[jira] [Commented] (NIFI-11536) nifi.security.autoreload.enabled is broken since v1.17.0

Mon, 10 Jul 2023 09:10:23 -0700 


    [ 
https://issues.apache.org/jira/browse/NIFI-11536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17741678#comment-17741678
 ] 

ASF subversion and git services commented on NIFI-11536:
--------------------------------------------------------

Commit 3649ade3c74eb88828cb59c7c8923acc7eb27f34 in nifi's branch 
refs/heads/support/nifi-1.x from Emilio Setiadarma
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=3649ade3c7 ]

NIFI-11536 Corrected Keystore and Truststore auto-reloading

- Replaced Jetty KeyStoreScanner and custom TrustStoreScanner with shared 
StoreScanner
- New StoreScanner uses TLS Configuration to reload SSLContext instead of 
relying on Jetty SslContextFactory properties

This closes #7446

Signed-off-by: David Handermann <[email protected]>
(cherry picked from commit a85ef2c1f49780be93b49ec6cb077a61c8cc063e)


> nifi.security.autoreload.enabled is broken since v1.17.0
> --------------------------------------------------------
>
>                 Key: NIFI-11536
>                 URL: https://issues.apache.org/jira/browse/NIFI-11536
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 1.17.0, 1.18.0, 1.19.0, 1.20.0
>         Environment: standalone
>            Reporter: Tan Luu
>            Assignee: Emilio Setiadarma
>            Priority: Major
>              Labels: critical
>          Time Spent: 1.5h
>  Remaining Estimate: 0h
>
> NiFi standalone with nifi.security.autoreload.enabled=true does not reload 
> TLS keystore after upgrade from 1.16.3 to 1.17.0 onward.
> Steps to reproduce:
> 1/ Generate truststore and 2 keystores for nifi standalone using nifi 
> toolkit. Two keystores should be generated at least 5 minutes apart from each 
> other since we use the certificate start time to verify if the new cert is 
> loaded later
> e.g.
> bin/tls-toolkit.sh standalone -n nifi.tmanet.com \
> --subjectAlternativeNames nifi.tmanet.com -P 
> TErbdTQutLvFVd3kunMcCL5/OG1K+t2l/Q1vSiJbJp8 \
> -S JaTxUVN+HK8+LyPCs9ruJXCiYq/zr1bYUxJBjEGnjpw
> 2/ Configure nifi standalone with generated truststore and one of the 
> keystore then start nifi (ensure nifi.security.autoreload.enabled=true in 
> your nifi.properties)
> 3/ Check the certificate start date return when calling nifi url e.g. 
> nifi.tmanet.com:9443
> curl -kv https://nifi.tmanet.com:9443 2>&1 | /bin/grep start
> 4/ Replace keystore.jks by another keystore generated above and wait for 
> nifi.security.autoreload.interval (default 10s) and recheck the nifi 
> certificate by 
> curl -kv https://nifi.tmanet.com:9443 2>&1 | /bin/grep start



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to