Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

unable o access nifi UI with certificate based authentication enabled when installed on ec2 machine public subnet

avatar
Explorer

authorizer.xml

 

<authorizers>
 
 
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
<property name="Initial User Identity 1">CN=admin, OU=NIFI</property>
        <property name="Initial Admin Identity">CN=admin, OU=NIFI</property>
        <property name="Initial User Identity 2"></property>
    </userGroupProvider>
 
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">CN=admin, OU=NIFI</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1"></property>
        <property name="Node Group"></property>
    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
 
</authorizers>
 
certificates are generated using below command.
bin/tls-toolkit.sh standalone -B mycertificatepassword -C 'CN=admin, OU=NIFI' -n '172.31.38.134' -K mycertificatepassword -P mycertificatepassword -S mycertificatepassword --subjectAlternativeNames '3.67.98.77'
 
 
Ashwani_0-1693321052385.png

 

 
 
 
7 REPLIES 7

avatar
Community Manager

@Ashwani Welcome to the Cloudera Community!

To help you get the best possible solution, I have tagged our NiFi experts @steven-matison  who may be able to assist you further.

Please keep us updated on your post, and we hope you find a satisfactory solution to your query.


Regards,

Diana Torres,
Community Moderator


Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
Learn more about the Cloudera Community:

avatar
Explorer

Thank you ,waiting for the response on this query

avatar
Explorer

The nifi version used is : nifi-1.23.1.

I am trying to access the UI with public IP of EC2 machine and the same has been added SAN while generating the certificates .

When I use  single-user-authorizer I am able to access NIFI  UI with same public IP and certificates but if I change it to managed authorizer in nifi.properties and doing the configuration in authorizers.xml I am unable to access UI.

 

I have imported the client certificates in the browser.

 

avatar
Master Mentor

@Ashwani 

Are you sure your NiFi even starts up completely when you reconfigure the nifi.properties file to use the managed authorizer?

If you check the nifi-app.log during startup, do you seen any exceptions?
Do you see the log lines that state the UI is available at the following URLs?

Looking at your authorizers.xml configuration shared, the following line is not a vlid line for the file-user-group-provider:

<property name="Initial Admin Identity">CN=admin, OU=NIFI</property>

It should be removed.

Really not sure why you added your NiFi server's IP a SAN in a certificate you plan on loading in yoru browser for clientAuth authentication in to your NiFi?

Can you share the verbose output of yoru NiFi keystore and truststore configured in the nifi.properties file?

keytool -v -list -keystore <keystore or truststore filename>

 

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt



avatar
Explorer

Hi Matt,

 

Are you sure your NiFi even starts up completely when you reconfigure the nifi.properties file to use the managed authorizer?

--> Yes it does without any exception

 

Do you see the log lines that state the UI is available at the following URLs?

-->Yes

Ashwani_0-1693478007521.png

 

 authorizers.xml following line is not a vlid line for the file-user-group-provider:

--> true I was aware but in of the online articles it was mentioned so I was trying to check if that helps but now I have removed it as per your instructions.

 

Really not sure why you added your NiFi server's IP a SAN in a certificate you plan on loading in yoru browser for clientAuth authentication in to your NiFi?

--> I am new to nifi and trying to learn it's installation process from scratch . Hence I am trying this on Ec2 instance which is on default public subnet.I planned to  access the nifi server with public for time being and then step by step change the configuration .

In one of the post read below info hence I added the public IP as SAN and it worked with default single-user-authorizer

 

Ashwani_1-1693478354016.png

 

Today I have generated the certifacates with below command

 

bin/tls-toolkit.sh standalone -B  mycertificatepassword -C 'CN=admin, OU=NIFI' -n 'nifinode01' -K mycertificatepassword -P mycertificatepassword -S mycertificatepassword --subjectAlternativeNames '18.185.117.94'

 

Note : nifinode01 is the hostname of the server and it is mapped to private ip of EC2 instance in /etc/hosts file

 

Nifi.properties

 

Ashwani_2-1693478510797.png

 

