@TN08  The InvokeHTTP processor supports HTTP methods for connecting to a target server.  The InvokeHTTP processor does not establish a listener for inbound http connections. The properties for Basic Authentication Username and Password on this processor are used when the target endpoint supports basic auth and the username and password would need to provided by that target endpoint.  If basic auth is not supported by target endpoint, TLS is also supported. If you want to setup a listener in NiFi for inbound HTTP you would use either ListenHTTP processor or the newer HandleHttpRequest/HandleHttpResponse processors.   NiFi processors do not support basic auth for inbound connections.  So to connect with these processors the source systems would need to pass a client/user certificate in a mutual TLS handshake as a way to identify the client.  This means the processor would need to have a StandardRestrictedSSLContextService controller service that is configured with a keystore (containing a serverAuth certificate the client system can trust) and truststore (containing the complete trust chain for the clientAuth certificate presented by your client). If you found this response assisted with your query, please take a moment to login and click on "Accept as Solution" below this post. Thank you, Matt ... View more

Can't proceed to NiFi UI after the browser error. I will attempt the actions you mention. I did list with keytool but will do so again looking for the specifics you mentioned as well. Thanks. ... View more

@Jarinek, Has the reply helped resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future.  ... View more

@Griggsy  If you can share a source json, it may help with more specific guidance in the community. Thanks, Matt ... View more

@Ilaya    This is not an issue with NiFi service itself.  Chrome for some reason does not like the new certificates being used. I would start by comparing your old certificate with the new and make sure things like ExtendedKeyUsage (EKU) (needs clientAuth and serverAuth) and SubjectAlternativeName (SAN) entries are compete and accurate.  Make sure that the complete authority trust chain for your new certificate is present in you browser. Perhaps this resource maybe helpful as well: https://thegeekpage.com/bad-ssl-client-auth-cert/   If you found this response assisted with your query, please take a moment to login and click on "Accept as Solution" below this post. Thank you, Matt ... View more

@Clarfim @tiagot    Neither NiFi or NiFi-Registry support creating locally managed users for the purpose of authentication in to services. NiFi provides numerous methods for authenticating a user/client.  The default which is always enabled is client/user based authentication via a Mutual TLS handshake. Other methods which can be configured in addition toTLS can be found here: https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#user_authentication NOTE: As of Apache NiFi 1.14, a new Single User authentication method was introduced so that NiFi could be secure by default out-of-the-box.  If you choose to use this provider, it will be the ONLY user that can access this NiFi and will have full admin access.  If full multi-user access is desired, you must use another method of user authentication.   The "Users" UI that you see in NiFi is used so that NiFi authorization policies can be assigned to users and group strings. It is not used for creating local users with passwords within NiFi that can be used to authenticate into NiFi.  It also will not be present in UI if using the Single User authentication provider mentioned in previous note. When you configured the initial admin user string, it is used to by the authorizers.xml (depending on configuration) to initially construct a users.xml (contains user strings and group strings along with established association between them) and authorizations.xml (contains policies assigned to user and group strings) file.   Keep in mind that if the users.xml and authorizations.xml files already exist, they will not be updated if you make changes to your initial admin.  They are only generated f these files do not already exist. Above example that results in a users.xml if you are using the file-user-group-provider or legacy FileAuthorizer provider in your authorizers.xml. None of the other providers will produce a users.xml and none of the other providers will allow you to manually add new user strings or group strings.  The other providers are all used to pull user and group strings from an external source.  The File-Access-Policy-provider is used to construct the authorizations.xml file.  The Initial admin string set in this provider allows NiFi to seed the authorizations.xml file when generated with the NiFi policies needed for that user to function as an Admin (reminder: file is only generated if it does not already exist). More info on setting up authorization in NiFi can be found here: https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#multi-tenant-authorization   If you found this response assisted with your query, please take a moment to login and click on "Accept as Solution" below this post. Thank you, Matt ... View more

@toninghaywi    The exception is implying that your NiFi is trying to connect to Zookeeper server for state management and your zookeeper is using TLS; however, your NiFi has not been configured to be able to establish that secure connection needed to your zookeeper. Apache NiFi support for TLS enabled zookeeper server was added in Apache NiFi version 1.13. https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#zk_tls_client https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#embedded-zookeeper-with-tls   The Apache NiFi jira related to this feature improvement are below: https://issues.apache.org/jira/browse/NIFI-7203 https://issues.apache.org/jira/browse/NIFI-7115 https://issues.apache.org/jira/browse/NIFI-7819  <-- This one is specific to state management If you found this response assisted with your query, please take a moment to login and click on "Accept as Solution" below this post. Thank you, Matt     ... View more

@MattWho    You were right, the missing rootCA and intermediate certificates missed in the nifi nodes truststore were the cause of the problem(s)! As soon as I added them in each nifi node truststore, it solved my problem and the node were able to communicate and transmit heartbeat through port 11443! Thanks a lot for your time and your help!   Best regards   Emmanuel ... View more