Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
Solved Go to solution

Nifi registry issue with https

Labels:
avatar
author-rank Knowledgeknow
Explorer

Created ‎10-18-2023 07:58 AM

I have enabled https on nifi registry properties and generated key store and trust store using tls toolkit and added in the properties file. I am able to start nifi registry on port 18443 and host 0.0.0.0 as it showing in logs that jetty server started on https://0.0.0.0:18443/nifi registry

my nifi registry is hosted as aks pod. 
when I enable ingress for it. It’s returning me as 502 bad request.

are there any changes to be done to make my nifi registry run https.

 

Goal : i want to enable 2 way ssl authentication so that nifi could connect to nifi registry.

3,081 Views
0 Kudos
2 ACCEPTED SOLUTIONS

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎10-20-2023 02:01 PM

@Knowledgeknow 

I am not clear here:
when I enable ingress for it. It’s returning me as 502 bad request

NiFi-Registry is secured once configured with an HTTPS hostname, HTTPS port, keystore, and truststore.  For more info: security_configuration 

As soon as HTTPS is enabled, TLS/SSL is used. It is either enabled as "REQUIRED" or "WANT", but can not be set to "NONE".   This is controlled by 
nifi.registry.security.needClientAuth=true (default) 
With "true" being "Required" and false being "Want"

In order for NiFi to be able to successfully negotiate a mutual TLS handshake, the NiFi "registry client" must use the HTTPS nifi-registry "https://<nifi-registry hostname>:<port> url and have either the keystore and truststore configured in nifi.properties or a  StandardRestrictedSSLContextService configured with valid keystore and truststore.

The NiFi-registry keystore must:
- Contain a single PrivateKeyEntry
- PrivateKey entry has serverAuth EKU
- PrivateKey Entry has SAN entries that include any hostname and IPs that client(s) may use to connect to it.  Since you have configured hostname with 0.0.0.0 so that NiFi-Registry binds to all NICs, you'll need to make sure valid network IPs and hostnames are in the SAN.

The NiFi-Regsitry truststore must:
- Contain the complete trust chain capable of establish trust for the PriavteKey in the NiFi keystore being used by the NiFi Registry Client.

The NiFi keystore must:
- Contain only one PrivateKey Entry.
- PrivateKey DN must not use wildcards
- PrivateKey Entry MUST have both clientAuth and ServerAuth EKU
- PrivateKey Entry must have SAN entries for NiFi hostname, and IPs clients may use to connect to it.

The NiFi truststore must:
- Contain the complete trust chain capable of establish trust for the PriavteKey in the NiFi-Registry keystore configured in the nifi-registry.properties file.

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

View solution in original post

3,052 Views
0 Kudos

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎11-01-2023 06:17 AM

@Knowledgeknow 

  1. Does your NiFi Keystore meet the following requirements?
  • MUST contain only one PriavteKey Entry
  • PrivateKey Entry must include ExtenedKeyUsage(EKU) for both clientAuth and serverAuth.
  • PrivateKey Entry DistinquishedName (DN) does not contain wildcards
  • PrivateKey Entry contains one of more SubjectAlternativeName (SAN) entries that includes the hostname and IP for the NiFi server on which it will be used.

2. Sounds like you have configured nifi.properties:

nifi.remote.input.host=0.0.0.0

While this will work for a http setup, it will cause issue with the TLS handshake.  Instead this should set the hostname of the NiFi server and the hostname must be a SAN entry.  If you are trying to have your NIFi bind to multiple Network Interface Cards (NICs) then you should use the "nifi.web.https.network.interface*" properties in web properties section of the nifi.properties file.

MattWho_0-1698844519875.png

 

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

View solution in original post

2,833 Views
0 Kudos
11 REPLIES 11

avatar
author-rank DianaTorres author-rank
Community Manager

Created ‎10-18-2023 09:02 AM

@Knowledgeknow Welcome to the Cloudera Community!

To help you get the best possible solution, I have tagged our NiFi experts @MattWho @cotopaul  who may be able to assist you further.

Please keep us updated on your post, and we hope you find a satisfactory solution to your query.

Regards,

Diana Torres,
Community Moderator

Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
Learn more about the Cloudera Community:
2,732 Views
0 Kudos

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎10-20-2023 02:01 PM

@Knowledgeknow 

I am not clear here:
when I enable ingress for it. It’s returning me as 502 bad request

NiFi-Registry is secured once configured with an HTTPS hostname, HTTPS port, keystore, and truststore.  For more info: security_configuration 

As soon as HTTPS is enabled, TLS/SSL is used. It is either enabled as "REQUIRED" or "WANT", but can not be set to "NONE".   This is controlled by 
nifi.registry.security.needClientAuth=true (default) 
With "true" being "Required" and false being "Want"

In order for NiFi to be able to successfully negotiate a mutual TLS handshake, the NiFi "registry client" must use the HTTPS nifi-registry "https://<nifi-registry hostname>:<port> url and have either the keystore and truststore configured in nifi.properties or a  StandardRestrictedSSLContextService configured with valid keystore and truststore.

