Member since
02-02-2024
3
Posts
2
Kudos Received
0
Solutions
02-05-2024
04:18 AM
1 Kudo
thanks, I have created a new post: https://community.cloudera.com/t5/Support-Questions/NiFi-SAN-IP-using-toolkit-NiFI-Registry/td-p/383130
... View more
02-05-2024
04:17 AM
how do use the NiFi toolkit to create an IP within the SAN as mentioned here: https://nifi.apache.org/docs/nifi-docs/html/walkthroughs.html#securing-nifi-with-tls-toolkit:~:text=Example%20parsed%20contents%3A I am using the following script: bash "${NIFI_HOME_DIR}"/nifi/nifi-toolkit-current/bin/tls-toolkit.sh standalone -O -n "localhost,${NIFI_SAN_DNS}" -C "${cn}" --subjectAlternativeNames "${NIFI_SAN_DNS},IP:${NIFI_SAN_IP}" -o "${NIFI_HOME_DIR}"/key_trust my output is as follows from my bash script: tls-toolkit.sh: JAVA_HOME not set; results may vary
The TLS Toolkit is deprecated and targeted for removal in Apache NiFi 2.0.
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine - No nifiPropertiesFile specified, using embedded one.
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - Running standalone certificate generation with output directory /var/mnt/NiFi/key_trust
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - Generated new CA certificate /var/mnt/NiFi/key_trust/nifi-cert.pem and key /var/mnt/NiFi/key_trust/nifi-key.key
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - Using alternate name nifi.server.home with hostname localhost.
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - Writing new ssl configuration to /var/mnt/NiFi/key_trust/localhost
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - Successfully generated TLS configuration for localhost 1 in /var/mnt/NiFi/key_trust/localhost
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - Using alternate name IP:192.168.1.2 with hostname nifi.server.home.
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - Writing new ssl configuration to /var/mnt/NiFi/key_trust/nifi.server.home
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - Successfully generated TLS configuration for nifi.server.home 1 in /var/mnt/NiFi/key_trust/nifi.server.home
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - Generating new client certificate /var/mnt/NiFi/key_trust/CN=sherloq_key_OU=NiFi_C=GB.p12
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - Successfully generated client certificate /var/mnt/NiFi/key_trust/CN=sherloq_key_OU=NiFi_C=GB.p12
[main] INFO org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone - tls-toolkit standalone completed successfully and when I look at the SAN in the cert all I see is the following: root@fedora:/var/mnt/NiFi/key_trust# openssl x509 -in nifi-cert.pem -text -noout | grep "DNS"
DNS:localhost and there is no IP or additional SAN and within chrome I have the following: my main issue is that we need the SAN IP to be able to talk to NiFi registry when using SSL but I cannot seem to get the communication to work here is my full build script for NiFi: #!/bin/bash
function info {
tput bold;
tput setaf 3;
echo $1;
tput sgr0;
}
# Check if the user has root privileges
if [[ $EUID -ne 0 ]]; then
echo "YOU MUST BE ROOT TO RUN THIS SCRIPT."
