This is not related to your issue here, but 1024 bits is no longer recommended as a secure RSA key length. You should use at least 2048, as explained here. You also have some inconsistent spacing in your Distinguished Name field, which can lead to identity verification issues depending on the client. ... View more

@Shu Thankyou ... View more

Andy\Amarnath, My question was initially why my expected outcome was not working and why this other format did work. Along the way, I believe my question was answered, assuming my understanding is correct. I did't want to dive to deep as I thought it may be outside the scope of my initial post. Since the conversation has gone that way tho, Andy is correct. I did not understand the difference between 1-way SSL and 2-way SSL. Using 1-way SSL (keystore only) all HTTPS connections are accepted regardless if the source is who we are expecting or not. Using 2-way SSL only HTTPS connections are accepted but now we must verify who the source is by authenticating with a private key & server certificate that can be authenticated by my truststore. My use case for this knowledge, is we are promoting projects between our Dev & Prod clusters. I wanted to ensure we had the correct security in place to proceed. The developers are wanting 1-way SSL but I lacked the knowledge at the time to make it work and only had 2-way. They were upset because this required more data to be sent via REST protocol using 2-way. Now that I understand each protocol, I will not allow to them proceed to Production with their architecture without 2-way SSL. Originally, I was simply ignorant of how to setup 1-way SSL, without understanding the security hole it would make. Thank you both for your time and effort in reviewing this concept. ... View more

@Andy Gisbo Yes, that guide is accurate example of using OpenID with google. ... View more

@Andy LoPresto Thanks a lot, appreciate it ... View more

Hello @Andy LoPresto, Thank you very much for the detailed answer. 1. Got it. I will try the Decrypt part and verify that. 2. I understand that, it is not the recommended practice, but yes, this is what I was looking for. I will re-evaluate and raise JIRA for requesting a dynamic property for this. 3. What I meant was, the Key is being derived/decrypted using Standard PBE and that Key is used for Encryption/Decryption. 4. Yes, I am able to use the EncryptContent successfully. It is just that, since the data is shared, I had to make sure I replicate the same logic across. Thanks & Regards, Prakash ... View more

Pierre Villard has written multiple tutorials about securing your NiFi instances with various authorizers. I would recommend following this Guide to Integrating NiFi and LDAP and refer to Secure Cluster Setup if necessary. The guide you were following originally was not designed to handle the LDAP certificates in your NiFi truststore, which is why you cannot make a secure connection to the LDAP server. ... View more

@Joe P did you set up https i.e. did you enable SSL on the server? ... View more

Thanks @Andy LoPresto. This helps. ... View more

@Andy LoPresto i have generated all the .pems as you suggested and tried to test from openssl command line. It looks like it is able to do the hand shake , but showing a alert\warning towards the end..i am attaching the log from openssl ... View more