Nifi registry issue with https

avatar

I have enabled HTTPS in the NiFi Registry properties, generated a keystore and truststore using the TLS toolkit, and added them to the properties file. I am able to start NiFi Registry on port 18443 and host 0.0.0.0, as the logs show that the Jetty server started on https://0.0.0.0:18443/nifi registry

My NiFi Registry is hosted as an AKS pod.
When I enable ingress for it, it returns 502 bad request.

Are there any changes to be done to make my NiFi Registry run HTTPS?

Goal: I want to enable 2-way SSL authentication so that NiFi can connect to NiFi Registry.

11 REPLIES

avatar
Community Manager

@Knowledgeknow Welcome to the Cloudera Community!

To help you get the best possible solution, I have tagged our NiFi experts @MattWho @cotopaul  who may be able to assist you further.

Please keep us updated on your post, and we hope you find a satisfactory solution to your query.


Regards,

Diana Torres,
Community Moderator


Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
Learn more about the Cloudera Community:

avatar

IMG_4656.jpeg

Now I have Apache secured NiFi and secured NiFi Registry running on localhost. When I try to integrate NiFi with NiFi Registry, it gives me connection refused. I added images showing how I created the certificates and the error. I added the truststore and keystore files in the NiFi Registry and NiFi properties. I want to make a 2-way SSL connection.

IMG_4657.jpeg

avatar

I generated those certificates using TinyCert. Do we have any reference script with which I could generate self-signed certificates for NiFi and NiFi Registry?

avatar
Super Mentor

@Knowledgeknow 
I would think that certs created by TinyCert should be fine.
Troubleshooting a mutual TLS handshake is difficult without the verbose keytool output for the NiFi keystore and truststore and the NiFi-Registry keystore and truststore.

For your first screenshot with connection refused, you'll probably want to look at the nifi-registry-app.log at the time you opened that UI to see what may have been logged.

Can the NiFi host resolve and reach the configured Apache NiFi-Registry host?  Can this be done via the NiFi service user via command line on the NiFi host?

Once you get past any potential MutualTLS issue, we would need to inspect the configurations you have in place within:
NiFi:

  1. nifi.properties
  2. know what user-identity-string is currently authenticated into your secured NiFi when trying to interact with NiFi-Registry.

NiFi-Registry:

  1. nifi-registry.properties
  2. authorizers.xml
  3. users.xml
  4. authorizations.xml

So there is far too little information to offer up any solution or useful suggestions.
Thank you,
Matt

avatar

Certs created using TinyCert are not acceptable in my organisation. I started creating a CA using OpenSSL, along with server and client certs. I created a keystore and imported the CA into the truststore. When I hit it through the browser, it says there is an SSL issue.

avatar
Community Manager

@Knowledgeknow Has the reply helped resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future. Thanks.


Regards,

Diana Torres,
Community Moderator



avatar
New Contributor

How do I use the toolkit to create an IP within the SAN?

I am using the following script:

bash "${NIFI_HOME_DIR}"/nifi/nifi-toolkit-current/bin/tls-toolkit.sh standalone -O -n 'localhost' -C "${cn}" -o "${NIFI_HOME_DIR}"/key_trust --subjectAlternativeNames dns:'localhost',ip:"${NIFI_SAN_IP}"

but only the DNS:localhost gets created
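
A way to confirm which SAN entries a generated certificate actually carries, as an added example that is not part of the original thread: it parses the text printed by `openssl x509 -in <cert.pem> -noout -text` and lists the expected entries that are absent. The function names, the sample certificate text and the address 10.0.0.5 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): compare a certificate's SAN entries
# against the ones the generation step was expected to write.
# Real input: openssl x509 -in <cert.pem> -noout -text | san_missing dns:... ip:...

# Print one SAN entry per line, normalised to "dns:<name>" or "ip:<addr>".
san_entries() {
  awk '
    /X509v3 Subject Alternative Name/ { grab = 1; next }  # values are on the next line
    grab {
      n = split($0, parts, ",")
      for (i = 1; i <= n; i++) {
        e = parts[i]
        gsub(/^[ \t]+|[ \t]+$/, "", e)                    # trim padding
        if (e ~ /^DNS:/)             print "dns:" tolower(substr(e, 5))
        else if (e ~ /^IP Address:/) print "ip:" substr(e, 12)
      }
      exit
    }'
}

# Read certificate text on stdin; print every expected entry (arguments) that
# is absent from the SAN. Returns 1 if anything is missing, 0 otherwise.
san_missing() {
  san_found=$(san_entries)
  san_rc=0
  for san_want in "$@"; do
    if ! printf '%s\n' "$san_found" | grep -qxF -- "$san_want"; then
      printf '%s\n' "$san_want"
      san_rc=1
    fi
  done
  return "$san_rc"
}

# Constructed sample: certificate text in which only the DNS entry was written.
SAMPLE_CERT_TEXT='        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:localhost
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment'

# Demo on the constructed sample (10.0.0.5 is a placeholder address).
printf '%s\n' "$SAMPLE_CERT_TEXT" | san_missing dns:localhost ip:10.0.0.5 \
  || echo "the entries listed above are missing from the SAN"
```

A client that connects by IP address will fail hostname verification against a certificate whose SAN holds only the DNS name, so this check is worth running before debugging the handshake itself.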