@nifirequest  Welcome to the community! The Apache NiFi community decided to remove the trusted hostname property from InvokeHTTP back in the 1.10 release.  By having this property the processor allowed for an insecure connection because user could simply add the unverified hostname in this property and the InvokeHTTP processor would then allow the connection to be successful.  Thus allowing user to perhaps unknowingly be exposing themselves to unsecure connections. This option was removed in https://issues.apache.org/jira/browse/NIFI-6019 The purpose of hostname verification is to prevent man in the middle style attacks where client expects to connect to host ABC; however, the server that responded was not known as server ABC.   All the possible hostnames a server is known as need to be included as SubjectAlternativeName (SAN) entries in the server certificate.   The ERROR you received in your InvokeHTTP about "Hostname ABC not verified" should have also included the list of SubjectAltNames that came from the server's certificate.  You should be using one of those SAN entries in the URL you have configured in the InvokeHTTP processor or you  should address the certificate being used by the listenHTTP to include the additional SAN (IPs or hostnames) also used to access the MiNiFi listener. For one-way TLS connection the server side (ListenHTTP) must have a keystore and truststore.  The client side (InvokeHTTP) must have a truststore configured. For MutualTLS both the server side and client side need to have both a keystore and truststore.    You can't create a secured TLS enabled server without a serverAuth certificate. Hostname verification happens on the client side and not the server side. Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt ... View more

@Zainers  Unfortunately I don't think there is enough information shared to make any suggestion here yet. Could you share your exact NiFi version and more details around what you are trying to accomplish?   Can you share the jython script you are using to restart NiFi? When you say it does not work using the NiFi executor, What executor are you talking about?  What NiFi processors are you using? How are they configured? Thank you, Matt ... View more

@gunlomboy  NiFi Site-To-Site (S2S) protocol was not designed for the use case you are trying to achieve. The ability to provide a comma separated list of hostnames in the Remote Process Group (RPG) exists simply to provide fault tolerance.   The RPG will attempt to use the first hostname provided to fetch the S2S detail about the NiFi cluster from that host.  These S2S details will include all the detail about the target NiFi cluster (This is why the RPG still distributed across all nodes in target cluster when only one hostname is provided).    The extra hostnames provide fault tolerance for example lets say the hostname you configured is down, the RPG will attempt the second host to fetch S2S details. The S2S details fetched from the contacted host will include things like hostnames of all nodes connected to cluster, RAW enabled status, Raw Port for each host, Secure enabled, individual target node workload, etc. site-to-site-protocol-sequence  By setting up firewall rules, you are not changing the S2S details being refreshed regularly and the RPG will continue to build a distribution algorithm that includes all the target host nodes.  This means very inefficient transfer of FlowFiles. You might consider redesigning your dataflows to utilize PostHTTP processor (one for each host in target NiFi cluster with failure routed to other PostHTTP).   Then setup a ListenHTTP on your receiving NIFi cluster.  The postHTTP processor can be configured to "Send as FlowFile" so the NiFi Cluster will still receive the FlowFile content and associated FlowFile attributes/metadata just like how RPG sends FlowFiles.  In Front of your ListenHTTP processor you could put a DistributeLoad processor to distribute FlowFiles being sent to your different target nodes.  The downside to a setup like this is if you add additional nodes in your zone1 or zone2 of the target NiFi Cluster, You'll need to update your dataflows to add more PostHTTP processors for those new target hosts.  You also lose the benefit of the workload based FlowFile distribution build into the S2S protocol.  That being said, there is no other options since you can't change the functionality of the S2S protocol.   Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt   ... View more

@ragshetty  I shared the Apache Jira which documented the removal of the encrypt-config toolkit in Apache NiFi 2.x releases.   There is no alternative solution offered directly in the Apache NiFi product.   NIFI-13414  Thank you, Matt ... View more

@IgorSpryzhkov  You have asked a new unrelated question in an older post which already has an accepted answer.   You would get better traction/visibility in the community of you were to start a new community question instead.   Thank you, Matt ... View more

@AlokKumar  Did the assistance/information provided in the response(s) to your community question in this thread assist you?  Please take a moment to accept the answer that provided the assisting information. Thank you, Matt ... View more

@AlokKumar  Did the assistance/information provided in the response(s) to your community question in this thread assist you?  Please take a moment to accept the answer that provided the assisting information. Thank you, Matt ... View more

@AlokKumar  Did the assistance/information provided in the response(s) to your community question in this thread assist you?  Please take a moment to accept the answer that provided the assisting information. Thank you, Matt ... View more