All, I have a 3 node NiFi cluster to secure with SSL. Do I need to generate 2-way SSL certs for all nodes in the cluster?
I would appreciate it if someone could share the steps to set up SSL in a cluster and the configs to update in nifi.properties to reflect the cluster SSL.
Yes. Mutual authentication is used for node-to-node communications, load-balanced connections, and Site-to-Site communications. All of these communications utilize the default keystore and truststore configured in the nifi.properties file.
NiFi has the following requirements for the keystore.jks file and its contents:
1. The keystore.jks can only contain ONE PrivateKeyEntry.
2. The PrivateKeyEntry must support both the "clientAuth" and "serverAuth" extended key usages.
3. The PrivateKeyEntry must include at least one Subject Alternative Name (SAN) entry that matches the hostname of the server on which the keystore will be used.
4. NiFi does not support wildcards in the PrivateKeyEntry.
The truststore.jks must contain the complete trust chain for any client certificate presented to NiFi for authentication. All inbound connections to secure NiFi endpoints will use mutual TLS authentication (2-way TLS). Each certificate will have an "Owner" and an "Issuer". When the Owner and Issuer Distinguished Names (DN) are identical, that certificate is self-signed. The issuer of every certificate must exist as a TrustedCertEntry in the truststore.jks in order to have the complete trust chain.
For example, consider a node PrivateKeyEntry with the following:
Owner: CN=node01, ou=nifi
Issuer: CN=nifiintermediateCA, ou=nifi
This means your truststore needs to have a TrustedCertEntry which would look something like:
Owner: CN=nifiintermediateCA, ou=nifi
Issuer: CN=nifirootCA, ou=nifi
As you can see here, this cert was also signed/issued by another CA, so you will need another TrustedCertEntry in your truststore for this cert as well:
Owner: CN=nifirootCA, ou=nifi
Issuer: CN=nifirootCA, ou=nifi
Here we see the Owner and Issuer are the same, thus we have reached the end of this trust chain.
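As an added example (not from the answer above and not NiFi's own code), here is a small checker that applies those rules to the text `keytool -list -v` prints for a node's keystore and truststore: exactly one PrivateKeyEntry, clientAuth plus serverAuth EKU, a SAN equal to the node hostname, and an Issuer chain in the truststore that ends at a self-signed root. The two listings are constructed samples for the node01 / nifiintermediateCA / nifirootCA chain from the answer; DNs are compared as plain strings, and the hostname argument is assumed to be the value you would put in nifi.properties for that node.

```python
import re
# Constructed excerpts of `keytool -list -v` output (sample data, not taken from the post).
KEYSTORE_LISTING = """\
Alias name: nifi-key
Entry type: PrivateKeyEntry
Owner: CN=node01, OU=nifi
Issuer: CN=nifiintermediateCA, OU=nifi
ExtendedKeyUsages [
  serverAuth
  clientAuth
]
SubjectAlternativeName [
  DNSName: node01
]"""
TRUSTSTORE_LISTING = """\
Alias name: intermediate
Entry type: trustedCertEntry
Owner: CN=nifiintermediateCA, OU=nifi
Issuer: CN=nifirootCA, OU=nifi
Alias name: root
Entry type: trustedCertEntry
Owner: CN=nifirootCA, OU=nifi
Issuer: CN=nifirootCA, OU=nifi"""
# Entry type, then the Owner/Issuer of the first certificate under the alias (the leaf).
ENTRY_RE = re.compile(r"Entry type: (\S+).*?^Owner: ([^\n]+)\nIssuer: ([^\n]+)", re.S | re.M)
def parse_listing(text):
    entries = []
    for chunk in re.split(r"^Alias name: ", text, flags=re.M)[1:]:
        kind, owner, issuer = ENTRY_RE.search(chunk).groups()
        eku = re.search(r"ExtendedKeyUsages \[(.*?)\]", chunk, re.S)
        entries.append({"type": kind, "owner": owner.strip(), "issuer": issuer.strip(),
                        "eku": set(eku.group(1).split()) if eku else set(),
                        "sans": set(re.findall(r"DNSName: (\S+)", chunk))})
    return entries
def check_node(keystore_text, truststore_text, hostname):
    keys = [e for e in parse_listing(keystore_text) if e["type"] == "PrivateKeyEntry"]
    if len(keys) != 1:
        return [f"keystore holds {len(keys)} PrivateKeyEntry entries, NiFi needs exactly one"]
    key, problems = keys[0], []
    if not {"clientAuth", "serverAuth"} <= key["eku"]:
        problems.append("PrivateKeyEntry must carry both clientAuth and serverAuth EKU")
    if hostname not in key["sans"]:  # exact match only: NiFi does not accept wildcards
        problems.append(f"no SAN entry equals hostname {hostname}")
    trusted = {e["owner"]: e["issuer"] for e in parse_listing(truststore_text)
               if e["type"] == "trustedCertEntry"}
    owner, issuer = key["owner"], key["issuer"]
    while owner != issuer:  # follow Issuer links until a self-signed root closes the chain
        if issuer not in trusted:
            return problems + [f"truststore has no unused TrustedCertEntry for issuer {issuer}"]
        owner, issuer = issuer, trusted.pop(issuer)  # pop: each entry used once, so cycles end
    return problems
```

Run `check_node` with the real output of `keytool -list -v -keystore keystore.jks` and `-keystore truststore.jks` on each node; an empty list means that node's stores satisfy the rules, anything else names the rule that fails.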