Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
Solved Go to solution

Setting StandardSSLContext service for listenTCP

Labels:
avatar
author-rank dhieru
Expert Contributor

Created on ‎11-07-2017 09:52 PM - edited ‎08-18-2019 12:28 AM

43502-security-1.png

Hi All,

Thanks a lot to this aweosme community.

I am trying to set server.key and server.pem store in some directory on my nifi node using StandardSSLcontext service, the type is pkcs12.

Which property will be set here

Keystore properties or

the Truststore ones

I am confused between terminalogies any help

I do not have much idea about keys and certs

Thanks Dheeru

2,205 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank alopresto author-rank
Guru

Created ‎11-08-2017 12:50 AM

You need the private key and public key to be stored in a Java Keystore (*.jks) file. You can import the PEM-encoded certificate and key into this form by using the following commands:

openssl pkcs12 -export -in server.pem -inkey server.key -out server.p12 -name [some-alias] -chain

keytool -importkeystore -deststorepass [yourpassword] -destkeypass [yourpassword] -destkeystore server.jks -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass [passwordfromabove] -alias [some-alias]

When creating the temporary PKCS12 keystore, make sure to provide a password at the prompt, or the Java keytool utility will not accept it. Once you have the server.jks file, populate the properties as follows:

  • Keystore file: path/to/server.jks
  • Keystore password: [yourpassword]
  • Key password: [yourpassword]
  • Keystore type: JKS

This will allow your NiFi instance/component to present a server certificate identifying itself and encrypt the channel. However, to connect to external HTTPS services, you will also need to provide a truststore. A truststore is a keystore file that contains only public certificates of other services to allow your system (in this case, NiFi) to trust them. If you have custom organizational certificates, you'll need to build your own truststore here. If you are just connecting to generic internet services, the JRE default should be fine:

  • Truststore file: /Library/Java/JavaVirtualMachines/jdk1.8.0_101.jdk/Contents/Home/jre/lib/security/cacerts (your JRE path may be different)
  • Truststore password: changeit
  • Truststore type: JKS

View solution in original post

1,911 Views
3 REPLIES 3

avatar
author-rank dhieru
Expert Contributor

Created ‎11-07-2017 10:45 PM

I read this blog (https://bryanbende.com/development/2017/10/13/apache-nifi-tls-with-apache-solr) by @Bryan Bende and looks

like I need download the

https://nifi.apache.org/download.html and make a keystore or truststore or both?

Am I going in the right direction?

Thanks

Dheeru

1,911 Views
0 Kudos

avatar
author-rank alopresto author-rank
Guru

Created ‎11-08-2017 12:50 AM

You need the private key and public key to be stored in a Java Keystore (*.jks) file. You can import the PEM-encoded certificate and key into this form by using the following commands:

openssl pkcs12 -export -in server.pem -inkey server.key -out server.p12 -name [some-alias] -chain

keytool -importkeystore -deststorepass [yourpassword] -destkeypass [yourpassword] -destkeystore server.jks -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass [passwordfromabove] -alias [some-alias]

When creating the temporary PKCS12 keystore, make sure to provide a password at the prompt, or the Java keytool utility will not accept it. Once you have the server.jks file, populate the properties as follows:

  • Keystore file: path/to/server.jks
  • Keystore password: [yourpassword]
  • Key password: [yourpassword]
  • Keystore type: JKS

This will allow your NiFi instance/component to present a server certificate identifying itself and encrypt the channel. However, to connect to external HTTPS services, you will also need to provide a truststore. A truststore is a keystore file that contains only public certificates of other services to allow your system (in this case, NiFi) to trust them. If you have custom organizational certificates, you'll need to build your own truststore here. If you are just connecting to generic internet services, the JRE default should be fine:

  • Truststore file: /Library/Java/JavaVirtualMachines/jdk1.8.0_101.jdk/Contents/Home/jre/lib/security/cacerts (your JRE path may be different)
  • Truststore password: changeit
  • Truststore type: JKS
1,912 Views

avatar
author-rank dhieru
Expert Contributor

Created ‎11-08-2017 01:31 PM

@Andy LoPresto

Thanks a lot, appreciate it

1,911 Views
0 Kudos
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements