Member since
08-01-2023
7
Posts
0
Kudos Received
1
Solution
My Accepted Solutions
Title | Views | Posted |
---|---|---|
6933 | 08-23-2023 12:49 PM |
08-23-2023
12:49 PM
@MattWho I was able to get this resolved. It didn't require adding any other certificates other than my CA server certificate to the truststore for each server. They share the same CA and so I used the same certificate in each truststore. First, I am not sure why, but, NiFi did not like using port 636 for LDAPS, so I set it up to use 3269 instead and the SAN error went away. Everything I tried prior did not resolve the error, it would give me an error that it couldn't find a SAN with my.network.com:636 along with partial LDAP result not being able to find my.network.com, which didn't make sense because all of the troubleshooting I did would come back good. I could even resolve SSL using my key entry from my truststore. Once I had it up and working after that, I had to figure out why the buckets weren't loading. So I combed through a bunch of posts and found one that you wrote to someone having a similar issue and mentions the node needs to exist in NiFi-Registry. So, I added the node as "CN=node.hostname.com" (how I have it on the certificate) as a user account in NiFi Registry with the ability to read buckets and proxy user requests and bam buckets showed up. Seems like everything is working great now. I appreciate your help.
... View more
08-18-2023
01:53 PM
Sorry I haven't responded I've been busy working on this and can still say I haven't gotten it working. Not sure what the problem is that I'm having. I even spun up a bran new Linux Server and put NiFi and NiFi Registry on the same server. Can't even NiFi to start with the certificates I've provided it. All I receive is: ==> nifi-bootstrap.log <== 2023-08-18 16:34:30,290 ERROR [NiFi logging handler] org.apache.nifi.StdErr Failed to start web server: Error creating bean with name 'niFiWebApiConfiguration': BeanPostProcessor before instantiation of bean failed; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.config.annotation.method.configuration.PrePostMethodSecurityConfiguration': Unsatisfied dependency expressed through constructor parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.apache.nifi.web.security.configuration.AuthenticationSecurityConfiguration': Unsatisfied dependency expressed through constructor parameter 2; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is org.springframework.ldap.PartialResultException: nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: my.network.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching my.network.com found.]] Not really sure it is as difficult to do this as I am making it out to be but I can say it's frustrating. If there are any guides that show step-by-step how to setup SSL with LDAPS authentication (not using any user certificates or requiring browsers to import their certificates) I'd appreciate it. Everything I can find is either setting it up with Ranger, Ambari, or using standalone certificates.
... View more
08-09-2023
08:18 AM
@MattWho Thanks for that information, I think I have it partially figured out now. We only have 1 CA, so it is easier for me to sign certificates as needed while I work through this. So far this is what has been done: Each Server (NiFi and NiFi Registry) using Keystore Explorer, I generated a keypair in the Keyststore with the required extensions (ClientAuth, ServerAuth & SANs) Created a CSR and had it signed by the CA. Imported the CA reply back into the Keystore with the full chain In the Truststore, I imported the root certificate Each server has LDAPS authentication setup, with the same default admin account that is able to login using it's AD credentials Added the NiFi server to authorizations.xml for Node 1 using the full DN from AD There is still something I am struggling with though: The only way the NiFi and NiFi-Registry will authenticate with each other is through a mutual TLS exchange. The NiFi certificate DN(s) will need to be authorized within your NiFi-Registry and so will your NiFi user. The NiFi host(s) will proxy requests to NiFi-Registry on behalf of the authenticated user in NIFi. Even though the NiFi is acting as a proxy, the user will still need be properly authorized as the results form the proxy request will be for only the buckets and flows for which the proxied user is authorized against. How would I go about doing this? I've tried importing each server's certificate into the others truststore but I started receiving errors about certificate path not being found and the most recent error is certificate_unknown.
... View more
08-03-2023
07:15 AM
That would explain why I am seeing an error about an anonymous user now. Would this also be the reason that NiFi cannot see the buckets created in NiFi registry? Our setup NiFi and NiFi Registry on separate servers, with users authenticating through LDAPS (Active Directory) instead of using certificate authentication. The unfortunate part is that I was handed off this project with NiFi and Registry already installed and "configured" so I am not sure exactly how far they went into the secure setup; or if they actually did it at all so, I have been trying to find time to work through the secure configurations. When I change: nifi.registry.security.needClientAuth= to true I cannot even get the registry page to load, I see the error: Error code: SSL_ERROR_BAD_CERT_ALERT and longs don't show any errors that I can see. I think the problem I am struggling with is that I can't find any documentation on how I should be setting up NiFi and the Registry with an internal CA and using LDAP for user authentication. The documentation that I find seems to be geared towards generating user certificates to configure SSL and authentication with both products on the same server.
... View more
08-02-2023
08:22 AM
Hi, Thanks for your response. I believe I may have figured out what the issue was. I added false to nifi.registry.security.needClientAuth= since we are not using client authentication for users or systems.
