11-14-2018 04:40 PM
Hi Daniel — I’m currently going through the same setup but it doesn’t seem to be working for me. I’ve done everything you’ve mentioned apart from adding the username and password into the username/password boxes, but NiFi is complaining that it cannot find a user… If I add a user into the box it complains that it cannot find a password. The reason I do not want to add a username and password is because my understanding was that by using Kerberos you could instead just use tickets/keytabs to authenticate on the underlying OS… Am I wrong?
11-08-2018 06:28 PM
Hi Matt,

Thank you for taking the time to reply/help. Certificate chains look ok to me.

On the NiFi nodes, when I output the keystore information I get the following under ExtendedKeyUsage:

```
ExtendedKeyUsages [ serverAuth ]
```

On the NiFi nodes, when I output the truststore information I get the following for the root and intermediate CAs under Entry type:

```
Entry type: trustedCertEntry
```

On the NiFi Registry node, when I output the truststore information I get the following for the root and intermediate CAs under Entry type:

```
Entry type: trustedCertEntry
```

I have set up NiFi Registry to allow users to log in using LDAP (including group sync) and have set up a composite-configurable-user-group-provider:

```xml
<userGroupProvider>
    <identifier>composite-configurable-user-group-provider</identifier>
    <class>org.apache.nifi.registry.security.authorization.CompositeUserGroupProvider</class>
    <property name="User Group Provider 1">file-user-group-provider</property>
    <property name="User Group Provider 2">ldap-user-group-provider</property>
</userGroupProvider>
```

So that I have the ability to add the NiFi nodes under the file-user-group-provider:

```xml
<userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
    <property name="Users File">./conf/users.xml</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Initial User Identity 1">###hidden full dn###</property>
    <property name="Initial User Identity 2">###hidden full dn###</property>
    <property name="Initial User Identity 3">###hidden full dn###</property>
</userGroupProvider>
```

And within NiFi I have granted each node all permissions.
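An added example, not part of the post above: a check over `keytool -list -v` output that flags key entries whose leaf certificate carries an ExtendedKeyUsage extension without `clientAuth`. It assumes the NiFi nodes present their keystore certificate as a TLS client certificate when calling NiFi Registry, in which case an EKU limited to `serverAuth` is rejected during the handshake. The sample output, aliases and DNs are constructed.

```python
import re

# Constructed sample shaped like `keytool -list -v` output; aliases and DNs are made up.
SAMPLE = """\
Alias name: nifi-node1
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=nifi-node1.example.internal, OU=NiFi
#1: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
]
Certificate[2]:
Owner: CN=Example Intermediate CA
Alias name: nifi-node2
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=nifi-node2.example.internal, OU=NiFi
#1: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]
Alias name: root-ca
Entry type: trustedCertEntry
"""

def leaf_eku(entry):
    """Return the leaf certificate's EKU set, or None if it has no EKU extension."""
    leaf = entry.split("Certificate[2]:", 1)[0]  # ignore CA certs further up the chain
    m = re.search(r"ExtendedKeyUsages \[(.*?)\]", leaf, re.S)
    return set(m.group(1).split()) if m else None

def missing_client_auth(keytool_output):
    """Aliases of PrivateKeyEntry items whose leaf EKU is present but lacks clientAuth."""
    flagged = []
    for entry in re.split(r"(?m)^(?=Alias name:)", keytool_output):
        alias = re.search(r"^Alias name:\s*(.+)$", entry, re.M)
        if not alias or "Entry type: PrivateKeyEntry" not in entry:
            continue  # trustedCertEntry items are CA certs, not node identities
        eku = leaf_eku(entry)
        # A certificate with no EKU extension is not restricted to listed purposes.
        if eku is not None and "clientAuth" not in eku:
            flagged.append(alias.group(1).strip())
    return flagged

if __name__ == "__main__":
    for name in missing_client_auth(SAMPLE):
        print(f"{name}: EKU lacks clientAuth, unusable as a TLS client certificate")
```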
11-08-2018 01:18 PM
I'm currently having the same issue and need some help if possible...

I have generated all certs using our internal CA (not the tls-toolkit) and have been working with NiFi successfully now for a few weeks. We are only now looking at integrating NiFi Registry and have run into some issues.

I have:

- Added all certs into relevant truststores
- Added the nodes into initial users in authorizers.xml on Registry and given them full permissions
- Added the users that we are logging in as on NiFi to NiFi registry and given them full permissions
- Created a bucket and added the users/nodes

I'm getting the following error messages:

```
Unable to obtain listing of buckets: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
```

or

```
Unable to obtain listing of buckets: java.net.SocketException: Broken pipe (Write failed)
```