
Nifi & Registry secure setup - am I going down the wrong rabbit hole?


We have the following Nifi setup:

3 servers where:

  • Server 1 is our main Nifi
  • Server 2 is our backup Nifi (as failover, not a node)
  • Server 3 has our Nifi Registry installation.

All three of these are on their own virtual machines (using Oracle Virtualbox).
What I am trying to do:

  • Secure every Nifi/Registry instance
  • Both Nifi instances connected to Nifi Registry
  • All Nifi and Registry instances can be logged in from
    • Their local machines
    • Internet, via a URL (e.g. server1.my.url, server2.my.url, registry.my.url)
    • By different users

I have so far managed to create one truststore/keystore that I copied onto each of these, and I can connect from my browser, locally and remotely. However, I can't connect the two Nifi instances to Registry, and the local Nifi instances can't connect to their own /nifi-api using InvokeHTTP.

After reading this post from @DivyaKaki, it seems I need to do this:


sh /opt/nifi-toolkit-1.12.1/bin/tls-toolkit.sh standalone -B  mypasswd -C 'CN=nifiadmin, OU=NIFI' -n 'server1.my.url, server2.my.url, registry.my.url, server1_hostname, server2_hostname, registry_hostname' --nifiDnPrefix 'CN=' --nifiDnSuffix ', OU=NIFI' -o /tmp/certs/ -K mypasswd -P mypasswd -S mypasswd

Where server1_hostname is the value returned by the hostname command on server 1; the same applies to server2_hostname and registry_hostname.

My questions are:

Is this the right way to do it, or do I need some CA server/client thing going?

How do I manage additional users other than "nifiadmin" when it comes to browser certificates?
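The following is an added example, not code from the original post or from the NiFi project. It builds with plain openssl the same kind of PKI that `tls-toolkit.sh standalone` produces: one private CA (the toolkit's nifi-cert.pem / nifi-key.key), a shared truststore, one keystore per host, and one client certificate per browser user. Two points it makes visible that the post's command does not: each host certificate carries both the public name and the local hostname as subject alternative names, so the same keystore matches a browser, a Registry client and an InvokeHTTP call back to the host's own /nifi-api (the toolkit's --subjectAlternativeNames flag serves the same purpose); and adding a user is just signing another client certificate with the same CA, which the toolkit does on a rerun with another -C value in the same output directory. The hostnames server1.my.url, server1-host and so on, the user names nifiadmin and alice, and the password mypasswd are constructed for the example. Subjects are written as /OU=NIFI/CN=... because Java prints the most specific RDN first, so NiFi reports the identity as "CN=nifiadmin, OU=NIFI"; the cert_subject helper prints the same RFC 2253 ordering so you can copy the exact string into the Initial Admin Identity and user lists.

```shell
#!/bin/sh
# Added example (not from the post or the NiFi project): an openssl equivalent
# of tls-toolkit standalone. All names and passwords below are constructed.
set -eu

OUT="${OUT:-$(mktemp -d)}"     # output directory, like the toolkit's -o
PASS="${PASS:-mypasswd}"       # keystore/truststore/client password (-K/-P/-S/-B)

# One line per host: "<short name>:<public URL>,<local hostname>" (constructed).
# Both names go into the cert's SANs so every way of reaching the host matches.
HOSTS="server1:server1.my.url,server1-host
server2:server2.my.url,server2-host
registry:registry.my.url,registry-host"

# Private CA with explicit CA constraints; reused on reruns so new user certs
# chain to the CA every instance already trusts.
make_ca() {
  mkdir -p "$OUT"
  if [ -f "$OUT/nifi-cert.pem" ]; then return 0; fi
  openssl req -new -newkey rsa:2048 -nodes -subj "/OU=NIFI/CN=localhost" \
    -keyout "$OUT/nifi-key.key" -out "$OUT/ca.csr" 2>/dev/null
  printf '%s\n' "basicConstraints=critical,CA:TRUE" \
    "keyUsage=critical,keyCertSign,cRLSign" > "$OUT/ca.ext"
  openssl x509 -req -in "$OUT/ca.csr" -signkey "$OUT/nifi-key.key" -days 3650 \
    -extfile "$OUT/ca.ext" -out "$OUT/nifi-cert.pem" 2>/dev/null
  # Shared truststore: the CA certificate only, copied to every NiFi/Registry.
  openssl pkcs12 -export -nokeys -in "$OUT/nifi-cert.pem" \
    -passout "pass:$PASS" -out "$OUT/truststore.p12"
}

# Sign <name>.csr with the CA, attaching one extension per extra argument.
sign() {
  name=$1; shift
  printf '%s\n' "$@" > "$OUT/$name.ext"
  openssl x509 -req -in "$OUT/$name.csr" -CA "$OUT/nifi-cert.pem" \
    -CAkey "$OUT/nifi-key.key" -CAcreateserial -days 825 \
    -extfile "$OUT/$name.ext" -out "$OUT/$name.crt" 2>/dev/null
}

# One keystore per host. The cert's own DN (CN=<public name>, OU=NIFI) is the
# identity that host presents to Registry or to its own /nifi-api.
make_host() {  # make_host <short name> <comma-separated DNS names>
  name=$1; sans=$2; first=${2%%,*}
  openssl req -new -newkey rsa:2048 -nodes -subj "/OU=NIFI/CN=$first" \
    -keyout "$OUT/$name.key" -out "$OUT/$name.csr" 2>/dev/null
  sign "$name" "subjectAltName=DNS:$(printf '%s' "$sans" | sed 's/,/,DNS:/g')" \
    "extendedKeyUsage=serverAuth,clientAuth"
  mkdir -p "$OUT/$name"
  openssl pkcs12 -export -inkey "$OUT/$name.key" -in "$OUT/$name.crt" \
    -certfile "$OUT/nifi-cert.pem" -name nifi-key -passout "pass:$PASS" \
    -out "$OUT/$name/keystore.p12"
}

# One client cert per person, as a .p12 to import into that person's browser.
make_user() {  # make_user <username>
  user=$1
  openssl req -new -newkey rsa:2048 -nodes -subj "/OU=NIFI/CN=$user" \
    -keyout "$OUT/$user.key" -out "$OUT/$user.csr" 2>/dev/null
  sign "$user" "extendedKeyUsage=clientAuth"
  openssl pkcs12 -export -inkey "$OUT/$user.key" -in "$OUT/$user.crt" \
    -certfile "$OUT/nifi-cert.pem" -name "$user" -passout "pass:$PASS" \
    -out "$OUT/$user.p12"
}

# Checks to run before editing nifi.properties / authorizers.xml.
verify_cert() { openssl verify -CAfile "$OUT/nifi-cert.pem" "$OUT/$1.crt" >/dev/null 2>&1; }
cert_subject() {  # RFC 2253 order, i.e. how Java and NiFi print the identity
  openssl x509 -noout -subject -nameopt RFC2253 -in "$OUT/$1.crt" | sed 's/^subject= *//'
}
cert_sans() {     # "DNS:a,DNS:b" for host certs, empty for user certs
  openssl x509 -noout -text -in "$OUT/$1.crt" \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

make_all() {
  make_ca
  for entry in $HOSTS; do make_host "${entry%%:*}" "${entry#*:}"; done
  make_user nifiadmin
  make_user alice    # a second browser user, added after the fact
}

make_all
for n in server1 server2 registry nifiadmin alice; do
  printf '%-10s %-32s %s\n' "$n" "$(cert_subject "$n")" "$(cert_sans "$n")"
done
echo "output in $OUT"
```

The identities the script prints are the strings to register: each server's DN goes into Registry as a user that may proxy requests and read the buckets NiFi should see, and into NiFi's own policies when a processor on that host calls /nifi-api with the host keystore; each person's DN goes into the Initial Admin Identity or the Users page of every instance they should log in to, after importing their .p12 into the browser.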