
[RESOLVED] : NIFI : LISTENHTTP SSL

Rising Star

Hi all,

I'm trying to use ListenHTTP with SSL.

I've read this post: http://www.simonellistonball.com/technology/nifi-ssl-listenhttp/

But I don't know how to use the keystore from the client. Is it the same keystore as the keystore used in nifi.properties?

Thanks

15 REPLIES


Hi Mat,

Sorry to post my question here; I'm not finding a way out.

I have configured SSL with CA-signed certs on the server. By CA-signed I mean an actual CA and not the NiFi CA.

I am using NiFi on a single machine without Ambari.

Now I want a client to authenticate and use NiFi. How do I create the client cert so that it authenticates to the CA-signed cert on the server?

Rising Star

@mclark

I've changed my Controller Service configuration but I'm running into an issue.

I've checked all truststores/keystores across the cluster; they use the same password.

8953-controller-service-ssl.jpg

8954-ssl-error-01.jpg

Master Mentor

It does not look like you provided your key password.

Rising Star

@mclark

Now that ContextServiceSSL is enabled, do I need to generate a keystore for my client/user?

Master Mentor

ListenHTTP requires 2-way SSL when enabled, so the client will also need a keystore and truststore. The truststore on both your client and server will need to contain the trusted cert entry for each other's client cert. If you used the same CA for both then you should be good. If not, you will need to add the CA or trusted key entry (public key from each private key entry) to each other's truststores.

Master Mentor

Want to add some clarity to this last comment:

ListenHTTP requires 2-way TLS when enabled if an SSLContextService has been configured with a truststore. The truststore is used to trust the client certificate presented by the client, for the purpose of authentication, when connecting to this secured ListenHTTP processor.

If only a keystore and no truststore is configured in the SSLContextService, ListenHTTP will not require that clients present a client certificate.

The server certificate from the keystore will be presented to the client so the client can verify that it trusts the server (the NiFi ListenHTTP Jetty server) that it is connecting with.
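
The truststore rule from the replies above (a client cert from the same CA is accepted; one from a different CA is accepted only after that CA is imported into the truststore), as an added example that is not from the thread. It assumes PEM files and `openssl verify` as a stand-in for NiFi's JKS truststore check, and all names (ServerSideCA, OtherCA, client-a, client-b) are constructed.

```shell
#!/usr/bin/env bash
# Added example: PEM files stand in for keystore/truststore entries.
# All CA and client names below are constructed for illustration.

# make_ca <name>: create a self-signed CA -> <name>.key, <name>.pem
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# issue_cert <ca> <cn>: key and cert for <cn>, signed by <ca> -> <cn>.key, <cn>.pem
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -days 30 -out "$2.pem" 2>/dev/null
}

# trusted_by <truststore.pem> <cert.pem>: succeeds only if the cert chains
# to a CA certificate contained in the bundle
trusted_by() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Runs in a subshell inside a scratch directory; prints one result per case.
truststore_demo() (
  cd "$(mktemp -d)" || exit 1
  make_ca ServerSideCA && make_ca OtherCA || exit 1
  issue_cert ServerSideCA client-a && issue_cert OtherCA client-b || exit 1
  cp ServerSideCA.pem truststore.pem     # what the server's truststore holds
  status() {
    if trusted_by truststore.pem "$1"; then echo trusted; else echo rejected; fi
  }
  echo "same-ca=$(status client-a.pem)"
  echo "other-ca=$(status client-b.pem)"
  cat OtherCA.pem >> truststore.pem      # import the second CA as a trusted entry
  echo "other-ca-after-import=$(status client-b.pem)"
)

truststore_demo
```

The same check applies in the other direction: the client's truststore must contain the CA that signed the server certificate presented from the ListenHTTP keystore.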