Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Setting StandardSSLContext service for listenTCP

Labels:
avatar
author-rank dhieru
Expert Contributor

Created on ‎11-07-2017 09:52 PM - edited ‎08-18-2019 12:28 AM

43502-security-1.png

Hi All,

Thanks a lot to this aweosme community.

I am trying to set server.key and server.pem store in some directory on my nifi node using StandardSSLcontext service, the type is pkcs12.

Which property will be set here

Keystore properties or

the Truststore ones

I am confused between terminalogies any help

I do not have much idea about keys and certs

Thanks Dheeru

2,691 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank alopresto author-rank
Guru

Created ‎11-08-2017 12:50 AM

You need the private key and public key to be stored in a Java Keystore (*.jks) file. You can import the PEM-encoded certificate and key into this form by using the following commands:

openssl pkcs12 -export -in server.pem -inkey server.key -out server.p12 -name [some-alias] -chain

keytool -importkeystore -deststorepass [yourpassword] -destkeypass [yourpassword] -destkeystore server.jks -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass [passwordfromabove] -alias [some-alias]

When creating the temporary PKCS12 keystore, make sure to provide a password at the prompt, or the Java keytool utility will not accept it. Once you have the server.jks file, populate the properties as follows:

  • Keystore file: path/to/server.jks
  • Keystore password: [yourpassword]
  • Key password: [yourpassword]
  • Keystore type: JKS

This will allow your NiFi instance/component to present a server certificate identifying itself and encrypt the channel. However, to connect to external HTTPS services, you will also need to provide a truststore. A truststore is a keystore file that contains only public certificates of other services to allow your system (in this case, NiFi) to trust them. If you have custom organizational certificates, you'll need to build your own truststore here. If you are just connecting to generic internet services, the JRE default should be fine:

  • Truststore file: /Library/Java/JavaVirtualMachines/jdk1.8.0_101.jdk/Contents/Home/jre/lib/security/cacerts (your JRE path may be different)
  • Truststore password: changeit
  • Truststore type: JKS

View solution in original post

2,397 Views
3 REPLIES 3

avatar
author-rank dhieru
Expert Contributor

Created ‎11-07-2017 10:45 PM

I read this blog (https://bryanbende.com/development/2017/10/13/apache-nifi-tls-with-apache-solr) by @Bryan Bende and looks

like I need download the

https://nifi.apache.org/download.html and make a keystore or truststore or both?

Am I going in the right direction?

Thanks

Dheeru

2,397 Views
0 Kudos

avatar
author-rank alopresto author-rank
Guru

Created ‎11-08-2017 12:50 AM

You need the private key and public key to be stored in a Java Keystore (*.jks) file. You can import the PEM-encoded certificate and key into this form by using the following commands:

openssl pkcs12 -export -in server.pem -inkey server.key -out server.p12 -name [some-alias] -chain

keytool -importkeystore -deststorepass [yourpassword] -destkeypass [yourpassword] -destkeystore server.jks -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass [passwordfromabove] -alias [some-alias]

When creating the temporary PKCS12 keystore, make sure to provide a password at the prompt, or the Java keytool utility will not accept it. Once you have the server.jks file, populate the properties as follows:

  • Keystore file: path/to/server.jks
  • Keystore password: [yourpassword]
  • Key password: [yourpassword]
  • Keystore type: JKS

This will allow your NiFi instance/component to present a server certificate identifying itself and encrypt the channel. However, to connect to external HTTPS services, you will also need to provide a truststore. A truststore is a keystore file that contains only public certificates of other services to allow your system (in this case, NiFi) to trust them. If you have custom organizational certificates, you'll need to build your own truststore here. If you are just connecting to generic internet services, the JRE default should be fine:

  • Truststore file: /Library/Java/JavaVirtualMachines/jdk1.8.0_101.jdk/Contents/Home/jre/lib/security/cacerts (your JRE path may be different)
  • Truststore password: changeit
  • Truststore type: JKS
2,398 Views

avatar
author-rank dhieru
Expert Contributor

Created ‎11-08-2017 01:31 PM

@Andy LoPresto

Thanks a lot, appreciate it

2,397 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements