Modified: nifi/site/trunk/docs/nifi-docs/html/administration-guide.html URL: http://svn.apache.org/viewvc/nifi/site/trunk/docs/nifi-docs/html/administration-guide.html?rev=1854109&r1=1854108&r2=1854109&view=diff ============================================================================== --- nifi/site/trunk/docs/nifi-docs/html/administration-guide.html (original) +++ nifi/site/trunk/docs/nifi-docs/html/administration-guide.html Fri Feb 22 01:03:44 2019 @@ -1,29 +1,29 @@ -<!-- - Licensed to the Apache Software Foundation (ASF) under one or more - contributor license agreements. See the NOTICE file distributed with - this work for additional information regarding copyright ownership. - The ASF licenses this file to You under the Apache License, Version 2.0 - (the "License"); you may not use this file except in compliance with - the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - --> - <!DOCTYPE html> -<html lang="en"> -<head> -<meta charset="UTF-8"> -<!--[if IE]><meta http-equiv="X-UA-Compatible" content="IE=edge"><![endif]--> -<meta name="viewport" content="width=device-width, initial-scale=1.0"> -<meta name="generator" content="Asciidoctor 1.5.2"> -<meta name="author" content="Apache NiFi Team"> -<title>NiFi System Administrator’s Guide</title> -<style> +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + --> + <!DOCTYPE html> +<html lang="en"> +<head> +<meta charset="UTF-8"> +<!--[if IE]><meta http-equiv="X-UA-Compatible" content="IE=edge"><![endif]--> +<meta name="viewport" content="width=device-width, initial-scale=1.0"> +<meta name="generator" content="Asciidoctor 1.5.2"> +<meta name="author" content="Apache NiFi Team"> +<title>NiFi System Administrator’s Guide</title> +<style> /* Asciidoctor default stylesheet | MIT License | http://asciidoctor.org */ /* Copyright (C) 2012-2015 Dan Allen, Ryan Waldron and the Asciidoctor Project @@ -441,8035 +441,6364 @@ body.book #toc,body.book #preamble,body. .hide-on-print{display:none!important} .print-only{display:block!important} .hide-for-print{display:none!important} -.show-for-print{display:inherit!important}} -</style> -<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.2.0/css/font-awesome.min.css";> -</head> -<body class="article"> -<div id="header"> -<h1>NiFi System Administrator’s Guide</h1> -<div class="details"> -<span id="author" class="author">Apache NiFi Team</span><br> -<span id="email" class="email"><a href="mailto:d...@nifi.apache.org";>d...@nifi.apache.org</a></span><br> -</div> -<div id="toc" class="toc"> -<div id="toctitle">Table of Contents</div> -<ul class="sectlevel1"> -<li><a href="administration-guide.html#system-requirements">System Requirements</a></li> -<li><a href="administration-guide.html#how-to-install-and-start-nifi">How to install and start NiFi</a></li> -<li><a href="administration-guide.html#port-configuration">Port Configuration</a> -<ul class="sectlevel2"> -<li><a href="administration-guide.html#nifi">NiFi</a></li> -<li><a href="administration-guide.html#embedded-zookeeper">Embedded Zookeeper</a></li> -</ul> -</li> -<li><a href="administration-guide.html#configuration-best-practices">Configuration Best Practices</a></li> -<li><a href="administration-guide.html#security_configuration">Security Configuration</a> -<ul class="sectlevel2"> -<li><a href="administration-guide.html#tls_generation_toolkit">TLS Generation Toolkit</a> -<ul class="sectlevel3"> -<li><a href="administration-guide.html#potential-issues-with-wildcard-certificates">Potential issues with wildcard certificates</a></li> -<li><a href="administration-guide.html#standalone">Standalone</a></li> -<li><a href="administration-guide.html#client-server">Client/Server</a></li> -<li><a href="administration-guide.html#using-an-existing-intermediate-certificate-authority-ca">Using An Existing Intermediate Certificate Authority (CA)</a></li> -</ul> -</li> -</ul> -</li> -<li><a href="administration-guide.html#user_authentication">User Authentication</a> -<ul class="sectlevel2"> -<li><a href="administration-guide.html#ldap_login_identity_provider">Lightweight Directory Access Protocol (LDAP)</a></li> -<li><a href="administration-guide.html#kerberos_login_identity_provider">Kerberos</a></li> -<li><a href="administration-guide.html#openid_connect">OpenId Connect</a></li> -<li><a href="administration-guide.html#apache_knox">Apache Knox</a></li> -</ul> -</li> -<li><a href="administration-guide.html#multi-tenant-authorization">Multi-Tenant Authorization</a> -<ul class="sectlevel2"> -<li><a href="administration-guide.html#authorizer-configuration">Authorizer Configuration</a></li> -<li><a href="administration-guide.html#authorizers-setup">Authorizers.xml Setup</a> -<ul class="sectlevel3"> -<li><a href="administration-guide.html#fileusergroupprovider">FileUserGroupProvider</a></li> -<li><a href="administration-guide.html#ldapusergroupprovider">LdapUserGroupProvider</a></li> -<li><a href="administration-guide.html#composite-implementations">Composite Implementations</a></li> -<li><a href="administration-guide.html#fileaccesspolicyprovider">FileAccessPolicyProvider</a></li> -<li><a href="administration-guide.html#standardmanagedauthorizer">StandardManagedAuthorizer</a></li> -<li><a href="administration-guide.html#fileauthorizer">FileAuthorizer</a></li> -<li><a href="administration-guide.html#initial-admin-identity">Initial Admin Identity (New NiFi Instance)</a></li> -<li><a href="administration-guide.html#legacy-authorized-users">Legacy Authorized Users (NiFi Instance Upgrade)</a></li> -<li><a href="administration-guide.html#cluster-node-identities">Cluster Node Identities</a></li> -</ul> -</li> -<li><a href="administration-guide.html#config-users-access-policies">Configuring Users & Access Policies</a> -<ul class="sectlevel3"> -<li><a href="administration-guide.html#creating-users-groups">Creating Users and Groups</a></li> -<li><a href="administration-guide.html#access-policies">Access Policies</a></li> -<li><a href="administration-guide.html#viewing-policies-users">Viewing Policies on Users</a></li> -<li><a href="administration-guide.html#access-policy-config-examples">Access Policy Configuration Examples</a></li> -</ul> -</li> -</ul> -</li> -<li><a href="administration-guide.html#encryption">Encryption Configuration</a> -<ul class="sectlevel2"> -<li><a href="administration-guide.html#key-derivation-functions">Key Derivation Functions</a> -<ul class="sectlevel3"> -<li><a href="administration-guide.html#additional-resources">Additional Resources</a></li> -</ul> -</li> -<li><a href="administration-guide.html#salt-and-iv-encoding">Salt and IV Encoding</a> -<ul class="sectlevel3"> -<li><a href="administration-guide.html#nifi-legacy">NiFi Legacy</a></li> -<li><a