URLClassLoader.java:347)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
        at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:312)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
        at sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:482)

There are two files available with.json

config-server.json and config-client.json but 'ketstorepassword' is not there. Also there is no correct hostname, CN and OU details.

~]# cat ./files/nifi-toolkit-1.2.0.3.0.1.1-5/conf/config-client.json
{
  "keyStore" : "clientKeyStore",
  "keyStoreType" : "jks",
  "token" : "myTestTokenUseSomethingStronger",
  "dn" : "CN=otherHostname,OU=NIFI",
  "port" : 8443,
  "caHostname" : "localhost",
  "trustStore" : "clientTrustStore",
  "trustStoreType" : "jks",
  "days" : 1095,
  "keySize" : 2048,
  "keyPairAlgorithm" : "RSA",
  "signingAlgorithm" : "SHA256WITHRSA"
}

NIFI UI is not accessible. getting below error from /var/log/nifi/nifi-user.log

2017-09-13 13:31:23,676 INFO [NiFi Web Server-87] o.a.n.w.a.c.AccessDeniedExceptionMapper CN=ip-10-248-14-236.ec2.internal, OU=NIFI does not have permission to access the requested resource. Unable to view the user interface. Returning Forbidden response.
; ;