[
https://issues.apache.org/jira/browse/NIFI-5459?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Paul Grey resolved NIFI-5459.
-----------------------------
Resolution: Won't Do
In a recent mailing list discussion [1], a consensus discussion was made to
deprecate the module "nifi-toolkit-tls". A set of tickets [2] [3] [4] was
opened and resolved to carry out this work.
In order to complete this effort, any open tickets in the NIFI project relating
to defects, enhancements, etc of "nifi-toolkit-tls" should be marked resolved.
[1] https://lists.apache.org/thread/vn1nzobtz4fh7fs461sgg8jj9zygrk0f
[2] NIFI-12169 - Documentation updates to provide alternatives to usage of TLS
Toolkit
[3] NIFI-12200 - Remove nifi-toolkit-tls module
[4] NIFI-12201 - Deprecation markings for nifi-toolkit-tls module in
support/nifi-1.x
> Integrate TLS Toolkit with external CA / certificate providers
> --------------------------------------------------------------
>
> Key: NIFI-5459
> URL: https://issues.apache.org/jira/browse/NIFI-5459
> Project: Apache NiFi
> Issue Type: New Feature
> Components: Extensions, Security, Tools and Build
> Affects Versions: 1.7.1
> Reporter: Andy LoPresto
> Assignee: Andy LoPresto
> Priority: Major
> Labels: certificate, security, tls, tls-toolkit
>
> The TLS toolkit was designed to be a sandbox-level assistant for deployments
> which did not have access to a security team / dedicated certificate provider
> to replace manual generation of certificates with complicated {{openssl}} and
> {{keytool}} commands. It has grown to be depended on by many users, as well
> as Apache Ambari deployments.
> Because of these uses, it should be made more robust, including integration
> with external certificate providers. Multiple commercial certificate
> providers have APIs for automating the submission of CSRs and requesting
> issuance of signed certificates. In the *standalone* or *client*/*server*
> model, the toolkit should be able to define an external certificate provider,
> and if the proper "definition" (API mapping) is available, use provided
> credentials to request and receive a signed certificate. There should be an
> intermediate mapping between a "toolkit-standard communication method" and
> the communication with the external provider, so that the toolkit requestor
> (*standalone*/*client*) does not need to change; either the *server* maps the
> standard request to a specific provider, or the *standalone* component uses
> the pluggable mapping to do the same.
> Only two definitions should be required to mark this ticket as complete:
> * the internal NiFi provider (map toolkit commands to internal {{openssl}}
> generation commands)
> * an external provider (suggest
> [letsencrypt.org|https://letsencrypt.org/how-it-works/] as it is free,
> non-profit, and domain validation (DV) is automated)
> Additional definitions can be provided as follow-on tickets independent of
> this ticket. If internal organization/enterprise certificate providers are
> needed, they can follow the well-defined extension point which should result
> from this effort.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