exit 1
fi
podman rm -f nifi
wait
info "=== Before we begin we need some information ==="
read -r -p "PRESS ENTER WHEN READY"
info "=== LINUX OS DETERMINATION ==="
# shellcheck disable=SC2155
# shellcheck disable=SC2002
export ID=$( cat /etc/os-release | awk -F= '$1=="ID" { print $2 ;}')
# shellcheck disable=SC2155
# shellcheck disable=SC2002
export VARIANT=$( cat /etc/os-release | awk -F= '$1=="VARIANT_ID" { print $2 ;}')
echo "${ID}" "${VARIANT}"
info "=== Setting up NiFI ==="
sleep 1
info "=== Add a Custom Root Directory Location for your Containers ==="
read -r -p "Enter Custom Directory [/var/mnt]: " rootDir
export ROOT_DIR=${rootDir:-/var/mnt}
export NIFI_HOME_DIR=${ROOT_DIR}/NiFi
sleep 1
info "=== Add a Custom CN Key Name ==="
read -r -p "Enter CN Key Name Here [nifi_key]: " keyName
export key_name=${keyName:-nifi_key}
# shellcheck disable=SC2140
export key="${NIFI_HOME_DIR}"/key_trust/"'CN=${key_name:-nifi_key}_OU=NiFi_C=GB.p12'"
export cn="CN=${key_name}, OU=NiFi, C=GB"
info "=== Add a Custom Port for your NiFi Container ==="
read -r -p "Enter Custom Port [default: 8181]: " nifiPort
export NIFI_PORT=${nifiPort:-8181}
# shellcheck disable=SC2155
export NIFI_PORT_CHECK=$(lsof -i -P -n | grep "${NIFI_PORT}")
if [[ "${NIFI_PORT_CHECK}" != "" ]]; then
info "=== PORT IN USE - WOULD YOU LIKE ME TO CHOOSE A PORT FOR YOU? ==="
read -r -p "Please Enter your Response [enter: Y/y or N/n]: " nifiAnswer
export NIFI_ANSWER=${nifiAnswer:-}
fi
if [[ "${NIFI_ANSWER}" =~ (Y|y) ]]; then
while [[ -n "${NIFI_PORT_CHECK}" ]]; do
echo "Port ${NIFI_PORT} is in use. Trying another port..."
NIFI_PORT=$((NIFI_PORT + 1))
NIFI_PORT_CHECK=$(lsof -i -P -n | grep "${NIFI_PORT}")
done
elif [[ "${NIFI_ANSWER}" =~ (N|n) ]]; then
while [[ -n "${NIFI_PORT_CHECK}" ]]; do
echo "Port ${NIFI_PORT} is in use. Trying another port..."
read -r -p "Enter a new port: " newNIFIPort
NIFI_PORT=${newNIFIPort}
NIFI_PORT_CHECK=$(lsof -i -P -n | grep "${NIFI_PORT}")
done
fi
info "=== Add a Custom Port for Protobuf ==="
read -r -p "Enter Custom Port [default: 8282]: " protobufPort
export PROTO_PORT=${protobufPort:-8282}
# shellcheck disable=SC2155
export PROTO_PORT_CHECK=$(lsof -i -P -n | grep "${PROTO_PORT}")
if [[ "${PROTO_PORT_CHECK}" != "" ]]; then
info "=== PORT IN USE - WOULD YOU LIKE ME TO CHOOSE A PORT FOR YOU? ==="
read -r -p "Please Enter your Response [enter: Y/y or N/n]: " protoAnswer
export PROTO_ANSWER=${protoAnswer:-}
fi
if [[ "${PROTO_ANSWER}" =~ (Y|y) ]]; then
while [[ -n "${PROTO_PORT_CHECK}" ]]; do
echo "Port ${PROTO_PORT} is in use. Trying another port..."
PROTO_PORT=$((PROTO_PORT + 1))
PROTO_PORT_CHECK=$(lsof -i -P -n | grep "${PROTO_PORT}")
done
elif [[ "${PROTO_ANSWER}" =~ (N|n) ]]; then
while [[ -n "${PROTO_PORT_CHECK}" ]]; do
echo "Port ${PROTO_PORT} is in use. Trying another port..."