href="administration-guide.html#openssl-pkcs-5-v1-5-evp_bytestokey">OpenSSL PKCS#5 v1.5 EVP_BytesToKey</a></li> -<li><a href="administration-guide.html#bcrypt-scrypt-pbkdf2">Bcrypt, Scrypt, PBKDF2</a></li> -</ul> -</li> -<li><a href="administration-guide.html#java-cryptography-extension-jce-limited-strength-jurisdiction-policies">Java Cryptography Extension (JCE) Limited Strength Jurisdiction Policies</a></li> -<li><a href="administration-guide.html#allow-insecure-cryptographic-modes">Allow Insecure Cryptographic Modes</a></li> -</ul> -</li> -<li><a href="administration-guide.html#encrypted-passwords-in-configuration-files">Encrypted Passwords in Configuration Files</a> -<ul class="sectlevel2"> -<li><a href="administration-guide.html#encrypt-config_tool">Encrypt-Config Tool</a></li> -<li><a href="administration-guide.html#sensitive-property-key-migration">Sensitive Property Key Migration</a></li> -<li><a href="administration-guide.html#existing-flow-migration">Existing Flow Migration</a></li> -<li><a href="administration-guide.html#encrypt-config_password">Password Key Derivation</a></li> -<li><a href="administration-guide.html#encrypt-config_secure_prompt">Secure Prompt</a></li> -</ul> -</li> -<li><a href="administration-guide.html#admin-toolkit">Administrative Tools</a> -<ul class="sectlevel2"> -<li><a href="administration-guide.html#prerequisites-for-running-admin-toolkit-in-a-secure-environment">Prerequisites for Running Admin Toolkit in a Secure Environment</a></li> -<li><a href="administration-guide.html#notify">Notify</a></li> -<li><a href="administration-guide.html#node-manager">Node Manager</a> -<ul class="sectlevel3"> -<li><a href="administration-guide.html#expected-behavior">Expected behavior</a></li> -</ul> -</li> -<li><a href="administration-guide.html#file-manager">File Manager</a></li> -<li><a href="administration-guide.html#expected-behavior-2">Expected Behavior</a></li> -</ul> -</li> -<li><a href="administration-guide.html#clustering">Clustering Configuration</a> -<ul class="sectlevel2"> -<li><a href="administration-guide.html#zero-master-clustering">Zero-Master Clustering</a></li> -<li><a href="administration-guide.html#why-cluster">Why Cluster?</a></li> -<li><a href="administration-guide.html#terminology">Terminology</a></li> -<li><a href="administration-guide.html#communication-within-the-cluster">Communication within the Cluster</a></li> -<li><a href="administration-guide.html#managing_nodes">Managing Nodes</a> -<ul class="sectlevel3"> -<li><a href="administration-guide.html#disconnect-nodes">Disconnect Nodes</a></li> -<li><a href="administration-guide.html#offload-nodes">Offload Nodes</a></li> -<li><a href="administration-guide.html#delete-nodes">Delete Nodes</a></li> -<li><a href="administration-guide.html#decommission-nodes">Decommission Nodes</a></li> -<li><a href="administration-guide.html#nifi-toolkit-node-commands">NiFi Toolkit Node Commands</a></li> -</ul> -</li> -<li><a href="administration-guide.html#flow-election">Flow Election</a></li> -<li><a href="administration-guide.html#basic-cluster-setup">Basic Cluster Setup</a></li> -<li><a href="administration-guide.html#troubleshooting">Troubleshooting</a></li> -</ul> -</li> -<li><a href="administration-guide.html#state_management">State Management</a> -<ul class="sectlevel2"> -<li><a href="administration-guide.html#state_providers">Configuring State Providers</a></li> -<li><a href="administration-guide.html#embedded_zookeeper">Embedded ZooKeeper Server</a></li> -<li><a href="administration-guide.html#zk_access_control">ZooKeeper Access Control</a></li> -<li><a href="administration-guide.html#securing_zookeeper">Securing ZooKeeper</a> -<ul class="sectlevel3"> -<li><a href="administration-guide.html#zk_kerberos_server">Kerberizing Embedded ZooKeeper Server</a></li> -<li><a href="administration-guide.html#zk_kerberos_client">Kerberizing NiFi’s ZooKeeper Client</a></li> -<li><a href="administration-guide.html#troubleshooting_kerberos">Troubleshooting Kerberos Configuration</a></li> -</ul> -</li> -<li><a href="administration-guide.html#zookeeper_migrator">ZooKeeper Migrator</a> -<ul class="sectlevel3"> -<li><a href="administration-guide.html#zk_migrator_command_line_parameters">zk-migrator.sh Command Line Parameters</a></li> -<li><a href="administration-guide.html#migrating_between_source_destination_zookeepers">Migrating Between Source and Destination ZooKeepers</a></li> -</ul> -</li> -</ul> -</li> -<li><a href="administration-guide.html#bootstrap_properties">Bootstrap Properties</a></li> -<li><a href="administration-guide.html#notification_services">Notification Services</a> -<ul class="sectlevel2"> -<li><a href="administration-guide.html#email-notification-service-br">Email Notification Service<br></a></li> -<li><a href="administration-guide.html#http-notification-service-br">HTTP Notification Service<br></a></li> -</ul> -</li> -<li><a href="administration-guide.html#proxy_configuration">Proxy Configuration</a></li> -<li><a href="administration-guide.html#kerberos_service">Kerberos Service</a> -<ul class="sectlevel2"> -<li><a href="administration-guide.html#kerberos_service_notes">Notes</a></li> -</ul> -</li> -<li><a href="administration-guide.html#system_properties">System Properties</a> -<ul class="sectlevel2"> -<li><a href="administration-guide.html#core-properties-br">Core Properties<br></a></li> -<li><a href="administration-guide.html#state-management-br">State Management<br></a></li> -<li><a href="administration-guide.html#h2-settings">H2 Settings</a></li> -<li><a href="administration-guide.html#flowfile-repository">FlowFile Repository</a></li> -<li><a href="administration-guide.html#swap-management">Swap Management</a></li> -<li><a href="administration-guide.html#content-repository">Content Repository</a></li> -<li><a href="administration-guide.html#file-system-content-repository-properties">File System Content Repository Properties</a></li> -<li><a href="administration-guide.html#volatile-content-repository-properties">Volatile Content Repository Properties</a></li> -<li><a href="administration-guide.html#provenance-repository">Provenance Repository</a></li> -<li><a href="administration-guide.html#write-ahead-provenance-repository-properties">Write Ahead Provenance Repository Properties</a></li> -<li><a href="administration-guide.html#encrypted-write-ahead-provenance-repository-properties">Encrypted Write Ahead Provenance Repository Properties</a></li> -<li><a href="administration-guide.html#persistent-provenance-repository-properties">Persistent Provenance Repository Properties</a></li> -<li><a href="administration-guide.html#volatile-provenance-repository-properties">Volatile Provenance Repository