Securing Apache NIFI with SSL (org certs)

Hello @Andy LoPresto - I'm trying to secure NIFI with the Internal Certificates provided by my org. I have a Signed Certificate, root certificate and a private key. Following the instructions in the NIFI docs, I did the following. I restarted NIFI and launched the NIFI UI with https://<hostname>:8443/nifi and I get the following error: ERR_BAD_SSL_CLIENT_AUTH_CERT. Below are the steps I followed after referring to

  1. https://community.hortonworks.com/questions/171208/nifi-ssl-how-to-use-registered-certificates-not-s...
  2. https://nifi.apache.org/docs/nifi-docs/html/toolkit-guide.html#additional_certificate_commands

Please can you help me with this?

Steps:

1. openssl pkcs12 -export -out keystore.p12 -inkey myhost.key -in myhost.pem
2. keytool -genkey -keyalg RSA -alias temp -keystore truststore.jks
3. keytool -delete -alias temp -keystore truststore.jks
4. keytool -import -v -trustcacerts -alias domain_ca -file myhost.pem -keystore truststore.jks
5. keytool -genkey -keyalg RSA -alias temp -keystore keystore.jks
6. keytool -delete -alias temp -keystore keystore.jks
7. keytool -v -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS
8. keytool -import -v -trustcacerts -alias root_cert -file RootAuthority.pem -keystore truststore.jks (additional step to import root CA cert provided by my org)

nifi.properties file.

# web properties #
nifi.web.war.directory=./lib
#nifi.web.http.host=
#nifi.web.http.port=8080
nifi.web.http.network.interface.default=
nifi.web.https.host=
nifi.web.https.port=8443
nifi.web.https.network.interface.default=
nifi.web.jetty.working.directory=./work/jetty
nifi.web.jetty.threads=200
nifi.web.max.header.size=16 KB
nifi.web.proxy.context.path=
nifi.web.proxy.host=

# security properties #
nifi.sensitive.props.key=
nifi.sensitive.props.key.protected=
nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
nifi.sensitive.props.provider=BC
nifi.sensitive.props.additional.keys=

nifi.security.keystore=/tmp/NSO/keystore.jks
nifi.security.keystoreType=JKS
nifi.security.keystorePasswd=mypass
#nifi.security.keyPasswd=mypass
nifi.security.truststore=/tmp/NSO/truststore.jks
nifi.security.truststoreType=JKS
nifi.security.truststorePasswd=mypass
nifi.security.user.authorizer=managed-authorizer
nifi.security.user.login.identity.provider=
nifi.security.ocsp.responder.url=
nifi.security.ocsp.responder.certificate=
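
As an added example (not part of the original post and not NiFi's own code), the Python below parses the TLS-related lines of the posted nifi.properties and lists the settings worth checking when a browser reports a client-certificate error. The finding codes and helper names are hypothetical. It assumes NiFi 1.x behaviour: with no login identity provider, OIDC or Knox setting, HTTPS users authenticate by client certificate, and an unset keyPasswd falls back to keystorePasswd.

```python
# Constructed sample: the TLS-relevant lines of the nifi.properties posted above.
SAMPLE = """\
#nifi.web.http.port=8080
nifi.web.https.port=8443
nifi.security.keystore=/tmp/NSO/keystore.jks
nifi.security.keystorePasswd=mypass
#nifi.security.keyPasswd=mypass
nifi.security.truststore=/tmp/NSO/truststore.jks
nifi.security.truststorePasswd=mypass
nifi.security.user.login.identity.provider=
"""

# Settings that enable a non-certificate login (NiFi 1.x names; assumption).
LOGIN_KEYS = (
    "nifi.security.user.login.identity.provider",
    "nifi.security.user.oidc.discovery.url",
    "nifi.security.user.knox.url",
)

def parse_properties(text):
    """Parse key=value lines; commented-out keys are treated as absent."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def review_tls(props):
    """Return (code, message) findings for the HTTPS-related settings."""
    if not props.get("nifi.web.https.port"):
        return [("NO_HTTPS", "nifi.web.https.port is empty, TLS settings are unused")]
    findings = []
    for store in ("keystore", "truststore"):
        path = props.get(f"nifi.security.{store}", "")
        if not path or not props.get(f"nifi.security.{store}Passwd"):
            findings.append((f"{store.upper()}_INCOMPLETE", "path or password missing"))
        elif path.startswith(("/tmp/", "/var/tmp/")):
            findings.append((f"{store.upper()}_IN_TMP", f"{path}: world-writable directory"))
    if not any(props.get(k) for k in LOGIN_KEYS):
        findings.append(("CLIENT_CERT_ONLY", "no login provider: the browser must present "
                         "a client certificate that the truststore trusts"))
    if not props.get("nifi.security.keyPasswd"):
        findings.append(("KEYPASSWD_UNSET", "key password must equal keystorePasswd"))
    return findings

if __name__ == "__main__":
    for code, message in review_tls(parse_properties(SAMPLE)):
        print(f"{code}: {message}")
```

The CLIENT_CERT_ONLY finding is the one to compare against the truststore contents: `keytool -list -v -keystore truststore.jks` shows which issuers NiFi will accept for a browser certificate.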