01-08-2026 02:44 AM
@MattWho Thanks for the clarifications. Here's the verbose output of the keystore used in the SSL Context Service for my NiFiFlowRegistryClient:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: nifi-registry
Creation date: Dec 20, 2025
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: O=3SCDemo, CN=nifi-registry
Issuer: O=3SCDemo, CN=3SCDemo-CA
Serial number:
Valid from: Sat Dec 20 19:51:52 UTC 2025 until: Sun Dec 20 19:51:52 UTC 2026
Certificate fingerprints:
     SHA1:
     SHA256:
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
+...
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: nifi-registry
  DNSName: nifi-registry.dev
  DNSName: nifi-registry.dev.svc
  DNSName: nifi-registry.dev.svc.cluster.local
  DNSName: localhost
  IPAddress: 127.0.0.1
]

#6: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
....
]
]

Certificate[2]:
Owner: O=3SCDemo, CN=3SCDemo-CA
Issuer: O=3SCDemo, CN=3SCDemo-CA
Serial number:
Valid from: Sat Dec 20 19:51:51 UTC 2025 until: Sun Dec 20 19:51:51 UTC 2026
Certificate fingerprints:
     SHA1:
     SHA256:
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
+...
]
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen: no limit
]

#3: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]

#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
+...
]
]

*******************************************
*******************************************

Please find the nifi-registry.properties file:

# web properties #
nifi.registry.web.war.directory=./lib
nifi.registry.web.http.host=
nifi.registry.web.http.port=
nifi.registry.web.https.host=nifi-registry-0
nifi.registry.web.https.port=18443
nifi.registry.web.https.network.interface.default=
nifi.registry.web.https.application.protocols=h2 http/1.1
nifi.registry.web.jetty.working.directory=./work/jetty
nifi.registry.web.jetty.threads=200
nifi.registry.web.should.send.server.version=true

# security properties #
nifi.registry.security.keystore=/opt/certs/nifi-registry-keystore.jks
nifi.registry.security.keystoreType=JKS
nifi.registry.security.keystorePasswd=newps
nifi.registry.security.keyPasswd=newps
nifi.registry.security.truststore=/opt/certs/nifi-registry-truststore.jks
nifi.registry.security.truststoreType=JKS
nifi.registry.security.truststorePasswd=newps
nifi.registry.security.needClientAuth=false
nifi.registry.security.authorizers.configuration.file=./conf/authorizers.xml
nifi.registry.security.authorizer=managed-authorizer
nifi.registry.security.identity.providers.configuration.file=./conf/identity-providers.xml
nifi.registry.security.identity.provider=ldap-identity-provider

# providers properties #
nifi.registry.providers.configuration.file=./conf/providers.xml

# registry alias properties #
nifi.registry.registry.alias.configuration.file=./conf/registry-aliases.xml

# extensions working dir #
nifi.registry.extensions.working.directory=./work/extensions

# legacy database properties, used to migrate data from original DB to new DB below
# NOTE: Users upgrading from 0.1.0 should leave these populated, but new installs after 0.1.0 should leave these empty
nifi.registry.db.directory=
nifi.registry.db.url.append=

# database properties
nifi.registry.db.url=jdbc:h2:./database/nifi-registry-primary;AUTOCOMMIT=OFF;DB_CLOSE_ON_EXIT=FALSE;LOCK_MODE=3;LOCK_TIMEOUT=25000;WRITE_DELAY=0;AUTO_SERVER=FALSE
nifi.registry.db.driver.class=org.h2.Driver
nifi.registry.db.driver.directory=
nifi.registry.db.username=nifireg
nifi.registry.db.password=nifireg
nifi.registry.db.maxConnections=5
nifi.registry.db.sql.debug=false

# extension directories #
#
# Each property beginning with "nifi.registry.extension.dir." will be treated as location for an extension,
# and a class loader will be created for each location, with the system class loader as the parent
#
#nifi.registry.extension.dir.1=/path/to/extension1
#nifi.registry.extension.dir.2=/path/to/extension2
nifi.registry.extension.dir.aws=./ext/aws/lib

# Identity Mapping Properties #
#
# These properties allow normalizing user identities such that identities coming from different identity providers
# (certificates, LDAP, Kerberos) can be treated the same internally in NiFi. The following example demonstrates normalizing
# DNs from certificates and principals from Kerberos into a common identity string:
#
# nifi.registry.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?), O=(.*?), L=(.*?), ST=(.*?), C=(.*?)$
# nifi.registry.security.identity.mapping.value.dn=$1@$2
# nifi.registry.security.identity.mapping.transform.dn=NONE
# nifi.registry.security.identity.mapping.pattern.kerb=^(.*?)/instance@(.*?)$
# nifi.registry.security.identity.mapping.value.kerb=$1@$2
# nifi.registry.security.identity.mapping.transform.kerb=UPPER

# Group Mapping Properties #
#
# These properties allow normalizing group names coming from external sources like LDAP. The following example
# lowercases any group name.
#
# nifi.registry.security.group.mapping.pattern.anygroup=^(.*)$
# nifi.registry.security.group.mapping.value.anygroup=$1
# nifi.registry.security.group.mapping.transform.anygroup=LOWER

# kerberos properties #
nifi.registry.kerberos.krb5.file=
nifi.registry.kerberos.spnego.principal=
nifi.registry.kerberos.spnego.keytab.location=
nifi.registry.kerberos.spnego.authentication.expiration=12 hours

# OIDC #
nifi.registry.security.user.oidc.discovery.url=
nifi.registry.security.user.oidc.connect.timeout=
nifi.registry.security.user.oidc.read.timeout=
nifi.registry.security.user.oidc.client.id=
nifi.registry.security.user.oidc.client.secret=
nifi.registry.security.user.oidc.preferred.jwsalgorithm=
nifi.registry.security.user.oidc.additional.scopes=${nifi.registry.security.user.oidc.additional.scopes}
nifi.registry.security.user.oidc.claim.identifying.user=${nifi.registry.security.user.oidc.claim.identifying.user}
nifi.registry.security.user.oidc.claim.groups=groups

# revision management #
# This feature should remain disabled until a future NiFi release that supports the revision API changes
nifi.registry.revisions.enabled=false
12-20-2025 12:35 PM
@MattWho Apologies for the delay here. I could finally try using certificates with the EKU Extensions and I do not see a similar authentication issue anymore. Thank you for the kind assistance!