read -r -p "Enter a new port: " newPROTOPort
PROTO_PORT=${newPROTOPort}
PROTO_PORT_CHECK=$(lsof -i -P -n | grep "${PROTO_PORT}")
done
fi
info "=== Add a Custom Port for Web Proxy for NiFi ==="
read -r -p "Enter Custom Port [default: 9191]: " nifiProxy
export NIFI_WEB_PROXY_PORT=${nifiProxy:-9191}
# shellcheck disable=SC2155
export PROXY_PORT_CHECK=$(lsof -i -P -n | grep "${NIFI_WEB_PROXY_PORT}")
if [[ "${PROXY_PORT_CHECK}" != "" ]]; then
info "=== PORT IN USE - WOULD YOU LIKE ME TO CHOOSE A PORT FOR YOU? ==="
read -r -p "Please Enter your Response [enter: Y/y or N/n]: " proxyAnswer
export PROXY_ANSWER=${proxyAnswer:-}
fi
if [[ "${PROXY_ANSWER}" =~ (Y|y) ]]; then
while [[ -n "${PROXY_PORT_CHECK}" ]]; do
echo "Port ${NIFI_WEB_PROXY_PORT} is in use. Trying another port..."
NIFI_WEB_PROXY_PORT=$((NIFI_WEB_PROXY_PORT + 1))
PROXY_PORT_CHECK=$(lsof -i -P -n | grep "${NIFI_WEB_PROXY_PORT}")
done
elif [[ "${PROXY_ANSWER}" =~ (N|n) ]]; then
while [[ -n "${PROXY_PORT_CHECK}" ]]; do
echo "Port ${NIFI_WEB_PROXY_PORT} is in use. Trying another port..."
read -r -p "Enter a new port: " newPROXYPort
NIFI_WEB_PROXY_PORT=${newPROXYPort}
PROXY_PORT_CHECK=$(lsof -i -P -n | grep "${NIFI_WEB_PROXY_PORT}")
done
fi
echo "Port ${NIFI_WEB_PROXY_PORT} is available."
info "=== Please take note of port as you will need to login to NiFi ==="
read -r -p "PRESS ENTER WHEN READY"
# shellcheck disable=SC2155
export NIFI_WEB_PROXY_IP="$(ip route get 8.8.8.8 | grep -oP 'src \K[^ ]+')"
# shellcheck disable=SC2155
export NIFI_SAN_IP="${NIFI_WEB_PROXY_IP}"
# shellcheck disable=SC2155
export NIFI_NET_IP=$(ip ro | awk -v san_ip="${NIFI_SAN_IP}" '$0 ~ san_ip && $2 == "dev" {print $1; exit}')
export NIFI_NET_IP=${NIFI_NET_IP%/*}
export NIFI_SAN_DNS=nifi.server.home
export NIFI_WEB_PROXY_HOST=${NIFI_WEB_PROXY_IP}:${NIFI_WEB_PROXY_PORT}
info "=== INFLUX SNAPSHOT VERSION ==="
read -r -p "Enter Snapshot Version ..or.. ENTER TO ACCEPT DEFAULT [default:1.28.0-SNAPSHOT]: " snapshotVersion
export influx_version=${snapshotVersion:-1.28.0-SNAPSHOT}
info "=== NIFI VERSION ==="
read -r -p "Enter NIFI Version ..or.. ENTER TO ACCEPT CURRENT KNOWN WORKING [current known working:1.25.0]: " nifiVersion
export nifi_version=${nifiVersion:-1.25.0}
# shellcheck disable=SC2155
export work_dir=$(pwd)
if [[ ! -d ${NIFI_HOME_DIR} ]]; then
mkdir -p "${NIFI_HOME_DIR}"
elif [[ -d ${NIFI_HOME_DIR} ]]; then
rm -rf "${NIFI_HOME_DIR}"; mkdir "${NIFI_HOME_DIR}"
fi
mkdir -p "${NIFI_HOME_DIR}"/UID
touch "${NIFI_HOME_DIR}"/UID/admin
sleep 1
