Created 11-01-2021 04:08 AM
Hi,
I was able to set up a secure NiFi cluster with two nodes on two different AWS EC2 Linux instances using the certificate generated by the NiFi toolkit, but I am not able to secure it with company-provided certificates. I followed this article - https://nifi.apache.org/docs/nifi-docs/html/walkthroughs.html#securing-nifi-with-provided-certificat... and was able to execute all steps on one of the nodes, then tried to access the UI after shutting down the other node, but I still get the error below - <server name> didn't accept your login certificate, or a login certificate may not have been provided. ERR_BAD_SSL_CLIENT_AUTH_CERT
Can you please suggest what can be done to address this issue, or point to some walkthrough article other than the link I mentioned above where an enterprise-provided certificate has been deployed successfully?
Created 11-02-2021 09:38 AM
@sandip87
Without the detailed output of your NiFi keystore and truststore and of the client certificate you are using to authenticate yourself to NiFi, it would be difficult to say exactly where your issue is. I am leaning towards an issue with your company-issued certificates, because you stated that this same NiFi worked fine when using certificates and keystores generated by NiFi's TLS toolkit.
For NiFi's keystore (configured in nifi.properties file), make sure the following are correct:
1. Keystore contains 1 and only 1 PrivateKeyEntry
2. Make sure the PrivateKeyEntry ExtendedKeyUsage (EKU) contains clientAuth and serverAuth
3. Make sure that the PrivateKeyEntry contains a SAN entry that matches the hostname of the host where NiFi is running.
For the user certificate loaded in the browser being used to authenticate with this NiFi:
1. Verify the certificate issuer. Is it an intermediate CA or the root CA?
2. Verify that NiFi's truststore.jks (configured in nifi.properties file) contains a TrustedCertEntry for the complete trust chain that goes with your certificate and the certificate found in the keystore.jks. A complete trust chain means that the truststore has the public keys for the issuer of each of the above certificates and, if that issuer is an intermediate CA, you also have the public certificate for the CA that signed that intermediate CA in the truststore. You'll know you have reached the root CA when the TrustedCertEntry has the same DN for both owner and issuer.
Your browser must also contain the complete trust chain for the certificates issued to your NiFi nodes.
Once all the above is verified, clear your browser cache and site cookies.
If you still have the same issue and you are using the Chrome browser, try typing "thisisunsafe" (which tells Chrome to skip certificate verification on the certificate presented by the NiFi instance) while the NiFi Chrome tab is in focus. If this works and allows you to proceed, this again points at a trust issue between your corporately issued certificate and your browser. Go back and verify the structure/content of the NiFi keystore again.
If you found this response assisted with your query, please take a moment to login and click on "Accept as Solution" below this post.
Thank you,
Matt
Created 11-05-2021 03:40 AM
Hi Matt,
Thank you very much for the detailed response. As I don't have much knowledge about these security configurations, I have set the keystore and truststore password to be the same and without the hostname. Would you be able to provide a reference to the lines in the nifi.properties file which refer to the three things you mentioned in your response:
For NiFi's keystore (configured in nifi.properties file), make sure the following are correct:
1. Keystore contains 1 and only 1 PrivateKeyEntry
2. Make sure the PrivateKeyEntry ExtendedKeyUsage (EKU) contains clientAuth and serverAuth
3. Make sure that the PrivateKeyEntry contains a SAN entry that matches the hostname of the host where NiFi is running.
Kind regards,
Sandip
Created 11-08-2021 06:04 AM
The following properties within the nifi.properties file will tell you where your NiFi's keystore and truststore files are located:
1. nifi.security.keystore
2. nifi.security.truststore
You can use the java keytool command to see the verbose details of the content of these two keystores:
<path to java JDK>/bin/keytool -v -list -keystore <keystore/truststore>
Once you have inspected these to make sure the contents are good, you then need to make sure you can successfully authenticate your user to your NiFi.
By default, once NiFi is secured, the only method to authenticate a user/client is via a mutual TLS handshake, which means your user needs to have a certificate loaded in the browser.
Optionally you can add additional user authentication methods if you want.
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#user_authentication
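As an added example (not from this thread or the NiFi project), the script below runs the four keystore/truststore checks Matt listed over the text that `keytool -v -list` prints, including the intermediate-plus-root chain case. The KS_OUT and TS_OUT samples are constructed in keytool's output format; the hostname, aliases and DNs are made up, and the real output would come from the keytool command above.

```sh
# Added example: checks `keytool -v -list` output against the points in the thread.
# KS_OUT/TS_OUT are CONSTRUCTED samples in keytool's format; in practice use
#   KS_OUT=$(keytool -v -list -keystore "$KS" -storepass "$PASS")   (same for TS)
KS_OUT='Alias name: nifi-key
Entry type: PrivateKeyEntry
Owner: CN=nifi-node1.example.com, OU=NIFI
Issuer: CN=Example Issuing CA, O=Example
#1: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]
SubjectAlternativeName [
  DNSName: nifi-node1.example.com
]'
TS_ROOT_ONLY='Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example
Issuer: CN=Example Root CA, O=Example'
TS_OUT="Entry type: trustedCertEntry
Owner: CN=Example Issuing CA, O=Example
Issuer: CN=Example Root CA, O=Example
$TS_ROOT_ONLY"
# Check 1: the keystore must hold exactly one PrivateKeyEntry.
count_private_keys() { printf '%s\n' "$1" | grep -c 'Entry type: PrivateKeyEntry'; }
# Check 2: the ExtendedKeyUsages block must list both serverAuth and clientAuth.
eku_has_both() {
  b=$(printf '%s\n' "$1" | awk '/ExtendedKeyUsages \[/{f=1;next} /^\]/{f=0} f')
  printf '%s\n' "$b" | grep -q serverAuth && printf '%s\n' "$b" | grep -q clientAuth; }
# Check 3: a DNSName SAN must equal the host NiFi runs on.
san_has_host() { printf '%s\n' "$1" | sed 's/^[[:space:]]*//' | grep -qxF "DNSName: $2"; }
# Check 4: every Issuer DN (keystore and truststore) must be an Owner in the
# truststore, and the chain must reach a self-signed root (Owner DN == Issuer DN).
chain_complete() {
  owners=$(printf '%s\n' "$2" | sed -n 's/^Owner: //p')
  printf '%s\n' "$1" "$2" | sed -n 's/^Issuer: //p' | sort -u | while IFS= read -r iss; do
    printf '%s\n' "$owners" | grep -qxF "$iss" || { echo "truststore lacks: $iss" >&2; exit 1; }
  done || return 1
  printf '%s\n' "$2" | awk -F': ' '/^Owner: /{o=$2} /^Issuer: /&&$2==o{r=1} END{exit !r}'
}
# Runs all four checks against keystore output $1, truststore output $2, host $3.
run_checks() {
  ok=0
  [ "$(count_private_keys "$1")" -eq 1 ] || { echo "FAIL: PrivateKeyEntry count"; ok=1; }
  eku_has_both "$1" || { echo "FAIL: EKU lacks serverAuth/clientAuth"; ok=1; }
  san_has_host "$1" "$3" || { echo "FAIL: no SAN for $3"; ok=1; }
  chain_complete "$1" "$2" || { echo "FAIL: trust chain incomplete"; ok=1; }
  return $ok
}
run_checks "$KS_OUT" "$TS_OUT" nifi-node1.example.com && echo "full chain: PASS"
run_checks "$KS_OUT" "$TS_ROOT_ONLY" nifi-node1.example.com || echo "root-only truststore: FAIL"
```

The second run reproduces the situation described later in the thread: the keystore's certificate is issued by an intermediate CA, but the truststore holds only the root, so the chain check fails.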
Created 11-09-2021 10:51 PM
@sandip87, Has the reply helped resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future.
Regards,
Vidya Sargur
Created 11-11-2021 05:41 AM
Hi @MattWho ,
Sorry for the delayed response, as I was off work for the last few days.
Thanks for sharing the keytool command to check all the details you had asked to check in your first response. Below are the findings after running the command for the configured keystore and truststore in NiFi:
For NiFi's keystore (configured in nifi.properties file), make sure the following are correct:
1. Keystore contains 1 and only 1 PrivateKeyEntry --> That's true.
2. Make sure the PrivateKeyEntry ExtendedKeyUsage (EKU) contains clientAuth and serverAuth --> That's true
3. Make sure that the PrivateKeyEntry contains a SAN entry that matches the hostname of the host where NiFi is running. --> That's true.
For the user certificate loaded in the browser being used to authenticate with this NiFi:
1. Verify the certificate issuer. Is it an intermediate CA or the root CA? --> We have one IssuingCA and another root CA. We had combined them to form one certificate and then followed the steps in the NiFi documentation.
2. Verify that NiFi's truststore.jks (configured in nifi.properties file) contains a TrustedCertEntry for the complete trust chain that goes with your certificate and the certificate found in the keystore.jks. A complete trust chain means that the truststore has the public keys for the issuer of each of the above certificates and, if that issuer is an intermediate CA, you also have the public certificate for the CA that signed that intermediate CA in the truststore. You'll know you have reached the root CA when the TrustedCertEntry has the same DN for both owner and issuer. --> NiFi's truststore contains a TrustedCertEntry, and the TrustedCertEntry has the same DN for both owner and issuer.
I cleared the browser cache and site cookies, but still the same issue.
I even tried the "thisisunsafe" trick in Chrome, but it's reloading the page with the same issue.
Thanks,
Sandip
Created 11-16-2021 06:25 AM
@sandip87
This statement is not clear to me:
We had combined them to form one certificate and then followed the steps in the NiFi documentation.
Sounds to me like your trust chain has an intermediate CA and a root CA in it.
That means your truststore must have two TrustedCertEntries in it: one for the intermediate CA and the other for the root CA. It sounds like you only have the root CA in your truststore.
If you found this response assisted with your query, please take a moment to login and click on "Accept as Solution" below this post.
Thank you,
Matt