@jfs912
NiFi 2.x is secured in the same way as NiFi 1.x was secured. The Apache NiFi community made a decision to move away from providing a toolkit for generating TLS certificates since it did not make sense to have its own tool to manage certificate creation when there is nothing special the toolkit does (NIFI-12200). You can create your own self-signed certificates (a simple web search will show many resources on how to do this), you can use a certificate service to create your certificates and sign them for you, you can set up your own certificate authority for signing your certificates, etc. It really made no sense for Apache NiFi to maintain this code.
The important parts to remember when creating your NiFi certificates are:
Keystore for NiFi:
- Must contain 1 and only 1 PrivateKey entry
- PrivateKey entry DN must NOT contain wildcards. The DN is used as the client identity and use of wildcards in client identities is not a proper security practice.
- PrivateKey entry must have ExtendedKeyUsage with both ClientAuth and ServerAuth. NiFi uses this certificate for both client and server authorizations.
- PrivateKey entry must include at least one SAN entry that matches the hostname of the NiFi server on which the certificate will be used. During a TLS exchange, hostname verification is performed to make sure the hostname accessed via the URL used matches a SAN entry in the server certificate the target server responds with. It is not uncommon for a certificate to contain more than one SAN entry.
- It is recommended that the PrivateKey password and the Keystore password be the same.
Truststore for NiFi:
- The NiFi truststore contains one to many trusted cert entries. Some choose to use the Java default cacerts (truststore) file and just add the additional NiFi trusted cert entries to it. This same truststore is then used on every node in a NiFi cluster.
- Must contain the complete trust chain for the NiFi certificates. A NiFi certificate may be self-signed, meaning the issuer and signer are the same Distinguished Name (DN). In this case the public cert for each of your NiFi nodes' certificates needs to be added to the truststore. A NiFi certificate might be signed by an Intermediate Certificate Authority (CA). An intermediate CA would be the signer DN for the NiFi certificate. An Intermediate CA will have a different Issuer and Signer DN. The truststore must contain the public cert for this Intermediate CA. There may be multiple levels of intermediate CAs before reaching the signer that is the root CA. The root CA public certificate can be identified because it will have the same DN for issuer and signer. The truststore must contain the public certificate for the root CA. Having all the public certificates for every signer of the NiFi certificate up to the Root CA makes up the complete trust chain required for trust of the signed NiFi certificate.
Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.
Thank you,
Matt
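An added example (not part of Matt's post or of Apache NiFi) that checks a node certificate against the keystore rules listed above: no wildcard in the DN, ExtendedKeyUsage with both serverAuth and clientAuth, and a SAN entry matching the node hostname. It builds a compliant self-signed certificate and a non-compliant one with openssl (1.1.1 or newer, for `-addext`/`-ext`) and audits both; the hostname is an assumed placeholder, and the "exactly one PrivateKey entry" rule is a keystore-level check (`keytool -list`) that this script does not cover.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Generates two self-signed node
# certificates and audits them against the NiFi keystore requirements.
set -eu

HOST="nifi-node1.example.internal"   # assumed NiFi node hostname (placeholder)
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT
GOOD="$WORK/good.crt"; BAD="$WORK/bad.crt"

# make_cert <out.crt> <CN> <SAN hostname> <EKU list>: self-signed cert plus key.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "${1%.crt}.key" -out "$1" -subj "/CN=$2/OU=NIFI" \
    -addext "subjectAltName=DNS:$3" -addext "extendedKeyUsage=$4" 2>/dev/null
}

# audit_cert <cert.pem> <expected hostname>: prints one FAIL line per violated
# rule and returns 0 only when the DN has no wildcard, the EKU carries both
# serverAuth and clientAuth, and a SAN DNS entry exactly equals the hostname.
audit_cert() {
  local pem="$1" host="$2" rc=0 subject eku san entry found=0
  subject="$(openssl x509 -in "$pem" -noout -subject)"
  eku="$(openssl x509 -in "$pem" -noout -ext extendedKeyUsage 2>/dev/null || true)"
  san="$(openssl x509 -in "$pem" -noout -ext subjectAltName 2>/dev/null || true)"
  case "$subject" in *'*'*) echo "FAIL: wildcard in DN ($subject)"; rc=1 ;; esac
  [[ $eku == *"TLS Web Server Authentication"* ]] || { echo "FAIL: EKU lacks serverAuth"; rc=1; }
  [[ $eku == *"TLS Web Client Authentication"* ]] || { echo "FAIL: EKU lacks clientAuth"; rc=1; }
  # Split the SAN line on commas/whitespace and look for an exact DNS match.
  for entry in ${san//,/ }; do
    if [ "$entry" = "DNS:$host" ]; then found=1; fi
  done
  [ "$found" -eq 1 ] || { echo "FAIL: no SAN entry DNS:$host"; rc=1; }
  return "$rc"
}

# A compliant cert next to a wildcard, server-only cert that breaks three rules.
make_cert "$GOOD" "$HOST" "$HOST" "serverAuth,clientAuth"
make_cert "$BAD"  "*.example.internal" "*.example.internal" "serverAuth"

for c in "$GOOD" "$BAD"; do
  echo "== $c"
  if audit_cert "$c" "$HOST"; then echo "PASS: meets the keystore requirements"; fi
done
```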