# shellcheck disable=SC2027
echo """${cn}""" > "${NIFI_HOME_DIR}"/UID/admin
podman pull docker.io/apache/nifi:"${nifi_version}"
podman run -d \
--name nifi_cp \
-p "${NIFI_PORT}":8080 \
nifi:"${nifi_version}"
podman run -d \
--name protobuf \
-p "${PROTOBUF_PORT}":8080 \
whiver/nifi-protobuf:latest
## influx ##
if [[ ! -e ${work_dir}/nifi-influx-database-nar-${influx_version}.nar ]]; then
wget https://github.com/influxdata/nifi-influxdb-bundle/releases/download/v"${influx_version}"/nifi-influx-database-nar-"${influx_version}".nar
fi
## apache iotdb ##
wget https://repo1.maven.org/maven2/org/apache/nifi/nifi-iotdb-nar/"${nifi_version}"/nifi-iotdb-nar-"${nifi_version}".nar
podman cp nifi_cp:/opt/nifi "${NIFI_HOME_DIR}"
podman cp protobuf:/opt/nifi/nifi-1.4.0/lib/nifi-protobuf-processor-0.2.0.nar "${NIFI_HOME_DIR}"/nifi/nifi-current/lib/
# shellcheck disable=SC2086
mkdir ${NIFI_HOME_DIR}/nifi/certs && mkdir "${NIFI_HOME_DIR}"/nifi-registry && mkdir "${NIFI_HOME_DIR}"/nifi-registry/certs/
mv "${work_dir}"/nifi-influx-database-nar-"${influx_version}".nar "${NIFI_HOME_DIR}"/nifi/nifi-current/lib/.
mv "${work_dir}"/nifi-iotdb-nar-"${nifi_version}".nar "${NIFI_HOME_DIR}"/nifi/nifi-current/lib/.
podman stop nifi_cp && podman stop protobuf
wait
podman rm -f nifi_cp && podman rm -f protobuf
wait
cd "${NIFI_HOME_DIR}"/nifi/nifi-toolkit-current/bin/ || return
#bash "${NIFI_HOME_DIR}"/nifi/nifi-toolkit-current/bin/tls-toolkit.sh standalone -O -n "${NIFI_SAN_IP}" -C "${cn}" -o "${NIFI_HOME_DIR}"/key_trust
# shellcheck disable=SC2027
bash "${NIFI_HOME_DIR}"/nifi/nifi-toolkit-current/bin/tls-toolkit.sh standalone -O -n "localhost,${NIFI_SAN_DNS}" -C "${cn}" --subjectAlternativeNames "${NIFI_SAN_DNS},IP:192.168.1.2" -o "${NIFI_HOME_DIR}"/key_trust
mv "${NIFI_HOME_DIR}"/key_trust/localhost/*.jks "${NIFI_HOME_DIR}"/nifi/certs/ && chown 1000:1000 -R "${NIFI_HOME_DIR}" && cp "${NIFI_HOME_DIR}"/nifi/certs/* "${NIFI_HOME_DIR}"/nifi-registry/certs/
# shellcheck disable=SC2002
KEYSTORE_PASSWORD="$(cat "${NIFI_HOME_DIR}"/key_trust/localhost/nifi.properties | grep nifi.security.keystorePasswd)"
KEYSTORE_PASSWORD="$(echo -n "${KEYSTORE_PASSWORD//nifi.security.keystorePasswd=/""}")"
# shellcheck disable=SC2002
TRUSTSTORE_PASSWORD="$(cat "${NIFI_HOME_DIR}"/key_trust/localhost/nifi.properties | grep nifi.security.truststorePasswd)"
TRUSTSTORE_PASSWORD="$(echo -n "${TRUSTSTORE_PASSWORD//nifi.security.truststorePasswd=/""}")"
USER_ID="$(cat "${NIFI_HOME_DIR}"/UID/admin)"
