01-08-2026
02:44 AM
@MattWho Thanks for the clarifications. Here's the verbose output of the keystore used in the SSL Context Service for my NiFiFlowRegistryClient:

Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: nifi-registry
Creation date: Dec 20, 2025
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: O=3SCDemo, CN=nifi-registry
Issuer: O=3SCDemo, CN=3SCDemo-CA
Serial number:
Valid from: Sat Dec 20 19:51:52 UTC 2025 until: Sun Dec 20 19:51:52 UTC 2026
Certificate fingerprints:
SHA1: SHA256:
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
+...
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: nifi-registry
DNSName: nifi-registry.dev
DNSName: nifi-registry.dev.svc
DNSName: nifi-registry.dev.svc.cluster.local
DNSName: localhost
IPAddress: 127.0.0.1
]
#6: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
....
]
]
Certificate[2]:
Owner: O=3SCDemo, CN=3SCDemo-CA
Issuer: O=3SCDemo, CN=3SCDemo-CA
Serial number:
Valid from: Sat Dec 20 19:51:51 UTC 2025 until: Sun Dec 20 19:51:51 UTC 2026
Certificate fingerprints:
SHA1: SHA256:
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
+...
]
]
#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen: no limit
]
#3: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
+...
]
]
*******************************************
*******************************************

Please find the nifi-registry.properties file:

# web properties #
nifi.registry.web.war.directory=./lib
nifi.registry.web.http.host=
nifi.registry.web.http.port=
nifi.registry.web.https.host=nifi-registry-0
nifi.registry.web.https.port=18443
nifi.registry.web.https.network.interface.default=
nifi.registry.web.https.application.protocols=h2 http/1.1
nifi.registry.web.jetty.working.directory=./work/jetty
nifi.registry.web.jetty.threads=200
nifi.registry.web.should.send.server.version=true

# security properties #
nifi.registry.security.keystore=/opt/certs/nifi-registry-keystore.jks
nifi.registry.security.keystoreType=JKS
nifi.registry.security.keystorePasswd=newps
nifi.registry.security.keyPasswd=newps
nifi.registry.security.truststore=/opt/certs/nifi-registry-truststore.jks
nifi.registry.security.truststoreType=JKS
nifi.registry.security.truststorePasswd=newps
nifi.registry.security.needClientAuth=false
nifi.registry.security.authorizers.configuration.file=./conf/authorizers.xml
nifi.registry.security.authorizer=managed-authorizer
nifi.registry.security.identity.providers.configuration.file=./conf/identity-providers.xml
nifi.registry.security.identity.provider=ldap-identity-provider

# providers properties #
nifi.registry.providers.configuration.file=./conf/providers.xml

# registry alias properties #
nifi.registry.registry.alias.configuration.file=./conf/registry-aliases.xml

# extensions working dir #
nifi.registry.extensions.working.directory=./work/extensions

# legacy database properties, used to migrate data from original DB to new DB below
# NOTE: Users upgrading from 0.1.0 should leave these populated, but new installs after 0.1.0 should leave these empty
nifi.registry.db.directory=
nifi.registry.db.url.append=

# database properties
nifi.registry.db.url=jdbc:h2:./database/nifi-registry-primary;AUTOCOMMIT=OFF;DB_CLOSE_ON_EXIT=FALSE;LOCK_MODE=3;LOCK_TIMEOUT=25000;WRITE_DELAY=0;AUTO_SERVER=FALSE
nifi.registry.db.driver.class=org.h2.Driver
nifi.registry.db.driver.directory=
nifi.registry.db.username=nifireg
nifi.registry.db.password=nifireg
nifi.registry.db.maxConnections=5
nifi.registry.db.sql.debug=false

# extension directories #
#
# Each property beginning with "nifi.registry.extension.dir." will be treated as location for an extension,
# and a class loader will be created for each location, with the system class loader as the parent
#
#nifi.registry.extension.dir.1=/path/to/extension1
#nifi.registry.extension.dir.2=/path/to/extension2
nifi.registry.extension.dir.aws=./ext/aws/lib

# Identity Mapping Properties #
#
# These properties allow normalizing user identities such that identities coming from different identity providers
# (certificates, LDAP, Kerberos) can be treated the same internally in NiFi. The following example demonstrates normalizing
# DNs from certificates and principals from Kerberos into a common identity string:
#
# nifi.registry.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?), O=(.*?), L=(.*?), ST=(.*?), C=(.*?)$
# nifi.registry.security.identity.mapping.value.dn=$1@$2
# nifi.registry.security.identity.mapping.transform.dn=NONE
# nifi.registry.security.identity.mapping.pattern.kerb=^(.*?)/instance@(.*?)$
# nifi.registry.security.identity.mapping.value.kerb=$1@$2
# nifi.registry.security.identity.mapping.transform.kerb=UPPER

# Group Mapping Properties #
#
# These properties allow normalizing group names coming from external sources like LDAP. The following example
# lowercases any group name.
#
# nifi.registry.security.group.mapping.pattern.anygroup=^(.*)$
# nifi.registry.security.group.mapping.value.anygroup=$1
# nifi.registry.security.group.mapping.transform.anygroup=LOWER

# kerberos properties #
nifi.registry.kerberos.krb5.file=
nifi.registry.kerberos.spnego.principal=
nifi.registry.kerberos.spnego.keytab.location=
nifi.registry.kerberos.spnego.authentication.expiration=12 hours

# OIDC #
nifi.registry.security.user.oidc.discovery.url=
nifi.registry.security.user.oidc.connect.timeout=
nifi.registry.security.user.oidc.read.timeout=
nifi.registry.security.user.oidc.client.id=
nifi.registry.security.user.oidc.client.secret=
nifi.registry.security.user.oidc.preferred.jwsalgorithm=
nifi.registry.security.user.oidc.additional.scopes=${nifi.registry.security.user.oidc.additional.scopes}
nifi.registry.security.user.oidc.claim.identifying.user=${nifi.registry.security.user.oidc.claim.identifying.user}
nifi.registry.security.user.oidc.claim.groups=groups

# revision management #
#
# This feature should remain disabled until a future NiFi release that supports the revision API changes
nifi.registry.revisions.enabled=false
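The identity mapping block that is commented out in the properties above decides which identity string NiFi Registry compares against its users and policies, which is the core of the CN=node-0-nifikop question in this thread. The following is an added example, not code from the thread or from NiFi: a simplified Python reimplementation of that mapping logic which loads the sample mappings and shows that a DN without OU/O/L/ST/C components, such as CN=node-0-nifikop or O=3SCDemo, CN=nifi-registry, matches no pattern and is therefore used verbatim. Trying mappings in alphabetical order of their name is my reading of NiFi's mapping rules and is stated as an assumption; the sample properties are constructed from the commented example.

```python
import re

# Constructed sample: the identity mapping example that is commented out in the
# nifi-registry.properties above, uncommented here so that it actually applies.
SAMPLE_PROPERTIES = """\
nifi.registry.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?), O=(.*?), L=(.*?), ST=(.*?), C=(.*?)$
nifi.registry.security.identity.mapping.value.dn=$1@$2
nifi.registry.security.identity.mapping.transform.dn=NONE
nifi.registry.security.identity.mapping.pattern.kerb=^(.*?)/instance@(.*?)$
nifi.registry.security.identity.mapping.value.kerb=$1@$2
nifi.registry.security.identity.mapping.transform.kerb=UPPER
"""

PREFIX = "nifi.registry.security.identity.mapping"
TRANSFORMS = {"NONE": lambda s: s, "LOWER": str.lower, "UPPER": str.upper}


def load_mappings(properties_text, prefix=PREFIX):
    """Group the pattern/value/transform properties by mapping name (the last
    key component). Only mappings with both a pattern and a value are kept."""
    mappings = {}
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)  # split once: the regex itself contains '='
        if not key.startswith(prefix + "."):
            continue
        kind, name = key[len(prefix) + 1:].split(".", 1)
        mappings.setdefault(name, {"transform": "NONE"})[kind] = value
    return {n: m for n, m in mappings.items() if "pattern" in m and "value" in m}


def map_identity(identity, mappings):
    """Return (mapped_identity, mapping_name).

    Mappings are tried in alphabetical order of their name (assumption about
    NiFi's ordering); the first pattern that matches the whole identity wins,
    $N references in the value are replaced by capture groups, then the
    transform is applied. If nothing matches, the identity is used unchanged,
    which for a client certificate is the full subject DN, so that exact DN
    must be the user known to Registry and named in its policies."""
    for name in sorted(mappings):
        m = mappings[name]
        match = re.fullmatch(m["pattern"], identity)
        if match is None:
            continue
        mapped = re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))), m["value"])
        transform = TRANSFORMS.get(m["transform"].upper(), TRANSFORMS["NONE"])
        return transform(mapped), name
    return identity, None


if __name__ == "__main__":
    mappings = load_mappings(SAMPLE_PROPERTIES)
    for identity in ("CN=node-0-nifikop",
                     "O=3SCDemo, CN=nifi-registry",
                     "CN=alice, OU=Eng, O=3SCDemo, L=Paris, ST=IDF, C=FR",
                     "nifi/instance@EXAMPLE.COM"):
        mapped, used = map_identity(identity, mappings)
        print(f"{identity!r:60} -> {mapped!r} (mapping: {used})")
```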
01-06-2026
10:55 AM
@MattWho Thanks for the quick reply! Thanks for the clarification on the proxying. I checked my setup and I have these three questions:

1) Do you need the verbose output from the tcpdump utility or from my NiFi Node's keystore? I've shared the verbose output of my NiFi Node's keystore below. It does seem that my keystore has 2 aliases (or PrivateKeyEntries) indeed, one of them carrying the certificate involved i.e. CN=node-0-nifikop

nifi@nifikop-0-node:/var/run/secrets/java.io/keystores/server$ keytool --list -v --keystore keystore.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: ca
Creation date: Nov 24, 2025
Entry type: trustedCertEntry
Owner: CN=nifikop-ca.dev.cluster.local
Issuer: CN=nifikop-ca.dev.cluster.local
Serial number: f6b7c60ecee584faa4b5778b6667a7fb
Valid from: Mon Oct 13 21:43:39 UTC 2025 until: Sun Jan 11 21:43:39 UTC 2026
Certificate fingerprints:
SHA1: 56:05:68:C3:15:7F:82:A0:C8:90:6D:DF:BE:02:3E:10:7F:9D:C0:05
SHA256: 32:46:2C:84:04:D0:91:D9:A8:05:D3:8B:07:E2:09:1C:E3:AC:75:17:77:CB:86:EA:BE:90:9E:09:6F:77:4B:3A
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen: no limit
]
#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
Key_CertSign
]
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 0C A4 00 26 2F 44 ED FF BD 2C 3F 76 8F 6C FA CB ...&/D...,?v.l..
0010: 2A 48 0E A2 *H..
]
]
*******************************************
*******************************************
Alias name: certificate
Creation date: Nov 24, 2025
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=node-0-nifikop
Issuer: CN=nifikop-ca.dev.cluster.local
Serial number: b15ef24eef5835b02b5921d40726a453
Valid from: Mon Nov 24 06:29:55 UTC 2025 until: Sun Feb 22 06:29:55 UTC 2026
Certificate fingerprints:
SHA1: 80:60:7E:27:D9:8A:3D:10:C0:47:0E:72:C1:31:17:D7:7C:3E:3E:AF
SHA256: 07:25:53:5B:05:00:5F:16:E6:12:B9:44:77:D6:A6:7C:83:F8:80:F7:4A:DB:F3:F6:DF:32:F6:31:56:AC:66:FF
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 0C A4 00 26 2F 44 ED FF BD 2C 3F 76 8F 6C FA CB ...&/D...,?v.l..
0010: 2A 48 0E A2 *H..
]
]
#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
clientAuth
serverAuth
]
#4: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: nifikop-headless.dev.svc.cluster.local
DNSName: nifikop-0-node.nifikop-headless.dev.svc.cluster.local
DNSName: nifikop-headless.dev.svc
DNSName: nifikop-0-node.nifikop-headless.dev.svc
DNSName: nifikop-headless.dev
DNSName: nifikop-0-node.nifikop-headless.dev
DNSName: nifikop-headless
DNSName: nifikop-0-node.nifikop-headless
DNSName: nifikop-0-node
DNSName: nifi-internal.3sc.com
URIName: spiffe://nifikop/ns/dev/nifiuser/node-0-nifikop
]
*******************************************
*******************************************
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12".

Note: My NiFi Cluster also has an Operator and this is all deployed inside a Kubernetes Cluster. Cert-manager is used to generate and manage these certificates.

2) Does the TLS Version matter in the SSL Context? Currently it's set to 'TLS' and I tried even with SSL and it hadn't worked.

3) Although I've referenced another working certificate (with clientAuth EKUs) in the SSL Context which has "O=3SCDemo, CN=nifi-registry" as the Subject Name and exactly one alias in that keystore, why is NiFi still presenting the node's certificate referenced in nifi.properties to the registry (as I had confirmed using tcpdump)? I didn't see any other CN Name except CN=node-0-nifikop.
01-05-2026
10:19 PM
I am trying to connect between NiFi and NiFi Registry. I'm able to authenticate with Registry from NiFi but I'm unable to see the buckets, not even the public ones. I've configured an SSL Context on NiFi that references a truststore containing Registry's Truststore and Keystore. I've imported NiFi's node certificates into the truststore on the registry's side. I've given the 'proxy and manage user bucket' permissions to the Node's identity in the Registry UI and Read, Write and Execute permission to the same user on the Buckets. But I'm still unable to see the buckets on NiFi's UI. The API Responses also indicate that NiFi only has read permissions to the buckets. This is as if there is some anomaly during login.

Note:
1) I'm using a Clustered NiFi Setup. I have verified that my node identity is 'CN=node-0-nifikop'.
2) Both NiFi Cluster (NiFiKop) and the NiFi Registry (Helm Release) are running inside a Kubernetes Cluster.

Error Samples:
The Error on NiFi UI: Error.jpeg
Registry Bucket Policies: Bucket Policies.jpeg
Registry User Permissions: Registry User Permissions.jpeg

The following is the Truststore referenced in NiFi's SSL Contexts
======================================
NOTE: SENSITIVE INFORMATION HAS BEEN OBFUSCATED
======================================
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 4 entries
Alias name: ca-cert
Creation date: Jan 5, 2026
Entry type: trustedCertEntry
Owner: O=3SCDemo, CN=3SCDemo-CA
Issuer: O=3SCDemo, CN=3SCDemo-CA
Serial number: 1745e28f179548d468a6ece0d0d497be8b15d74f
Valid from: Sat Dec 20 19:51:51 UTC 2025 until: Sun Dec 20 19:51:51 UTC 2026
Certificate fingerprints:
SHA1: SHA256:
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
+...
]
]
#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen: no limit
]
#3: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
+...
]
]
*******************************************
*******************************************
Alias name: nifi-ca
Creation date: Jan 5, 2026
Entry type: trustedCertEntry
Owner: CN=nifikop-ca.dev.cluster.local
Issuer: CN=nifikop-ca.dev.cluster.local
Serial number:
Valid from: Mon Dec 29 07:08:21 UTC 2025 until: Sun Mar 29 07:08:21 UTC 2026
Certificate fingerprints:
SHA1: SHA256:
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen: no limit
]
#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
Key_CertSign
]
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
.c..
]
]
*******************************************
*******************************************
Alias name: nifi-prod
Creation date: Jan 5, 2026
Entry type: trustedCertEntry
Owner: CN=node-0-nifikop
Issuer: CN=nifikop-ca.dev.cluster.local
Serial number:
Valid from: Mon Dec 29 07:08:26 UTC 2025 until: Sun Mar 29 07:08:26 UTC 2026
Certificate fingerprints:
SHA1: SHA256:
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
.c..
]
]
#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
clientAuth
serverAuth
]
#4: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: nifikop-headless.dev.svc.cluster.local
DNSName: nifikop-0-node.nifikop-headless.dev.svc.cluster.local
DNSName: nifikop-headless.dev.svc
DNSName: nifikop-0-node.nifikop-headless.dev.svc
DNSName: nifikop-headless.dev
DNSName: nifikop-0-node.nifikop-headless.dev
DNSName: nifikop-headless
DNSName: nifikop-0-node.nifikop-headless
DNSName: nifikop-0-node
DNSName: adinifiapp.com
URIName: spiffe://nifikop/ns/dev/nifiuser/node-0-nifikop
]
*******************************************
*******************************************
Alias name: nifi-reg-keystore-import
Creation date: Jan 5, 2026
Entry type: trustedCertEntry
Owner: O=3SCDemo, CN=nifi-registry
Issuer: O=3SCDemo, CN=3SCDemo-CA
Serial number:
Valid from: Sat Dec 20 19:51:52 UTC 2025 until: Sun Dec 20 19:51:52 UTC 2026
Certificate fingerprints:
SHA1: SHA256:
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
+...
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: nifi-registry
DNSName: nifi-registry.dev
DNSName: nifi-registry.dev.svc
DNSName: nifi-registry.dev.svc.cluster.local
DNSName: localhost
IPAddress: 127.0.0.1
]
#6: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
....
]
]
*******************************************
*******************************************
======================================
NOTE: SENSITIVE INFORMATION HAS BEEN OBFUSCATED
======================================

The following is the truststore of NiFi Registry
======================================
NOTE: SENSITIVE INFORMATION HAS BEEN OBFUSCATED
======================================
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 3 entries
Alias name: ca-cert
Creation date: Jan 5, 2026
Entry type: trustedCertEntry
Owner: O=3SCDemo, CN=3SCDemo-CA
Issuer: O=3SCDemo, CN=3SCDemo-CA
Serial number:
Valid from: Sat Dec 20 19:51:51 UTC 2025 until: Sun Dec 20 19:51:51 UTC 2026
Certificate fingerprints:
SHA1: SHA256:
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
+...
]
]
#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen: no limit
]
#3: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
+...
]
]
*******************************************
*******************************************
Alias name: nifi-ca
Creation date: Jan 5, 2026
Entry type: trustedCertEntry
Owner: CN=nifikop-ca.dev.cluster.local
Issuer: CN=nifikop-ca.dev.cluster.local
Serial number:
Valid from: Mon Dec 29 07:08:21 UTC 2025 until: Sun Mar 29 07:08:21 UTC 2026
Certificate fingerprints:
SHA1: SHA256:
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen: no limit
]
#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
Key_CertSign
]
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: EB 16 CA 18 17 7C 14 24 E3 FC 9D E7 EE CA A6 80 .......$........
0010: A1 63 D1 BB .c..
]
]
*******************************************
*******************************************
Alias name: nifi-prod
Creation date: Jan 5, 2026
Entry type: trustedCertEntry
Owner: CN=node-0-nifikop
Issuer: CN=nifikop-ca.dev.cluster.local
Serial number:
Valid from: Mon Dec 29 07:08:26 UTC 2025 until: Sun Mar 29 07:08:26 UTC 2026
Certificate fingerprints:
SHA1: SHA256:
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
.c..
]
]
#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
clientAuth
serverAuth
]
#4: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: nifikop-headless.dev.svc.cluster.local
DNSName: nifikop-0-node.nifikop-headless.dev.svc.cluster.local
DNSName: nifikop-headless.dev.svc
DNSName: nifikop-0-node.nifikop-headless.dev.svc
DNSName: nifikop-headless.dev
DNSName: nifikop-0-node.nifikop-headless.dev
DNSName: nifikop-headless
DNSName: nifikop-0-node.nifikop-headless
DNSName: nifikop-0-node
DNSName: adinifiapp.com
URIName: spiffe://nifikop/ns/dev/nifiuser/node-0-nifikop
]
*******************************************
*******************************************
======================================
NOTE: SENSITIVE INFORMATION HAS BEEN OBFUSCATED
======================================

This is the kind of response I get when I hit this API: https://domain-name/context-path/nifi-api/flow/registries/9e779b09-0199-1000-ffff-ffffec7d027b/buckets

{
"buckets": [
{
"id": "38257128-3406-4fe7-9a7e-967340552ca8",
"bucket": {
"id": "38257128-3406-4fe7-9a7e-967340552ca8",
"name": "fddf",
"description": "",
"created": 1760507389992
},
"permissions": {
"canRead": true,
"canWrite": false
}
}
]
}

Another Clarification: If I understand this right, in case of a clustered setup, the certificate referenced in the SSL Context is proxied via the Node's Identity while NiFi presents its own identity to Registry during the mTLS Handshake. So what registry would see in case of a clustered nifi setup would be the node's identity instead of that Certificate which is referenced in NiFi's SSL Contexts. I have verified the same even from Registry using tcpdump in my setup and I do see that the incoming CN name from nifi is CN=node-0-nifikop instead of what is referenced in the SSL Context.
12-20-2025
12:35 PM
@MattWho Apologies for the delay here. I could finally try using certificates with the EKU Extensions and I do not see a similar authentication issue anymore. Thank you for the kind assistance!
10-30-2025
12:36 AM
Yes. I am using 'https' to reach the registry. I found out my registry's certificates really don't have the ExtendedKeyUsage Extensions. I will try recreating new certificates with the extensions and will get back. Also, since I'm using LDAP to secure my Registry, I had set clientAuth to false. Will that not interfere while NiFi is trying to connect to the registry since we are using mTLS in this case and not LDAP credentials for authentication? So, is it mandatory that I configure a composite user group (file-based and LDAP) in my registry's authorizers for authentication?
10-29-2025
02:55 AM
Please find my verbose keytool output for both my keystore and truststore of my NiFi Registry. The same keystore and truststores were copied over to my NiFi instances (via 'kubectl cp' utilities) and have been referenced via SSL Context.

nifi@nifi-registry-0:/opt/certs$ keytool -v -list -keystore nifi-registry-keystore.jks
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: nifi-registry
Creation date: Sep 13, 2025
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: OU=3SCDemo, CN=nifi-registry
Issuer: OU=3SCDemo, CN=3SCDemo-CA
Serial number: 4c6bdbce9df169456145d320bd438808765291b
Valid from: Sat Sep 13 18:35:02 UTC 2025 until: Sun Sep 13 18:35:02 UTC 2026
Certificate fingerprints: <fingerprints>
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 1
*******************************************
*******************************************

nifi@nifi-registry-0:/opt/certs$ keytool -v -list -keystore nifi-registry-truststore.jks
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: ca-cert
Creation date: Oct 29, 2025
Entry type: trustedCertEntry
Owner: OU=3SCDemo, CN=3SCDemo-CA
Issuer: OU=3SCDemo, CN=3SCDemo-CA
Serial number: 429a23e0a595c4721f6f7f0933e69ebcca616027
Valid from: Sat Sep 13 18:35:02 UTC 2025 until: Sun Sep 13 18:35:02 UTC 2026
Certificate fingerprints: <fingerprints>
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
..
]
#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen: no limit
]
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
..
]
*******************************************
*******************************************
Alias name: nifi-registry
Creation date: Oct 29, 2025
Entry type: trustedCertEntry
Owner: OU=3SCDemo, CN=nifi-registry
Issuer: OU=3SCDemo, CN=3SCDemo-CA
Serial number: 4c6bdbce9df169456145d320bd438808765291b
Valid from: Sat Sep 13 18:35:02 UTC 2025 until: Sun Sep 13 18:35:02 UTC 2026
Certificate fingerprints: <fingerprints>
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 1
*******************************************
*******************************************

In essence, NiFi Registry is essentially not recognizing certificates being presented from its own keystores and truststores via NiFi's SSL Context services.
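The keystore dump above is where the thread turns: the registry's entries are Version 1 certificates with no extensions at all, so there is no ExtendedKeyUsage to carry clientAuth or serverAuth. As an added example (not code from the thread or from NiFi), this Python checker parses the keytool -list -v format quoted throughout this thread and, for each entry's leaf certificate, flags the conditions the posts ran into: a v1 certificate without extensions, a missing clientAuth or serverAuth EKU for the role the certificate is meant to play, a missing SAN on a server certificate, and a keystore that holds only the leaf so the peer's truststore must contain the issuing CA. The sample dump, its aliases and its names are constructed.

```python
# Constructed sample in the format of the keytool -list -v dumps quoted in this
# thread (names and values made up): a v1 certificate with no extensions, and a
# v3 certificate with EKU and SAN whose issuing CA follows as Certificate[2].
SAMPLE_KEYTOOL = """\
Your keystore contains 2 entries
Alias name: legacy-reg
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: OU=Demo, CN=nifi-registry
Issuer: OU=Demo, CN=Demo-CA
Version: 1
*******************************************
*******************************************
Alias name: node-cert
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=node-0-demo
Issuer: CN=demo-ca.cluster.local
Version: 3
Extensions:
#1: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
clientAuth
serverAuth
]
#2: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: node-0-demo
]
Certificate[2]:
Owner: CN=demo-ca.cluster.local
Issuer: CN=demo-ca.cluster.local
Version: 3
*******************************************
*******************************************
"""

FIELDS = {"Entry type": "type", "Owner": "owner", "Issuer": "issuer",
          "Version": "version", "Certificate chain length": "chain_length"}


def parse_keytool(text):
    """Split a keytool -list -v dump into entries, keeping only each entry's
    leaf certificate (Certificate[1], or the single cert of a trustedCertEntry)."""
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            cur = {"alias": line.split(":", 1)[1].strip(), "type": None, "owner": None,
                   "issuer": None, "version": None, "chain_length": 1, "eku": [], "san": []}
            entries.append(cur)
            section = None
        elif cur is None or (line.startswith("Certificate[") and line != "Certificate[1]:"):
            cur = None  # the rest of the chain is the issuer side; not audited here
        elif line == "]":
            section = None
        elif section:  # inside an ExtendedKeyUsages [ ... ] or SubjectAlternativeName [ ... ] block
            cur[section].append(line)
        elif line.startswith("ExtendedKeyUsages ["):
            section = "eku"
        elif line.startswith("SubjectAlternativeName ["):
            section = "san"
        elif ":" in line:
            key, value = (p.strip() for p in line.split(":", 1))
            if key in FIELDS:
                cur[FIELDS[key]] = int(value) if key in ("Version", "Certificate chain length") else value
    return entries


def audit_entry(entry, role):
    """Findings for a certificate meant to act as a TLS 'client' (the keystore
    behind NiFi's SSL Context) or 'server' (NiFi Registry's own keystore)."""
    findings = []
    need = "clientAuth" if role == "client" else "serverAuth"
    if entry["version"] is not None and entry["version"] < 3:
        findings.append(f"X.509 v{entry['version']}: no extensions at all; reissue as v3 with EKU and SAN")
    elif not entry["eku"]:
        findings.append("no ExtendedKeyUsage extension")
    elif need not in entry["eku"]:
        findings.append(f"ExtendedKeyUsage lacks {need}")
    if role == "server" and not entry["san"]:
        findings.append("no SubjectAlternativeName: hostname verification has nothing to match")
    if entry["type"] == "PrivateKeyEntry" and entry["chain_length"] < 2 and entry["owner"] != entry["issuer"]:
        findings.append("keystore holds only the leaf; the peer's truststore must contain the issuing CA")
    return findings


if __name__ == "__main__":
    for entry in parse_keytool(SAMPLE_KEYTOOL):
        print(entry["alias"], audit_entry(entry, "client") or ["ok"])
```

To run it against a real store, pipe the output of keytool -list -v into parse_keytool and pick the role according to which side of the NiFi-to-Registry connection the keystore serves.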
10-23-2025
11:55 PM
@MattWho Thank you for the response. I'm on a single node nifi setup. As you suggested, I tried verifying my certificates the other way round i.e. NiFi Node's server certificates from my NiFi Registry. As expected, it didn't verify successfully. As I had previously mentioned, my NiFi Nodes are being signed by cert manager and I'm using a self signed central nifi registry to connect from different single-node NiFi Clusters. I have attached an illustration of my setup below. Since my NiFi Nodes are connecting from different environments and the fact that I use different cert-manager deployments to sign the certs for the respective Nodes, how can I connect to the registry without having to update the registry's truststore every time I need to spin up a new nifi cluster in a new environment? If I understand this correctly, the SSL context management controller is supposed to exactly solve this kind of problem, right? The SSL Context in my NiFi Node(s) should contain the paths to the keystore and the truststore of my NiFi Registry, on the NiFi Node's local filesystem, isn't it? If I had multiple registries to connect to, I could similarly configure additional SSL Contexts for the respective registries in NiFi's management controller services, isn't it? Please correct me if I'm wrong.
10-16-2025
08:57 PM
Thank you for the quick reply @vafs ! As I have mentioned above, the truststore that I've referenced belongs to the NiFi Registry. I had copied the truststore from my NiFi Registry instance into my NiFi instance to eliminate any certificate mismatches. But yet it didn't work. I however tried reimporting the ca certificate into the truststore as you suggested, but I still encounter the same issue while trying to version my flows.

nifi@nifikop-0-node:/opt/nifi/nifi-current$ keytool -importcert -alias 3SCDemo-CA -file /tmp/ca-cert.pem -keystore /tmp/nifi-registry-truststore.jks
Enter keystore password:
Certificate already exists in keystore under alias <ca-cert>
Do you still want to add it? [no]: yes
Certificate was added to keystore
nifi@nifikop-0-node:/opt/nifi/nifi-current$
10-14-2025
12:37 PM
I have multiple instances of nifi running and a central nifi registry is deployed. NiFi Registry is signed by an independent self-issued CA-signed certificate. I do have a copy of NiFi Registry's truststore and keystore inside my NiFi instance (Kubernetes Pod). And I have configured the registry client with my registry's internal k8s service URL and the associated SSL Context is referenced to the Registry's truststore and keystores. The SSL Context Controller enables fine (indicating the keystores are accessible and the passwords are correct) but then I get the following error message while trying to enable versioning on a process group:

Unable to obtain listing of buckets: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I checked the other topics on this forum and on other forums on the Internet and found that this could be an issue with the validity of the registry's server certificate. The registry's server certificate is not being trusted by NiFi because it's unable to find matches in the referenced truststore. I have tried verifying this manually from within the instance. I copied the registry's CA PEM certificate (the same one used while generating the registry's truststore and keystore) into the NiFi instance and verified the upstream registry server's certificate with the CA. I can confirm the server is accessible and the server certificates are valid. The truststore shouldn't be an issue and NiFi should be able to interact with the registry.

nifi@nifikop-0-node:/opt/nifi/nifi-current$ openssl s_client -connect nifi-registry.dev.svc.cluster.local:18443 -showcerts -CAfile /tmp/ca-cert.pem
CONNECTED(00000003)
depth=1 CN = 3SCDemo-CA, OU = 3SCDemo
verify return:1
depth=0 CN = nifi-registry, OU = 3SCDemo
verify return:1
---
Certificate chain
0 s:CN = nifi-registry, OU = 3SCDemo
i:CN = 3SCDemo-CA, OU = 3SCDemo
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Sep 13 18:35:02 2025 GMT; NotAfter: Sep 13 18:35:02 2026 GMT
-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----
---
Server certificate
subject=CN = nifi-registry, OU = 3SCDemo
issuer=CN = 3SCDemo-CA, OU = 3SCDemo
---
Acceptable client certificate CA names
CN = 3SCDemo-CA, OU = 3SCDemo
CN = nifi-registry, OU = 3SCDemo
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1432 bytes and written 451 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: C84E2BFD44167DA371468E366F7E62CE8A2457A88A5FABADCEBA5A182CB29A28
Session-ID-ctx:
Resumption PSK: 57C3C840AF40C97DCA5E3C86C67ECC5943711E6D1CFD439DDDCDD30F8A599A620D89F0591288E0F7102C5031C266EFBC
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 86400 (seconds)
TLS session ticket:
..ticket...
Start Time: 1760469262
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK

Ideally, I understand it should've worked. But I'm not sure where the issue lies.