[ https://issues.apache.org/jira/browse/NIFI-2974?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15626222#comment-15626222 ]

Andy LoPresto commented on NIFI-2974:
-------------------------------------

That's a fair point. I was ambivalent about this feature, as revealed by 
marking it Trivial and my weasel words "could be auto-populated". I understand 
TLS setup is not a familiar or well-explained process to many users. The 
keystore file will only be different when someone has manually generated a 
keystore, and in that scenario, I think it is fair to expect they will know the 
location. For any TLS use in a processor (e.g. connecting to an external HTTPS 
resource via {{GetHTTP}}, etc.), the truststore should either be 
{{$NIFI_HOME/conf/truststore.jks}} for communicating with other internal 
servers (other NiFi instances or organizational resources signed by the same 
CA) or {{$JAVA_HOME/jre/lib/security/cacerts}} for using the default JRE 
truststore to validate publicly available certificates. There is an existing 
ticket [NIFI-1477] to possibly import the contents of {{cacerts}} to the local 
truststore by default, but this would have unintended side effects for user 
authentication via client certificates. The truststores used for external 
connections and user authentication must be separated for this to be 
successful. 

For the keystore value, it is very unlikely to be any other file. The keystore 
containing the server certificate and private key identifying this NiFi node is 
the logical identifier of the application for almost every possible connection 
and use, and a non-standard solution would almost exclusively be used by 
advanced users who should be very familiar with the process. Using a 
{{ListenHTTP}} with the NiFi server certificate or {{InvokeHTTP}} with TLS 
mutual authentication (in which the NiFi instance provides its certificate as a 
client certificate), even to communicate with non-NiFi resources, would both 
use the default {{keystore.jks}} successfully. 

> Populate default values in SSLContextService creation dialog
> ------------------------------------------------------------
>
>                 Key: NIFI-2974
>                 URL: https://issues.apache.org/jira/browse/NIFI-2974
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core UI
>    Affects Versions: 1.0.0
>            Reporter: Andy LoPresto
>            Priority: Trivial
>              Labels: beginner, tls, ui
>   Original Estimate: 2h
>  Remaining Estimate: 2h
>
> When users create a {{SSLContextService}}, some common default values could 
> be auto-populated:
> * {{Keystore location}} - {{$NIFI_HOME/conf/keystore.jks}}
> * {{Keystore Type}} - {{JKS}}
> * {{Truststore location}} - {{$NIFI_HOME/conf/truststore.jks}}
> * {{Truststore Type}} - {{JKS}}
> These are the default values when using the TLS Toolkit and safe defaults for 
> manual generation as well. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)