Hi Cannon,

Understanding the SSLContextService [1] interface and the StandardSSLContextService [2] implementation would be a good starting point for considering a custom implementation.

The most important interface method is createContext(), which returns an instance of javax.net.ssl.SSLContext [3] based on configured properties. The SSLContextService has other methods for returning configured values, but most components use the createContext() method. Certain components may use the createTlsConfiguration() method, or other methods to retrieve specific values. Those other methods could be problematic to implement when attempting to develop a service that is not based on files. Throwing an UnsupportedOperationException may be one option, which would result in runtime errors for components that do not use the standard createContext() method.

Interacting with HashiCorp Vault involves its own set of configuration options depending on how it is deployed, but understanding the file-based approach in the StandardSSLContextService should provide a helpful background.

Regards,
David Handermann

[1] https://github.com/apache/nifi/blob/main/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-service-api/src/main/java/org/apache/nifi/ssl/SSLContextService.java
[2] https://github.com/apache/nifi/blob/main/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/StandardSSLContextService.java
[3] https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLContext.html

On Tue, Jul 12, 2022 at 2:13 PM Cannon Palms <cpa...@influxdata.com> wrote:
> We need to serve up dynamic certificates to NiFi at runtime to enable
> connection to remote hosts via certificate-based TLS.
>
> My understanding is that the existing implementations of SSLContextService
> all require that the keystore/truststore be accessible through the
> filesystem.
>
> What might an implementation based on third-party providers (namely vault)
> look like? Can someone point me to any resources that might guide this
> implementation?
>
> Thanks,
> Cannon
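The in-memory construction David's reply points toward, as an added example that is not code from this thread or from NiFi: a plain Java helper that builds the javax.net.ssl.SSLContext a custom createContext() would return, from PEM strings instead of keystore files. The class name, parameters and the assumption that a Vault client (not shown) hands over a PKCS#8 key plus PEM certificate bundles are mine; it does not implement the SSLContextService interface itself, whose other file-oriented methods still need the treatment David describes.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Builds a javax.net.ssl.SSLContext from PEM strings held in memory; no keystore file is ever touched. */
public final class InMemorySslContextBuilder {
    // keyPem: PKCS#8 private key ("BEGIN PRIVATE KEY"); certChainPem: leaf first, then intermediates;
    // caPem: bundle of CAs to trust; keyAlgorithm: "RSA" or "EC". These are hypothetical inputs that a
    // Vault client (not shown) would fetch; ask the secrets source for PKCS#8 rather than PKCS#1 keys.
    public static SSLContext build(String keyPem, String certChainPem, String caPem, String keyAlgorithm)
            throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // generateCertificates() parses a concatenated PEM bundle and returns every certificate in it
        Certificate[] chain = cf.generateCertificates(
                new ByteArrayInputStream(certChainPem.getBytes(StandardCharsets.US_ASCII))).toArray(new Certificate[0]);
        // Only the key needs manual PEM handling: strip the armor lines, Base64-decode, wrap as PKCS#8
        String base64 = keyPem.replaceAll("-----[A-Z ]+-----", "").replaceAll("\\s", "");
        PrivateKey key = KeyFactory.getInstance(keyAlgorithm)
                .generatePrivate(new PKCS8EncodedKeySpec(Base64.getDecoder().decode(base64)));
        // Identity store: load(null, null) initialises an empty in-memory PKCS12 store
        char[] entryPassword = "in-memory-only".toCharArray(); // guards the heap entry, never written out
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        keyStore.load(null, null);
        keyStore.setKeyEntry("identity", key, entryPassword, chain);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, entryPassword);
        // Trust store: one certificate entry per CA in the bundle
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        trustStore.load(null, null);
        int i = 0;
        for (Certificate ca : cf.generateCertificates(
                new ByteArrayInputStream(caPem.getBytes(StandardCharsets.US_ASCII)))) {
            trustStore.setCertificateEntry("ca-" + i++, ca);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext context = SSLContext.getInstance("TLSv1.3"); // Java 8u261+ and 11+ support TLS 1.3
        context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return context;
    }
}
```

A service wrapping this should rebuild the context when the secrets source rotates the certificate, since an SSLContext captures the key material at init() time.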