Member since 11-01-2021 | 4 Posts | 0 Kudos Received | 0 Solutions
01-03-2022 11:43 PM

I was trying to set up a NiFi cluster, version 1.15.1, using NiFi-toolkit certificates in server/client mode with two nodes on two different AWS EC2 instances, using nifi.security.user.authorizer=managed-authorizer instead of the default single-user-authorizer and commenting out the Single User Authorizer definition from login-identity-providers.xml, but NiFi fails to start on both nodes and throws the following exception in the nifi-app.log:

org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration': Unsatisfied dependency expressed through method 'setFilterChainProxySecurityConfigurer' parameter 1; nested exception is org.springframework.beans.factory.BeanExpressionException: Expression parsing failed; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.apache.nifi.web.NiFiWebApiSecurityConfiguration': Unsatisfied dependency expressed through method 'setJwtAuthenticationProvider' parameter 0

Exactly the same configuration works fine on NiFi version 1.13.2.
Labels: Apache NiFi
11-11-2021 05:41 AM

Hi @MattWho, sorry for the delayed response as I was off work for the last few days. Thanks for sharing the keytool command to check all the details you had asked me to check in your first response. Below are the findings after running the command for the keystore and truststore configured in NiFi:

For NiFi's keystore (configured in the nifi.properties file), make sure the following are correct:
1. The keystore contains 1 and only 1 PrivateKeyEntry. --> That's true.
2. Make sure the PrivateKeyEntry ExtendedKeyUsage (EKU) contains clientAuth and serverAuth. --> That's true.
3. Make sure that the PrivateKeyEntry contains a SAN entry that matches the hostname of the host where NiFi is running. --> That's true.

For the user certificate loaded in the browser being used to authenticate with this NiFi:
1. Verify the certificate issuer. Is it an intermediate CA or the root CA? --> We have one issuing CA and another root CA. We combined them to form one certificate and then followed the steps in the NiFi documentation.
2. Verify that NiFi's truststore.jks (configured in the nifi.properties file) contains a TrustedCertEntry for the complete trust chain that goes with your certificate and the certificate found in the keystore.jks. A complete trust chain means that the truststore has the public keys for the issuer of each of the above certificates and, if that issuer is an intermediate CA, you also have the public certificate for the CA that signed that intermediate CA in the truststore. You'll know you have reached the root CA when the TrustedCertEntry has the same DN for both owner and issuer. --> NiFi's truststore contains a TrustedCertEntry, and the TrustedCertEntry has the same DN for both owner and issuer.

I cleared the browser cache and site cookies but still have the same issue. I even tried the "thisisunsafe" trick in Chrome, but it reloads the page with the same issue.

Thanks,
Sandip
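As an added example, not code from this thread or from the NiFi project: a small Python checker that applies the three keystore checks quoted in the post above to the text that `keytool -list -v -keystore <keystore>` prints. The keytool output and the hostname embedded below are constructed samples, and the parser relies only on the "Entry type", "ExtendedKeyUsages" and "SubjectAlternativeName" lines keytool emits for each entry.

```python
import re

# Constructed sample of `keytool -list -v` output (not from the thread), trimmed
# to the lines the three keystore checks rely on.
SAMPLE_KEYTOOL_OUTPUT = """\
Alias name: nifi-key
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=nifi-node1.example.internal, OU=NIFI
Issuer: CN=Issuing CA, O=Example Corp
ExtendedKeyUsages [
  clientAuth
  serverAuth
]
SubjectAlternativeName [
  DNSName: nifi-node1.example.internal
]
"""


def parse_entries(output):
    """Map each alias to its entry text; keytool prints one 'Alias name:' per entry."""
    entries = {}
    for block in re.split(r"(?m)^Alias name: ", output)[1:]:
        alias, _, body = block.partition("\n")
        entries[alias.strip()] = body
    return entries


def private_key_aliases(output):
    return [a for a, b in parse_entries(output).items() if "Entry type: PrivateKeyEntry" in b]


def extension_lines(entry_text, name):
    # Lines inside "<name> [ ... ]"; the first match belongs to Certificate[1], the entry's own cert.
    m = re.search(re.escape(name) + r" \[(.*?)\]", entry_text, re.S)
    return [ln.strip() for ln in m.group(1).splitlines() if ln.strip()] if m else []


def check_nifi_keystore(output, hostname):
    """Apply the three checks from the post; return (ok, list of findings)."""
    aliases = private_key_aliases(output)
    if len(aliases) != 1:  # check 1: exactly one PrivateKeyEntry
        return False, [f"expected exactly 1 PrivateKeyEntry, found {len(aliases)}"]
    entry = parse_entries(output)[aliases[0]]
    findings = []
    missing = {"clientAuth", "serverAuth"} - set(extension_lines(entry, "ExtendedKeyUsages"))
    if missing:  # check 2: EKU must carry both clientAuth and serverAuth
        findings.append(f"PrivateKeyEntry EKU lacks {sorted(missing)}")
    sans = [ln.split(":", 1)[1].strip() for ln in extension_lines(entry, "SubjectAlternativeName")
            if ln.startswith("DNSName:")]
    if hostname not in sans:  # check 3: a SAN DNSName must match the node's hostname
        findings.append(f"no SAN DNSName matches host {hostname}")
    return not findings, findings
```

Run it with the real output piped in (for example `keytool -list -v -keystore keystore.jks | python3 -c '...'`) and the hostname NiFi is bound to; any finding points at which of the three checks fails.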
11-05-2021 03:40 AM

Hi Matt, thank you very much for the detailed response. As I don't have much knowledge about these security configurations, I have set the keystore and truststore passwords to be the same and without the hostname. Would you be able to provide a reference to the lines in the nifi.properties file which refer to the three things you mentioned in your response?

For NiFi's keystore (configured in the nifi.properties file), make sure the following are correct:
1. The keystore contains 1 and only 1 PrivateKeyEntry.
2. Make sure the PrivateKeyEntry ExtendedKeyUsage (EKU) contains clientAuth and serverAuth.
3. Make sure that the PrivateKeyEntry contains a SAN entry that matches the hostname of the host where NiFi is running.

Kind regards,
Sandip
11-01-2021 04:08 AM

Hi, I was able to set up a secure NiFi cluster with two nodes on two different AWS EC2 Linux instances using the certificates generated by the NiFi toolkit, but I am not able to secure it with company-provided certificates. I followed this article - https://nifi.apache.org/docs/nifi-docs/html/walkthroughs.html#securing-nifi-with-provided-certificates - and was able to execute all steps on one of the nodes, then tried to access the UI after shutting down the other node, but I still get the error below:

<server name> didn't accept your login certificate, or a login certificate may not have been provided. ERR_BAD_SSL_CLIENT_AUTH_CERT

Can you please suggest what can be done to address this issue, or point me to a walkthrough article other than the link I mentioned above where an enterprise-provided certificate has been deployed successfully?
Labels: Apache NiFi