09-08-2023 08:15 AM
Can I please get some help here?
08-31-2023 03:44 AM
Hi Matt,

Are you sure your NiFi even starts up completely when you reconfigure the nifi.properties file to use the managed authorizer?
--> Yes, it does, without any exception.

Do you see the log lines that state the UI is available at the following URLs?
--> Yes.

authorizers.xml following line is not a valid line for the file-user-group-provider:
--> True. I was aware, but in one of the online articles it was mentioned, so I was trying to check if that helps; now I have removed it as per your instructions.

Really not sure why you added your NiFi server's IP as a SAN in a certificate you plan on loading in your browser for clientAuth authentication into your NiFi?
--> I am new to NiFi and trying to learn its installation process from scratch. Hence I am trying this on an EC2 instance which is on the default public subnet. I planned to access the NiFi server with the public IP for the time being and then change the configuration step by step. In one of the posts I read the info below, hence I added the public IP as a SAN and it worked with the default single-user-authorizer.

Today I have generated the certificates with the command below:

bin/tls-toolkit.sh standalone -B mycertificatepassword -C 'CN=admin, OU=NIFI' -n 'nifinode01' -K mycertificatepassword -P mycertificatepassword -S mycertificatepassword --subjectAlternativeNames '18.185.117.94'

Note: nifinode01 is the hostname of the server and it is mapped to the private IP of the EC2 instance in the /etc/hosts file.

nifi.properties

keystore.jks
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: nifi-key
Creation date: Aug 31, 2023
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=nifinode01, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: 18a4b170af200000000
Valid from: Thu Aug 31 10:15:15 UTC 2023 until: Wed Dec 03 10:15:15 UTC 2025
Certificate fingerprints:
SHA1: 69:7C:C0:67:6C:70:30:76:1A:46:D9:B0:BE:A3:22:B1:97:97:76:8D
SHA256: A1:3F:14:92:44:27:59:5D:17:96:DE:74:C0:0C:1C:4B:A2:3F:92:A4:8E:18:E7:ED:98:A3:30:21:4A:51:CC:6C
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false AuthorityKeyIdentifier [ KeyIdentifier [ 0000: 3E 81 32 13 3C 71 57 80 24 DE 8B BB 94 05 6D 01 >.2.<qW.$.....m. 0010: DF A4 7F 54 ...T ] ]
#2: ObjectId: 2.5.29.19 Criticality=false BasicConstraints:[ CA:false PathLen: undefined ]
#3: ObjectId: 2.5.29.37 Criticality=false ExtendedKeyUsages [ clientAuth serverAuth ]
#4: ObjectId: 2.5.29.15 Criticality=true KeyUsage [ DigitalSignature Non_repudiation Key_Encipherment Data_Encipherment Key_Agreement ]
#5: ObjectId: 2.5.29.17 Criticality=false SubjectAlternativeName [ DNSName: nifinode01 IPAddress: 18.185.117.94 ]
#6: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: 9D E3 E4 28 4C A6 5D 67 9B 86 C1 77 7F 5B DC B4 ...(L.]g...w.[.. 0010: 03 BA C4 63 ...c ] ]
Certificate[2]:
Owner: CN=localhost, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: 18a4b1707c400000000
Valid from: Thu Aug 31 10:15:15 UTC 2023 until: Wed Dec 03 10:15:15 UTC 2025
Certificate fingerprints:
SHA1: C5:8D:A6:DD:1A:27:71:A0:F8:A3:A2:9B:6C:DB:E7:D3:B7:3F:0C:6F
SHA256: 55:16:0E:7A:90:86:9A:41:60:76:1B:E0:DC:1B:B1:E7:26:EB:87:A4:57:50:55:C0:2D:0A:3C:40:48:BF:5B:C7
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false AuthorityKeyIdentifier [ KeyIdentifier [ 0000: 3E 81 32 13 3C 71 57 80 24 DE 8B BB 94 05 6D 01 >.2.<qW.$.....m. 0010: DF A4 7F 54 ...T ] ]
#2: ObjectId: 2.5.29.19 Criticality=false BasicConstraints:[ CA:true PathLen:2147483647 ]
#3: ObjectId: 2.5.29.37 Criticality=false ExtendedKeyUsages [ clientAuth serverAuth ]
#4: ObjectId: 2.5.29.15 Criticality=true KeyUsage [ DigitalSignature Non_repudiation Key_Encipherment Data_Encipherment Key_Agreement Key_CertSign Crl_Sign ]
#5: ObjectId: 2.5.29.17 Criticality=false SubjectAlternativeName [ DNSName: localhost ]
#6: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: 3E 81 32 13 3C 71 57 80 24 DE 8B BB 94 05 6D 01 >.2.<qW.$.....m. 0010: DF A4 7F 54 ...T ] ]

*******************************************

truststore.jks
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: nifi-cert
Creation date: Aug 31, 2023
Entry type: trustedCertEntry
Owner: CN=localhost, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: 18a4b1707c400000000
Valid from: Thu Aug 31 10:15:15 UTC 2023 until: Wed Dec 03 10:15:15 UTC 2025
Certificate fingerprints:
SHA1: C5:8D:A6:DD:1A:27:71:A0:F8:A3:A2:9B:6C:DB:E7:D3:B7:3F:0C:6F
SHA256: 55:16:0E:7A:90:86:9A:41:60:76:1B:E0:DC:1B:B1:E7:26:EB:87:A4:57:50:55:C0:2D:0A:3C:40:48:BF:5B:C7
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false AuthorityKeyIdentifier [ KeyIdentifier [ 0000: 3E 81 32 13 3C 71 57 80 24 DE 8B BB 94 05 6D 01 >.2.<qW.$.....m. 0010: DF A4 7F 54 ...T ] ]
#2: ObjectId: 2.5.29.19 Criticality=false BasicConstraints:[ CA:true PathLen:2147483647 ]
#3: ObjectId: 2.5.29.37 Criticality=false ExtendedKeyUsages [ clientAuth serverAuth ]
#4: ObjectId: 2.5.29.15 Criticality=true KeyUsage [ DigitalSignature Non_repudiation Key_Encipherment Data_Encipherment Key_Agreement Key_CertSign Crl_Sign ]
#5: ObjectId: 2.5.29.17 Criticality=false SubjectAlternativeName [ DNSName: localhost ]
#6: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: 3E 81 32 13 3C 71 57 80 24 DE 8B BB 94 05 6D 01 >.2.<qW.$.....m. 0010: DF A4 7F 54 ...T ] ]

*******************************************

client certificate
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: nifi-key
Creation date: Aug 31, 2023
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=admin, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: 18a4b170bb700000000
Valid from: Thu Aug 31 10:15:16 UTC 2023 until: Wed Dec 03 10:15:16 UTC 2025
Certificate fingerprints:
SHA1: AD:B3:46:C1:7B:5B:AE:D0:AC:77:50:A1:86:50:C9:EB:DA:C3:33:7D
SHA256: 7A:7D:F2:44:A8:AD:63:5F:A0:1B:21:19:06:21:DE:AE:26:BE:82:78:71:4F:96:90:F5:BB:8F:31:EF:DB:51:6E
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false AuthorityKeyIdentifier [ KeyIdentifier [ 0000: 3E 81 32 13 3C 71 57 80 24 DE 8B BB 94 05 6D 01 >.2.<qW.$.....m. 0010: DF A4 7F 54 ...T ] ]
#2: ObjectId: 2.5.29.19 Criticality=false BasicConstraints:[ CA:false PathLen: undefined ]
#3: ObjectId: 2.5.29.37 Criticality=false ExtendedKeyUsages [ clientAuth serverAuth ]
#4: ObjectId: 2.5.29.15 Criticality=true KeyUsage [ DigitalSignature Non_repudiation Key_Encipherment Data_Encipherment Key_Agreement ]
#5: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: 57 BE C0 24 0F F5 A5 4A 7F 64 4E 2B F1 C8 F4 93 W..$...J.dN+.... 0010: 32 ED 92 DC 2... ] ]
Certificate[2]:
Owner: CN=localhost, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: 18a4b1707c400000000
Valid from: Thu Aug 31 10:15:15 UTC 2023 until: Wed Dec 03 10:15:15 UTC 2025
Certificate fingerprints:
SHA1: C5:8D:A6:DD:1A:27:71:A0:F8:A3:A2:9B:6C:DB:E7:D3:B7:3F:0C:6F
SHA256: 55:16:0E:7A:90:86:9A:41:60:76:1B:E0:DC:1B:B1:E7:26:EB:87:A4:57:50:55:C0:2D:0A:3C:40:48:BF:5B:C7
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false AuthorityKeyIdentifier [ KeyIdentifier [ 0000: 3E 81 32 13 3C 71 57 80 24 DE 8B BB 94 05 6D 01 >.2.<qW.$.....m. 0010: DF A4 7F 54 ...T ] ]
#2: ObjectId: 2.5.29.19 Criticality=false BasicConstraints:[ CA:true PathLen:2147483647 ]
#3: ObjectId: 2.5.29.37 Criticality=false ExtendedKeyUsages [ clientAuth serverAuth ]
#4: ObjectId: 2.5.29.15 Criticality=true KeyUsage [ DigitalSignature Non_repudiation Key_Encipherment Data_Encipherment Key_Agreement Key_CertSign Crl_Sign ]
#5: ObjectId: 2.5.29.17 Criticality=false SubjectAlternativeName [ DNSName: localhost ]
#6: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: 3E 81 32 13 3C 71 57 80 24 DE 8B BB 94 05 6D 01 >.2.<qW.$.....m. 0010: DF A4 7F 54 ...T ] ]

*******************************************

It would be really helpful, Matt, if you can help here.
08-30-2023 01:06 AM
The NiFi version used is nifi-1.23.1. I am trying to access the UI with the public IP of the EC2 machine, and the same has been added as a SAN while generating the certificates. When I use single-user-authorizer I am able to access the NiFi UI with the same public IP and certificates, but if I change it to managed-authorizer in nifi.properties and do the configuration in authorizers.xml, I am unable to access the UI. I have imported the client certificates in the browser.
08-30-2023 01:02 AM
Thank you, waiting for the response on this query.
08-29-2023 07:58 AM
authorizer.xml

<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Initial User Identity 1">CN=admin, OU=NIFI</property>
        <property name="Initial Admin Identity">CN=admin, OU=NIFI</property>
        <property name="Initial User Identity 2"></property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">CN=admin, OU=NIFI</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1"></property>
        <property name="Node Group"></property>
    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>

Certificates are generated using the command below:

bin/tls-toolkit.sh standalone -B mycertificatepassword -C 'CN=admin, OU=NIFI' -n '172.31.38.134' -K mycertificatepassword -P mycertificatepassword -S mycertificatepassword --subjectAlternativeNames '3.67.98.77'
Labels: Apache NiFi
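A consistency check for an authorizers.xml like the one posted above, added here as an example (it is neither NiFi's own code nor the poster's): it flags properties that a provider class does not accept, identity strings that differ character for character from the client certificate's subject DN, references to provider identifiers that do not exist, and a nifi.security.user.authorizer value that names no <authorizer>. The accepted property names per provider class are my assumption, taken from the NiFi administration guide as I know it; the sample XML and DN are constructed from the post and the client PKCS12 'Owner' line.

```python
# Consistency checks for a NiFi authorizers.xml. Added example, not NiFi's own code;
# accepted property names per provider class follow the NiFi admin guide (assumption).
import xml.etree.ElementTree as ET

KNOWN = {  # exact property names, numbered-property prefixes, per provider class
    "FileUserGroupProvider": ({"Users File", "Legacy Authorized Users File"}, ("Initial User Identity ",)),
    "FileAccessPolicyProvider": ({"User Group Provider", "Authorizations File", "Initial Admin Identity",
                                  "Legacy Authorized Users File", "Node Group"}, ("Node Identity ",)),
    "StandardManagedAuthorizer": ({"Access Policy Provider"}, ()),
}

def _is_known(cls, name):
    exact, prefixes = KNOWN.get(cls, (set(), ()))
    return name in exact or any(name.startswith(p) and name[len(p):].isdigit() for p in prefixes)

def check_authorizers(xml_text, client_dn, selected_authorizer):
    """Return a list of findings; an empty list means the file looks consistent."""
    root = ET.fromstring(xml_text)
    providers = {n.findtext("identifier", "").strip(): n.tag for n in root}
    findings = []
    for node in root:
        ident = node.findtext("identifier", "").strip()
        cls = node.findtext("class", "").strip().rsplit(".", 1)[-1]
        for prop in node.findall("property"):
            name, val = prop.get("name", ""), (prop.text or "").strip()
            if not _is_known(cls, name):
                findings.append(f"{ident}: '{name}' is not a property of {cls}")
            # identity strings must equal the certificate subject DN character for character
            if name.startswith("Initial") and val and val != client_dn:
                findings.append(f"{ident}: '{name}' = {val!r} does not match client DN {client_dn!r}")
            if name in ("User Group Provider", "Access Policy Provider") and val not in providers:
                findings.append(f"{ident}: '{name}' references unknown provider {val!r}")
    # nifi.security.user.authorizer in nifi.properties must name an <authorizer> identifier
    if providers.get(selected_authorizer) != "authorizer":
        findings.append(f"nifi.security.user.authorizer={selected_authorizer!r} names no <authorizer>")
    return findings

# Constructed from the authorizers.xml and the client PKCS12 'Owner' posted above.
AUTHORIZERS_XML = """<authorizers>
  <userGroupProvider><identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Initial User Identity 1">CN=admin, OU=NIFI</property>
    <property name="Initial Admin Identity">CN=admin, OU=NIFI</property></userGroupProvider>
  <accessPolicyProvider><identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Initial Admin Identity">CN=admin, OU=NIFI</property></accessPolicyProvider>
  <authorizer><identifier>managed-authorizer</identifier>
    <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
    <property name="Access Policy Provider">file-access-policy-provider</property></authorizer>
</authorizers>"""
CLIENT_DN = "CN=admin, OU=NIFI"
```

Run `check_authorizers(AUTHORIZERS_XML, CLIENT_DN, "managed-authorizer")` against your own file contents and DN; a DN with different spacing (for example no space after the comma) is reported as a mismatch because NiFi compares the strings literally.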