Properties</a></li> -<li><a href="administration-guide.html#component-status-repository">Component Status Repository</a></li> -<li><a href="administration-guide.html#site_to_site_properties">Site to Site Properties</a></li> -<li><a href="administration-guide.html#site_to_site_reverse_proxy_properties">Site to Site Routing Properties for Reverse Proxies</a> -<ul class="sectlevel3"> -<li><a href="administration-guide.html#site-to-site-protocol-sequence">Site to Site protocol sequence</a></li> -<li><a href="administration-guide.html#reverse-proxy-configurations">Reverse Proxy Configurations</a></li> -<li><a href="administration-guide.html#site-to-site-and-reverse-proxy-examples">Site to Site and Reverse Proxy Examples</a></li> -</ul> -</li> -<li><a href="administration-guide.html#web-properties">Web Properties</a></li> -<li><a href="administration-guide.html#security_properties">Security Properties</a></li> -<li><a href="administration-guide.html#identity-mapping-properties">Identity Mapping Properties</a></li> -<li><a href="administration-guide.html#cluster_common_properties">Cluster Common Properties</a></li> -<li><a href="administration-guide.html#cluster_node_properties">Cluster Node Properties</a></li> -<li><a href="administration-guide.html#claim_management">Claim Management</a></li> -<li><a href="administration-guide.html#zookeeper-properties">ZooKeeper Properties</a></li> -<li><a href="administration-guide.html#kerberos_properties">Kerberos Properties</a></li> -<li><a href="administration-guide.html#custom_properties">Custom Properties</a></li> -</ul> -</li> -</ul> -</div> -</div> -<div id="content"> -<div class="sect1"> -<h2 id="system-requirements"><a class="anchor" href="administration-guide.html#system-requirements"></a>System Requirements</h2> -<div class="sectionbody"> -<div class="paragraph"> -<p>Apache NiFi can run on something as simple as a laptop, but it can also be clustered across many enterprise-class servers. Therefore, the amount of hardware and memory needed will depend on the size and nature of the dataflow involved. The data is stored on disk while NiFi is processing it. So NiFi needs to have sufficient disk space allocated for its various repositories, particularly the content repository, flowfile repository, and provenance repository (see the <a href="administration-guide.html#system_properties">System Properties</a> section for more information about these repositories). NiFi has the following minimum system requirements:</p> -</div> -<div class="ulist"> -<ul> -<li> -<p>Requires Java 8 or newer</p> -</li> -<li> -<p>Supported Operating Systems:</p> -<div class="ulist"> -<ul> -<li> -<p>Linux</p> -</li> -<li> -<p>Unix</p> -</li> -<li> -<p>Windows</p> -</li> -<li> -<p>Mac OS X</p> -</li> -</ul> -</div> -</li> -<li> -<p>Supported Web Browsers:</p> -<div class="ulist"> -<ul> -<li> -<p>Microsoft Edge: Current & (Current - 1)</p> -</li> -<li> -<p>Mozilla FireFox: Current & (Current - 1)</p> -</li> -<li> -<p>Google Chrome: Current & (Current - 1)</p> -</li> -<li> -<p>Safari: Current & (Current - 1)</p> -</li> -</ul> -</div> -</li> -</ul> -</div> -<div class="paragraph"> -<p><strong>Note</strong> Under sustained and extremely high throughput the CodeCache settings may need to be tuned to avoid sudden performance loss. See the <a href="administration-guide.html#bootstrap_properties">Bootstrap Properties</a> section for more information.</p> -</div> -</div> -</div> -<div class="sect1"> -<h2 id="how-to-install-and-start-nifi"><a class="anchor" href="administration-guide.html#how-to-install-and-start-nifi"></a>How to install and start NiFi</h2> -<div class="sectionbody"> -<div class="ulist"> -<ul> -<li> -<p>Linux/Unix/OS X</p> -<div class="ulist"> -<ul> -<li> -<p>Decompress and untar into desired installation directory</p> -</li> -<li> -<p>Make any desired edits in files found under <code><installdir>/conf</code></p> -<div class="ulist"> -<ul> -<li> -<p>At a minimum, we recommend editing the <em>nifi.properties</em> file and entering a password for the <code>nifi.sensitive.props.key</code> (see <a href="administration-guide.html#system_properties">System Properties</a> below)</p> -</li> -</ul> -</div> -</li> -<li> -<p>From the <code><installdir>/bin</code> directory, execute the following commands by typing <code>./nifi.sh <command></code>:</p> -<div class="ulist"> -<ul> -<li> -<p>start: starts NiFi in the background</p> -</li> -<li> -<p>stop: stops NiFi that is running in the background</p> -</li> -<li> -<p>status: provides the current status of NiFi</p> -</li> -<li> -<p>run: runs NiFi in the foreground and waits for a Ctrl-C to initiate shutdown of NiFi</p> -</li> -<li> -<p>install: installs NiFi as a service that can then be controlled via</p> -<div class="ulist"> -<ul> -<li> -<p><code>service nifi start</code></p> -</li> -<li> -<p><code>service nifi stop</code></p> -</li> -<li> -<p><code>service nifi status</code></p> -</li> -</ul> -</div> -</li> -</ul> -</div> -</li> -</ul> -</div> -</li> -<li> -<p>Windows</p> -<div class="ulist"> -<ul> -<li> -<p>Decompress into the desired installation directory</p> -</li> -<li> -<p>Make any desired edits in the files found under <code><installdir>/conf</code></p> -<div class="ulist"> -<ul> -<li> -<p>At a minimum, we recommend editing the <em>nifi.properties</em> file and entering a password for the <code>nifi.sensitive.props.key</code> (see <a href="administration-guide.html#system_properties">System Properties</a> below)</p> -</li> -</ul> -</div> -</li> -<li> -<p>Navigate to the <code><installdir>/bin</code> directory</p> -</li> -<li> -<p>Double-click <code>run-nifi.bat</code>. This runs NiFi in the foreground and waits for a Ctrl-C to initiate shutdown of NiFi</p> -</li> -<li> -<p>To see the current status of NiFi, double-click <code>status-nifi.bat</code></p> -</li> -</ul> -</div> -</li> -</ul> -</div> -<div class="paragraph"> -<p>When NiFi first starts up, the following files and directories are created:</p> -</div> -<div class="ulist"> -<ul> -<li> -<p><code>content_repository</code></p> -</li> -<li> -<p><code>database_repository</code></p> -</li> -<li> -<p><code>flowfile_repository</code></p> -</li> -<li> -<p><code>provenance_repository</code></p> -</li> -<li> -<p><code>work</code> directory</p> -</li> -<li> -<p><code>logs</code> directory</p> -</li> -<li> -<p>Within the <code>conf</code> directory, the <em>flow.xml.gz</em> file is created</p> -</li> -</ul> -</div> -<div class="paragraph"> -<p>See the <a href="administration-guide.html#system_properties">System Properties</a> section of this guide for more information about configuring NiFi repositories and configuration files.