## nifi config optimisation ##
sed -i 's/java.arg.2=-Xms512m/java.arg.2=-Xms10g/g' "${NIFI_HOME_DIR}"/nifi/nifi-current/conf/bootstrap.conf
sed -i 's/java.arg.3=-Xmx512m/java.arg.3=-Xmx10g/g' "${NIFI_HOME_DIR}"/nifi/nifi-current/conf/bootstrap.conf
##rm /home/NiFi/nifi/nifi-current/conf/authorizers.xml
podman run -d \
--name nifi \
--security-opt label=disable \
--privileged \
-v "${NIFI_HOME_DIR}"/nifi/certs:/opt/certs \
-v "${NIFI_HOME_DIR}"/nifi/nifi-current/lib:/opt/nifi/nifi-current/lib \
-p "${NIFI_WEB_PROXY_PORT}":8443 \
-e NIFI_WEB_PROXY_HOST="${NIFI_WEB_PROXY_HOST}" \
-e AUTH=tls \
-e KEYSTORE_PATH=/opt/certs/keystore.jks \
-e KEYSTORE_TYPE=JKS \
-e KEYSTORE_PASSWORD="$KEYSTORE_PASSWORD" \
-e TRUSTSTORE_PATH=/opt/certs/truststore.jks \
-e TRUSTSTORE_TYPE=JKS \
-e TRUSTSTORE_PATH=/opt/certs/truststore.jks \
-e TRUSTSTORE_PASSWORD="$TRUSTSTORE_PASSWORD" \
-e INITIAL_ADMIN_IDENTITY="$USER_ID" \
nifi:"${nifi_version}"
## remove for new approach ##
#-v "${NIFI_HOME_DIR}"/nifi/nifi-current/lib/nifi-protobuf-processor-0.2.0.nar:/opt/nifi/nifi-current/lib/nifi-protobuf-processor-0.2.0.nar \
#-v "${NIFI_HOME_DIR}"/nifi/nifi-current/lib/nifi-influx-database-nar-"${influx_version}".nar:/opt/nifi/nifi-current/lib/nifi-influx-database-nar-"${influx_version}".nar \
if [[ ! -e /etc/systemd/system/nifi.service ]]; then
cat << EOF > /etc/systemd/system/nifi.service
[Unit]
Description=NiFi Container
After=firewalld.service
[Service]
Restart=always
ExecStart=/usr/bin/podman start -a nifi
ExecStop=/usr/bin/podman stop -t 2 nifi
[Install]
WantedBy=multi-user.target
EOF
systemctl enable nifi.service && systemctl start nifi.service
fi
info "=== DO YOU INTEND TO ACCESS NIFI FROM A REMOTE HOST? ==="
read -r -p "Please Enter your Response [enter: Y/y or N/n]: " hostAnswer
export HOST_ANSWER=${hostAnswer:-}
if [[ "${HOST_ANSWER}" =~ (Y|y) ]]; then
info "=== Set up Remote Host Details for NIFI Key ==="
sleep 1
info "=== NOTE: YOU NEED SSH ENABLED ON REMOTE HOST ==="
sleep 2
info "=== Add a SCP User ==="
read -r -p "Enter Remote User Name [insert user here]: " userName
export scp_user=${userName:-}
info "=== Add Remote User Password ===="
read -r -s -p "Enter Your User Password [insert password here]: " userPasswd
echo
echo "Re-enter Your User Password: "
read -r -s -p "" userPasswd2
# shellcheck disable=SC2053
while [[ $userPasswd != $userPasswd2 ]]; do
echo "Passwords do not match."
echo "Please try again."
read -r -s -p "Enter Your User Password: " userPasswd
echo
read -r -s -p "Please Re-Enter Your User Password: " userPasswd2
echo
done
echo "Passwords Match Hooray."
