Created on 12-24-2018 05:43 AM - edited 09-16-2022 07:00 AM
Hi, I'm using NiFi 1.8.0 (just NiFi..), a 3-node cluster, and secured.
Is it necessary to import a cert into the browser when NiFi is secured?
I made a cert (keystore, truststore.. etc.) with tls-toolkit.
And I wanna connect from many other computers to my NiFi cluster, without a cert!!! (Authentication will be set by LDAP.. probably.)
I heard that old versions of NiFi had a property nifi.security.needClientAuth, but my version does not.
So, I want a secured cluster, and to connect from many other computers (multiple users) without a cert ( https:// ~/nifi/login ), and log in (authentication) with LDAP!
Am I misunderstanding? Is importing a cert into the browser a required step for a secured cluster?
Is it necessary for many other users to have a cert to connect to my NiFi server? Should I be publishing a cert to users?
Created 12-24-2018 08:34 AM
Hi @hr pyo
This really depends, and you will have to understand authentication with SSL to get all the details.
I am trying to put this in short here:
If you use self-signed certificates or you sign the certificates with your own CA, you will experience browser warnings about insecure connections. This means that each time the user has to confirm he wants to continue, until you install either the certificate of the server or the CA into the browser.
Anyway, there are preinstalled 'root CAs' in every browser. So if you get your certificate signed by one of those root CAs, you don't have to install the certificate itself. Due to the chain of trust, the browser accepts the signed certificate without further steps needed. To get a free-of-charge signed certificate you can use 'Let's Encrypt'.
At an enterprise level, you usually have an enterprise CA that gets installed on all enterprise machines, and you let your certificate get signed by your enterprise CA.
Regards
Harald
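The chain-of-trust behaviour described in the answer above can be reproduced offline with `openssl`. This is an added example, not part of the original post and not NiFi or tls-toolkit code; the CA name, host names and file names are constructed for the demo.

```shell
#!/usr/bin/env bash
# Constructed demo PKI: every name below is made up for illustration.
set -u

make_demo_pki() {
  dir=$1
  # 1. A private CA, standing in for your own CA or an enterprise CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo Enterprise CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  # 2. A server key and CSR, then a server certificate signed by that CA.
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=nifi-node1.example.internal" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" -days 30 \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/server.pem" 2>/dev/null
  # 3. A self-signed server certificate with no CA behind it.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=nifi-selfsigned.example.internal" \
    -keyout "$dir/self.key" -out "$dir/self.pem" 2>/dev/null
}

# trusted_by TRUST_STORE CERT: succeeds only if CERT chains to TRUST_STORE,
# which plays the role of the CA list installed in the browser.
trusted_by() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

report() {
  if trusted_by "$2" "$3"; then echo "$1: trusted"; else echo "$1: warning"; fi
}

demo=$(mktemp -d)
make_demo_pki "$demo"
# Client has the CA installed: the CA-signed server cert is accepted as is.
report "CA-signed cert, CA installed" "$demo/ca.pem" "$demo/server.pem"
# Same client, self-signed server cert: nothing to chain to.
report "self-signed cert, only CA installed" "$demo/ca.pem" "$demo/self.pem"
# The self-signed cert itself has been installed as trusted.
report "self-signed cert, cert installed" "$demo/self.pem" "$demo/self.pem"
rm -rf "$demo"
```

None of these steps gives the user a client certificate; the trust store only decides whether the server's certificate is accepted.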
Created 12-26-2018 02:50 AM
This is really what I wanna know!! Thanks!!!!!!!!!!