@pavanshettyg5 The TLS implementation for NiFi requires proper configuration of both keystore and truststore with your organization's signed certificate with SAN entries to enable secure HTTPS access. Based on your description, you've received a signed certificate (nifi.crt) but are experiencing issues with the complete TLS setup.

Required Certificates & Files
Certificate Authority (CA) Certificate: The root certificate from your signing authority
Truststore: Contains the Certificate Authority (CA) root/intermediate certificates that signed your NiFi certificate (for mutual TLS or cluster communication).
Signed Certificate (nifi.crt): Your domain certificate with the SAN entries
Private Key: The private key used to generate the CSR

1. Prepare Certificate Files
Ensure you have:
- The signed certificate (nifi.crt)
- Your private key
- The CA certificate (request from your CA if not available)

Problem 1: Missing Private Key or Certificate Chain

Problem 2: Improper Keystore/Truststore Format
NiFi uses Java KeyStores (JKS or PKCS12). Ensure your keystore/truststore is in the correct format.
If your organization uses OpenSSL-based tools, convert the PEM files (nifi.crt + nifi.key + CA chain) into a PKCS12/JKS keystore.
Problem 3: SAN Entries Not Recognized

3. Step-by-Step Solution

A. Prepare the Keystore
Combine Certificate and Private Key:
# Include the CA chain (-chain -CAfile) only if needed; a comment placed after a
# trailing backslash would break the line continuation, so it sits above the command
openssl pkcs12 -export \
  -in nifi.crt \
  -inkey nifi.key \
  -chain -CAfile ca_chain.crt \
  -name "nifi" \
  -out nifi-keystore.p12 \
  -password pass:keystorepassword
2. Convert to JKS (if required)
Java Keystore from PKCS12:
keytool -importkeystore \
  -srckeystore nifi-keystore.p12 \
  -srcstoretype PKCS12 \
  -destkeystore nifi-keystore.jks \
  -deststoretype JKS
B. Prepare the Truststore
Import CA Certificates:
keytool -import -trustcacerts \
  -alias ca-root \
  -file ca_root.crt \
  -keystore nifi-truststore.jks
C. Configure NiFi
Update nifi.properties:
# HTTPS Settings
nifi.web.https.host=0.0.0.0
nifi.web.https.port=9443
nifi.web.https.network.interface.default=

# Security Properties #
nifi.security.keystore=/path/to/keystore.jks
nifi.security.keystoreType=JKS
nifi.security.keystorePasswd=keystorepassword
nifi.security.keyPasswd=keystorepassword

# Truststore (also required for cluster nodes/ZooKeeper)
# Define these once: a second truststore block later in the file silently
# overrides the values here, and a differently-cased password would then fail
nifi.security.truststore=/path/to/truststore.jks
nifi.security.truststoreType=JKS
nifi.security.truststorePasswd=truststorepassword

# Enable TLS for cluster nodes (the plaintext HTTP port must be left blank)
nifi.cluster.protocol.is.secure=true
nifi.web.http.port=
nifi.zookeeper.connect.string=zookeepernode1.x.x.net:2181,zookeepernode2.x.x.net:2181,zookeepernode3.x.x.net:2181
nifi.zookeeper.client.secure=true
2. Update authorizers.xml (for mutual TLS): Configure for Cluster Communication
Configure authorizers.xml and nifi-registry.properties for secure cluster communication using the same certificates.

<property name="Initial Admin Identity">CN=admin, OU=YourOrg</property>
<property name="Node Identity 1">CN=nifinode1.x.x.net, OU=YourOrg</property>
D. Validate the Setup
After configuration, test the keystore/truststore:
# Verify keystore contents
keytool -list -v -keystore keystore.jks -storepass keystorepassword

# Verify truststore contents
keytool -list -v -keystore truststore.jks -storepass truststorepassword

# Test SSL configuration
openssl s_client -connect nifi-dev.x.x.net:9443 -showcerts
Troubleshooting Common Issues

Certificate Chain Issues: Ensure your keystore includes the full certificate chain
# Concatenate certificates if needed
cat nifi.crt intermediate.crt root.crt > fullchain.crt
SAN Validation: Verify the certificate has the correct SAN entries
openssl x509 -in nifi.crt -text -noout | grep -A1 "Subject Alternative Name"
Java Compatibility: Ensure Java version compatibility with TLS
# Add to bootstrap.conf if using older Java versions
java.arg.16=-Dhttps.protocols=TLSv1.2
Cluster Communication: Set proper node identities for the cluster
# In nifi.properties
nifi.cluster.node.address=nifinode1.x.x.net
nifi.cluster.node.protocol.port=11443
nifi.remote.input.secure=true
ZooKeeper Security: Only if using secure ZooKeeper connections
# In zookeeper.properties
secureClientPort=2281
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.keyStore.location=/path/to/keystore.jks
ssl.keyStore.password=keystorepassword
ssl.trustStore.location=/path/to/truststore.jks
ssl.trustStore.password=truststorepassword
Verify HTTPS Access:

2. Troubleshooting
"SSL Peer Unauthenticated":
"Certificate Doesn't Match Hostname":
Keystore Password Mismatch:
Additional Recommendations
- Use strong, unique passwords for keystores and truststores
- Implement proper certificate rotation procedures
- Consider automating certificate management with tools like cert-manager
- Implement client certificate authentication for additional security
- Ensure proper DNS resolution for all SAN entries

By following the above steps, you'll enable HTTPS for NiFi with proper SAN support and resolve keystore/truststore issues.

Happy hadooping
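A small pre-restart check for the nifi.properties TLS block described above, added here as an example (not code from the original post or from the NiFi project): it parses the file the way java.util.Properties does (last value wins), flags a repeated key with conflicting values, a plaintext HTTP port left set next to the HTTPS port, and a keystore type that does not match the file extension. The property names are the real nifi.properties keys used in the answer; the sample file content is constructed.

```python
"""Sanity-check the TLS block of nifi.properties before restarting NiFi.
Added example, not from the original post or the NiFi project."""
import os

# Constructed sample: truststore defined twice with different passwords,
# keystore declared as JKS but pointing at a .p12, HTTP port left set.
SAMPLE = """
nifi.web.http.port=8080
nifi.web.https.port=9443
nifi.security.keystore=/path/to/nifi-keystore.p12
nifi.security.keystoreType=JKS
nifi.security.keystorePasswd=keystorepassword
nifi.security.truststore=/path/to/truststore.jks
nifi.security.truststoreType=JKS
nifi.security.truststorePasswd=truststorepassword
nifi.security.truststore=./nifi-truststore.jks
nifi.security.truststorePasswd=truststorePassword
"""

REQUIRED = ("nifi.security.keystore", "nifi.security.keystoreType",
            "nifi.security.keystorePasswd", "nifi.security.truststore",
            "nifi.security.truststoreType", "nifi.security.truststorePasswd")

def parse_properties(text):
    """key=value lines; last value wins (java.util.Properties). Returns (props, dups)."""
    props, dups = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key in props and props[key] != value:
            dups.append(key)  # the later value silently overrides this one
        props[key] = value
    return props, dups

def check_tls(props, dups):
    """Return a list of findings; an empty list means the TLS block looks sane."""
    findings = [f"duplicate key with conflicting values: {k}" for k in dups]
    findings += [f"missing required property: {k}" for k in REQUIRED if not props.get(k)]
    if props.get("nifi.web.https.port") and props.get("nifi.web.http.port"):
        findings.append("nifi.web.http.port must be blank when HTTPS is enabled")
    for store in ("keystore", "truststore"):
        ext = os.path.splitext(props.get(f"nifi.security.{store}", ""))[1].lower()
        stype = props.get(f"nifi.security.{store}Type", "").upper()
        if (ext == ".p12" and stype == "JKS") or (ext == ".jks" and stype == "PKCS12"):
            findings.append(f"{store} type {stype} does not match file extension {ext}")
    return findings
```

Run it against a real file with check_tls(*parse_properties(open("nifi.properties").read())); each returned string is one misconfiguration to fix before restarting.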