[
https://issues.apache.org/jira/browse/NIFI-2193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15405185#comment-15405185
]
ASF GitHub Bot commented on NIFI-2193:
--------------------------------------
Github user brosander commented on a diff in the pull request:
https://github.com/apache/nifi/pull/695#discussion_r73271149
--- Diff:
nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/BaseCertificateAuthorityCommandLine.java
---
@@ -0,0 +1,87 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.nifi.toolkit.tls.service;
+
+import org.apache.commons.cli.CommandLine;
+import org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine;
+import org.apache.nifi.toolkit.tls.commandLine.CommandLineParseException;
+import org.apache.nifi.toolkit.tls.commandLine.ExitCode;
+import org.apache.nifi.toolkit.tls.configuration.TlsConfig;
+import org.apache.nifi.util.StringUtils;
+
+import java.io.File;
+
+public class BaseCertificateAuthorityCommandLine extends BaseCommandLine {
+ public static final String TOKEN_ARG = "token";
+ public static final String CONFIG_JSON_ARG = "configJson";
+ public static final String USE_CONFIG_JSON_ARG = "useConfigJson";
+ public static final String PORT_ARG = "PORT";
+
+ public static final String DEFAULT_CONFIG_JSON = new
File("config.json").getAbsolutePath();
+
+ private String token;
+ private String configJson;
+ private boolean onlyUseConfigJson;
+ private int port;
+ private String dn;
+
+ public BaseCertificateAuthorityCommandLine(String header) {
+ super(header);
+ addOptionWithArg("t", TOKEN_ARG, "The token to use to prevent MITM
(required and must be same as one used by CA)");
+ addOptionWithArg("f", CONFIG_JSON_ARG, "The place to write
configuration info", DEFAULT_CONFIG_JSON);
+ addOptionNoArg("F", USE_CONFIG_JSON_ARG, "Flag specifying that all
configuration is read from " + CONFIG_JSON_ARG + " to facilitate automated use
(otherwise "
+ + CONFIG_JSON_ARG + " will only be written to.");
+ addOptionWithArg("p", PORT_ARG, "The port to use to communicate
with the Certificate Authority", TlsConfig.DEFAULT_PORT);
+ addOptionWithArg("D", DN_ARG, "The dn to use for the certificate",
TlsConfig.calcDefaultDn(TlsConfig.DEFAULT_HOSTNAME));
+ }
+
+ @Override
+ protected CommandLine doParse(String[] args) throws
CommandLineParseException {
+ CommandLine commandLine = super.doParse(args);
+
+ token = commandLine.getOptionValue(TOKEN_ARG);
+ onlyUseConfigJson = commandLine.hasOption(USE_CONFIG_JSON_ARG);
+ if (StringUtils.isEmpty(token) && !onlyUseConfigJson) {
+ printUsageAndThrow(TOKEN_ARG + " argument must not be empty
unless " + USE_CONFIG_JSON_ARG + " set", ExitCode.ERROR_TOKEN_ARG_EMPTY);
+ }
+ configJson = commandLine.getOptionValue(CONFIG_JSON_ARG,
DEFAULT_CONFIG_JSON);
+ port = getIntValue(commandLine, PORT_ARG, TlsConfig.DEFAULT_PORT);
+ dn = commandLine.getOptionValue(DN_ARG,
TlsConfig.calcDefaultDn(getCertificateAuthorityHostname()));
--- End diff --
Usage:
The dn to use for the CA certificate (default: CN=localhost,OU=NIFI)
is there an implication that you can specify just a hostname for DN?
Trying to clarify by changing default to say CA_HOSTNAME and HOSTNAME for
CA and client respectively, this shouldn't be mandatory
> Command Line Keystore and Truststore utility
> --------------------------------------------
>
> Key: NIFI-2193
> URL: https://issues.apache.org/jira/browse/NIFI-2193
> Project: Apache NiFi
> Issue Type: New Feature
> Reporter: Bryan Rosander
> Assignee: Bryan Rosander
>
> In order to facilitate secure setup of NiFi, it would be useful to have a
> command line utility capable of generating the required keystores,
> truststore, and relevant configuration files.
> It should be able to generate keystores for each NiFi node, a truststore that
> they all use, and relevant passwords and configuration files for using the
> keystores and truststore.
> Additionally, in order to support distributed deployment, a web based
> certificate authority with corresponding client will allow for each NiFi
> instance to generate its own keypair and then request signing by the CA.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
