Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
Solved Go to solution

The Remote Process Group has warning in an anthenticate cluster NiFi instance

Labels:
avatar
author-rank zhangweigang20
Rising Star

Created ‎07-18-2016 09:20 AM

At first I distribute works in a cluster NiFi instance in perspective.(By run processor on the Primary Node only, and then use site-to-site (remote process group) to distribute that listing to all nodes in the cluster.)

Then I add User Authentication with Kerberos follow https://community.hortonworks.com/articles/34147/nifi-security-user-authentication-with-kerberos.htm...

Now i want to distribute works in this secure NiFi instance.

I add the Remote Process Group with url [https://10.110.20.213:7070/nifi]. But it has warning as bellow (10.110.20.213:7070 is the web ui of my NCM, 10.110.20.215:7070 is node)

10.110.20.215:7070 Unable to connect to https://10.110.20.213:7070/nifi due to com.sun.jersey.api.client.ClientHandlerException: java.io.IOException: HTTPS hostname wrong: should be <10.110.20.213>

Where i was wrong? Thanks!

@Jobin George

1,637 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank zhangweigang20
Rising Star

Created ‎07-19-2016 03:27 AM

Thanks for your advice, Matt.

I fix this problem by install certificate in my node server. And the url of RPG is set https://node1:7070/nifi. Then assign role to host1 by the nifi web UI.

View solution in original post

1,246 Views
0 Kudos
2 REPLIES 2

avatar
author-rank MattWho author-rank
Super Mentor

Created ‎07-18-2016 02:52 PM

NiFi secure cluster and Site-To-Site authentication is not handled by kerberos. NiFi kerberos authentication is only supported for user authentication. Secure NiFi Site-To-Site communications are still handled using TLS mutual authentication. The error you are seeing is because that TLS mutual auth is failing. The URL you are providing the Remote Process Group (RPG) is using the IP of the target NCM. The NCM is providing its public key to your nodes for autentication and that certificate does not contain the IP as its DN or as a Subject Alternative Name (SAN). So the source NiFi is saying the that the provided certificate shoudl contain 10.110.20.213 but instead it is providing something else.

If you do a verbose listing on your keystore on the NCM you will see the contents of the key. Look for CN=<some value> (This value is typically the hostname/FQDN.) Use that value in the URL you are providing your RPG. Make sure your source NiFi (In your case every Node in your NiFi cluster) can resolve that hostname to its proper IP. The other option is to get a new certificate that has the IP added to it as a SAN. Thanks,

Matt

1,246 Views

avatar
author-rank zhangweigang20
Rising Star

Created ‎07-19-2016 03:27 AM

Thanks for your advice, Matt.

I fix this problem by install certificate in my node server. And the url of RPG is set https://node1:7070/nifi. Then assign role to host1 by the nifi web UI.

1,247 Views
0 Kudos
webinar banner
Announcements
Community Announcements
January 2024 Community Highlights
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
View More Announcements
meetups banner