Re: UI is not opening after forming nifi 1.0.0 secure cluster in windows

2016-11-11 Thread Andy LoPresto
Manojkumar,

Is this the same issue as [1]? Running the OpenSSL command I provided will give 
a lot of feedback about why the socket connection is actually failing (or if 
it’s only failing in the browser rather than via command-line).

To extract the CA cert, client cert, and client private key from the keystore 
and truststore, depending on how you generated them, you can use the following 
commands:

Did you use the provided TLS Toolkit [2] to generate the CA cert, server cert, 
and client cert?

If you used the TLS Toolkit, as described in the Admin Guide and in the article 
you referenced, you should have a CA certificate (nifi-cert.pem) and private 
key (nifi-key.key) as well as a client certificate and private key 
(CN=_OU=Apache NiFi.p12), and individual keystore and 
truststore for each NiFi node in respectively named directories. In this case, 
you just need to export the client certificate and key from the PKCS12 keystore 
and use them as follows:

Extract client certificate from keystore:

# openssl pkcs12 writes PEM output, so the intermediate file is read with -inform pem
$ openssl pkcs12 -in "CN=_OU=Apache NiFi.p12" -out client.der -nodes
$ openssl x509 -inform pem -in client.der -out client.pem

Extract client private key from keystore:

$ openssl pkcs12 -in "CN=_OU=Apache NiFi.p12" -nodes -nocerts -out client.key

Run the original command:

$ openssl s_client -connect  -debug -state -cert client.pem -key client.key -CAfile nifi-cert.pem


Did you do this manually?

If you did this manually, it is likely you did not create a client certificate, 
in which case if you have no other authentication platform configured 
(Kerberos, LDAP), NiFi will demand a client certificate on every connection in 
order to authenticate the user. If no client cert is provided, the connection 
will fail. You can temporarily use the server certificate as a client 
certificate to verify this is the case, but this is not a permanent solution 
and is very unsafe.

Extract server cert from keystore (necessary to identify “client” on 
connection):

$ keytool -export -alias  -file nifi.der -keystore 
$ openssl x509 -inform der -in nifi.der -out nifi.pem

Extract server private key from keystore (necessary to authenticate “client” on 
connection):

$ keytool -importkeystore -srckeystore  -destkeystore keystore.p12 -deststoretype PKCS12
$ openssl pkcs12 -in keystore.p12 -nodes -nocerts -out nifi.key

Extract CA cert (likely the same as the server cert if you self-signed) from 
truststore (necessary to validate server certificate on connection):

$ keytool -export -alias  -file ca.der -keystore 
$ openssl x509 -inform der -in ca.der -out ca.pem

Then run the original command I provided:

$ openssl s_client -connect  -debug -state -cert nifi.pem -key nifi.key -CAfile ca.pem

[1] https://stackoverflow.com/questions/39659026/ui-not-opening-in-the-nifi-1-0-0-secure-cluster/39667772
[2] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#tls-generation-toolkit



Andy LoPresto
alopre...@apache.org
alopresto.apa...@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
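
A pre-flight check for the extraction steps in the message above, added here as an example and not part of the original thread or of NiFi: it builds a constructed CA and client PKCS12 keystore in a temp directory (the names demo-ca, demo-user and the password are assumptions), extracts the client certificate and key, and confirms that the certificate chains to the CA and that the key matches it before the files are passed to `openssl s_client`.

```shell
#!/bin/sh
# Added example: all files are constructed in a temp dir; demo-ca, demo-user
# and the password below are assumptions, not NiFi or TLS Toolkit defaults.
PASS=changeit

make_demo_p12() {   # $1 = work dir; creates ca.pem and client.p12 there
  ( cd "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
      -subj "/OU=Apache NiFi/CN=demo-ca" -days 2 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -keyout c.key -out c.csr \
      -subj "/OU=Apache NiFi/CN=demo-user" 2>/dev/null &&
    openssl x509 -req -in c.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
      -out c.pem -days 2 2>/dev/null &&
    openssl pkcs12 -export -in c.pem -inkey c.key -certfile ca.pem \
      -passout "pass:$PASS" -out client.p12 )
}

extract_client() {  # $1 = dir with client.p12; writes client.pem, client.key
  # -clcerts -nokeys keeps only the client certificate (the keystore also
  # bundles the CA cert); -nocerts -nodes writes only the unencrypted key,
  # so umask 077 keeps that file private to the current user.
  ( umask 077
    openssl pkcs12 -in "$1/client.p12" -passin "pass:$PASS" -clcerts -nokeys \
      -out "$1/client.pem" 2>/dev/null &&
    openssl pkcs12 -in "$1/client.p12" -passin "pass:$PASS" -nocerts -nodes \
      -out "$1/client.key" 2>/dev/null )
}

check_pair() {      # $1 = cert, $2 = key, $3 = CA cert; prints the verdict
  openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 ||
    { echo "cert does not chain to CA"; return 1; }
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
    { echo "key does not match cert"; return 1; }
  echo "ok"
}

# Demo run on the constructed keystore
d=$(mktemp -d) && make_demo_p12 "$d" && extract_client "$d" &&
  check_pair "$d/client.pem" "$d/client.key" "$d/ca.pem"
rm -rf "$d"
```

Either failure message points at the extraction rather than at NiFi, which is worth ruling out before reading the `-debug -state` output of `s_client`.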

> On Nov 10, 2016, at 10:54 PM, Manojkumar Ravichandran wrote:
> 
> Hi,
> 
> Thanks for your response. The error I received in the browser has been attached.
> 
> I have generated the keystore and truststore files using the Java keytool.
> Is it necessary to generate the key file in OpenSSL?
> 
> In nifi-app.log everything seems right, except this warning message:
> 
> org.apache.nifi.cluster.protocol.ProtocolException: Failed marshalling protocol message in response to message type: CONNECTION_REQUEST due to java.net.SocketException: Software caused connection abort: socket write error
>   at org.apache.nifi.cluster.protocol.impl.SocketProtocolListener.dispatchRequest(SocketProtocolListener.java:176) ~[nifi-framework-cluster-protocol-1.0.0.jar:1.0.0]
>   at org.apache.nifi.io.socket.SocketListener$2$1.run(SocketListener.java:136) [nifi-socket-utils-1.0.0.jar:1.0.0]
>   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_91]
>   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_91]
>   at java.lang.Thread.run(Thread.java:745) [na:1.8.0_91]
> 
> Regards,
> Manojkumar R
> 
> On Fri, Nov 11, 2016 at 11:14 AM, Andy LoPresto wrote:
> What is the error you receive in your browser when you try to navigate to the 
> UI? Are you connecting to the correct port?
> 
> Can you run an OpenSSL s_client command to try to connect via the command 
> line? You will need the CA cert, the client certificate, and the client 
> private key to attempt the connection below.
> 
> $ openssl s_client -connect  -debug -state -cert 

Re: UI is not opening after forming nifi 1.0.0 secure cluster in windows

2016-11-10 Thread Andy LoPresto
What is the error you receive in your browser when you try to navigate to the 
UI? Are you connecting to the correct port?

Can you run an OpenSSL s_client command to try to connect via the command line? 
You will need the CA cert, the client certificate, and the client private key 
to attempt the connection below.

$ openssl s_client -connect  -debug -state -cert  -key  -CAfile


Are there any errors in $NIFI_HOME/logs/nifi-app.log or 
$NIFI_HOME/logs/nifi-bootstrap.log? Are there any entries in 
$NIFI_HOME/logs/nifi-user.log?

Andy LoPresto
alopre...@apache.org
alopresto.apa...@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Nov 10, 2016, at 8:41 PM, Manojkumar Ravichandran wrote:
> 
> Hi,
> 
> Tried to form a secure cluster in nifi 1.0.0 in windows by following the 
> instructions from the below link
> 
> http://bryanbende.com/development/2016/08/17/apache-nifi-1-0-0-authorization-and-multi-tenancy
>  
> 
> It seems like in log file cluster has been formed and heart beats are 
> transferring successfully, everything has been settled fine and it shows in 
> log file that URL has been launched in the specified port number, but UI is 
> not opening in the browser of cluster machines.
> 
> To overcome this, I have turned off the firewall settings, but still the UI is 
> not opening in the browser.
> 
> What will be the reason for it?
> 
> 
> 
> Regards,
> 
> Manojkumar R
> 