Keystore.jks

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: nifi-key
Creation date: Aug 31, 2023
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=nifinode01, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: 18a4b170af200000000
Valid from: Thu Aug 31 10:15:15 UTC 2023 until: Wed Dec 03 10:15:15 UTC 2025
Certificate fingerprints:
SHA1: 69:7C:C0:67:6C:70:30:76:1A:46:D9:B0:BE:A3:22:B1:97:97:76:8D
SHA256: A1:3F:14:92:44:27:59:5D:17:96:DE:74:C0:0C:1C:4B:A2:3F:92:A4:8E:18:E7:ED:98:A3:30:21:4A:51:CC:6C
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 3E 81 32 13 3C 71 57 80 24 DE 8B BB 94 05 6D 01 >.2.<qW.$.....m.
0010: DF A4 7F 54 ...T
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]

#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
clientAuth
serverAuth
]

#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
Data_Encipherment
Key_Agreement
]

#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: nifinode01
IPAddress: 18.185.117.94
]

#6: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 9D E3 E4 28 4C A6 5D 67 9B 86 C1 77 7F 5B DC B4 ...(L.]g...w.[..
0010: 03 BA C4 63 ...c
]
]

Certificate[2]:
Owner: CN=localhost, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: 18a4b1707c400000000
Valid from: Thu Aug 31 10:15:15 UTC 2023 until: Wed Dec 03 10:15:15 UTC 2025
Certificate fingerprints:
SHA1: C5:8D:A6:DD:1A:27:71:A0:F8:A3:A2:9B:6C:DB:E7:D3:B7:3F:0C:6F
SHA256: 55:16:0E:7A:90:86:9A:41:60:76:1B:E0:DC:1B:B1:E7:26:EB:87:A4:57:50:55:C0:2D:0A:3C:40:48:BF:5B:C7
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 3E 81 32 13 3C 71 57 80 24 DE 8B BB 94 05 6D 01 >.2.<qW.$.....m.
0010: DF A4 7F 54 ...T
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]

#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
clientAuth
serverAuth
]

#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
Data_Encipherment
Key_Agreement
Key_CertSign
Crl_Sign
]

#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: localhost
]

#6: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 3E 81 32 13 3C 71 57 80 24 DE 8B BB 94 05 6D 01 >.2.<qW.$.....m.
0010: DF A4 7F 54 ...T
]
]

 

*******************************************
*******************************************

 

truststore.jks

 

Keystore type: jks
Keystore provider: SUN
 
Your keystore contains 1 entry
 
Alias name: nifi-cert
Creation date: Aug 31, 2023
Entry type: trustedCertEntry
 
Owner: CN=localhost, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: 18a4b1707c400000000
Valid from: Thu Aug 31 10:15:15 UTC 2023 until: Wed Dec 03 10:15:15 UTC 2025
Certificate fingerprints:
SHA1: C5:8D:A6:DD:1A:27:71:A0:F8:A3:A2:9B:6C:DB:E7:D3:B7:3F:0C:6F
SHA256: 55:16:0E:7A:90:86:9A:41:60:76:1B:E0:DC:1B:B1:E7:26:EB:87:A4:57:50:55:C0:2D:0A:3C:40:48:BF:5B:C7
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
 
Extensions: 
 
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 3E 81 32 13 3C 71 57 80   24 DE 8B BB 94 05 6D 01  >.2.<qW.$.....m.
0010: DF A4 7F 54                                        ...T
]
]
 
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]
 
#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  clientAuth
  serverAuth
]
 
#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_Encipherment
  Data_Encipherment
  Key_Agreement
  Key_CertSign
  Crl_Sign
]
 
#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: localhost
]
 
#6: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 3E 81 32 13 3C 71 57 80   24 DE 8B BB 94 05 6D 01  >.2.<qW.$.....m.
0010: DF A4 7F 54                                        ...T
]
]
 
 
 
*******************************************
*******************************************
 
client certificate
 
Keystore type: PKCS12
Keystore provider: SUN
 
Your keystore contains 1 entry
 
Alias name: nifi-key
Creation date: Aug 31, 2023
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=admin, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: 18a4b170bb700000000
Valid from: Thu Aug 31 10:15:16 UTC 2023 until: Wed Dec 03 10:15:16 UTC 2025
Certificate fingerprints:
SHA1: AD:B3:46:C1:7B:5B:AE:D0:AC:77:50:A1:86:50:C9:EB:DA:C3:33:7D
SHA256: 7A:7D:F2:44:A8:AD:63:5F:A0:1B:21:19:06:21:DE:AE:26:BE:82:78:71:4F:96:90:F5:BB:8F:31:EF:DB:51:6E
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
 