The NiFi-registry keystore must:
- Contain a single PrivateKeyEntry
- PrivateKey entry has serverAuth EKU
- PrivateKey Entry has SAN entries that include any hostname and IPs that client(s) may use to connect to it.  Since you have configured hostname with 0.0.0.0 so that NiFi-Registry binds to all NICs, you'll need to make sure valid network IPs and hostnames are in the SAN.

The NiFi-Regsitry truststore must:
- Contain the complete trust chain capable of establish trust for the PriavteKey in the NiFi keystore being used by the NiFi Registry Client.

The NiFi keystore must:
- Contain only one PrivateKey Entry.
- PrivateKey DN must not use wildcards
- PrivateKey Entry MUST have both clientAuth and ServerAuth EKU
- PrivateKey Entry must have SAN entries for NiFi hostname, and IPs clients may use to connect to it.

The NiFi truststore must:
- Contain the complete trust chain capable of establish trust for the PriavteKey in the NiFi-Registry keystore configured in the nifi-registry.properties file.

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

3,053 Views
0 Kudos

avatar
author-rank Knowledgeknow
Explorer

Created on ‎10-23-2023 10:01 AM - edited ‎10-23-2023 10:02 AM

IMG_4656.jpeg

now I have apache secured nifi and secured nifi registry running on local host. When I try to integrate with nifi with nifi registry it’s giving me connection refused.  I added the images how I created certificates and the error.  I added trust and key store files in nifi registry and nifi properties. I want to make 2 way ssl connection.

IMG_4657.jpeg

2,677 Views
0 Kudos

avatar
author-rank Knowledgeknow
Explorer

Created ‎10-23-2023 11:29 PM

I generated those certificates using tiny cert. Do we have any reference script which I could generate self signed certificates for nifi and nifi registry.

2,649 Views
0 Kudos

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎10-24-2023 08:38 AM

@Knowledgeknow 
I would think that certs created by tiny cert should be fine.
Troubleshooting mutual TLS handshake this is difficult without the verbose keytool output for the NiFi keystore and truststore and the NiFi-Registry keystore and truststore.

Your first screenshot with connection refused, you'll probably want to look at the nifi-registry-app.log at time you opened that UI to see what may have been logged.

Can the NiFi host resolve and reach the configured Apache NiFi-Registry host?  Can this be done via the NiFi service user via command line on the NiFi host?

Once you get past any potential MutualTLS issue, we would need to inspect the configurations you have in place within:
NiFi:

  1. nifi.properties
  2. know what user-identity-string is currently authenticated into you secured NiFi when trying to interact with NiFi-Registry.

NiFi-Registry:

  1. nifi-registry.properties
  2. authorizers.xml
  3. users.xml
  4. authorizations.xml

So there is far too little information to offer up any solution or useful suggestions.
Thank you,
Matt

2,634 Views
0 Kudos

avatar
author-rank Knowledgeknow
Explorer

Created ‎11-01-2023 01:12 AM

Certs using tinycert is not acceptable in my organisation. I started creating ca using open ssl and server cert client certs I created a key store and imported ca into true store. When I hit throw browser it’s saying ssl issue. 

2,503 Views
0 Kudos

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎11-01-2023 06:17 AM

@Knowledgeknow 

  1. Does your NiFi Keystore meet the following requirements?
  • MUST contain only one PriavteKey Entry
  • PrivateKey Entry must include ExtenedKeyUsage(EKU) for both clientAuth and serverAuth.
  • PrivateKey Entry DistinquishedName (DN) does not contain wildcards
  • PrivateKey Entry contains one of more SubjectAlternativeName (SAN) entries that includes the hostname and IP for the NiFi server on which it will be used.

2. Sounds like you have configured nifi.properties:

nifi.remote.input.host=0.0.0.0

While this will work for a http setup, it will cause issue with the TLS handshake.  Instead this should set the hostname of the NiFi server and the hostname must be a SAN entry.  If you are trying to have your NIFi bind to multiple Network Interface Cards (NICs) then you should use the "nifi.web.https.network.interface*" properties in web properties section of the nifi.properties file.

MattWho_0-1698844519875.png

 

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

2,834 Views
0 Kudos

avatar
author-rank DianaTorres author-rank
Community Manager

Created ‎10-30-2023 10:42 PM

@Knowledgeknow Has the reply helped resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future. Thanks.

Regards,

Diana Torres,
Community Moderator

Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
Learn more about the Cloudera Community:
2,516 Views
0 Kudos

avatar
author-rank oneofthemany
New Contributor

Created ‎02-02-2024 06:07 AM

how do use the toolkit to create and IP within the SAN?

I am using the following script:

bash "${NIFI_HOME_DIR}"/nifi/nifi-toolkit-current/bin/tls-toolkit.sh standalone -O -n 'localhost' -C "${cn}" -o "${NIFI_HOME_DIR}"/key_trust --subjectAlternativeNames dns:'localhost',ip:"${NIFI_SAN_IP}"

but only the DNS:localhost gets created
1,713 Views
Announcements
What's New @ Cloudera
Updates to the HDFS clusters on AWS environments to add supp...
What's New @ Cloudera
Enhancements to the create-database command
Community Announcements
September 2024 Community Highlights
What's New @ Cloudera
Cloudera Streams Messaging Operator 1.1
What's New @ Cloudera
From Silos to Synergy: Unifying Data Warehousing and AI
View More Announcements