[ https://issues.apache.org/jira/browse/NIFI-7333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17081642#comment-17081642 ]

Alex Resnick commented on NIFI-7333:
------------------------------------

I am using the NiFi Docker image within Kubernetes and tried updating the 
truststore at /usr/local/openjdk-8/lib/security/cacerts, but since the Docker 
image runs as a non-root user I didn't have the permissions.  However, I did 
some hackiness using init containers to copy the cacerts file to a directory 
where the nifi user had privs to write to the file and then mounted the file 
into the final container using Kubernetes volumeMounts.  Definitely more 
complicated than it needs to be, so I will be happy once this is resolved.

> OIDC provider should use NiFi keystore & truststore
> ---------------------------------------------------
>
>                 Key: NIFI-7333
>                 URL: https://issues.apache.org/jira/browse/NIFI-7333
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core Framework, Security
>    Affects Versions: 1.11.4
>            Reporter: Andy LoPresto
>            Priority: Major
>              Labels: keystore, oidc, security, tls
>
> The OIDC provider uses generic HTTPS requests to the OIDC IdP, but does not 
> configure these requests to use the NiFi keystore or truststore. Rather, it 
> uses the default JVM keystore and truststore, which leads to difficulty 
> debugging PKIX and other TLS negotiation errors. It should be switched to use 
> the NiFi keystore and truststore as other NiFi framework services do. 
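The init-container workaround described in the comment above, written out as an added Kubernetes Pod manifest (this is not code from the Jira thread or from the NiFi project). Assumptions: the official apache/nifi image (the tag is a placeholder), the IdP's CA certificate is supplied in a ConfigMap named idp-ca under the key idp-ca.pem, and the JDK cacerts file still has its default password "changeit". The init container copies the read-only JDK cacerts into a writable emptyDir, imports the CA there, and the main container mounts the result back over the JDK path with subPath so only that one file is replaced.

```yaml
# Added example: init container builds a writable copy of the JDK cacerts
# and the NiFi container mounts it over /usr/local/openjdk-8/lib/security/cacerts.
apiVersion: v1
kind: Pod
metadata:
  name: nifi
spec:
  volumes:
    - name: idp-ca
      configMap:
        name: idp-ca          # assumed ConfigMap holding the IdP CA as idp-ca.pem
    - name: cacerts
      emptyDir: {}            # writable scratch volume shared by both containers
  initContainers:
    - name: import-idp-ca
      image: apache/nifi:1.11.4   # placeholder tag; use the same image as the main container
      command: ["/bin/sh", "-c"]
      args:
        - |
          set -e
          # copy the read-only JDK truststore to a location the nifi user can write
          cp /usr/local/openjdk-8/lib/security/cacerts /work/cacerts
          # add the IdP CA to the copy (cacerts default password assumed)
          keytool -importcert -noprompt \
            -keystore /work/cacerts -storepass changeit \
            -alias idp-ca -file /ca/idp-ca.pem
          # fail the init container if the alias did not land in the copy
          keytool -list -keystore /work/cacerts -storepass changeit -alias idp-ca
      volumeMounts:
        - name: idp-ca
          mountPath: /ca
          readOnly: true
        - name: cacerts
          mountPath: /work
  containers:
    - name: nifi
      image: apache/nifi:1.11.4   # placeholder tag
      volumeMounts:
        - name: cacerts
          mountPath: /usr/local/openjdk-8/lib/security/cacerts
          subPath: cacerts        # overlay only the cacerts file, not the whole directory
```

Because this replaces the JVM-wide default truststore, the added CA becomes trusted by every outbound TLS connection the JVM makes that falls back to the default trust anchors, not just the OIDC requests; that is the same coupling the issue itself points at, and the intended fix is for the OIDC provider to use the NiFi truststore instead.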



--
This message was sent by Atlassian Jira
(v8.3.4#803005)