Extensions: 
 
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 3E 81 32 13 3C 71 57 80   24 DE 8B BB 94 05 6D 01  >.2.<qW.$.....m.
0010: DF A4 7F 54                                        ...T
]
]
 
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]
 
#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  clientAuth
  serverAuth
]
 
#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_Encipherment
  Data_Encipherment
  Key_Agreement
]
 
#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 57 BE C0 24 0F F5 A5 4A   7F 64 4E 2B F1 C8 F4 93  W..$...J.dN+....
0010: 32 ED 92 DC                                        2...
]
]
 
Certificate[2]:
Owner: CN=localhost, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: 18a4b1707c400000000
Valid from: Thu Aug 31 10:15:15 UTC 2023 until: Wed Dec 03 10:15:15 UTC 2025
Certificate fingerprints:
SHA1: C5:8D:A6:DD:1A:27:71:A0:F8:A3:A2:9B:6C:DB:E7:D3:B7:3F:0C:6F
SHA256: 55:16:0E:7A:90:86:9A:41:60:76:1B:E0:DC:1B:B1:E7:26:EB:87:A4:57:50:55:C0:2D:0A:3C:40:48:BF:5B:C7
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
 
Extensions: 
 
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 3E 81 32 13 3C 71 57 80   24 DE 8B BB 94 05 6D 01  >.2.<qW.$.....m.
0010: DF A4 7F 54                                        ...T
]
]
 
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]
 
#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  clientAuth
  serverAuth
]
 
#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_Encipherment
  Data_Encipherment
  Key_Agreement
  Key_CertSign
  Crl_Sign
]
 
#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: localhost
]
 
#6: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 3E 81 32 13 3C 71 57 80   24 DE 8B BB 94 05 6D 01  >.2.<qW.$.....m.
0010: DF A4 7F 54                                        ...T
]
]
 
 
 
*******************************************
*******************************************
 
It would be really helpful Matt if you can help here 

 

 

 

 

avatar
Explorer

Can I please get some help here

avatar
Master Mentor

@Ashwani 

This could be a Proxy configuration issue, could be SAN issue, or something else.

I'd suggest enabling developer tools in your browser and observe the network transactions when you attempt to access your NiFi.

There is no correlation between you current setup and the fact that it worked when using the Single User authentication.  Single User utilizes a local username and Password to authenticate your user.

When you have the single user provider configured authentication and then try to access NiFi, NiFi will "WANT" a client certificate.  If the Client does not provide a trusted clientAuth certificate in that TLS exchange, NiFi will try the next configured user authentication method.  In that setup that would be the single user provider.

I am not sure the complete setup you have in place now, but if TLS is only method configured for user authentication, NiFi will "Require" a trusted clientAuth certificate is presented.  If a trusted certificate can not be provided, NiFi simply closes the connection.

It is the responsibility of the Proxy to facilitate the passing of the clientAuth certificate to the NiFi.  

I see from your shared images numerous IP addresses.  
The screenshot from your browser shows a 3.x.x.x address, the configured proxy.host is a 18.x.x.x address, and your NiFi node is a 172.x.x.x address.  What is this 3.x.x.x address for?

I suggest adding the address you use in your browser as a SAN entry as well.

The shared certificates all look correct except for possibly needing that additional 3.x.x.x address as a SAN entry.

Have you tried using openssl to observer the TLS exchange (serverHello) response when you try to initiate a connection to the NiFi?

openssl s_client -connect <ipaddress or hostname>:<port> -showcerts


I'd expect in the serverHello a listed of trusted authorities (localhost from your NiFi truststore). If you are not getting that but some other list, your Proxy is trying to negotiate a TLS exchange instead of proxying the exchange with the NiFi endpoint maybe.  

Also possible your proxy is not passing the clientAuth certificate to your NiFi or the proxy is trying to establish its own TLS handshake with NiFi to which a successful mutualTLS handshake is not successful.

And just for completeness, you did load your client certificate in to your browser?

Hope this helps you with your journey.

If you found any of the suggestion/solution provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt