Securing NiFi 1.3.0

New Contributor

Hi, I'm trying to secure my NiFi installation with SSL certificates. Initially I used the TLS toolkit for testing purposes, and things were working fine. However, when I switched to the CA SSL certs provided by my infra team, I'm having issues.

Some of the issues I observed:

1. Chrome doesn't prompt me to choose the certificate that I have installed (CA cert). If I use the SSL cert generated by the TLS toolkit, it prompts just fine.

2. I see some differences in the EKU and KU sections of both certs, see attached screenshot.

3. Certificate length is 2 for the one I generated via the TLS toolkit, but length is 1 for the CA one.

I have tried everything, and am not able to fix this issue.

Hope someone can point me to the right direction.

40452-dv.png

40451-it.png


Super Mentor

@James V

The "Keystore" you are using that was derived from your CA should contain only a single "PrivateKeyEntry". That "PrivateKeyEntry" should have an EKU that authorizes its use for both clientAuth and ServerAuth. (Based on above, EKU looks correct.) The Issuer listed for that PrivateKeyEntry should be the DN for your CA. If the Issuer is the same as the owner, it is a self-signed cert. This typically means you did not install the response you got back from your CA. You should have provided your CA with a CSR (certificate signing request), which you then received a response for.

The "truststore" should not contain any PrivateKeyEntries. It should contain 1 to many "TrustedCertEntries". There should be a trustedCertEntry for every CA that signs any certificates being used anywhere to communicate with this NiFi. TrustedCertEntries are nothing more than the public keys.

Thanks,

Matt
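The checks listed in the reply above can be run mechanically over the text that `keytool -list -v` prints. The following is an added example, not part of the thread or of NiFi: the sample output, alias and DNs are constructed, and the function names are hypothetical.

```python
import re

# Constructed `keytool -list -v` output (not from the thread): a keystore whose
# CA reply was never imported, so the key entry is still self-signed.
SAMPLE_KEYSTORE = """\
Alias name: nifi-key
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=nifi01.example.com, OU=NIFI
Issuer: CN=nifi01.example.com, OU=NIFI
ExtendedKeyUsages [
  serverAuth
]
"""

def split_entries(text):
    """Split keytool verbose output into one chunk per alias (preamble dropped)."""
    return re.split(r"(?m)^Alias name: ", text)[1:]

def audit_keystore(text):
    """Return findings for the keystore criteria described in the reply."""
    findings = []
    keys = [e for e in split_entries(text) if "Entry type: PrivateKeyEntry" in e]
    if len(keys) != 1:
        findings.append(f"expected exactly 1 PrivateKeyEntry, found {len(keys)}")
    for e in keys:
        # The first Owner/Issuer pair belongs to Certificate[1], the leaf cert.
        owner = re.search(r"(?m)^Owner: (.+)$", e)
        issuer = re.search(r"(?m)^Issuer: (.+)$", e)
        if owner and issuer and owner.group(1).strip() == issuer.group(1).strip():
            findings.append("self-signed: Issuer equals Owner (CA reply not installed?)")
        # A certificate with no EKU extension is unrestricted, so only check if present.
        eku = re.search(r"ExtendedKeyUsages \[(.*?)\]", e, re.S)
        missing = {"clientAuth", "serverAuth"} - set(eku.group(1).split()) if eku else set()
        findings += [f"EKU missing {m}" for m in sorted(missing)]
    return findings

def audit_truststore(text):
    """Truststore: no PrivateKeyEntry, at least one trustedCertEntry."""
    entries = split_entries(text)
    findings = []
    if any("Entry type: PrivateKeyEntry" in e for e in entries):
        findings.append("truststore contains a PrivateKeyEntry")
    if not any("Entry type: trustedCertEntry" in e for e in entries):
        findings.append("truststore has no trustedCertEntry")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_keystore(SAMPLE_KEYSTORE)))
```
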

Super Mentor
@James V

Can you post the entire verbose output of both your Keystore and Truststore?

New Contributor

Hi Matt,

Thanks for taking the time to answer. I checked the keystore and trustedstore based on what you provided. I can see exactly what you suggest, 1 privatekeyentry in keystore and 1 trustedcertentries in trustedstore.

I have also turned on the debugging and this is what I see in nifi-bootstrap.log

40504-ks.png

40505-ts.png

nifi-bootstrap.log

40507-chain.png

Appreciate your help on this matter. Thanks!

New Contributor

@D H

Thank you very much for your help. It works now! Followed all your steps.

Contributor

Glad to hear it :). Enjoy your secure NiFi instance.