Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
Solved Go to solution

Securing NiFi 1.3.0

Labels:
avatar
author-rank encikcuci
New Contributor

Created on ‎09-21-2017 02:12 PM - edited ‎08-17-2019 11:04 PM

Hi, im trying to secure my nifi installation with ssl certificates. Initially i used the tls toolkit for testing purposes, things were working fine. However, when i switched to the CA SSL certs provided my infra team, im having issues.

Some of the issues i observed

1. Chrome doesnt prompt to choose certificate that i have installed (CA cert). If i use the SSL cert generated by tls toolkit, it prompts just fine.

2. I see some differences in EKU and KU sections of both the certs, see attached screenshot.

3. Certificate length is 2 for the one i generated via tls toolkit, but length is 1 for the CA one.

I have tried everything, and not able to fix this issue.

Hope someone can point me to the right direction.

40452-dv.png

40451-it.png

3,669 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank dwanehall
Contributor

Created ‎09-25-2017 01:50 PM

hide-solution

This problem has been solved!

Want to get a detailed solution you have to login/registered on the community

Register/Login
3,073 Views
0 Kudos
6 REPLIES 6

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎09-21-2017 05:00 PM

@James V

The "Keystore" you are using that you are using that was derived form your CA should contain only a single "PrivateKeyEntry". That "PrivateKeyEntry" should have a EKU that authorizes it use for both clientAuth and ServerAuth. (Based on above, EKU looks correct.) The Issuer listed of that PrivateKeyEntry should be the DN for your CA. If the Issuer is the same as the owner, it is a self signed cert. This typically means you did not install the response you got back from your CA. You should have provided your CA with a csr (certificate signing request) which you then received a response for.

The "truststore" should not contain any PrivateKeyEntries. It should contain 1 to many "TrustedCertEntries". There should be a trustedCertEntry for every CA that signs any certificates being used anywhere to communicate with this NiFi. TrustedCertEntries are nothing more teh public keys.

Thanks,

Matt

3,073 Views
0 Kudos

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎09-25-2017 11:36 AM

@James V

Can you post teh entire verbose output of both your Keystore and Truststore?

3,073 Views
0 Kudos

avatar
author-rank encikcuci
New Contributor

Created on ‎09-25-2017 10:32 AM - edited ‎08-17-2019 11:04 PM

Hi Matt,

Thanks for taking the time to answer. I checked the keystore and trustedstore based on what you provided. I can see exactly what you suggest, 1 privatekeyentry in keystore and 1 trustedcertentries in trustedstore.

I have also turned on the debugging and this is what i see in nifi-bootstrap.log

40504-ks.png

40505-ts.png

nifi-bootstrap.log

40507-chain.png

Appreciate your help on this matter. Thanks!

3,073 Views
0 Kudos

avatar
author-rank dwanehall
Contributor

Created ‎09-25-2017 01:50 PM

hide-solution

This problem has been solved!

Want to get a detailed solution you have to login/registered on the community

Register/Login
3,074 Views
0 Kudos

avatar
author-rank encikcuci
New Contributor

Created ‎09-27-2017 08:23 AM

@D H

Thank you very much for your help. It works now! Followed all your steps.

3,073 Views
0 Kudos

avatar
author-rank dwanehall
Contributor

Created ‎09-27-2017 12:53 PM

Glad to hear it :). Enjoy your secure NiFi instance.

3,073 Views
0 Kudos
webinar banner
Announcements
Community Announcements
CommunityOverCode Asia 2024 will be held in Hangzhou from Ju...
What's New @ Cloudera
Apache Flink is Now Generally Available in the Cloudera Stre...
Product Announcements
[ANNOUNCE] Cloudera Data Services 1.5.4 on Private Cloud Rel...
What's New @ Cloudera
Run your Apache NiFi and Apache Kafka workloads on Kubernete...
What's New @ Cloudera
Cloudera DataFlow now powers GenAI pipelines and supports ch...
View More Announcements
meetups banner