Ferenc Gerlits created MINIFICPP-1422:
-----------------------------------------
Summary: MiNiFi should be able to get certs from the OpenSSL truststore on Linux
Key: MINIFICPP-1422
URL: https://issues.apache.org/jira/browse/MINIFICPP-1422
Project: Apache NiFi MiNiFi C++
Issue Type: New Feature
Reporter: Ferenc Gerlits
Minifi is able to read the server and client certificates necessary to connect
to the C2 server from the Windows truststore (MINIFICPP-1401), but this does
not work on Linux.
On Linux, the natural way would be to use OpenSSL's own truststore.
The server certificate works, to some degree: if {{server-cert.pem}} is the
server certificate, then you can install it like this:
{noformat}
$ cd ${OPENSSL_CACERT_DIR}
$ cp /path/to/server-cert.pem ./
$ CERTIFICATE_HASH=`openssl x509 -noout -hash -in server-cert.pem`
$ ln -s server-cert.pem ${CERTIFICATE_HASH}.0
$ chmod 755 ${OPENSSL_CACERT_DIR}
$ chmod 600 ${OPENSSL_CACERT_DIR}/server-cert.pem
{noformat}
After this, if you unset {{nifi.security.client.ca.certificate}} and set
{{nifi.security.use.system.cert.store=true}}, then Minifi will read the server
certificate from {{OPENSSL_CACERT_DIR}}.
But the default {{OPENSSL_CACERT_DIR}} depends on where Minifi was compiled,
e.g. it could be
{{/home/myuser/src/minifi/build/thirdparty/libressl-install/etc/ssl/certs}},
which is not nice. The default location should be changed to something more
sensible, and there needs to be a way to override it.
I don't know how to add the client certificate + key to the OpenSSL truststore,
so that will need to be investigated.
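The hashed-directory install described in this issue, written out as an added shell example that is not part of the issue or of MiNiFi's own code. It assumes the openssl CLI is on PATH and takes the truststore directory as an explicit argument (the "way to override it" the issue asks for) instead of a build-time default; it also handles the case the manual steps do not, where a {{<hash>.0}} entry already exists.

```shell
#!/bin/sh
# Example: install a PEM certificate into an OpenSSL hashed CA directory (CApath layout).
# Assumptions (this example's own, not MiNiFi's): openssl CLI on PATH, CApath passed explicitly.
set -eu

# Subject hash of a PEM cert: the file name prefix OpenSSL looks up in a CApath directory.
# (-subject_hash is the same as the -hash used in the issue; OpenSSL < 1.0 used a different
# algorithm, available as -subject_hash_old.)
cert_subject_hash() {
    openssl x509 -noout -subject_hash -in "$1"
}

# True if two PEM files hold the same certificate (compared by SHA-256 fingerprint).
same_cert() {
    [ "$(openssl x509 -noout -fingerprint -sha256 -in "$1")" = \
      "$(openssl x509 -noout -fingerprint -sha256 -in "$2")" ]
}

# install_ca_cert <cert.pem> <capath-dir>
# Copies the cert into the directory and creates the <hash>.<n> symlink OpenSSL expects.
# Re-installing the same cert is a no-op; a different cert with the same subject hash
# (e.g. a renewed cert with the same subject) gets the next free suffix instead of
# overwriting the existing link. Prints the symlink path.
install_ca_cert() {
    cert="$1"
    capath="$2"
    name=$(basename "$cert")
    mkdir -p "$capath"
    chmod 755 "$capath"
    cp "$cert" "$capath/$name"
    chmod 644 "$capath/$name"   # trust anchors are public; the MiNiFi process user must read them
    hash=$(cert_subject_hash "$capath/$name")
    n=0
    while [ -e "$capath/$hash.$n" ]; do
        if same_cert "$capath/$hash.$n" "$capath/$name"; then
            printf '%s\n' "$capath/$hash.$n"   # already installed under this name
            return 0
        fi
        n=$((n + 1))
    done
    ln -s "$name" "$capath/$hash.$n"
    printf '%s\n' "$capath/$hash.$n"
}

# verify_with_capath <cert.pem> <capath-dir>
# Succeeds only if OpenSSL can build a trusted chain for the cert from the hashed directory,
# i.e. the same lookup the client does when use.system.cert.store points at this CApath.
verify_with_capath() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}
```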
--
This message was sent by Atlassian Jira (v8.3.4#803005)