export ssh_pwd=${userPasswd:-}
info "=== Add Remote Host IP Address ==="
read -r -p "Enter Your IP Here [192.168.1.1]: " remoteIpAddress
export scp_ip=${remoteIpAddress:-192.168.1.1}
info "=== Add Remote Host SSH Port ==="
read -r -p "Enter Your Port Here [Default: 22]: " remotePort
export scp_port=${remotePort:-22}
info "=== Add Remote SCP Directory ==="
sleep 1
info "=== NOTE: TAKE THIS OPPORTUNITY TO SETUP A FOLDER ON REMOTE HOST ==="
read -r -p "PRESS ENTER WHEN READY"
read -r -p "Enter Remote Directory [example:/Users/${scp_user}/Desktop/p12]: " remoteDir
export remote_dir=${remoteDir:-/Users/${scp_user}/Desktop/p12}
sshpass -p "${ssh_pwd}" scp -P "${scp_port}" -o StrictHostKeyChecking=no "${key}" "${scp_user}"@"${scp_ip}":"${remote_dir}"
elif [[ "${HOST_ANSWER}" =~ (N|n) ]]; then
info "=== Add Local Directory for NiFI p12 key and pwd ==="
sleep 1
info "=== NOTE: TAKE THIS OPPORTUNITY TO SETUP A FOLDER ON YOUR HOST ==="
read -r -p "PRESS ENTER WHEN READY"
# shellcheck disable=SC2155
export local_user=$(who | awk 'NR==1 {print$1}')
read -r -p "Enter Local Directory [example:/var/home/${local_user}/Documents/p12]: " localDir
export local_dir=${localDir:-/var/home/${local_user}/Documents/p12}
cp "${NIFI_HOME_DIR}"/key_trust/CN* "${local_dir}"/.
chown 1000:1000 "${local_dir}"/*
fi
info "=== DETERMINING FIREWALL STATE ==="
if [[ "${ID}" = "fedora" ]]; then
# shellcheck disable=SC2155
export FIREWALL_STATE=$(firewall-cmd --state)
echo "${VARIANT}" "${ID}" "${FIREWALL_STATE}"
elif [[ "${ID}" == "debian" || "${ID}" == "ubuntu" ]]; then
# shellcheck disable=SC2155
export FIREWALL_STATE=$(ufw status | awk -F: '$1=="Status" { print $2;}')
echo "${VARIANT}" "${ID}" "${FIREWALL_STATE}"
fi
if [[ "${ID}" = "fedora" ]]; then
# shellcheck disable=SC2155
export ACTIVE_ZONE=$(firewall-cmd --get-active-zones | awk 'NR==1' | grep -o '^[^(]*')
echo "ACTIVE ZONE=""${ACTIVE_ZONE}"
fi
if [[ "${ID}" == "fedora" ]] && [[ "${FIREWALL_STATE}" == "running" ]]; then
echo "== FIREWALL IS RUNNING - APPLYING INFLUX PORTS TO FIREWALL =="
firewall-cmd --zone="${ACTIVE_ZONE}" --permanent --add-port="${NIFI_WEB_PROXY_PORT}"/tcp
firewall-cmd --reload
elif [[ "${ID}" == "debian" || "${ID}" == "ubuntu" ]] && [[ "${FIREWALL_STATE}" == "active" ]]; then
echo "== FIREWALL IS ACTIVE - APPLYING INFLUX PORTS TO FIREWALL =="
ufw allow "${NIFI_WEB_PROXY_PORT}"/tcp
ufw disable && ufw enable
fi
sleep 40
podman exec nifi sed -i 's/NIFI_ANALYTICS_PREDICT_ENABLED:-false/NIFI_ANALYTICS_PREDICT_ENABLED:-true/g' /opt/nifi/scripts/start.sh
podman exec nifi sed -i 's/NIFI_ANALYTICS_PREDICT_INTERVAL:-3 mins/NIFI_ANALYTICS_PREDICT_INTERVAL:-60 mins/g' /opt/nifi/scripts/start.sh
podman stop nifi
wait
podman start nifi
# shellcheck disable=SC2155
export CN_PASSWD=$(cat "${NIFI_HOME_DIR}"/key_trust/CN*.password)
echo "CN PASSWORD: ${CN_PASSWD}"
... View more
Labels:
- Labels:
-
Apache NiFi
-
NiFi Registry