Secured NiFi with empty keystore password does not start

I have a cluster with 7 NiFi nodes. After a node crash, on restart, NiFi could not find the files /usr/hdf/current/nifi/conf/keystore.jks and truststore.jks.

I have re-created the files with

tls-toolkit.sh client -c tp-hostname.domain.com -t passwordPassword -p 10443

In the Ambari config the keystore and truststore passwords are empty.

When I start the NiFi services I have:

Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'protocolSocketConfiguration': FactoryBean threw exception on object creation; nested exception is java.io.IOException: Keystore was tampered with, or password was incorrect
	at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:175)
	at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:103)
	at org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1585)
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:317)
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:351)
	... 78 common frames omitted
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
	at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)
	at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
	at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
	at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
	at java.security.KeyStore.load(KeyStore.java:1445)
	at org.apache.nifi.io.socket.SSLContextFactory.<init>(SSLContextFactory.java:65)
	at org.apache.nifi.cluster.protocol.spring.SocketConfigurationFactoryBean.getObject(SocketConfigurationFactoryBean.java:45)
	at org.apache.nifi.cluster.protocol.spring.SocketConfigurationFactoryBean.getObject(SocketConfigurationFactoryBean.java:30)
	at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:168)
	... 83 common frames omitted
Caused by: java.security.UnrecoverableKeyException: Password verification failed
	at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778)
	... 91 common frames omitted


In nifi.properties I have:

nifi.security.keyPasswd=
nifi.security.keystore=/usr/hdf/current/nifi/conf/keystore.jks
nifi.security.keystorePasswd=
nifi.security.keystoreType=jks
nifi.security.needClientAuth=False
nifi.security.ocsp.responder.certificate=
nifi.security.ocsp.responder.url=
nifi.security.truststore=/usr/hdf/current/nifi/conf/truststore.jks
nifi.security.truststorePasswd=
nifi.security.truststoreType=jks
nifi.security.user.authorizer=ranger-provider
nifi.security.user.login.identity.provider=
nifi.sensitive.props.additional.keys=
nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
nifi.sensitive.props.key=sdlkjdslkjsdlkjdjjd||xyGZZ+R3FO04BxcUHSL5U6+OGqtQQevXbFfecQ
nifi.sensitive.props.key.protected=aes/gcm/256
nifi.sensitive.props.provider=BC

On other NiFi nodes I have an encrypted password in nifi.properties, but the truststore and the keystore have an empty string as a password.

Do you have any idea for this issue?

Thanks in advance

Re: Secured NiFi with empty keystore password does not start

@Davide Isoardi

Are you still working on this issue?

Re: Secured NiFi with empty keystore password does not start

I got the same issue!

In the end, I deactivated SSL and activated it again, so it generated new certificates for the NiFi cluster.
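
The last "Caused by" in the question's stack trace is the JKS integrity check: a JKS file ends with a SHA-1 digest over the store password (as UTF-16BE), the fixed string "Mighty Aphrodite" and the store contents, and loading fails when the supplied password does not reproduce that digest. The Python sketch below is an added example, not code from this thread or from NiFi; it runs the same check against the password configured in nifi.properties, and its helper names and sample data are constructed for illustration.

```python
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
WHITENER = b"Mighty Aphrodite"  # fixed string the JKS format mixes into its digest


def jks_digest(password: str, body: bytes) -> bytes:
    """SHA-1 over UTF-16BE password + whitener + store body (JKS integrity check)."""
    return hashlib.sha1(password.encode("utf-16-be") + WHITENER + body).digest()


def password_opens_jks(store: bytes, password: str) -> bool:
    """True if `password` reproduces the trailing integrity digest of a JKS file."""
    if len(store) < 32 or struct.unpack(">I", store[:4])[0] != JKS_MAGIC:
        raise ValueError("not a JKS keystore (PKCS12 or truncated file?)")
    body, stored = store[:-20], store[-20:]
    return jks_digest(password, body) == stored


def parse_properties(text: str) -> dict:
    """Minimal key=value parser for the nifi.properties lines of interest."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def check_store(props: dict, prefix: str, store: bytes) -> str:
    """Compare nifi.security.<prefix>Passwd with the store's own digest."""
    key = f"nifi.security.{prefix}Passwd"
    if props.get(key + ".protected"):
        return "protected"  # value is encrypted; decrypt it before comparing
    return "ok" if password_opens_jks(store, props.get(key, "")) else "mismatch"


def make_empty_jks(password: str) -> bytes:
    """Constructed sample: header of a JKS with zero entries, plus its digest."""
    body = struct.pack(">III", JKS_MAGIC, 2, 0)
    return body + jks_digest(password, body)


# Constructed input: store created with some generated password, empty config value.
SAMPLE_PROPS = "nifi.security.keystoreType=jks\nnifi.security.keystorePasswd=\n"
SAMPLE_STORE = make_empty_jks("constructed-generated-password")
```

On a node, pass the bytes of the real keystore.jks or truststore.jks and the text of the real nifi.properties in place of the constructed samples; a "mismatch" result corresponds to the "Password verification failed" error above.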