... View more
08-01-2023
02:10 PM
Hello, I am trying to setup a HTTPS on NiFi Registry and am receiving SSL_ERROR_BAD_CERT_ALERT when attempting to access the URL after loading the certificates. The way I am setting it up is that I create a CSR, have the CA sign it (AD Domain Controller) and import that certificate into the keystore. I have generated the keystore, the truststore imported the certificates, and when I restart the NiFi Registry service the logs show no errors so I am not sure what I am doing wrong. Below are some sanitized outputs of some commands I've ran to show what I could potentially have done wrong. Curl Output: curl --cert-type P12 --cert ./keystore.p12:Password --cacert /root/ssl/ADcerts/ad1-ca.cer -v https://nifiregistry.our.network.com:8443/nifi-registry
* Trying 123.4.56.78:8443...
* Connected to nifiregistry.our.network.com (123.4.56.78) port 8443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: /root/ssl/ADcerts/ad1-ca.cer
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Unknown (23):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS header, Unknown (23):
* TLSv1.3 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS header, Unknown (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=Country; ST=State; L=City; O=Org; OU=OrgUnit; CN=nifiregistry
* start date: Jul 31 20:04:43 2023 GMT
* expire date: Jul 6 17:37:31 2038 GMT
* subjectAltName: host "nifiregistry.our.network.com" matched cert's "nifiregistry.our.network.com"
* issuer: DC=com; DC=network; DC=our; CN=AD1-CA
* SSL certificate verify ok.
* TLSv1.2 (OUT), TLS header, Unknown (23):
> GET /nifi-registry HTTP/1.1
> Host: nifiregistry.our.network.com:8443
> User-Agent: curl/7.76.1
> Accept: */*
>
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Unknown (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Date: Tue, 01 Aug 2023 17:20:26 GMT
< Content-Security-Policy: frame-ancestors 'self'
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< Strict-Transport-Security: max-age=31540000
< Location: https://nifiregistry.our.network.com:8443/nifi-registry
< Content-Length: 0
<
* Connection #0 to host nifiregistry.our.network.com left intact Keystore -V curl --cert-type P12 --cert ./keystore.p12:Password --cacert /root/ssl/ADcerts/ad1-ca.cer -v https://nifiregistry.our.network.com:8443/nifi-registry
* Trying 123.4.56.78:8443...
* Connected to nifiregistry.our.network.com (123.4.56.78) port 8443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: /root/ssl/ADcerts/ad1-ca.cer
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Unknown (23):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS header, Unknown (23):
* TLSv1.3 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS header, Unknown (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=Country; ST=State; L=City; O=Org; OU=OrgUnit; CN=nifiregistry
* start date: Jul 31 20:04:43 2023 GMT
* expire date: Jul 6 17:37:31 2038 GMT
* subjectAltName: host "nifiregistry.our.network.com" matched cert's "nifiregistry.our.network.com"
* issuer: DC=com; DC=network; DC=our; CN=AD1-CA
* SSL certificate verify ok.
* TLSv1.2 (OUT), TLS header, Unknown (23):
> GET /nifi-registry HTTP/1.1
> Host: nifiregistry.our.network.com:8443
> User-Agent: curl/7.76.1
> Accept: */*
>
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Unknown (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Date: Tue, 01 Aug 2023 17:20:26 GMT
< Content-Security-Policy: frame-ancestors 'self'
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< Strict-Transport-Security: max-age=31540000
< Location: https://nifiregistry.our.network.com:8443/nifi-registry
< Content-Length: 0
<
* Connection #0 to host nifiregistry.our.network.com left intact Nifi Properties # web properties #
nifi.registry.web.war.directory=./lib
nifi.registry.web.http.host=
nifi.registry.web.http.port=
nifi.registry.web.https.host=123.4.56.78
nifi.registry.web.https.port=8443
nifi.registry.web.https.application.protocols=http/1.1
nifi.registry.web.jetty.working.directory=./work/jetty
nifi.registry.web.jetty.threads=200
nifi.registry.web.should.send.server.version=true
# security properties #
nifi.registry.security.keystore=./conf/keystore.p12
nifi.registry.security.keystoreType=PKCS12
nifi.registry.security.keystorePasswd=Password
nifi.registry.security.keyPasswd=Password
nifi.registry.security.truststore=./conf/truststore.p12
nifi.registry.security.truststoreType=PKCS12
nifi.registry.security.truststorePasswd=Password
nifi.registry.security.needClientAuth=
nifi.registry.security.authorizers.configuration.file=./conf/authorizers.xml
nifi.registry.security.authorizer=managed-authorizer
nifi.registry.security.identity.providers.configuration.file=./conf/identity-providers.xml
nifi.registry.security.identity.provider=ldap-identity-provider
... View more
Labels:
- Labels:
-
NiFi Registry