</p> -</div> -</div> -</div> -<div class="sect1"> -<h2 id="port-configuration"><a class="anchor" href="administration-guide.html#port-configuration"></a>Port Configuration</h2> -<div class="sectionbody"> -<div class="sect2"> -<h3 id="nifi"><a class="anchor" href="administration-guide.html#nifi"></a>NiFi</h3> -<div class="paragraph"> -<p>The following table lists the default ports used by NiFi and the corresponding property in the <em>nifi.properties</em> file.</p> -</div> -<table class="tableblock frame-all grid-all spread"> -<colgroup> -<col style="width: 33%;"> -<col style="width: 33%;"> -<col style="width: 33%;"> -</colgroup> -<thead> -<tr> -<th class="tableblock halign-left valign-top">Function</th> -<th class="tableblock halign-left valign-top">Property</th> -<th class="tableblock halign-left valign-top">Default Value</th> -</tr> -</thead> -<tfoot> -<tr> -<td class="tableblock halign-left valign-top"><p class="tableblock">Web HTTP Forwarding Port</p></td> -<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.web.http.port.forwarding</code></p></td> -<td class="tableblock halign-left valign-top"><p class="tableblock"><em>none</em></p></td> -</tr> -</tfoot> -<tbody> -<tr> -<td class="tableblock halign-left valign-top"><p class="tableblock">HTTP Port</p></td> -<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.web.http.port</code></p></td> -<td class="tableblock halign-left valign-top"><p class="tableblock"><code>8080</code></p></td> -</tr> -<tr> -<td class="tableblock halign-left valign-top"><p class="tableblock">HTTPS Port*</p></td> -<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.web.https.port</code></p></td> -<td class="tableblock halign-left valign-top"><p class="tableblock"><code>9443</code></p></td> -</tr> -<tr> -<td class="tableblock halign-left valign-top"><p class="tableblock">Remote Input Socket Port*</p></td> -<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.remote.input.socket.port</code></p></td> -<td class="tableblock halign-left valign-top"><p class="tableblock"><code>10443</code></p></td> -</tr> -<tr> -<td class="tableblock halign-left valign-top"><p class="tableblock">Cluster Node Protocol Port*</p></td> -<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.cluster.node.protocol.port</code></p></td> -<td class="tableblock halign-left valign-top"><p class="tableblock"><code>11443</code></p></td> -</tr> -<tr> -<td class="tableblock halign-left valign-top"><p class="tableblock">Cluster Node Load Balancing Port</p></td> -<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.cluster.node.load.balance.port</code></p></td> -<td class="tableblock halign-left valign-top"><p class="tableblock"><code>6342</code></p></td> -</tr> -</tbody> -</table> -<div class="admonitionblock note"> -<table> -<tr> -<td class="icon"> -<i class="fa icon-note" title="Note"></i> -</td> -<td class="content"> -The ports marked with an asterisk (*) have property values that are blank by default in <em>nifi.properties</em>. The values shown in the table are the default values for these ports when <a href="administration-guide.html#tls_generation_toolkit">TLS Generation Toolkit</a> is used to generate <em>nifi.properties</em> for a secured NiFi instance. The default Certificate Authority Port used by TLS Toolkit is <code>8443</code>. -</td> -</tr> -</table> -</div> -</div> -<div class="sect2"> -<h3 id="embedded-zookeeper"><a class="anchor" href="administration-guide.html#embedded-zookeeper"></a>Embedded Zookeeper</h3> -<div class="paragraph"> -<p>The following table lists the default ports used by an <a href="administration-guide.html#embedded_zookeeper">Embedded ZooKeeper Server</a> and the corresponding property in the <em>zookeeper.properties</em> file.</p> -</div> -<table class="tableblock frame-all grid-all spread"> -<colgroup> -<col style="width: 33%;"> -<col style="width: 33%;"> -<col style="width: 33%;"> -</colgroup> -<thead> -<tr> -<th class="tableblock halign-left valign-top">Function</th> -<th class="tableblock halign-left valign-top">Property</th> -<th class="tableblock halign-left valign-top">Default Value</th> -</tr> -</thead> -<tfoot> -<tr> -<td class="tableblock halign-left valign-top"><p class="tableblock">Zookeeper Server Quorum and Leader Election Ports</p></td> -<td class="tableblock halign-left valign-top"><p class="tableblock"><code>server.1</code></p></td> -<td class="tableblock halign-left valign-top"><p class="tableblock"><em>none</em></p></td> -</tr> -</tfoot> -<tbody> -<tr> -<td class="tableblock halign-left valign-top"><p class="tableblock">Zookeeper Client Port</p></td> -<td class="tableblock halign-left valign-top"><p class="tableblock"><code>clientPort</code></p></td> -<td class="tableblock halign-left valign-top"><p class="tableblock"><code>2181</code></p></td> -</tr> -</tbody> -</table> -<div class="admonitionblock note"> -<table> -<tr> -<td class="icon"> -<i class="fa icon-note" title="Note"></i> -</td> -<td class="content"> -Commented examples for the Zookeeper server ports are included in the <em>zookeeper.properties</em> file in the form <code>server.N=nifi-nodeN-hostname:2888:3888</code>. -</td> -</tr> -</table> -</div> -</div> -</div> -</div> -<div class="sect1"> -<h2 id="configuration-best-practices"><a class="anchor" href="administration-guide.html#configuration-best-practices"></a>Configuration Best Practices</h2> -<div class="sectionbody"> -<div class="paragraph"> -<p>If you are running on Linux, consider these best practices. Typical Linux defaults are not necessarily well-tuned for the needs of an IO intensive application like NiFi. For all of these areas, your distribution’s requirements may vary. Use these sections as advice, but -consult your distribution-specific documentation for how best to achieve these recommendations.</p> -</div> -<div class="dlist"> -<dl> -<dt class="hdlist1">Maximum File Handles</dt> -<dd> -<p>NiFi will at any one time potentially have a very large number of file handles open. Increase the limits by -editing <em>/etc/security/limits.conf</em> to add -something like</p> -</dd> -</dl> -</div> -<div class="listingblock"> -<div class="content"> -<pre>* hard nofile 50000 -* soft nofile 50000</pre> -</div> -</div> -<div class="dlist"> -<dl> -<dt class="hdlist1">Maximum Forked Processes</dt> -<dd> -<p>NiFi may be configured to generate a significant number of threads. To increase the allowable number, edit <em>/etc/security/limits.conf</em></p> -</dd> -</dl> -</div> -<div class="listingblock"> -<div class="content"> -<pre>* hard nproc 10000 -* soft nproc 10000</pre> -</div> -</div> -<div class="paragraph"> -<p>And your distribution may require an edit to <em>/etc/security/limits.d/90-nproc.conf</em> by adding</p> -</div> -<div class="listingblock"> -<div class="content"> -<pre>* soft nproc 10000</pre> -</div> -</div> -<div class="dlist"> -<dl> -<dt class="hdlist1">Increase the number of TCP socket ports available</dt> -<dd> -<p>This is particularly important if your flow will be setting up and tearing -down a large number of sockets in a small period of time.