
setup SSL to secure NIFI Cluster


New Contributor

All, I have a 3-node NiFi cluster to secure with SSL. Do I need to generate 2-way SSL certs for all nodes in the cluster?

I would appreciate it if someone could share the steps to set up SSL in a cluster and the configs to update in nifi.properties to reflect the cluster SSL.

Re: setup SSL to secure NIFI Cluster

Master Guru

@venkii 

Yes, mutual authentication is used for node-to-node communications, load-balanced connections, and Site-to-Site communications.  All of these communications utilize the default keystore and truststore configured in the nifi.properties file.


NiFi has the following requirements for the keystore.jks file and its contents:

1. keystore.jks can only contain ONE PrivateKeyEntry.
2. The PrivateKeyEntry must support both the "clientAuth" and "serverAuth" extended key usage.
3. The PrivateKeyEntry must include at least one Subject Alternative Name (SAN) entry that matches the hostname of the server on which the keystore will be used.
4. NiFi does not support wildcards in the PrivateKeyEntry.


The truststore.jks must contain the complete trust chain for any client certificate presented to NiFi for authentication.  All inbound connections to secure NiFi endpoints will use mutual TLS authentication (2-way TLS).  Each certificate will have an "Owner" and an "Issuer".  When the Owner and Issuer Distinguished Names (DN) are identical, that certificate is self-signed.  The issuer of every certificate must exist as a TrustedCertEntry in the truststore.jks in order to have the complete trust chain.  

For example, consider a node PrivateKeyEntry with the following:

Owner: CN=node01, ou=nifi   
Issuer: CN=nifiintermediateCA, ou=nifi

This means your truststore needs to have a TrustedCertEntry which would look something like:

Owner: CN=nifiintermediateCA, ou=nifi   
Issuer: CN=nifirootCA, ou=nifi

As you can see here, this cert was also signed/issued by another CA.  So you will need another TrustedCertEntry in your truststore for this cert as well.

Owner: CN=nifirootCA, ou=nifi
Issuer: CN=nifirootCA, ou=nifi

Here we see the Owner and Issuer are the same, thus we have reached the end of this trust chain.

Thanks,

Matt
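The rules in the answer above (one PrivateKeyEntry, both extended key usages, a non-wildcard SAN matching the hostname, and a truststore that carries the chain all the way to a self-signed issuer) can be checked mechanically. The script below is an added example, not code from the answer or from the NiFi project: it models certificates as plain records built from the DNs shown above instead of parsing real JKS files, and it walks the Issuer-to-Owner chain exactly as the answer describes for node01 -> nifiintermediateCA -> nifirootCA. The hostnames node01 to node03, the class and function names, and the "missing root" truststore are this example's own assumptions; the answer only shows CN=node01.

```python
"""Offline model of the NiFi keystore/truststore rules from the answer above.

Certificates are plain records built from the DNs in the answer (constructed
sample data, not parsed from real JKS files). The class and function names
are this example's own and are not part of NiFi.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CertEntry:
    owner: str                        # subject DN, as keytool prints "Owner:"
    issuer: str                       # issuer DN, as keytool prints "Issuer:"
    ekus: frozenset = frozenset()     # extended key usages, e.g. {"clientAuth", "serverAuth"}
    sans: tuple = ()                  # DNS Subject Alternative Name entries

    @property
    def self_signed(self) -> bool:
        # Owner == Issuer marks the end of a trust chain
        return self.owner == self.issuer


def check_keystore(private_key_entries, hostname):
    """Apply the four keystore.jks rules; returns a list of problems (empty = OK)."""
    problems = []
    if len(private_key_entries) != 1:
        problems.append(f"keystore must hold exactly ONE PrivateKeyEntry, found {len(private_key_entries)}")
        return problems
    entry = private_key_entries[0]
    missing = {"clientAuth", "serverAuth"} - set(entry.ekus)
    if missing:
        problems.append(f"PrivateKeyEntry lacks extended key usage {sorted(missing)}")
    if any("*" in san for san in entry.sans):
        problems.append("wildcard SAN entries are not supported")
    if hostname.lower() not in {san.lower() for san in entry.sans}:
        problems.append(f"no SAN entry matches hostname {hostname!r}")
    return problems


def trust_chain(cert, truststore):
    """Follow Issuer -> Owner through the TrustedCertEntries until self-signed.

    Returns the ordered list of CA owner DNs. Raises KeyError naming the first
    issuer that is missing from the truststore (an incomplete chain), or
    ValueError if the issuers form a loop.
    """
    by_owner = {t.owner: t for t in truststore}
    chain = []
    current = cert
    while True:
        issuer = current.issuer
        if issuer not in by_owner:
            raise KeyError(issuer)
        ca = by_owner[issuer]
        if ca.owner in chain:
            raise ValueError(f"issuer loop at {ca.owner!r}")
        chain.append(ca.owner)
        if ca.self_signed:
            return chain
        current = ca


def check_node(hostname, keystore_entries, truststore):
    """Combine both checks for one cluster node; returns a list of problems."""
    problems = check_keystore(keystore_entries, hostname)
    if len(keystore_entries) == 1:
        try:
            trust_chain(keystore_entries[0], truststore)
        except KeyError as missing:
            problems.append(f"truststore lacks TrustedCertEntry for issuer {missing.args[0]!r}")
        except ValueError as err:
            problems.append(str(err))
    return problems


# --- constructed sample data using the DNs from the answer ---
EKU_BOTH = frozenset({"clientAuth", "serverAuth"})
INTERMEDIATE = CertEntry("CN=nifiintermediateCA, ou=nifi", "CN=nifirootCA, ou=nifi")
ROOT = CertEntry("CN=nifirootCA, ou=nifi", "CN=nifirootCA, ou=nifi")
# hostnames node01..node03 are assumed; the answer only shows CN=node01
NODE_CERTS = {
    f"node{i:02d}": CertEntry(f"CN=node{i:02d}, ou=nifi", INTERMEDIATE.owner, EKU_BOTH, (f"node{i:02d}",))
    for i in (1, 2, 3)
}
TRUSTSTORE_FULL = [INTERMEDIATE, ROOT]
TRUSTSTORE_NO_ROOT = [INTERMEDIATE]   # incomplete chain: the root CA is missing


def check_cluster(truststore):
    """Each node has its own keystore (one PrivateKeyEntry); all share one truststore."""
    return {host: check_node(host, [cert], truststore) for host, cert in NODE_CERTS.items()}


if __name__ == "__main__":
    for label, ts in (("complete", TRUSTSTORE_FULL), ("missing root", TRUSTSTORE_NO_ROOT)):
        print(label, check_cluster(ts))
```

Running it with the complete truststore reports no problems for any node; with the root CA removed every node fails with the missing-issuer message, which is the situation the answer warns about when the intermediate's own issuer is absent. The same record-based checks map directly onto what `keytool -list -v` prints for a real keystore.jks and truststore.jks.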
