Alvin, The encrypted content repository feature is actively being worked on. As a rule, we cannot make claims about the delivery dates or versions of active development features. Hope this helps. If you have compliance requirements that sensitive data (such as PII, PCI/payment details, EPHI, etc.) is never stored on disk in plaintext, you can explore using the volatile content repository, but be aware there is the risk of data loss in the event of power failure, and this applies to all content objects, not just the sensitive records. With Apache NiFi 1.3.0, you can also use the RecordReader and RecordSetWriter approach -- while the EncryptedRecordReader and EncryptedRecordSetWriter controller services are not yet available, you could use a custom ScriptedRecordReader and ScriptedRecordSetWriter to decrypt and re-encrypt on the fly. The intermediate "record" object is never persisted to disk, so at no point would the plaintext data be written outside of volatile memory regardless of the content repository implementation. ... View more

What issue do you get when using openssl s_client ? You should definitely be able to connect using s_client, although you may need to provide -CAfile option to trust the issued server certificate and -cert and -key options to provide a client certificate as below: openssl s_client -connect nifi.nifi.apache.org:9443 -debug -state -CAfile conf/nifi-cert.pem -cert conf/client.pem -key conf/client.key As for the handshake_failure issue, this may be because: The certificate has expired or is invalid The provided keystore or key password is incorrect and the controller service cannot access the keystore The server and client cannot agree on a suitable cipher suite during negotiation Diagnosing with s_client is definitely the correct tool. You can also enable TLS debugging via the bootstrap.conf file with the line: java.arg.15=-Djavax.net.debug=ssl,handshake This output will be in logs/nifi-bootstrap.log . ... View more

The error is saying that one node in the cluster is attempting to make a heartbeat connection to the other node, but it is not providing a valid client certificate in order to authenticate itself during the TLS handshake negotiation. There are a few possible reasons for this error: The node is not sending the client certificate. Ensure that nifi.security.needClientAuth=true and nifi.cluster.protocol.is.secure=true are present in your nifi.properties file. The truststore on the receiving node does not contain the public key certificate of the connecting node. When you followed the instructions from that link, how did you generate the respective certificates? Using the Apache NiFi TLS Toolkit as described by Pierre should ensure that all node certificates are signed by the same CA and that the CA is imported into the common truststore. If you manually generated your certificates, ensure that they are trusted on each node (you can do this with OpenSSL's s_client tool). ... View more

Currently, NiFi supports encrypting/decrypting data through the EncryptContent processor, but the pre/post state of the data would still be stored in plaintext in the content repository. In general, transparent disk encryption/OS-level data encryption is recommended in conjunction with strict OS-level/POSIX access controls. There is a current effort to provide encrypted implementations of the flowfile (attribute), content, and provenance repositories. As Dan mentioned, a combination of encrypted payload and plaintext metadata for routing can work very well if the payload does not need to be processed/transformed inside NiFi. ... View more

Arun, Edit: Sorry, I got this confused with another question I was answering at the same time. To access dynamic properties in the script body, just reference them as a variable name. From Matt Burgess' blog: Dynamic Properties: Any dynamic properties defined in ExecuteScript are passed to the script engine as variables set to the string value of the property values. This means you must be aware of the variable naming properties for the chosen script engine. For example, Groovy does not allow periods (.) in variable names, so don't use something like "my.property" as a dynamic property name. Here is the example output from a LogAttribute processor following an ExecuteScript processor where I update the flowfile by adding an attribute with the content of a dynamic property on the ExecuteScript processor. Processor config: Groovy script (note casting dynamic to String because by default it is of type org.apache.nifi.attribute.expression.language.StandardPropertyValue 😞 def flowfile = session.get() if (!flowfile) return log.info("Dynamic property value: ${dynamic as String}") flowfile = session.putAttribute(flowfile, "dynamic", dynamic as String) session.transfer(flowfile, REL_SUCCESS) 2017-02-20 17:22:04,072 INFO [Timer-Driven Process Thread-3] o.a.n.processors.standard.LogAttribute LogAttribute[id=5e4107e1-015a-1000-5efa-735bf688a3d0] logging for flow file StandardFlowFileRecord[uuid=4edb12f2-a020-4c3e-b42b-0796b8e91031,claim=StandardContentClaim [resourceClaim=StandardResourceClaim[id=1487639391782-1, container=default, section=1], offset=725, length=29],offset=0,name=420715910236852,size=29] -------------------------------------------------- Standard FlowFile Attributes Key: 'entryDate' Value: 'Mon Feb 20 17:22:04 PST 2017' Key: 'lineageStartDate' Value: 'Mon Feb 20 17:22:04 PST 2017' Key: 'fileSize' Value: '29' FlowFile Attribute Map Content Key: 'dynamic' Value: 'This is the value of a dynamic processor property set by Andy.' Key: 'filename' Value: '420715910236852' Key: 'path' Value: './' Key: 'uuid' Value: '4edb12f2-a020-4c3e-b42b-0796b8e91031' -------------------------------------------------- This is the flowfile content. Original answer (referencing attributes): You extract them from the flowfile object and write them to the flowfile via the session object. flowfile.getAttribute(attribute_name) returns the attribute_value , and session.putAttribute(flowfile, attribute_name, attribute_value) returns the new flowfile instance. Example: flowFile = session.putAttribute(flowFile, "filename", flowFile.getAttribute('filename').split('.')[0]+'_translated.json') ... View more