Hi everyone, I am trying to secure communication between two NiFi-instances (V1.7.1) on my local PC. (In the end from minifi to nifi on cloud) I am using the tls-toolkit and was able to get it to work with domain names (localhost, PC-Name). However it doesn't work with IP adresses. The Remote Process Group has for example the following exception for "https://172.18.61.254:12443/nifi": javax.net.ssl.SSLPeerUnverifiedException: Certificate for <172.18.61.254> doesn't match any of the subject alternative names: [172.18.61.254] Additional SANs to localhost or PC-name did not help. Is secure communication over IP impossible to do in general? Since we wanted to use RPGs to get through an industrial firewall (which works with static IPs), dependency for a DNS is not prefered. Kind regards, Frank --Update-- Maybe the question isn't clear enough, so I will try to add additional information: Since the comments are invisible by default, I will upload the screenshot again which highlights the error. For a quick test case (on Windows): - Download NiFi and TLS-Toolkit - Unzip NiFi to two different folders (client, server) - Unzip TLS-Toolkit - Create the files: - tls-toolkit.bat standalone -B "password1" -c myFirm -C "CN=myFirm, L=SomePlace, ST=SomePlace2, O=yeah, OU=what, C=US, EMAILADDRESS=myemail@mail.com" -d 1095 -K "password2" -n localhost,PC-Name -P "password3" -S "password4" -o ../output - Import the pk12-file from the tls-toolkit into your browser (password is the -B parameter) - Copy the results from localhost and "PC-Name" to your corresponding nifi-conf-folder - Add the C-parameter to "conf/authorizers.xml" between the >< for "Initial Admin Identity" and "Initial User Identity 1 - Change the ports in nifi.properties to avoid port conflicts between server and client - Start instances - Access Web-UI - Give your initial admin some rights to access the components (the key-symbol in the "Operate"-panel) - Create user "CN=localhost, OU=NIFI" on server - Create global access policy to receive site-to-site-details and add the new user - Create input and output ports on server - Click on them and add access rights for your new user (manage access policies -> receive/send data via site-to-site -> create -> add user) - Create Remote Process Group on Client (Web-UI-address of server, change protocol to http) - Add simple flow on client (Generate Flow File, UpdateAttribute, ..) You now have a working secure site-to-site configuration. Now on how to receive the errors: - Create new files with TLS-toolkit - tls-toolkit.bat standalone -d 1095 -K "password2" -n 127.0.0.1,externalIP -P "password3" -S "password4" --subjectAlternativeNames addSomeStuff,seperatedByComma -o ../output - Update server and client (you might have to delete authorizations.xml and user.xml) or unzip new instances - Create flow and configure the RPG to use the external IP - Get errors 😕 ... View more

Hi folks, I cannot send data from my local pc to a remote process group on an azure vm (Ubuntu 18.04) and back. Both nifi instances are unsecured. I try to send with http. The local nifi-rpg sees the remote input and output ports and it is able to visualize their current states (Running, Stopped). However I am unable to send data from or to the rpg. I assume the fault lies withing the localhost property of the vm. Setting it to the public ip or domain name will result in a crash of nifi. Setting it to the internal ip does not change the behaviour of the rpg. Sadly I cannot ping the public IP address from within the VM and I do not see a way for port forwarding. Does someone know how to enable remote process groups on an azure linux vm? It seems more like an azure than a nifi issue, but the lack of messages I find online tells me that I am missing something simple. Should it usually work with setting the localhost to the public (or strangely private) ip? Should an azure vm usually be able to ping it's own public ip? Is it common for nifi to fail in startup if the localhost property is set to an unreachable ip? Greetings Frank ... View more