</p> -</dd> -</dl> -</div> -<div class="listingblock"> -<div class="content"> -<pre>sudo sysctl -w net.ipv4.ip_local_port_range="10000 65000"</pre> -</div> -</div> -<div class="dlist"> -<dl> -<dt class="hdlist1">Set how long sockets stay in a TIMED_WAIT state when closed</dt> -<dd> -<p>You don’t want your sockets to sit and linger too long given that you want to be -able to quickly setup and teardown new sockets. It is a good idea to read more about -it and adjust to something like</p> -</dd> -</dl> -</div> -<div class="listingblock"> -<div class="content"> -<pre>sudo sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait="1"</pre> -</div> -</div> -<div class="dlist"> -<dl> -<dt class="hdlist1">Tell Linux you never want NiFi to swap</dt> -<dd> -<p>Swapping is fantastic for some applications. It isn’t good for something like -NiFi that always wants to be running. To tell Linux you’d like swapping off, you -can edit <em>/etc/sysctl.conf</em> to add the following line</p> -</dd> -</dl> -</div> -<div class="listingblock"> -<div class="content"> -<pre>vm.swappiness = 0</pre> -</div> -</div> -<div class="paragraph"> -<p>For the partitions handling the various NiFi repos, turn off things like <code>atime</code>. -Doing so can cause a surprising bump in throughput. Edit the <code>/etc/fstab</code> file -and for the partition(s) of interest, add the <code>noatime</code> option.</p> -</div> -</div> -</div> -<div class="sect1"> -<h2 id="security_configuration"><a class="anchor" href="administration-guide.html#security_configuration"></a>Security Configuration</h2> -<div class="sectionbody"> -<div class="paragraph"> -<p>NiFi provides several different configuration options for security purposes. The most important properties are those under the -"security properties" heading in the <em>nifi.properties</em> file. In order to run securely, the following properties must be set:</p> -</div> -<table class="tableblock frame-all grid-all spread"> -<colgroup> -<col style="width: 50%;"> -<col style="width: 50%;"> -</colgroup> -<thead> -<tr> -<th class="tableblock halign-left valign-top">Property Name</th> -<th class="tableblock halign-left valign-top">Description</th> -</tr> -</thead> -<tfoot> -<tr> -<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.security.truststorePasswd</code></p></td> -<td class="tableblock halign-left valign-top"><p class="tableblock">The password for the Truststore.</p></td> -</tr> -</tfoot> -<tbody> -<tr> -<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.security.keystore</code></p></td> -<td class="tableblock halign-left valign-top"><p class="tableblock">Filename of the Keystore that contains the server’s private key.</p></td> -</tr> -<tr> -<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.security.keystoreType</code></p></td> -<td class="tableblock halign-left valign-top"><p class="tableblock">The type of Keystore. Must be either <code>PKCS12</code> or <code>JKS</code>. JKS is the preferred type, PKCS12 files will be loaded with BouncyCastle provider.</p></td> -</tr> -<tr> -<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.security.keystorePasswd</code></p></td> -<td class="tableblock halign-left valign-top"><p class="tableblock">The password for the Keystore.</p></td> -</tr> -<tr> -<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.security.keyPasswd</code></p></td> -<td class="tableblock halign-left valign-top"><p class="tableblock">The password for the certificate in the Keystore. If not set, the value of <code>nifi.security.keystorePasswd</code> will be used.</p></td> -</tr> -<tr> -<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.security.truststore</code></p></td> -<td class="tableblock halign-left valign-top"><p class="tableblock">Filename of the Truststore that will be used to authorize those connecting to NiFi. A secured instance with no Truststore will refuse all incoming connections.</p></td> -</tr> -<tr> -<td class="tableblock halign-left valign-top"><p class="tableblock"><code>nifi.security.truststoreType</code></p></td> -<td class="tableblock halign-left valign-top"><p class="tableblock">The type of the Truststore. Must be either <code>PKCS12</code> or <code>JKS</code>. JKS is the preferred type, PKCS12 files will be loaded with BouncyCastle provider.</p></td> -</tr> -</tbody> -</table> -<div class="paragraph"> -<p>Once the above properties have been configured, we can enable the User Interface to be accessed over HTTPS instead of HTTP. This is accomplished -by setting the <code>nifi.web.https.host</code> and <code>nifi.web.https.port</code> properties. The <code>nifi.web.https.host</code> property indicates which hostname the server -should run on. If it is desired that the HTTPS interface be accessible from all network interfaces, a value of <code>0.0.0.0</code> should be used. To allow -admins to configure the application to run only on specific network interfaces, <code>nifi.web.http.network.interface*</code> or <code>nifi.web.https.network.interface*</code> -properties can be specified.</p> -</div> -<div class="admonitionblock note"> -<table> -<tr> -<td class="icon"> -<i class="fa icon-note" title="Note"></i> -</td> -<td class="content"> -It is important when enabling HTTPS that the <code>nifi.web.http.port</code> property be unset. NiFi only supports running on HTTP <strong>or</strong> HTTPS, not both simultaneously. -</td> -</tr> -</table> -</div> -<div class="paragraph"> -<p>NiFi’s web server will REQUIRE certificate based client authentication for users accessing the User Interface when not configured with an alternative -authentication mechanism which would require one way SSL (for instance LDAP, OpenId Connect, etc). Enabling an alternative authentication mechanism will -configure the web server to WANT certificate base client authentication. This will allow it to support users with certificates and those without that -may be logging in with credentials. See <a href="administration-guide.html#user_authentication">User Authentication</a> for more details.</p> -</div> -<div class="paragraph"> -<p>Now that the User Interface has been secured, we can easily secure Site-to-Site connections and inner-cluster communications, as well. This is -accomplished by setting the <code>nifi.remote.input.secure</code> and <code>nifi.cluster.protocol.is.secure</code> properties, respectively, to <code>true</code>. These communications -will always REQUIRE two way SSL as the nodes will use their configured keystore/truststore for authentication.