Hi Akhil, It was helpful but I still do not have a solution for monitoring my NIFI instances. I will post a separate query. Thanks ... View more

Also, I am only after monitoring, not management. ... View more

Hi Akhil, Thanks for the prompt response. Is it possible to channel metrics from a standalone NiFi through an Ambari deployed Nifi to the Ambari dashboard? Thank you ... View more

Hi Andy, Just letting you know that I got this working. Thank you for your help. What I did was to exchange the two nifi-cert.pem files between the two nifi instances and import them in the opposing truststores. At that point the RPG's status became "Forbidden". I then looked at the nifi-users.log file on the target Nifi, and I could see that the there was a user with DN (CN=<Nifi Instance 1 IP>, OU=NIFI) that was trying to authenticate. So I added that user in the target nifi, added to the global S2S policy and the individual port policies and voila! cheers ... View more

Hi Andy, thanks for your persistence. Made the change to the URL to look at port 8443. Still same warning about the trust anchors. I don't think I am importing the private key to the truststore of either instances. The .p12 file that the TLS Toolkit produces should be a certificate with the public key. It's the same file I import to a browser for it to access the Nifi UI. I don't understand why the nifi instances themselves have trouble authenticating. is the root public key the .pem file that is created by the toolkit? the .key file appears to be the private key. Thank you ... View more

Because the error message was referencing a previous instance IP, I have re-done the keystore and truststore on both instances using the TLS Toolkit. The commands I used on each instance were /data/download/nifi-toolkit-1.4.0/bin/tls-toolkit.sh standalone -n '<Nifi Instance 1 IP>' -C 'CN=Admin1,OU=DevOU' -O -o /data/security /data/download/nifi-toolkit-1.4.0/bin/tls-toolkit.sh standalone -n '<Nifi Instance 2 IP>' -C 'CN=Admin2,OU=DevOU' -O -o /data/security This produced the standard files on each instance, which I have incorporated to the conf folder. The .p12 files I imported to my browser, and I can securely access the UI of the instances as Admin1 or Admin2 after modifying the authorizers.xml and authorzed-users.xml. (port 8443). The S2S comms however is still giving me a headache. The S2S properties are as follows. The difference between the two instances is the IP number. I understand that you shouldn't need to have the IP number on the RPG instance side, but it seemed to work with the numbers on both sides when I had Nifi unsecured, so i have left them in. nifi.remote.input.host=<Nifi instance IP> nifi.remote.input.secure=true nifi.remote.input.socket.port=8899 nifi.remote.input.http.enabled=true nifi.remote.input.http.transaction.ttl=30 sec # web properties # nifi.web.war.directory=./lib nifi.web.http.host= nifi.web.http.port=8080 nifi.web.http.network.interface.default= nifi.web.https.host= nifi.web.https.port=8443 nifi.web.https.network.interface.default= nifi.web.jetty.working.directory=./work/jetty nifi.web.jetty.threads=200 I am using the 8899 port to have secure RAW protocol. On instance 1 the RPG I have set the URL to be https://<instance 2 IP>:8899/nifi/ with RAW protocol. I then imported the .p12 generated on each instance to the truststore of the other, using the keytool command keytool -v -importkeystore -srckeystore CN=Admin1_OU=DevOU.p12 -srcstoretype PKCS12 -destkeystore truststore.jks -deststoretype JKS I now have an error on the RPG as follows: I'm pretty sure the issue is authentication. My thinking is that the truststore of instance 1 needs the private key of instance 2 imported and vice versa. I had thought if I imported the .p12 files this would do the trick but it has failed. I thought about the tutorial by Bryan and added users on both instances "CN=Admin1, OU=DevOU", "CN=Admin2, OU=DevOU" and even the one in the tutorial "CN=localhost, OU=NIFI" and gave each user policies for the site to site retrieval and added the users to the port policies too, but the error remains. I've tried different combination of RAW and HTTPS in the S2S properties but they don't seem to help. If I can get any further guidance, that would be appreciated. Thank you ... View more

Hi I have just had a go at the tutorial but there's a few aspects that is confusing me. The toolkit will generate nifi.property files for the two instances but their S2S properties are as follows: # Site to Site properties instance 1 nifi.remote.input.host=localhost nifi.remote.input.secure=true nifi.remote.input.socket.port=10443 nifi.remote.input.http.enabled=true ifi.remote.input.http.transaction.ttl=30 sec # Site to Site properties instance 2 nifi.remote.input.host=localhost nifi.remote.input.secure=true nifi.remote.input.socket.port=10444 nifi.remote.input.http.enabled=true nifi.remote.input.http.transaction.ttl=30 sec Would I be correct in saying if I set up an RPG on instance 2 to point to Instance 1, I'd have to set it up with https://<Instance 1 IP>:10443/nifi ? How does the instance know which user to use, to access the ports etc? if I set up more users with less privileges, how would the instance know which one to use? I am guessing that because the nifi.remote.input.secure is set to true, it is not possible to secure a RAW protocol? Thank you ... View more

Hi Andy thanks for the response, I'll try to adapt the Bryan's tutorial to my application and report back. His tutorial seems to be for two NiFi instances running on one machine. My application is two NiFis running on separate cloud machines. Not sure if it makes a big difference. In the meantime here's the errors I get on my RPG. It's interesting that it seems to be referencing the 5... IP address. That was used on an EC2 instance that I created an image from, and I created this instance from that image. Thank you ... View more