Cloudera Community
zachary_atkinso
user rank
Contributor
My Accepted Solutions
Show All

Re: Signed SSL for ListenHTTP

by Contributor in Support Questions
‎08-15-2018 09:20 PM
‎08-15-2018 09:20 PM
Andy\Amarnath, My question was initially why my expected outcome was not working and why this other format did work. Along the way, I believe my question was answered, assuming my understanding is correct. I did't want to dive to deep as I thought it may be outside the scope of my initial post. Since the conversation has gone that way tho, Andy is correct. I did not understand the difference between 1-way SSL and 2-way SSL. Using 1-way SSL (keystore only) all HTTPS connections are accepted regardless if the source is who we are expecting or not. Using 2-way SSL only HTTPS connections are accepted but now we must verify who the source is by authenticating with a private key & server certificate that can be authenticated by my truststore. My use case for this knowledge, is we are promoting projects between our Dev & Prod clusters. I wanted to ensure we had the correct security in place to proceed. The developers are wanting 1-way SSL but I lacked the knowledge at the time to make it work and only had 2-way. They were upset because this required more data to be sent via REST protocol using 2-way. Now that I understand each protocol, I will not allow to them proceed to Production with their architecture without 2-way SSL. Originally, I was simply ignorant of how to setup 1-way SSL, without understanding the security hole it would make. Thank you both for your time and effort in reviewing this concept. ... View more

Re: Signed SSL for ListenHTTP

by Contributor in Support Questions
‎08-15-2018 06:58 PM
1 Kudo
‎08-15-2018 06:58 PM
1 Kudo
@amarnath reddy pappu I kept playing with this issue and found a solution. For my SSL SecurityContext service, I was setting both truststore and keystore. For my need I only want to accept HTTPS data and deny HTTP data. Additionally, I do not care where it comes from in this context. If I leave off the truststore it will work. However, now anyone can send data to my endpoint. Definitely a plus and minus situation but now the understanding is there and I know how to proceed as the need arises. ... View more

Re: Signed SSL for ListenHTTP

by Contributor in Support Questions
‎08-15-2018 05:14 PM
‎08-15-2018 05:14 PM
@amarnath reddy pappu, thank you for your reply. I agree that seems to be the logical path. What I see appears to differ from what the system is allowing. Attempting to perform this action fails. See the image below with verbose output. Any idea to explain this behavior? ... View more

Signed SSL for ListenHTTP

by Contributor in Support Questions
‎08-15-2018 04:27 PM
1 Kudo
‎08-15-2018 04:27 PM
1 Kudo
Hey guys, I am running a NiFi cluster with signed SSLs. I am trying to secure ListenHTTP processor using a secureContext service but I ran into some issues. Hopefully the community can show me the error of my ways. ListenHTTP setup: Non-secured works. I can post data with: curl -X POST --data 'Hello World!' URL:PORT/PATH Secured processor: Once the processor has been secured the only way I can send data to it is to include the certificate and privatekey. Otherwise, the POST will fail. A working curl would look like this for me. curl -X POST --data 'Hello World! SSL Worked!' 'https:HOST:PORT/PATH' --cert ./meyCert --key ./PrivateKey This functionality was not expected. Generally speaking, I expected to be able to send data to ListenHTTP using HTTPS without needing to include a certificate or privatekey. Is my configuration incorrect or is this functionality expected after securing ListenHTTP? NiFi Signed SSL Certificate Configuration I am including this as I think it may be part of the issue. To secure my NiFi cluster with signed SSL certs I requested signed certs from digicert. I combined my privatekey & server certificate into a single file. I then imported this file into a keystore. Next, combined my intermediate & root certificate into a single file, in this same order. I then imported the combined intermediate & root file into a truststore. This method successfully secured our NiFi in a clustered configuration. ... View more
Labels:

NiFi UnknowHostException in Cluster

by Contributor in Support Questions
‎04-11-2018 04:50 PM
‎04-11-2018 04:50 PM
Our group is experiencing issues in our Dev cluster (5 servers). The attached error has started kicking users out of the UI and we are having trouble identifying the underlying issue. Any help is appreciated. Symptoms: Server is working fine. After a couple hours this error ("javax.ws.rs.ProcessingException: java.net.UnknownHostException: (Hostname)") starts kicking users out of the webUI. Thanks ... View more
Labels:

Re: Solr, Adding a Javaagent

by Contributor in Support Questions
‎01-11-2018 06:40 PM
‎01-11-2018 06:40 PM
Hey Kevin, I have tried this syntax. It allows SOLR to load but it does not kick off the agent. I added my line to the JAVA_MEM variable in ambari and that seems to work. This issue is solved for me. Thank you for taking the time to comment. # Increase Java Min/Max Heap as needed to support your indexing / query needs SOLR_JAVA_MEM="-Xms{{solr_min_mem}}m -Xmx{{solr_max_mem}}m \ -javaagent:/data/solr_jmx_exporter/jmx_prometheus_javaagent-0.10.jar=7500:/data/solr_jmx_exporter/solr_jmx_exporter.yml \ " ... View more

Solr, Adding a Javaagent

by Contributor in Support Questions
‎01-11-2018 05:11 PM
‎01-11-2018 05:11 PM
Hi, Probably a simple question. I am attempting to run a javaagent in the form of the jmx metrics exporter to prometheus jar file. I can kick off the java agent manually on each server but it would be preferred if I could add the command to the Solr Env file so Ambari manages start/stop of it with Solr. Here is the working syntax I use when starting Solr not managed by Ambari. I am not sure where to add this on Solr's Ambari configuration as I have not been successful in getting it to work yet. -a "-javaagent:/incubate/solr_jmx/solr-7.1.0/jmx/jmx_prometheus_javaagent-0.1.0.jar=7500:/incubate/solr_jmx/solr-7.1.0/jmx/config.yml" Any help is appreciated! ... View more
Labels:

Re: Broken Pipes in NiFi

by Contributor in Support Questions
‎10-05-2017 04:50 PM
1 Kudo
‎10-05-2017 04:50 PM
1 Kudo
Not sure if this is considered a fix...but in my situation I think NiFi was accessing files on the script I called to quickly on the Linux box. There was no issue with output files data being incorrect so I just turned off errors on the ExecuteStreamCommand processor. Running without issue as far as I can tell. ... View more

Re: Broken Pipes in NiFi

by Contributor in Support Questions
‎10-05-2017 04:21 PM
1 Kudo
‎10-05-2017 04:21 PM
1 Kudo
I am having this same issue on ExecuteStreamCommand. Do you have recommendation on how to fix it? ... View more

ListHDFS - Hadoop User Login, Non-Kerberos

by Contributor in Support Questions
‎09-21-2017 05:28 PM
‎09-21-2017 05:28 PM
Hello, I am attempting to setup ListHDFS processor on our NiFi servers to pull back a file list from a directory in our Hadoop file system. I have configured the processor to include the following files stored on the NiFi servers: core-site.xml, hbase-site.xml, hdfs-site.xml Running the processor in debug mode I receive the information included in the picture. The processor appears to be trying to use the Linux user (nifi) running NiFi to access our Hadoop servers. Is there a different way to specify a user to login from the processor decides Kerberos? Thanks ... View more
Labels:
Contact Me
Online
Offline
Last Visited
‎10-29-2018 08:31 PM
Community Statistics
Member Since ‎08-25-2017 05:25 PM
Last Visited ‎10-29-2018 08:31 PM
Posts 15
Kudos received 4