</p> -</div> -<div class="sect2"> -<h3 id="tls_generation_toolkit"><a class="anchor" href="administration-guide.html#tls_generation_toolkit"></a>TLS Generation Toolkit</h3> -<div class="paragraph"> -<p>In order to facilitate the secure setup of NiFi, you can use the <code>tls-toolkit</code> command line utility to automatically generate the required keystores, truststore, and relevant configuration files. This is especially useful for securing multiple NiFi nodes, which can be a tedious and error-prone process.</p> -</div> -<div class="paragraph"> -<p>Wildcard certificates (i.e. two nodes <code>node1.nifi.apache.org</code> and <code>node2.nifi.apache.org</code> being assigned the same certificate with a CN or SAN entry of <code>*.nifi.apache.org</code>) are <strong>not officially supported</strong> and <strong>not recommended</strong>. There are numerous disadvantages to using wildcard certificates, and a cluster working with wildcard certificates has occurred in previous versions out of lucky accidents, not intentional support. Wildcard SAN entries are acceptable <strong>if</strong> each cert maintains an additional unique SAN entry and CN entry.</p> -</div> -<div class="sect3"> -<h4 id="potential-issues-with-wildcard-certificates"><a class="anchor" href="administration-guide.html#potential-issues-with-wildcard-certificates"></a>Potential issues with wildcard certificates</h4> -<div class="ulist"> -<ul> -<li> -<p>In many places throughout the codebase, cluster communications use certificate identities many times to identify a node, and if the certificate simply presents a wildcard DN, that doesnât resolve to a specific node</p> -</li> -<li> -<p>Admins may need to provide a custom node identity in <em>authorizers.xml</em> for <code>*.nifi.apache.org</code> because all proxy actions only resolve to the cert DN (see <a href="administration-guide.html#user_authentication">User Authentication</a>)</p> -</li> -<li> -<p>Admins have no traceability into which node performed an action because they all resolve to the same DN</p> -</li> -<li> -<p>Admins running multiple instances on the same machine using different ports to identify them can accidentally put <code>node1</code> hostname with <code>node2</code> port, and the address will resolve fine because itâs using the same certificate, but the host header handler will block it because the <code>node1</code> hostname is (correctly) not listed as an acceptable host for <code>node2</code> instance</p> -</li> -<li> -<p>If the wildcard certificate is compromised, all nodes are compromised</p> -</li> -</ul> -</div> -<div class="admonitionblock note"> -<table> -<tr> -<td class="icon"> -<i class="fa icon-note" title="Note"></i> -</td> -<td class="content"> -JKS keystores and truststores are recommended for NiFi. This tool allows the specification of other keystore types on the command line but will ignore a type of PKCS12 for use as the truststore because that format has some compatibility issues between BouncyCastle and Oracle implementations. -</td> -</tr> -</table> -</div> -<div class="paragraph"> -<p>The <code>tls-toolkit</code> command line tool has two primary modes of operation:</p> -</div> -<div class="olist arabic"> -<ol class="arabic"> -<li> -<p>Standalone — generates the certificate authority, keystores, truststores, and <em>nifi.properties</em> files in one command.</p> -</li> -<li> -<p>Client/Server mode — uses a Certificate Authority Server that accepts Certificate Signing Requests from clients, signs them, and sends the resulting certificates back. Both client and server validate the otherâs identity through a shared secret.</p> -</li> -</ol> -</div> -</div> -<div class="sect3"> -<h4 id="standalone"><a class="anchor" href="administration-guide.html#standalone"></a>Standalone</h4> -<div class="paragraph"> -<p>Standalone mode is invoked by running <code>./bin/tls-toolkit.sh standalone -h</code> which prints the usage information along with descriptions of options that can be specified.</p> -</div> -<div class="paragraph"> -<p>You can use the following command line options with the <code>tls-toolkit</code> in standalone mode:</p> -</div> -<div class="ulist"> -<ul> -<li> -<p><code>-a</code>,<code>--keyAlgorithm <arg></code> Algorithm to use for generated keys (default: <code>RSA</code>)</p> -</li> -<li> -<p><code>--additionalCACertificate <arg></code> Path to additional CA certificate (used to sign toolkit CA certificate) in PEM format if necessary</p> -</li> -<li> -<p><code>-B</code>,<code>--clientCertPassword <arg></code> Password for client certificate. Must either be one value or one for each client DN (auto-generate if not specified)</p> -</li> -<li> -<p><code>-c</code>,<code>--certificateAuthorityHostname <arg></code> Hostname of NiFi Certificate Authority (default: <code>localhost</code>)</p> -</li> -<li> -<p><code>-C</code>,<code>--clientCertDn <arg></code> Generate client certificate suitable for use in browser with specified DN (Can be specified multiple times)</p> -</li> -<li> -<p><code>-d</code>,<code>--days <arg></code> Number of days issued certificate should be valid for (default: <code>1095</code>)</p> -</li> -<li> -<p><code>-f</code>,<code>--nifiPropertiesFile <arg></code> Base <em>nifi.properties</em> file to update (Embedded file identical to the one in a default NiFi install will be used if not specified)</p> -</li> -<li> -<p><code>-g</code>,<code>--differentKeyAndKeystorePasswords</code> Use different generated password for the key and the keystore</p> -</li> -<li> -<p><code>-G</code>,<code>--globalPortSequence <arg></code> Use sequential ports that are calculated for all hosts according to the provided hostname expressions (Can be specified multiple times, MUST BE SAME FROM RUN TO RUN)</p> -</li> -<li> -<p><code>-h</code>,<code>--help</code> Print help and exit</p> -</li> -<li> -<p><code>-k</code>,<code>--keySize <arg></code> Number of bits for generated keys (default: <code>2048</code>)</p> -</li> -<li> -<p><code>-K</code>,<code>--keyPassword <arg></code> Key password to use. Must either be one value or one for each host (auto-generate if not specified)</p> -</li> -<li> -<p><code>-n</code>,<code>--hostnames <arg></code> Comma separated list of hostnames</p> -</li> -<li> -<p><code>--nifiDnPrefix <arg></code> String to prepend to hostname(s) when determining DN (default: <code>CN=</code>)</p> -</li> -<li> -<p><code>--nifiDnSuffix <arg></code> String to append to hostname(s) when determining DN (default: <code>, OU=NIFI</code>)</p> -</li> -<li> -<p><code>-o</code>,<code>--outputDirectory <arg></code> The directory to output