Member since 01-22-2020 | 29 Posts | 0 Kudos Received | 1 Solution

My Accepted Solutions
| Title | Views | Posted |
|---|---|---|
|  | 21259 | 02-03-2020 08:08 PM |
10-22-2020
11:18 AM
Thanks, Tim. My whole idea is that developers should be able to replay the message from the provenance for at least 5 days as per the requirements. I'm assuming the only solution is to bump up the provenance storage to achieve replay capability. Please let me know your thoughts!
10-22-2020
10:56 AM
Hi Tim, are you recommending to roll NiFi provenance? Could you provide more pointers?
10-22-2020
09:32 AM
@TimothySpann thanks for the update. I restarted the cluster 2 weeks back after making changes, but still the provenance repo is piling up. Surprised to see that huge disk being filled by provenance.
10-22-2020
09:14 AM
HDF 3.4.1 NiFi 1.9 - NiFi Provenance Repository filling disk 500GB

I have a requirement to retain provenance for 5 days and made the necessary changes, but provenance is retained for hardly 2 days and less.

- content_repo - 500GB, utilization 10%
- Provenance_repo - 500GB, utilization 98%
- flowfile_repo - 500GB, utilization 10%

Below are the configs. @MattWho @TimothySpann please advise.

Labels: Apache NiFi
08-04-2020
09:41 PM
@sunile_manjee I have generated certs for both cluster NiFi and NiFi Registry using the command below. Do I need to add the JKS from cluster A NiFi to cluster B Registry?

```sh
sh /usr/hdf/current/nifi-toolkit/bin/tls-toolkit.sh standalone \
  -B myTokenTouse \
  -C 'CN=nifiadmin, OU=NIFI' \
  -n 'nifi-pb-amb-01.its-streaming,nifi-pb-nifi-01.its-streaming,nifi-pb-nifi-02.its-streaming,nifi-pb-nifi-03.its-streaming,nifi-pb-nreg-01.its-streaming' \
  --nifiDnPrefix 'CN=' --nifiDnSuffix ', OU=NIFI' \
  -o /data/nifi_certs/ \
  -K myTokenTouse -P myTokenTouse -S myTokenTouse
```
08-04-2020
02:44 PM
Thanks @sunile_manjee. Cluster A NiFi & Registry are managed by Ranger and working well, hence I added the cluster B NiFi node cert to cluster A Ranger user and then added it to the Registry policy.

Cluster B NiFi user logs:

```
2020-08-04 21:40:37,824 INFO [NiFi Web Server-333] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for divya
2020-08-04 21:40:37,833 INFO [NiFi Web Server-333] o.a.n.w.a.config.NiFiCoreExceptionMapper org.apache.nifi.web.NiFiCoreException: Unable to obtain listing of buckets: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors. Returning Conflict response.
```

NiFi GUI exception:

Any advice?
08-04-2020
09:52 AM
Hello all, I have HDF 3.4 cluster A with NiFi and NiFi Registry integrated, and cluster B with NiFi. Both are TLS/SSL secured. Now I'm trying to use the cluster A NiFi Registry for NiFi running on cluster B. I am noticing the below error when trying to version a flow from cluster B NiFi integrated with the cluster A registry. I have added the cluster B NiFi node cert to the registry users list but still get the same error.

`CN=its-nifi-node-dev-nifipoc1-01, OU=NIFI`

@alim @MattWho @sunile_manjee please advise.

Labels: Apache NiFi, NiFi Registry
02-18-2020
07:36 PM
@MattWho really appreciate you for educating me on this. Thanks!
02-03-2020
08:08 PM
Hi @MattWho, one last question. Since I have generated certs as per hostnames with proper CN & SAN, to configure the truststore, do I need to merge the truststore.jks generated for both the hosts, or can I use one truststore for both hosts?

```sh
sh /opt/nifi-toolkit-1.9.2/bin/tls-toolkit.sh standalone \
  -B mypasswd \
  -C 'CN=nifiadmin, OU=NIFI' \
  -n 'ip-10-175-12x-xx.abc.com,ip-10-175-12x-xxx.abc.com' \
  --nifiDnPrefix 'CN=' --nifiDnSuffix ', OU=NIFI' \
  -o /tmp/certs_divya/ \
  -K mypasswd -P mypasswd -S mypasswd
```

```
-rw-------. 1 root root 3437 Feb 3 04:46 CN=nifiadmin_OU=NIFI.p12
-rw-------. 1 root root 29 Feb 3 04:46 CN=nifiadmin_OU=NIFI.password
drwx------. 2 root root 71 Feb 3 04:46 ip-10-175-12x-xxx.abc.com
drwx------. 2 root root 71 Feb 3 04:46 ip-10-175-12x-xxx.abc.com
-rw-------. 1 root root 1200 Feb 3 04:46 nifi-cert.pem
-rw-------. 1 root root 1675 Feb 3 04:46 nifi-key.key
```
02-02-2020
09:05 PM
Thanks, @MattWho, for helping me on this; it really helped for learning this stuff. I am now working on using the queries you shared to harden the security.

```sh
sh /opt/nifi-toolkit-1.9.2/bin/tls-toolkit.sh standalone \
  -B mypasswd \
  -C 'CN=nifiadmin, OU=NIFI' \
  -n 'ip-10-175-12x-xx.abc.com,ip-10-175-12x-xxx.abc.com' \
  --nifiDnPrefix 'CN=' --nifiDnSuffix ', OU=NIFI' \
  -o /tmp/certs_divya/ \
  -K mypasswd -P mypasswd -S mypasswd
```

```
-rw-------. 1 root root 3437 Feb 3 04:46 CN=nifiadmin_OU=NIFI.p12
-rw-------. 1 root root 29 Feb 3 04:46 CN=nifiadmin_OU=NIFI.password
drwx------. 2 root root 71 Feb 3 04:46 ip-10-175-12x-xxx.abc.com
drwx------. 2 root root 71 Feb 3 04:46 ip-10-175-12x-xxx.abc.com
-rw-------. 1 root root 1200 Feb 3 04:46 nifi-cert.pem
-rw-------. 1 root root 1675 Feb 3 04:46 nifi-key.key
```

Quick question:

1) Validate keystore of 1 host: I am seeing two certs in a keystore as below, but the issuer is localhost whereas CN is a hostname. Is this correct?
2) Can I use one truststore from any host and copy it to the others, or do I still need to merge the truststores?

```
Certificate[1]:
Owner: CN=ip-10-175-12x-xxx.abc.com, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Certificate[2]:
Owner: CN=localhost, OU=NIFI
Issuer: CN=localhost, OU=NIFI
```

```
keytool -list -v -keystore keystore.jks
Enter keystore password:
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: nifi-key
Creation date: Feb 3, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=ip-10-175-12x-xxx.abc.com, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: 170095f43a400000000
Valid from: Mon Feb 03 04:46:43 UTC 2020 until: Thu Feb 02 04:46:43 UTC 2023
Certificate fingerprints:
  MD5: B0:FC:09:D3:A3:40:67:AD:38:EC:30:56:A6:CB:53:89
  SHA1: A1:0E:F9:AC:20:B7:9A:AF:D2:C1:B2:DB:1B:80:3F:3C:01:1C:80:3F
  SHA256: 8F:18:EC:DD:2D:DC:B9:70:32:07:6B:60:66:7E:21:E5:66:6A:79:FF:65:5E:66:DD:D0:16:F8:C0:8F:87:03:3A
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A4 D7 F2 A6 D0 76 CF 42 9E 78 D0 78 20 DF 63 7B .....v.B.x.x .c.
0010: FA E8 F2 BC ....
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  clientAuth
  serverAuth
]

#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_Encipherment
  Data_Encipherment
  Key_Agreement
]

#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: ip-10-175-124-182.ucsd.edu
]

#6: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 32 1C 2E 86 0C CA 3A E9 1A B8 FD 8E B0 F7 D5 52 2.....:........R
0010: A9 25 EB 74 .%.t
]
]

Certificate[2]:
Owner: CN=localhost, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: 170095f420d00000000
Valid from: Mon Feb 03 04:46:42 UTC 2020 until: Thu Feb 02 04:46:42 UTC 2023
Certificate fingerprints:
  MD5: 8A:13:63:54:E7:E7:E3:E6:FC:16:9E:3B:D0:9D:41:58
  SHA1: F5:D0:31:33:5C:AD:9A:39:B5:BF:33:6D:5E:52:A4:F0:5F:99:4C:10
  SHA256: 70:1A:ED:41:B7:9C:51:62:B5:26:42:A0:31:9D:D7:04:79:78:FF:9B:89:26:DF:74:24:62:EF:EF:85:4C:E1:E5
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A4 D7 F2 A6 D0 76 CF 42 9E 78 D0 78 20 DF 63 7B .....v.B.x.x .c.
0010: FA E8 F2 BC ....
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  clientAuth
  serverAuth
]

#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_Encipherment
  Data_Encipherment
  Key_Agreement
  Key_CertSign
  Crl_Sign
]

#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A4 D7 F2 A6 D0 76 CF 42 9E 78 D0 78 20 DF 63 7B .....v.B.x.x .c.
0010: FA E8 F2 BC ....
]
]

*******************************************
*******************************************

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12"
```
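A way to check the keystore and truststore questions raised in the post above, as an added example that is not part of the original posts or of NiFi's own tooling: it parses `keytool -list -v` text, confirms that each certificate names the next one as its issuer, that the last one is a self-signed CA, and that its SHA-256 fingerprint is among those read from the truststore. The fingerprint is compared as well as the names because two separately generated CAs can share a subject such as `CN=localhost`; the sample text, host name, fingerprints and function names are constructed for illustration.

```python
import re

# Constructed sample in `keytool -list -v` layout; host and fingerprints are placeholders.
SAMPLE = """\
Certificate[1]:
Owner: CN=node1.example.test, OU=NIFI
Issuer: CN=localhost, OU=NIFI
  SHA256: AA:00:00:01
BasicConstraints:[
  CA:false
]
Certificate[2]:
Owner: CN=localhost, OU=NIFI
Issuer: CN=localhost, OU=NIFI
  SHA256: BB:00:00:01
BasicConstraints:[
  CA:true
]
"""

def parse_chain(text):
    """Return one dict per Certificate[n] block: owner, issuer, sha256, ca."""
    chain = []
    for block in re.split(r"Certificate\[\d+\]:", text)[1:]:
        def field(pattern):
            m = re.search(pattern, block, re.M)
            return m.group(1).strip() if m else None
        chain.append({
            "owner": field(r"^Owner:\s*(.+)$"),
            "issuer": field(r"^Issuer:\s*(.+)$"),
            "sha256": field(r"SHA256:\s*([0-9A-Fa-f:]+)"),
            "ca": field(r"\bCA:(true|false)") == "true",
        })
    return chain

def check_chain(chain, trusted_sha256):
    """Textual checks only (no signature verification); returns a list of problems."""
    if not chain:
        return ["no certificates parsed"]
    problems = []
    for cert, parent in zip(chain, chain[1:]):
        if cert["issuer"] != parent["owner"]:
            problems.append(f"{cert['owner']}: issuer is not the next certificate")
    root = chain[-1]
    if root["owner"] != root["issuer"] or not root["ca"]:
        problems.append("last certificate is not a self-signed CA")
    if root["sha256"] not in trusted_sha256:
        problems.append("root fingerprint is not in the truststore")
    return problems
```

Pass `check_chain` the set of SHA-256 fingerprints listed by `keytool -list -v` for the truststore of the side that has to accept the certificate.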