Hi Nathan,

Please subscribe to the developers mailing list in order to receive further
replies. See the NiFi Mailing Lists page for details on subscribing:

https://nifi.apache.org/mailing_lists.html

Regarding the decryption problem described, either the Sensitive Properties
Key (nifi.sensitive.props.key) or the Sensitive Properties Algorithm
(nifi.sensitive.props.algorithm) in nifi.properties does not match the
value used when NiFi previously saved flow.xml.gz.

It is difficult to provide additional details given the custom
configuration described, but as a starting point, all NiFi nodes must have
the same value for both the Sensitive Properties Key and Sensitive
Properties Algorithm in the copy of nifi.properties. When
nifi.sensitive.props.key is empty and NiFi is configured to run in
standalone mode, NiFi will generate a random key on startup.  If you were
previously running NiFi 1.12.1 without a value for
nifi.sensitive.props.key, then you need to use either encrypt-config.sh or
nifi.sh set-sensitive-properties-key to set a new value.

Unless you used the encrypt-config.sh command, you need to retain the
previous algorithm value set in nifi.sensitive.props.algorithm.

The following post provides some additional background on sensitive
properties, as well as the changes introduced in NiFi 1.14.0:

https://exceptionfactory.com/posts/2021/07/29/deciphering-apache-nifi-component-property-encryption/

Regards,
David Handermann

On Wed, May 11, 2022 at 5:07 PM <nathan.a.velasquez....@nga.mil.invalid>
wrote:

> Classification: UNCLASSIFIED
> ======================================================
>
> Good afternoon,
>
> Our team is in the midst of a Nifi upgrade from 1.12.1 to 1.15.3 and we
> are encountering issues installing our 1.12.1 flow.xml.gz to 1.15.3 via
> cloud formation template.
>
> Our process of starting up Nifi is a bit different than what I've seen
> online, in that we have the Nifi 1.15.3 tar in S3 along with its
> corresponding /conf files and /lib folder holding our custom nar file. The
> cloud formation script pulls an install script from S3 that pulls and
> installs Nifi in an EC2 instance. Once installed, we sync the S3 folders
> holding our /conf and /lib files into the Nifi EC2's conf and lib folder,
> set ownership to local user nifi, and start Nifi.
>
> For the upgrade from 1.12.1 to 1.15.3, we have to account for the
> encryption update that was introduced in 1.14.0. What we did to mitigate
> the upgrade was decrypt the sensitive values in the 1.12.1 flow.xml.gz file
> w/ the old algorithm and key, and encrypt the same sensitive values using
> the new algorithm and key generated inside the nifi.properties file from a
> flow-less Nifi 1.15.3. Once we've set the sensitive values to the new
> algorithm, we place the newly modified flow.xml.gz into a new S3 bucket,
> copy over the conf files and lib nar into a new 1.15.3 bucket, and stand up
> a new cloud formation template pointing to the new location of the conf and
> lib files.
>
> While this worked on my local machine and in the dedicated developer test
> environment, we are having issues trying to apply the same logic in our
> staging environment. For some reason, we've noticed that when we pull the
> conf folder containing our new 1.15.3 flow, some or all encrypted sensitive
> values in flow.xml.gz were different from what we had set up prior to
> sending it up to S3, causing a [AES/GES/NoPadding] error right after it
> starts the flow controller in the nifi-app logs.
>
> We also had the approach of using an existing nifi.properties file w/ key,
> placing it into S3 and running the same encryption steps to set the
> flow.xml.gz to the current algorithm and while this worked locally, it also
> failed with the same decryption error.
>
> Looking online, the encrypt-config.sh approach did not work despite
> defining the correct parameters. We plan on utilizing templates tomorrow to
> see if that approach will work.
>
> Any assistance is much appreciated,
> - Nathan Velasquez
> ======================================================
> Classification: UNCLASSIFIED
>
>
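A preflight check for the mismatch David describes, added here as example code that is not part of the NiFi project or of this thread: it parses each node's copy of nifi.properties and reports an empty Sensitive Properties Key or a key or algorithm value that differs between nodes before flow.xml.gz is synced in. The node labels, file contents and the key value are constructed; the algorithm name is the NiFi 1.14+ default, used only as an illustrative value.

```python
"""Preflight check: every node's nifi.properties must agree on
nifi.sensitive.props.key and nifi.sensitive.props.algorithm, and the key
must not be empty, or NiFi cannot decrypt the existing flow.xml.gz."""
from typing import Dict, List

# The two properties the reply says must match on all nodes.
SENSITIVE_PROPS = ("nifi.sensitive.props.key", "nifi.sensitive.props.algorithm")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_sensitive_props(node_files: Dict[str, str]) -> List[str]:
    """Map of node label -> raw nifi.properties text. Returns findings;
    an empty list means the nodes are consistent."""
    findings: List[str] = []
    parsed = {node: parse_properties(text) for node, text in node_files.items()}
    for prop in SENSITIVE_PROPS:
        values = {node: p.get(prop, "") for node, p in parsed.items()}
        for node, value in values.items():
            if value == "":
                # Standalone NiFi would generate a random key on startup,
                # which cannot decrypt values saved with the previous key.
                findings.append(f"{node}: {prop} is empty")
        if len(set(values.values())) > 1:
            findings.append(f"{prop} differs across nodes: {values}")
    return findings


# Constructed sample copies of nifi.properties (not from any real deployment).
NODE_A = """# constructed sample
nifi.sensitive.props.key=constructed-example-key-value
nifi.sensitive.props.algorithm=NIFI_PBKDF2_AES_GCM_256
"""
NODE_B = """nifi.sensitive.props.key=
nifi.sensitive.props.algorithm=NIFI_PBKDF2_AES_GCM_256
"""

if __name__ == "__main__":
    for finding in check_sensitive_props({"node-a": NODE_A, "node-b": NODE_B}):
        print(finding)
```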