keystores, truststore, config files (default: <code>../bin</code>)</p> -</li> -<li> -<p><code>-O</code>,<code>--isOverwrite</code> Overwrite existing host output</p> -</li> -<li> -<p><code>-P</code>,<code>--trustStorePassword <arg></code> Keystore password to use. Must either be one value or one for each host (auto-generate if not specified)</p> -</li> -<li> -<p><code>-s</code>,<code>--signingAlgorithm <arg></code> Algorithm to use for signing certificates (default: <code>SHA256WITHRSA</code>)</p> -</li> -<li> -<p><code>-S</code>,<code>--keyStorePassword <arg></code> Keystore password to use. Must either be one value or one for each host (auto-generate if not specified)</p> -</li> -<li> -<p><code>--subjectAlternativeNames <arg></code> Comma-separated list of domains to use as Subject Alternative Names in the certificate</p> -</li> -<li> -<p><code>-T</code>,<code>--keyStoreType <arg></code> The type of keystores to generate (default: <code>jks</code>)</p> -</li> -</ul> -</div> -<div class="paragraph"> -<p>Hostname Patterns:</p> -</div> -<div class="ulist"> -<ul> -<li> -<p>Square brackets can be used in order to easily specify a range of hostnames. Example: <code>[01-20]</code></p> -</li> -<li> -<p>Parentheses can be used in order to specify that more than one NiFi instance will run on the given host(s). Example: <code>(5)</code></p> -</li> -</ul> -</div> -<div class="paragraph"> -<p>Examples:</p> -</div> -<div class="paragraph"> -<p>Create 4 sets of keystore, truststore, <em>nifi.properties</em> for localhost along with a client certificate with the given DN:</p> -</div> -<div class="listingblock"> -<div class="content"> -<pre>bin/tls-toolkit.sh standalone -n 'localhost(4)' -C 'CN=username,OU=NIFI'</pre> -</div> -</div> -<div class="paragraph"> -<p>Create keystore, truststore, <em>nifi.properties</em> for 10 NiFi hostnames in each of 4 subdomains:</p> -</div> -<div class="listingblock"> -<div class="content"> -<pre>bin/tls-toolkit.sh standalone -n 'nifi[01-10].subdomain[1-4].domain'</pre> -</div> -</div> -<div class="paragraph"> -<p>Create 2 sets of keystore, truststore, <em>nifi.properties</em> for 10 NiFi hostnames in each of 4 subdomains along with a client certificate with the given DN:</p> -</div> -<div class="listingblock"> -<div class="content"> -<pre>bin/tls-toolkit.sh standalone -n 'nifi[01-10].subdomain[1-4].domain(2)' -C 'CN=username,OU=NIFI'</pre> -</div> -</div> -</div> -<div class="sect3"> -<h4 id="client-server"><a class="anchor" href="administration-guide.html#client-server"></a>Client/Server</h4> -<div class="paragraph"> -<p>Client/Server mode relies on a long-running Certificate Authority (CA) to issue certificates. The CA can be stopped when youâre not bringing nodes online.</p> -</div> -<div class="sect4"> -<h5 id="server"><a class="anchor" href="administration-guide.html#server"></a>Server</h5> -<div class="paragraph"> -<p>The CA server is invoked by running <code>./bin/tls-toolkit.sh server -h</code> which prints the usage information along with descriptions of options that can be specified.</p> -</div> -<div class="paragraph"> -<p>You can use the following command line options with the <code>tls-toolkit</code> in server mode:</p> -</div> -<div class="ulist"> -<ul> -<li> -<p><code>-a</code>,<code>--keyAlgorithm <arg></code> Algorithm to use for generated keys (default: <code>RSA</code>)</p> -</li> -<li> -<p><code>--configJsonIn <arg></code> The place to read configuration info from (defaults to the value of configJson), implies useConfigJson if set (default: <code>configJson</code> value)</p> -</li> -<li> -<p><code>-d</code>,<code>--days <arg></code> Number of days issued certificate should be valid for (default: <code>1095</code>)</p> -</li> -<li> -<p><code>-D</code>,<code>--dn <arg></code> The dn to use for the CA certificate (default: <code>CN=YOUR_CA_HOSTNAME,OU=NIFI</code>)</p> -</li> -<li> -<p><code>-f</code>,<code>--configJson <arg></code> The place to write configuration info (default: <code>config.json</code>)</p> -</li> -<li> -<p><code>-F</code>,<code>--useConfigJson</code> Flag specifying that all configuration is read from <code>configJson</code> to facilitate automated use (otherwise <code>configJson</code> will only be written to)</p> -</li> -<li> -<p><code>-g</code>,<code>--differentKeyAndKeystorePasswords</code> Use different generated password for the key and the keystore</p> -</li> -<li> -<p><code>-h</code>,<code>--help</code> Print help and exit</p> -</li> -<li> -<p><code>-k</code>,<code>--keySize <arg></code> Number of bits for generated keys (default: <code>2048</code>)</p> -</li> -<li> -<p><code>-p</code>,<code>--PORT <arg></code> The port for the Certificate Authority to listen on (default: <code>8443</code>)</p> -</li> -<li> -<p><code>-s</code>,<code>--signingAlgorithm <arg></code> Algorithm to use for signing certificates (default: <code>SHA256WITHRSA</code>)</p> -</li> -<li> -<p><code>-T</code>,<code>--keyStoreType <arg></code> The type of keystores to generate (default: <code>jks</code>)</p> -</li> -<li> -<p><code>-t</code>,<code>--token <arg></code> The token to use to prevent MITM (required and must be same as one used by clients)</p> -</li> -</ul> -</div> -</div> -<div class="sect4"> -<h5 id="client"><a class="anchor" href="administration-guide.html#client"></a>Client</h5> -<div class="paragraph"> -<p>The client can be used to request new Certificates from the CA. The client utility generates a keypair and Certificate Signing Request (CSR) and sends the CSR to the Certificate Authority. The client is invoked by running <code>./bin/tls-toolkit.sh client -h</code> which prints the usage information along with descriptions of options that can be specified.</p> -</div> -<div class="paragraph"> -<p>You can use the following command line options with the <code>tls-toolkit</code> in client mode:</p> -</div> -<div class="ulist"> -<ul> -<li> -<p><code>-a</code>,<code>--keyAlgorithm <arg></code> Algorithm to use for generated keys (default: <code>RSA</code>)</p> -</li> -<li> -<p><code>-c</code>,<code>--certificateAuthorityHostname <arg></code> Hostname of NiFi Certificate Authority (default: <code>localhost</code>)</p> -</li> -<li> -<p><code>-C</code>,<code>--certificateDirectory <arg></code> The directory to write the CA certificate (default: <code>.