nifi ssl cluster best practices

vsacheti · ‎05-08-2019

I am trying to understand, If I can setup a multiple node SSL Cluster with a Certificate signed by my organization without the need of adding each node as a SAN to the certificate.

Coz we keep adding nodes to the cluster, and I want to avoid asking for a updated Certificate with a new node added to SAN.

Currently I am setting the following properties in nifi.properties as the fqdn or the ip

nifi.web.https.host=10.38.140.239
nifi.cluster.node.address=10.38.140.239
nifi.remote.input.host=10.38.140.239

And setting the proxy host with the cname

nifi.web.proxy.host=ssl_cert_cname.foo.com:8443

And inside my authorizers.xml, I am adding the cname as the initial node/user identity

<userGroupProvider>
    ...
    <property name="Initial User Identity 4">CN=ssl_cert_cname.foo.com, OU=nifi, O=Unknown, L=Unknown,        ST=Unknown, C=Unknown</property> 
 </userGroupProvider>

<accessPolicyProvider>
    ...
    
    <property name="Node Identity 3">CN=ssl_cert_cname.foo.com, OU=nifi, O=Unknown, L=Unknown, ST=Unknown, C=Unknown</property>
</accessPolicyProvider>

Currently I am adding the <ip> of all the nodes in the cluster, to the cert's SAN to make it work.

Responses will be appreciated.Thanks

ask_bill_brooks · ‎05-08-2019

@Vinit Sacheti, just F.Y.I…you submitted a question substantially similar to the above post with the title nifi ssl cluster avoid adding host to san that was rejected by the moderators of HCC, on the grounds that it was essentially a duplicate of the above.

Bill Brooks, Community Moderator
Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.