[ 
https://issues.apache.org/jira/browse/NIFI-2943?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15606076#comment-15606076
 ] 

Andy LoPresto commented on NIFI-2943:
-------------------------------------

Thanks for the research, [[email protected]]. My feelings are that we 
should aim to be as cross-compatible as possible, so to that end:

* The TLS toolkit should not export truststores as PKCS12, even if the keystore 
type is specified as such (can print a log {{INFO}} message explaining this 
during toolkit execution). 
* NiFi should detect if the provided truststore type is PKCS12, and explicitly 
use BouncyCastle to load the truststore. It should print a log {{WARN}} message 
indicating that PKCS12 truststores are deprecated and JKS is preferred. 
* If BouncyCastle is not available on the system (we have bigger problems) or 
loading the truststore with BouncyCastle fails, it should print a log {{ERROR}} 
message indicating that the provided truststore could not be loaded and {{0}} 
trusted certificate authorities are available. Client certificate 
authentication and TLS mutual authentication to other servers will fail, and we 
will need a quick way to detect this issue during debug. 

The documentation for both the toolkit and NiFi Admin Guide security 
configuration section should be updated with this information. 

> tls-toolkit pkcs12 truststore 0 entries
> ---------------------------------------
>
>                 Key: NIFI-2943
>                 URL: https://issues.apache.org/jira/browse/NIFI-2943
>             Project: Apache NiFi
>          Issue Type: Bug
>            Reporter: Bryan Rosander
>            Assignee: Bryan Rosander
>            Priority: Minor
>
> When pkcs12 is used by the tls-toolkit, the resulting truststore has no 
> entries when inspected by the keytool and the tls-toolkit certificate 
> authority certificate is not trusted by NiFi.
> This seems to be due to the Java pkcs12 provider not supporting certificate 
> entries:
> http://stackoverflow.com/questions/3614239/pkcs12-java-keystore-from-ca-and-user-certificate-in-java#answer-3614405
> The Bouncy Castle provider does seem to support certificates but we may not 
> want to explicitly use that provider from within NiFi.
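The truststore loading path proposed in the comment above (BouncyCastle for PKCS12 with a WARN, a default-provider load otherwise, and an ERROR when 0 trusted certificate authorities result), written out as an added Java example that is not part of the ticket or of NiFi's or the toolkit's code; it assumes the BouncyCastle provider jar is on the classpath and takes the truststore path, type and password as constructed command-line arguments.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Security;
import java.util.Collections;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
public class TrustStoreCheck {
    private static final Logger LOG = Logger.getLogger(TrustStoreCheck.class.getName());
    // Loads the truststore as the comment proposes: BouncyCastle for PKCS12 (with a WARN), the default
    // provider otherwise, and an ERROR if the loaded store trusts no certificate authority at all.
    static KeyStore loadTrustStore(Path path, String type, char[] password) {
        try {
            KeyStore ks;
            if ("PKCS12".equalsIgnoreCase(type)) {
                LOG.warning("PKCS12 truststores are deprecated, JKS is preferred; loading " + path + " with BouncyCastle");
                if (Security.getProvider("BC") == null) Security.addProvider(new BouncyCastleProvider());
                ks = KeyStore.getInstance("PKCS12", "BC");
            } else {
                ks = KeyStore.getInstance(type);
            }
            try (InputStream in = Files.newInputStream(path)) {
                ks.load(in, password);
            }
            int trusted = countTrustedCertificates(ks);
            if (trusted == 0) {
                LOG.severe("Truststore " + path + " contains 0 trusted certificate authorities; client certificate and TLS mutual authentication will fail");
            } else {
                LOG.info("Truststore " + path + " provides " + trusted + " trusted certificate authorities");
            }
            return ks;
        } catch (Exception e) { // missing BC provider or any load failure: report it as 0 trusted CAs
            LOG.log(Level.SEVERE, "Truststore " + path + " could not be loaded; 0 trusted certificate authorities are available", e);
            return null;
        }
    }
    // Counts trustedCertEntry aliases, the same view "keytool -list" gives of the store.
    static int countTrustedCertificates(KeyStore ks) throws KeyStoreException {
        int n = 0;
        for (String alias : Collections.list(ks.aliases())) if (ks.isCertificateEntry(alias)) n++;
        return n;
    }
    public static void main(String[] args) { // constructed CLI wrapper: <path> <type> <password>
        loadTrustStore(Paths.get(args[0]), args[1], args[2].toCharArray());
    }
}
```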

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)