Created 11-17-2016 04:02 PM
Hi,
I am using the latest version of NiFi and was working with HTTP recently. I tried to go HTTPS by doing the steps below, and my NiFi won't start.
keytool -genkey -alias localhost -keyalg RSA -keysize 1024 -dname "CN=nifis2s,OU=nestle,O=nestle,L=selfsigned,ST=stl,C=us" -keypass testpass -keystore localhost.keystore.jks -storepass testpass
keytool -export -alias localhost -keystore localhost.keystore.jks -rfc -file localhost.cert -storepass testpass
keytool -import -noprompt -alias localhost -file localhost.cert -keystore localhost.truststore.jks -storepass testpass
It generated the keystore.jks and truststore.jks files, and I pointed to them in nifi.config and changed it to use https. I also added an entry to authorizers.xml with the initial user as "CN=nifis2s,OU=nestle,O=nestle,L=selfsigned,ST=stl,C=us".
But when I tried to start up NiFi after the changes, it won't start up; after some time it shuts down with the errors below.
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'x509AuthenticationProvider' defined in class path resource [nifi-web-security-context.xml]: Cannot resolve reference to bean 'authorizer' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is org.apache.nifi.authorization.exception.AuthorizerCreationException: javax.xml.bind.UnmarshalException
Does CN=nifis2s,OU=nestle,O=nestle,L=selfsigned,ST=stl,C=us need to be a valid user on the machine?
I tried different combinations like CN=nifiuser,OU=test.
Is there anything that I am missing?
Created 11-23-2016 03:33 AM
Your truststore has two trustedCertEntries -- one for the server cert and one for the client. I don't know what browser you are using to attempt to access the UI, so I don't know why it is not prompting you for a client certificate. I recommend you use the following OpenSSL command to attempt a client connection from the command line and either verify that it successfully negotiates a mutually-authenticated handshake or fails and you can provide more error output. The command is on this Gist I have published.
$ openssl s_client -connect <host:port> -debug -state -cert <path_to_your_cert.pem> -key <path_to_your_key.pem> -CAfile <path_to_your_CA_cert.pem>
If you do not have your various certificates and keys in the correct format to use with this command, sections 2, 3, and 6 will allow you to export them to the right format.
It also appears from your earlier comment that you generated the client certificate and then stored it in your keystore. This is unnecessary and incorrect. The various keystores and certificates should be as follows:
- Keystore: one PrivateKeyEntry (a private key plus certificate entry) used by the server to identify itself
- Truststore: trustedCertEntry entries (all public certificate(s) only) to verify "peer" certificates (either incoming client connections or connections NiFi makes to external resources, i.e. to ingest data from an HTTPS site)
- Client certificate: a PKCS12 keystore (*.p12) with CN=<user name>
Created 11-23-2016 04:52 PM
I have generated all the .pems as you suggested and tried to test from the openssl command line.
It looks like it is able to do the handshake, but it shows an alert/warning towards the end. I am attaching the log from openssl.