add Certificates Facebook to apache nifi

avatar
Rising Star

I am trying to use the plain HTTP endpoint of the Facebook Open Graph API, but it supports the HTTPS endpoint (authentication with access_token), so I am obliged to add the Facebook certificate to NiFi and create an SSL context. I uploaded the different certificates (PEM files) that Facebook uses, but I don't know how to configure NiFi to know them (how do I add them to the keystore and truststore?). Any help is appreciated.

1 ACCEPTED SOLUTION

avatar

@nejm hadj, as I answered to your comment on the other question, it sounds like you need to complete the following steps:

  1. Download the Facebook server certificate (via the browser or using openssl).

         $ openssl s_client -showcerts -connect graph.facebook.com:443 </dev/null

  2. Import that certificate as a trusted certificate into a truststore file (not required in this case as explained below, but would be required if using an internal or custom organizational CA not pre-loaded in the JRE/JDK cacerts).
    1. As you can see in the output of the above openssl command, the Facebook server certificate (identified by subject /C=US/ST=CA/L=Menlo Park/O=Facebook, Inc./CN=*.facebook.com) is issued by the DigiCert certificate (/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3), and that intermediate CA is in turn issued by the DigiCert Root CA (/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA). The Root CA is already present in the default Java cacerts truststore, located at $JAVA_HOME/jre/lib/security/cacerts. You can verify this by running the following command and comparing the SHA-1 fingerprints (also available at DigiCert's website):

           $ keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts -alias digicerthighassuranceevrootca

  3. Configure the PostHTTP processor to use an SSLContext which references that truststore file.
    1. The truststore type is JKS.
    2. The truststore location is $JAVA_HOME/jre/lib/security/cacerts.
    3. The truststore password is changeit.
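
The import that step 2 describes for an internal or custom CA, with the fingerprint comparison done before the certificate is trusted, as an added example that is not part of the original answer. The function names, alias, file paths and the throwaway "Example Internal Root CA" are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer): check a CA certificate's
# fingerprint against a value obtained out of band before trusting it.

# Print the SHA-1 fingerprint of a PEM certificate (colon-separated hex).
cert_sha1() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2
}

# Succeed only if the certificate matches the expected fingerprint.
# The comparison ignores case and colon separators.
fingerprint_matches() {
    actual=$(cert_sha1 "$1" | tr -d ':' | tr 'a-f' 'A-F')
    expected=$(printf '%s' "$2" | tr -d ':' | tr 'a-f' 'A-F')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Import the CA into a truststore only after the fingerprint check passes.
# Arguments: pem expected_sha1 truststore alias storepass
import_trusted_ca() {
    if ! fingerprint_matches "$1" "$2"; then
        echo "fingerprint mismatch for $1, not importing" >&2
        return 1
    fi
    keytool -importcert -noprompt -trustcacerts -alias "$4" \
        -file "$1" -keystore "$3" -storetype JKS -storepass "$5"
}

# Constructed sample input: a throwaway self-signed CA standing in for an
# internal organizational CA (hypothetical subject name).
make_sample_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Internal Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# Demo on the constructed CA: the correct fingerprint passes, an altered one is refused.
workdir=$(mktemp -d)
make_sample_ca "$workdir"
pinned=$(cert_sha1 "$workdir/ca.pem")
fingerprint_matches "$workdir/ca.pem" "$pinned" && echo "match: safe to import"
fingerprint_matches "$workdir/ca.pem" "00:$pinned" || echo "mismatch: refused"
```

Calling `import_trusted_ca` with a dedicated truststore path leaves the JRE's cacerts untouched; the SSLContext's truststore location then points at that file. A password given with `-storepass` is visible in the process list, so omit the option to be prompted instead on shared hosts.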


8 REPLIES 8

avatar
Master Mentor

@nejm hadj

Here is a good doc, surely it will help you: Nifi

Let me know if it worked

avatar

@Geoffrey Shelton Ogot, that article describes how to configure certificates, a keystore, and a truststore in order to provide NiFi as an HTTPS server, and how to configure certificates for individual users to provide client authentication. It will not assist @nejm hadj in this case.

avatar
Master Mentor

If I understood well, that's exactly the process nejm is trying to implement: import and add the Facebook certificate to a keystore and truststore in NiFi!

avatar

@Geoffrey Shelton Ogot My response is too long to fit here. I've posted it as a GitHub gist.

avatar
Master Mentor

@Andy LoPresto

Surely I will have a look at that post!

avatar
Rising Star

Thank you @Andy LoPresto, I followed the 3rd step without adding the Facebook server certificates and it works; the PostHTTP processor can now support HTTPS requests, but your document is very useful for me to know how I can add a certificate to my truststore.

avatar
Contributor

Hi @Andy LoPresto

I am still struggling with that. I tried to add the certificate to the truststore as you mentioned in your posts; however, GetHTTP is still not working. It is showing me an error in the access token, which works fine if I put it in the browser. I am using the template provided by GitHub. The SSL context service is also enabled.

Highly appreciate your support. Thanks.
