
Unable to open NIFI web UI after TLS

Hi All,

I enabled TLS for the NIFI web UI (CDF). While services are running fine on the cluster, I'm unable to access the NIFI web UI from my browser. Below are the steps I followed; please suggest what might be causing the issue.

I repeated the steps below for all the machines in my nifi cluster.

1. Received signed host certificate from IT team (<hostname>.pem), also rootca (root.pem)

2. Copy the JDK cacerts file to jssecacerts as follows:

sudo cp $JAVA_HOME/jre/lib/security/cacerts $JAVA_HOME/jre/lib/security/jssecacerts

3. Import rootca cert into JKS store

sudo $JAVA_HOME/bin/keytool -importcert -alias rootca -keystore $JAVA_HOME/jre/lib/security/jssecacerts -file /opt/cloudera/security/pki/root.pem

4. Created JKS and imported host certificate in keystore.

$JAVA_HOME/bin/keytool -genkeypair -alias $(hostname -f) -keyalg RSA -keystore /opt/cloudera/security/pki/$(hostname -f).jks -keysize 2048 -dname "CN=$(hostname -f),OU=Engineering,O=Cloudera,L=Singapore,ST=Singapore,C=Singapore" -ext san=dns:$(hostname -f)
sudo $JAVA_HOME/bin/keytool -importcert -alias $(hostname -f) -file /opt/cloudera/security/pki/$(hostname -f).pem -keystore /opt/cloudera/security/pki/$(hostname -f).jks

5. Creating symlinks

sudo ln -s /opt/cloudera/security/pki/$(hostname -f).pem /opt/cloudera/security/pki/agent.pem

sudo ln -s /opt/cloudera/security/pki/$(hostname -f).jks /opt/cloudera/security/pki/server.jks

6. Enabled TLS from Cloudera Manager for NIFI

7. Restarted services from Cloudera Manager

8. Unable to access from browser
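A check that fits after step 4, as an added example that is not part of the original post or of any reply: it reads `keytool -list -v` output and flags a server alias that has no private key, still carries the self-signed certificate from `-genkeypair`, or lacks the issuing CA in its chain. The host name `nifi01.example.com`, the CA name and both listings are constructed, and the function names are hypothetical.

```shell
# Added example (not from the thread): audit `keytool -list -v` output read on stdin.
# $1 is the alias (the host FQDN in the post). Returns 0 only when there are no findings.
check_keystore_entry() {
    awk -v want="$1" '
        /^Alias name: / { cur = substr($0, 13); ncert = 0; if (cur == want) seen = 1 }
        cur != want     { next }
        /^Entry type: / { type = substr($0, 13) }
        /^Certificate chain length: / { chain = $NF + 0 }
        /^Certificate\[[0-9]+\]:/     { ncert++ }
        /^Owner: /  && ncert <= 1 && owner == ""  { owner = substr($0, 8) }
        /^Issuer: / && ncert <= 1 && issuer == "" { issuer = substr($0, 9) }
        END {
            if (!seen) { print "alias not found: " want; exit 1 }
            if (type != "PrivateKeyEntry") { print "entry type is " type ": no private key"; bad = 1 }
            if (owner == issuer) { print "leaf is self-signed: CA-signed cert not installed"; bad = 1 }
            if (chain < 2) { print "chain length " chain ": issuing CA missing from chain"; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample: the alias as -genkeypair alone leaves it.
sample_selfsigned() {
cat <<'EOF'
Alias name: nifi01.example.com
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=nifi01.example.com, OU=Engineering, O=Cloudera
Issuer: CN=nifi01.example.com, OU=Engineering, O=Cloudera
EOF
}
# Constructed sample: the same alias once the CA-signed certificate is installed.
sample_signed() {
cat <<'EOF'
Alias name: nifi01.example.com
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=nifi01.example.com, OU=Engineering, O=Cloudera
Issuer: CN=Example Root CA
Certificate[2]:
Owner: CN=Example Root CA
Issuer: CN=Example Root CA
EOF
}

# Real use, with the keystore path from the post (keytool prompts for the password):
#   keytool -list -v -keystore /opt/cloudera/security/pki/server.jks | check_keystore_entry "$(hostname -f)"
sample_selfsigned | check_keystore_entry nifi01.example.com || echo "=> findings above"
```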

 

 

13 REPLIES

@MattWho From where does nifi pick up node information for forming the cluster? Is this information stored in some directory or file?

@MattWho I deleted the local NIFI state directory and it worked like magic :). I finally have my first 7-node secured NIFI cluster accessible using a client cert.

Thanks a ton for your valuable inputs and detailed explanations, without which I might still have been stuck. Highly appreciated.

Super Mentor

@chhaya_vishwaka 

It may be beneficial to other users, since this thread/topic was so long, if you accept each response that helped directly with getting to your final working cluster.

I am happy to hear that you are up and running. Now you get to explore the very granular authorizations/access policies NiFi provides within your secured cluster.

Matt

New Contributor

The site does not use SSL, but shares an IP address with some other site that does.