
nifi ssl cluster best practices


New Contributor

I am trying to understand if I can set up a multiple-node SSL cluster with a certificate signed by my organization, without the need to add each node as a SAN to the certificate.

Because we keep adding nodes to the cluster, I want to avoid asking for an updated certificate with a new node added to the SAN.


Currently I am setting the following properties in nifi.properties as the FQDN or the IP:

nifi.web.https.host=10.38.140.239
nifi.cluster.node.address=10.38.140.239
nifi.remote.input.host=10.38.140.239

And setting the proxy host with the CNAME:

nifi.web.proxy.host=ssl_cert_cname.foo.com:8443


And inside my authorizers.xml, I am adding the CNAME as the initial node/user identity:

<userGroupProvider>
    ...
    <property name="Initial User Identity 4">CN=ssl_cert_cname.foo.com, OU=nifi, O=Unknown, L=Unknown, ST=Unknown, C=Unknown</property>
</userGroupProvider>
<accessPolicyProvider>
    ...
    <property name="Node Identity 3">CN=ssl_cert_cname.foo.com, OU=nifi, O=Unknown, L=Unknown, ST=Unknown, C=Unknown</property>
</accessPolicyProvider>


Currently I am adding the <ip> of all the nodes in the cluster to the cert's SAN to make it work.


Responses will be appreciated. Thanks.
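
The SAN bookkeeping described in the question above, as an added example that is not part of the original post or of NiFi: a Python check that lists which host values in a node's nifi.properties are missing from a certificate's subjectAltName. The new node's address 10.38.140.240 and name nifi-node4.foo.com are constructed sample values, and the wildcard handling is the general TLS name-matching rule, which goes beyond what the post itself uses.

```python
import ipaddress

# Host properties from the post; each value is an address other nodes or clients connect to.
HOST_KEYS = ("nifi.web.https.host", "nifi.cluster.node.address", "nifi.remote.input.host")

def parse_san(openssl_text):
    """Parse `openssl x509 -noout -ext subjectAltName` output into (dns, ips)."""
    dns, ips = set(), set()
    for entry in openssl_text.replace("\n", ",").split(","):
        kind, sep, value = entry.strip().partition(":")
        if sep and kind == "DNS":
            dns.add(value.strip().lower())
        elif sep and kind == "IP Address":
            ips.add(ipaddress.ip_address(value.strip()))
    return dns, ips

def covered(host, dns, ips):
    """IPs match only iPAddress entries; names match dNSName ('*' = one leftmost label)."""
    try:
        return ipaddress.ip_address(host) in ips
    except ValueError:
        pass  # not an IP literal, treat as a DNS name
    host = host.lower().rstrip(".")
    parent = host.partition(".")[2]
    return host in dns or (bool(parent) and "*." + parent in dns)

def uncovered_hosts(properties_text, san_text):
    """Return {property: value} for host properties the certificate does not cover."""
    dns, ips = parse_san(san_text)
    missing = {}
    for line in properties_text.splitlines():
        key, sep, value = (part.strip() for part in line.partition("="))
        if sep and key in HOST_KEYS and value and not covered(value, dns, ips):
            missing[key] = value
    return missing

# Constructed sample: properties of a newly added node and the SAN of the existing cert.
NODE_PROPS = """\
nifi.web.https.host=10.38.140.240
nifi.cluster.node.address=nifi-node4.foo.com
nifi.remote.input.host=10.38.140.240
"""
CERT_SAN = """\
X509v3 Subject Alternative Name:
    DNS:ssl_cert_cname.foo.com, IP Address:10.38.140.239
"""
if __name__ == "__main__":
    for key, value in uncovered_hosts(NODE_PROPS, CERT_SAN).items():
        print(f"{key}={value} is not covered by the certificate SAN")
```

An IP address listed only as a `DNS:` entry is reported as uncovered, because IP literals are compared against `IP Address:` entries only.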





Re: nifi ssl cluster best practices

Community Manager

@Vinit Sacheti, just F.Y.I…you submitted a question substantially similar to the above post with the title nifi ssl cluster avoid adding host to san that was rejected by the moderators of HCC, on the grounds that it was essentially a duplicate of the above.

Bill Brooks, Community Manager