[
https://issues.apache.org/jira/browse/NIFI-7333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17081636#comment-17081636
]
Andy LoPresto commented on NIFI-7333:
-------------------------------------
Alex, you can mitigate this by adding the necessary public certificate(s) for
the OIDC server to the default Java Virtual Machine truststore (located at
{{$JAVA_HOME/jre/lib/security/cacerts}}). This will bypass the current
certificate validation issue. When this Jira is resolved, the certificate
handling will be performed using the NiFi keystore & truststore as with the
other service integrations.
> OIDC provider should use NiFi keystore & truststore
> ---------------------------------------------------
>
> Key: NIFI-7333
> URL: https://issues.apache.org/jira/browse/NIFI-7333
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core Framework, Security
> Affects Versions: 1.11.4
> Reporter: Andy LoPresto
> Priority: Major
> Labels: keystore, oidc, security, tls
>
> The OIDC provider uses generic HTTPS requests to the OIDC IdP, but does not
> configure these requests to use the NiFi keystore or truststore. Rather, it
> uses the default JVM keystore and truststore, which leads to difficulty
> debugging PKIX and other TLS negotiation errors. It should be switched to use
> the NiFi keystore and truststore as other NiFi framework services do.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
