Created 07-18-2016 09:20 AM
At first I distributed work in a cluster NiFi instance in perspective. (By running the processor on the Primary Node only, and then using site-to-site (Remote Process Group) to distribute that listing to all nodes in the cluster.)
Then I added user authentication with Kerberos, following https://community.hortonworks.com/articles/34147/nifi-security-user-authentication-with-kerberos.htm...
Now I want to distribute work in this secure NiFi instance.
I added the Remote Process Group with the URL [https://10.110.20.213:7070/nifi], but it shows the warning below (10.110.20.213:7070 is the web UI of my NCM; 10.110.20.215:7070 is a node):
10.110.20.215:7070 Unable to connect to https://10.110.20.213:7070/nifi due to com.sun.jersey.api.client.ClientHandlerException: java.io.IOException: HTTPS hostname wrong: should be <10.110.20.213>
Where did I go wrong? Thanks!
@Jobin George
Created 07-18-2016 02:52 PM
NiFi secure cluster and Site-To-Site authentication is not handled by Kerberos. NiFi Kerberos authentication is only supported for user authentication. Secure NiFi Site-To-Site communications are still handled using TLS mutual authentication. The error you are seeing is because that TLS mutual auth is failing. The URL you are providing the Remote Process Group (RPG) is using the IP of the target NCM. The NCM is providing its public key to your nodes for authentication, and that certificate does not contain the IP as its DN or as a Subject Alternative Name (SAN). So the source NiFi is saying that the provided certificate should contain 10.110.20.213, but instead it is providing something else.
If you do a verbose listing on your keystore on the NCM, you will see the contents of the key. Look for CN=<some value> (this value is typically the hostname/FQDN). Use that value in the URL you are providing your RPG. Make sure your source NiFi (in your case, every node in your NiFi cluster) can resolve that hostname to its proper IP. The other option is to get a new certificate that has the IP added to it as a SAN.
Thanks,
Matt
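The check behind the "HTTPS hostname wrong" error, sketched as an added example (not part of the original posts and not NiFi's own code): the host in the RPG URL must be named by the certificate the target presents, and an IP literal is only satisfied by an IP entry in the SAN. The hostname `ncm.example.com` and both certificate dicts are constructed sample data in the layout of Python's `ssl.SSLSocket.getpeercert()`; wildcard names are not handled.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: certificate that names the NCM only by hostname (no SAN).
NCM_CERT = {"subject": ((("commonName", "ncm.example.com"),),)}

# Constructed sample: reissued certificate with the IP added as a SAN.
NCM_CERT_WITH_IP_SAN = {
    "subject": ((("commonName", "ncm.example.com"),),),
    "subjectAltName": (("DNS", "ncm.example.com"),
                       ("IP Address", "10.110.20.213")),
}

def url_host_matches_cert(url, cert):
    """Return (ok, reason): does the host in `url` appear in `cert`?"""
    host = urlsplit(url).hostname  # already lower-cased by urlsplit
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None

    if ip is not None:
        # IP literal in the URL: only SAN entries of type IP count,
        # the CN is never consulted.
        san_ips = [ipaddress.ip_address(v) for t, v in sans if t == "IP Address"]
        if ip in san_ips:
            return True, f"{host} listed as an IP SAN"
        return False, f"no IP SAN for {host}; use the certificate's hostname"

    # Hostname in the URL: match DNS SANs, falling back to the CN
    # only when the certificate carries no DNS SAN at all.
    names = [v.lower() for t, v in sans if t == "DNS"]
    if not names:
        names = [v.lower() for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    if host in names:
        return True, f"{host} matches the certificate"
    return False, f"{host} not in certificate names {names}"

if __name__ == "__main__":
    for url, cert in [("https://10.110.20.213:7070/nifi", NCM_CERT),
                      ("https://ncm.example.com:7070/nifi", NCM_CERT),
                      ("https://10.110.20.213:7070/nifi", NCM_CERT_WITH_IP_SAN)]:
        print(url, "->", url_host_matches_cert(url, cert))
```
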
Created 07-19-2016 03:27 AM
Thanks for your advice, Matt.
I fixed this problem by installing the certificate on my node server. The URL of the RPG is set to https://node1:7070/nifi. Then I assigned a role to host1 in the NiFi web UI.