Member since: 01-22-2020
Posts: 29
Kudos Received: 0
Solutions: 1

My Accepted Solutions

| Title | Views | Posted |
|---|---|---|
| | 21277 | 02-03-2020 08:08 PM |
01-30-2020 06:04 AM

@MattWho just want to let you know, I have generated certs using the command below. I believe in this case there is no need to merge the truststore, as it will be the same for all localhost[1-3].

```
sh tls-toolkit.sh standalone -n 'localhost(3)' -C 'CN=NifiAdmin, OU=ApacheNIfi' -o /opt/nifi-toolkit-1.9.2/certs/ssl
```

I'm still not sure why it is complaining about the TLS SSL handshake:

```
An unexpected error has occurred
home
javax.net.ssl.SSLPeerUnverifiedException: Hostname ip-10-175-124-250.xxx.com not verified:
certificate: sha256/paSWoCMWrMfMuhIjqgLJlyF5clz1RGvEHTDuwhHKeZo=
DN: CN=localhost, OU=NIFI
subjectAltNames: [localhost]
```

authorizers.xml, same for all 3 nodes:

```xml
<authorizer>
    <identifier>file-provider</identifier>
    <class>org.apache.nifi.authorization.FileAuthorizer</class>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Users File">./conf/users.xml</property>
    <property name="Initial Admin Identity">CN=NifiAdmin, OU=ApacheNIfi</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Node Identity 1">CN=localhost, OU=NIFI</property>
</authorizer>
```

users.xml:

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identifier="c22273fa-7ed3-38a9-8994-3ed5fea5d234" identity="CN=localhost, OU=NIFI"/>
        <user identifier="5e87a461-6268-359c-97ba-b27d32bc2b86" identity="CN=NifiAdmin, OU=ApacheNIfi"/>
    </users>
</tenants>
```

Appreciate if you can help.

```
An unexpected error has occurred
home
javax.net.ssl.SSLPeerUnverifiedException: Hostname ip-10-175-124-250.ucsd.edu not verified:
certificate: sha256/paSWoCMWrMfMuhIjqgLJlyF5clz1RGvEHTDuwhHKeZo=
DN: CN=localhost, OU=NIFI
subjectAltNames: [localhost]
```
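The error in the post above names a hostname that does not appear in the certificate's `subjectAltNames` list. As an added example (not from the post, and not the verifier NiFi itself runs), this is a simplified RFC 6125-style matcher applied to the values in that error; the function names are illustrative.

```python
import ipaddress

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match; '*' is honoured only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False
    if p[0] == "*":
        # A wildcard covers exactly one label and needs at least two fixed labels.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def verify_hostname(hostname, dns_sans, ip_sans=()):
    """True when the name the client connected to is covered by the SAN entries."""
    try:
        addr = ipaddress.ip_address(hostname)
    except ValueError:
        return any(dns_name_matches(s, hostname) for s in dns_sans)
    # IP literals are compared only with iPAddress SAN entries, never dNSName ones.
    return any(ipaddress.ip_address(s) == addr for s in ip_sans)

def explain(hostname, dns_sans, ip_sans=()):
    """One-line verdict suitable for a pre-deployment check."""
    ok = verify_hostname(hostname, dns_sans, ip_sans)
    sans = list(dns_sans) + list(ip_sans)
    return f"{hostname}: {'verified' if ok else 'NOT verified'} against SANs {sans}"

# SAN list as reported in the error message in the post.
SANS_FROM_POST = ["localhost"]

if __name__ == "__main__":
    for name in ("localhost", "ip-10-175-124-250.xxx.com", "10.175.124.250"):
        print(explain(name, SANS_FROM_POST))
```

Only `localhost` verifies against this certificate; a node addressed by its real hostname or IP address fails the check, whatever the truststore contains.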
01-29-2020 08:41 PM

@MattWho I am on nifi 1.9.2 and the nifi.property file is updated:

```
nifi.security.user.authorizer=file-provider

# security properties #
nifi.sensitive.props.key=
nifi.sensitive.props.key.protected=
nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
nifi.sensitive.props.provider=BC
nifi.sensitive.props.additional.keys=

nifi.security.keystore=./conf/keystore.jks
nifi.security.keystoreType=jks
nifi.security.keystorePasswd=xxxx
nifi.security.keyPasswd=xxxx
nifi.security.truststore=./conf/truststore.jks
nifi.security.truststoreType=jks
nifi.security.truststorePasswd=xxxx
nifi.security.needClientAuth=true
#nifi.security.user.authorizer=managed-authorizer
nifi.security.user.authorizer=file-provider
#nifi.security.user.login.identity.provider=ldap-provider
```

The latest error is:

```
An unexpected error has occurred .
HOME
javax.net.ssl.SSLPeerUnverifiedException: Hostname ip-10-175-xxx-xxx.abc.com not verified:
certificate: sha256/sYgF90RpxFPzPnZJD0jMl0jB/dwS/OgHWxTZ1Ba9TPs=
DN: CN=localhost, OU=NIFI
subjectAltNames: [localhost]
```

```
2020-01-30 05:35:03,465 INFO [NiFi Web Server-422441] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos ticket login not supported by this NiFi.. Returning Conflict response.
2020-01-30 05:35:03,662 INFO [NiFi Web Server-377545] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: OpenId Connect is not configured.. Returning Conflict response.
2020-01-30 05:35:03,766 INFO [NiFi Web Server-422441] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=NifiAdmin, OU=ApacheNIfi) GET https://localhost:9696/nifi-api/flow/current-user (source ip: 10.175.xxx.xxx)
2020-01-30 05:35:03,768 INFO [NiFi Web Server-422441] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=NifiAdmin, OU=ApacheNIfi
```

```
An unexpected error has occurred
home
javax.net.ssl.SSLPeerUnverifiedException: Hostname ip-10-175-124-250.ucsd.edu not verified:
certificate: sha256/sYgF90RpxFPzPnZJD0jMl0jB/dwS/OgHWxTZ1Ba9TPs=
DN: CN=localhost, OU=NIFI
subjectAltNames: [localhost]
```
01-29-2020 07:54 PM

users.xml and authorizations.xml

I even see `<user identifier="5e87a461-6268-359c-97ba-b27d32bc2b86" identity="CN=NifiAdmin, OU=ApacheNIfi"/>` is having policies in the authorizations.xml file.

cat authorizations.xml

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
    <policies>
        <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
            <user identifier="5e87a461-6268-359c-97ba-b27d32bc2b86"/>
        </policy>
        <policy identifier="0c88c9dc-6b8c-3146-841a-491a43f4bb5e" resource="/data/process-groups/e5866460-016f-1000-642a-23196f1563d1" action="R">
            <user identifier="5e87a461-6268-359c-97ba-b27d32bc2b86"/>
            <user identifier="c22273fa-7ed3-38a9-8994-3ed5fea5d234"/>
        </policy>
        <policy identifier="b47dc88e-58b2-34c3-a232-4def8d5cfac9" resource="/data/process-groups/e5866460-016f-1000-642a-23196f1563d1" action="W">
            <user identifier="5e87a461-6268-359c-97ba-b27d32bc2b86"/>
            <user identifier="c22273fa-7ed3-38a9-8994-3ed5fea5d234"/>
        </policy>
        <policy identifier="6e975e1b-0e66-304e-b749-2d0d83b2b2b7" resource="/process-groups/e5866460-016f-1000-642a-23196f1563d1" action="R">
            <user identifier="5e87a461-6268-359c-97ba-b27d32bc2b86"/>
        </policy>
        <policy identifier="ed129295-2501-3536-9280-616f7bbf8a5b" resource="/process-groups/e5866460-016f-1000-642a-23196f1563d1" action="W">
            <user identifier="5e87a461-6268-359c-97ba-b27d32bc2b86"/>
        </policy>
        <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515" resource="/restricted-components" action="W">
            <user identifier="5e87a461-6268-359c-97ba-b27d32bc2b86"/>
        </policy>
        <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" resource="/tenants" action="R">
            <user identifier="5e87a461-6268-359c-97ba-b27d32bc2b86"/>
        </policy>
        <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" resource="/tenants" action="W">
            <user identifier="5e87a461-6268-359c-97ba-b27d32bc2b86"/>
        </policy>
        <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" resource="/policies" action="R">
            <user identifier="5e87a461-6268-359c-97ba-b27d32bc2b86"/>
        </policy>
        <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" resource="/policies" action="W">
            <user identifier="5e87a461-6268-359c-97ba-b27d32bc2b86"/>
        </policy>
        <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" resource="/controller" action="R">
            <user identifier="5e87a461-6268-359c-97ba-b27d32bc2b86"/>
        </policy>
        <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" resource="/controller" action="W">
            <user identifier="5e87a461-6268-359c-97ba-b27d32bc2b86"/>
        </policy>
        <policy identifier="287edf48-da72-359b-8f61-da5d4c45a270" resource="/proxy" action="W">
            <user identifier="c22273fa-7ed3-38a9-8994-3ed5fea5d234"/>
        </policy>
    </policies>
</authorizations>
```

cat users.xml

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identifier="c22273fa-7ed3-38a9-8994-3ed5fea5d234" identity="CN=localhost, OU=NIFI"/>
        <user identifier="5e87a461-6268-359c-97ba-b27d32bc2b86" identity="CN=NifiAdmin, OU=ApacheNIfi"/>
    </users>
</tenants>
```
01-29-2020 05:43 PM

@MattWho still got the authorization issue [ No applicable policies could be found. Contact the system administrator. ]

Here is the cert prompt from the browser:

```
Issued to: CN=NifiAdmin,OU=ApacheNIfi
Serial number: 01:6F:E9:2D:9F:5C:00:00:00:00
Valid from January 27, 2020, 4:44:38 PM GMT-6 to January 26, 2023, 4:44:38 PM GMT-6
Key Usages: Signing,Non-repudiation,Key Encipherment,Data Encipherment,Key Agreement
Issued by: CN=localhost,OU=NIFI
Stored on: Software Security Devic
```

Tried from all nodes in the cluster, same error from all the nodes, but I have generated client cert 'CN=NifiAdmin, OU=ApacheNIfi_UCSD'.

```
sh tls-toolkit.sh standalone -n 'localhost(3)' -C 'CN=NifiAdmin, OU=ApacheNIfi' -o /opt/nifi-toolkit-1.9.2/certs/
```

```xml
<authorizer>
    <identifier>file-provider</identifier>
    <class>org.apache.nifi.authorization.FileAuthorizer</class>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Users File">./conf/users.xml</property>
    <property name="Initial Admin Identity">CN=NifiAdmin, OU=ApacheNIfi</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Node Identity 1">CN=localhost, OU=NIFI</property>
</authorizer>
```

users.log

```
2020-01-30 01:11:56,526 INFO [NiFi Web Server-36] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: OpenId Connect is not configured.. Returning Conflict response.
2020-01-30 01:11:56,633 INFO [NiFi Web Server-28] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=NifiAdmin, OU=ApacheNIfi) GET https://localhost:9696/nifi-api/flow/current-user (source ip: 10.175.124.142)
2020-01-30 01:11:56,633 INFO [NiFi Web Server-28] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=NifiAdmin, OU=ApacheNIfi
2020-01-30 01:11:56,635 INFO [NiFi Web Server-28] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=NifiAdmin, OU=ApacheNIfi], groups[] does not have permission to access the requested resource. No applicable policies could be found. Returning Forbidden response.
```

cat users.xml

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identifier="c22273fa-7ed3-38a9-8994-3ed5fea5d23" identity="CN=localhost, OU=NIFI"/>
        <user identifier="5e87a461-6268-359c-97ba-b27d32bc2b" identity="CN=NifiAdmin, OU=ApacheNIfi"/>
    </users>
</tenants>
```

I see the client cert generated is updated correctly in authorizers.xml, but still when I'm trying to log in, I'm getting an authorization error: No applicable policies could be found. Contact the system administrator.
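The log in the post above shows authentication succeeding and authorization then failing with "No applicable policies could be found". As an added example (not from the post and not NiFi code), this checker reads a `users.xml` and an `authorizations.xml` and reports whether an identity resolves to an identifier that a given policy lists. It assumes identities are compared as exact strings and that the `/nifi-api/flow/current-user` request in the log is governed by the `/flow` read policy; the sample files are constructed, trimmed from the ones shown in this thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed from the users.xml / authorizations.xml in this thread.
USERS_XML = """<tenants><groups/><users>
  <user identifier="c22273fa-7ed3-38a9-8994-3ed5fea5d234" identity="CN=localhost, OU=NIFI"/>
  <user identifier="5e87a461-6268-359c-97ba-b27d32bc2b86" identity="CN=NifiAdmin, OU=ApacheNIfi"/>
</users></tenants>"""
AUTHZ_XML = """<authorizations><policies>
  <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
    <user identifier="5e87a461-6268-359c-97ba-b27d32bc2b86"/>
  </policy>
  <policy identifier="287edf48-da72-359b-8f61-da5d4c45a270" resource="/proxy" action="W">
    <user identifier="c22273fa-7ed3-38a9-8994-3ed5fea5d234"/>
  </policy>
</policies></authorizations>"""
EMPTY_USERS = "<tenants><groups/><users/></tenants>"
EMPTY_AUTHZ = "<authorizations><policies/></authorizations>"

def _squash(dn):
    """Normalise a DN only to suggest near misses; never used to grant access."""
    return "".join(dn.split()).lower()

def load_users(users_xml):
    """Map identity string -> identifier."""
    return {u.get("identity"): u.get("identifier")
            for u in ET.fromstring(users_xml).iter("user")}

def load_policies(authz_xml):
    """Map (resource, action) -> set of user identifiers."""
    return {(p.get("resource"), p.get("action")): {u.get("identifier") for u in p.iter("user")}
            for p in ET.fromstring(authz_xml).iter("policy")}

def check_identity(identity, users_xml, authz_xml, resource="/flow", action="R"):
    """Return findings for one identity; an empty list means a policy applies."""
    users, policies = load_users(users_xml), load_policies(authz_xml)
    uid = users.get(identity)  # assumption: identities are compared as exact strings
    if uid is None:
        near = [i for i in users if _squash(i) == _squash(identity)]
        hint = f"; near match {near[0]!r}" if near else ""
        return [f"no user with identity {identity!r}{hint}"]
    if uid not in policies.get((resource, action), set()):
        return [f"identifier {uid} is not in policy {resource} {action}"]
    return []

if __name__ == "__main__":
    for dn in ("CN=NifiAdmin, OU=ApacheNIfi", "CN=NifiAdmin,OU=ApacheNIfi", "CN=localhost, OU=NIFI"):
        print(dn, "->", check_identity(dn, USERS_XML, AUTHZ_XML) or "ok")
    print(check_identity("CN=NifiAdmin, OU=ApacheNIfi", EMPTY_USERS, EMPTY_AUTHZ))
```

Run against the files on each node, an empty result for the admin DN means a `/flow` read policy exists for it there; any finding names the file and value to compare.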
01-29-2020 04:53 PM

@MattWho you are correct, I have uncommented the authorizers file-provider part now. This time it generated users.xml and authorizers.xml with content, but still the same authorization issue.

From the cert prompt:

```
Issued to: CN=NifiAdmin,OU=ApacheNIfi
```

authorizers config:

```xml
<property name="Initial Admin Identity">CN=NifiAdmin, OU=ApacheNIfi</property>
```

Seems I have added a space in the config file, let me correct it.
01-28-2020 03:06 PM

@MattWho I also noticed users.xml and authorizations.xml are empty.

cat users.xml

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users/>
</tenants>
```

cat authorizations.xml

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
    <policies/>
</authorizations>
```
01-28-2020 02:53 PM

Hi @MattWho, thanks for the response.

I have stopped nifi on all nodes, removed user.xml & authorizations.xml on all nodes, and started nifi back. Still the same message, though I have configured the CN user below as initial admin. Not sure why I am seeing this message; it should allow login using the cert, right? Do I need to add any policies for the admin user?

initial admin:

```xml
<property name="Initial Admin Identity">CN=NifiAdmin, OU=ApacheNIfi</property>
```

```
2020-01-28 22:41:02,927 INFO [NiFi Web Server-38] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=NifiAdmin, OU=ApacheNIfi) GET https://localhost:9696/nifi-api/flow/current-user (source ip: 10.175.124.142)
2020-01-28 22:41:02,927 INFO [NiFi Web Server-38] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=NifiAdmin, OU=ApacheNIfi
2020-01-28 22:41:02,929 INFO [NiFi Web Server-38] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=NifiAdmin, OU=ApacheNIfi, groups[] does not have permission to access the requested resource. No applicable policies could be found. Returning Forbidden response.
```
01-28-2020 12:17 PM

@MattWho for some reason I'm unable to execute the command below:

```
tls-toolkit.sh standalone -B password -C 'CN=nifiadmin, OU=NIFI' -n 'ldxxx001.xx.xx.com,ldxx002.xx.x.com’ --nifiDnPrefix 'CN=' --nifiDnSuffix ',OU=NIFI' -o /tmp/certs/ -K password -P password -S password
```

Seems like it is incomplete.
01-27-2020 07:04 PM

Hi @MattWho, thanks for your help, really appreciate it. I'm kind of doing a POC and thanks for helping me out. Here is where I stand currently:

POC only

-> generated certs standalone, will reuse the syntax shared by you for standardization

```
sh tls-toolkit.sh standalone -n 'localhost(3)' -C 'CN=NifiAdmin, OU=ApacheNIfi' -o /opt/nifi-toolkit-1.9.2/certs/ssl
```

-> copied keystore, truststore to corresponding hosts

-> updated nifi.properties on all hosts

-> updated authorizers on all hosts

```xml
<!--
<authorizer>
    <identifier>file-provider</identifier>
    <class>org.apache.nifi.authorization.FileAuthorizer</class>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Users File">./conf/users.xml</property>
    <property name="Initial Admin Identity">CN=NifiAdmin, OU=ApacheNIfi</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Node Identity 1">CN=localhost, OU=NIFI</property>
</authorizer>
```

issue: while trying to access the URL through the cert, I'm getting an error

```
Insufficient Permissions
home
No applicable policies could be found. Contact the system administrator.
```

-> users.xml or authorizations.xml is empty

-> I haven't merged the trust store as it was generated by localhost

```
Owner: CN=localhost, OU=NIFI
Issuer: CN=localhost, OU=NIFI
```

Please help me with what is missing here, why I'm seeing Insufficient Permissions, No applicable policies could be found. Contact the system administrator.
01-27-2020 10:34 AM

Thanks, @MattWho, for providing details. I am a little confused here on how to merge the trust store on all nodes, since I'm trying in standalone mode. Can you share details, please?