</code>)</p> -</li> -<li> -<p><code>--configJsonIn <arg></code> The place to read configuration info from, implies <code>useConfigJson</code> if set (default: <code>configJson</code> value)</p> -</li> -<li> -<p><code>-D</code>,<code>--dn <arg></code> The DN to use for the client certificate (default: <code>CN=<localhost name>,OU=NIFI</code>) (this is auto-populated by the tool)</p> -</li> -<li> -<p><code>-f</code>,<code>--configJson <arg></code> The place to write configuration info (default: <code>config.json</code>)</p> -</li> -<li> -<p><code>-F</code>,<code>--useConfigJson</code> Flag specifying that all configuration is read from <code>configJson</code> to facilitate automated use (otherwise <code>configJson</code> will only be written to)</p> -</li> -<li> -<p><code>-g</code>,<code>--differentKeyAndKeystorePasswords</code> Use different generated password for the key and the keystore</p> -</li> -<li> -<p><code>-h</code>,<code>--help</code> Print help and exit</p> -</li> -<li> -<p><code>-k</code>,<code>--keySize <arg></code> Number of bits for generated keys (default: <code>2048</code>)</p> -</li> -<li> -<p><code>-p</code>,<code>--PORT <arg></code> The port to use to communicate with the Certificate Authority (default: <code>8443</code>)</p> -</li> -<li> -<p><code>--subjectAlternativeNames <arg></code> Comma-separated list of domains to use as Subject Alternative Names in the certificate</p> -</li> -<li> -<p><code>-T</code>,<code>--keyStoreType <arg></code> The type of keystores to generate (default: <code>jks</code>)</p> -</li> -<li> -<p><code>-t</code>,<code>--token <arg></code> The token to use to prevent MITM (required and must be same as one used by CA)</p> -</li> -</ul> -</div> -<div class="paragraph"> -<p>After running the client you will have the CAâs certificate, a keystore, a truststore, and a <code>config.json</code> with information about them as well as their passwords.</p> -</div> -<div class="paragraph"> -<p>For a client certificate that can be easily imported into the browser, specify: <code>-T PKCS12</code>.</p> -</div> -</div> -</div> -<div class="sect3"> -<h4 id="using-an-existing-intermediate-certificate-authority-ca"><a class="anchor" href="administration-guide.html#using-an-existing-intermediate-certificate-authority-ca"></a>Using An Existing Intermediate Certificate Authority (CA)</h4> -<div class="paragraph"> -<p>In some enterprise scenarios, a security/IT team may provide a signing certificate that has already been signed by the organization’s certificate authority (CA). This <strong>intermediate CA</strong> can be used to sign the <strong>node</strong> (sometimes referred to as <strong>leaf</strong>) certificates that will be installed on each NiFi node, or the <strong>client certificates</strong> used to identify users. In order to inject the existing signing certificate into the toolkit process, follow these steps:</p> -</div> -<div class="olist arabic"> -<ol class="arabic"> -<li> -<p>Generate or obtain the signed intermediate CA keys in the following format (see additional commands below):</p> -<div class="ulist"> -<ul> -<li> -<p>Public certificate in PEM format: <code>nifi-cert.pem</code></p> -</li> -<li> -<p>Private key in PEM format: <code>nifi-key.key</code></p> -</li> -</ul> -</div> -</li> -<li> -<p>Place the files in the <strong>toolkit working directory</strong>. This is the directory where the tool is configured to output the signed certificates. <strong>This is not necessarily the directory where the binary is located or invoked</strong>.</p> -<div class="ulist"> -<ul> -<li> -<p>For example, given the following scenario, the toolkit command can be run from its location as long as the output directory <code>-o</code> is <code>../hardcoded/</code>, and the existing <code>nifi-cert.pem</code> and <code>nifi-key.key</code> will be used.</p> -<div class="ulist"> -<ul> -<li> -<p>e.g. <code>$ ./toolkit/bin/tls-toolkit.sh standalone -o ./hardcoded/ -n 'node4.nifi.apache.org' -P thisIsABadPassword -S thisIsABadPassword -O</code> will result in a new directory at <code>./hardcoded/node4.nifi.apache.org</code> with a keystore and truststore containing a certificate signed by <code>./hardcoded/nifi-key.key</code></p> -</li> -</ul> -</div> -</li> -<li> -<p>If the <code>-o</code> argument is not provided, the default working directory (<code>.</code>) must contain <code>nifi-cert.pem</code> and <code>nifi-key.key</code></p> -<div class="ulist"> -<ul> -<li> -<p>e.g. <code>$ cd ./hardcoded/ && ../toolkit/bin/tls-toolkit.sh standalone -n 'node5.nifi.apache.org' -P thisIsABadPassword -S thisIsABadPassword -O</code></p> -</li> -</ul> -</div> -</li> -</ul> -</div> -</li> -</ol> -</div> -<div class="listingblock"> -<div class="content"> -<pre class="highlight"><code># Example directory structure *before* commands above are run - -ð 0s @ 18:07:58 $ tree -L 2 -. -âââ hardcoded -â  âââ CN=myusername.hardcoded_OU=NiFi.p12 -â  âââ CN=myusername.hardcoded_OU=NiFi.password -â  âââ nifi-cert.pem -â  âââ nifi-key.key -â  âââ node1.nifi.apache.org -â  âââ node2.nifi.apache.org -â  âââ node3.nifi.apache.org -âââ toolkit -   âââ LICENSE -   âââ NOTICE -   âââ README -   âââ bin -   âââ conf -   âââ docs -   âââ lib</code></pre> -</div> -</div> -<div class="sect4"> -<h5 id="additional-commands"><a class="anchor" href="administration-guide.html#additional-commands"></a>Additional Commands</h5> -<div class="paragraph"> -<p>The <code>nifi-cert.pem</code> and <code>nifi-key.key</code> files should be ASCII-armored (Base64-encoded ASCII) files containing the CA public certificate and private key respectively. Here are sample files of each to show the expected format:</p> -</div> -<div class="sect5"> -<h6 id="nifi-cert-pem"><a class="anchor" href="administration-guide.html#nifi-cert-pem"></a>nifi-cert.pem</h6> -<div class="listingblock"> -<div class="content"> -<pre class="highlight"><code># The first command shows the actual content of the encoded file, and the second parses it and shows the internal values - -.../certs $ more nifi-cert.pem ------BEGIN CERTIFICATE----- -MIIDZTCCAk2gAwIBAgIKAWTeM3kDAAAAADANBgkqhkiG9w0BAQsFADAxMQ0wCwYD -VQQLDAROSUZJMSAwHgYDVQQDDBduaWZpLWNhLm5pZmkuYXBhY2hlLm9yZzAeFw0x -ODA3MjgwMDA0MzJaFw0yMTA3MjcwMDA0MzJaMDExDTALBgNVBAsMBE5JRkkxIDAe -BgNVBAMMF25pZmktY2EubmlmaS5hcGFjaGUub3JnMIIBIjANBgkqhkiG9w0BAQEF -AAOCAQ8AMIIBCgKCAQEAqkVrrC+AkFbjnCpupSy84tTFDsRVUIWYj/k2pVwC145M -3bpr0pRCzLuzovAjFCmT5L+isTvNjhionsqif07Ebd/M2psYE/Rih2MULsX6KgRe -1nRUiBeKF08hlmSBMGDFPj39yDzE/V9edxV/KGjRqVgw/Qy0vwaS5uWdXnLDhzoV -4/Mz7lGmYoMasZ1uexlH93jjBl1+EFL2Xoa06oLbEojJ9TKaWhpG8ietEedf7WM0 -zqBEz2kHo9ddFk9yxiCkT4SUKnDWkhwc/o6us1vEXoSw+tmufHY/A3gVihjWPIGz -qyLFl9JuN7CyJepkVVqTdskBG7S85G/kBlizUj5jOwIDAQABo38wfTAOBgNVHQ8B -Af8EBAMCAf4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUKiWBKbMMQ1zUabD4gI7L -VOWOcy0wHwYDVR0jBBgwFoAUKiWBKbMMQ1zUabD4gI7LVOWOcy0wHQYDVR0lBBYw -FAYIKwYBBQUHAwIGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IBAQAxfHFIZLOw -mwIqnSI/ir8f/uzDMq06APHGdhdeIKV0HR74BtK95KFg42zeXxAEFeic98PC/FPV -tKpm2WUa1slMB+oP27cRx5Znr2+pktaqnM7f2JgMeJ8bduNH3RUkr9jwgkcJRwyC -I4fwHC9k18aizNdOf2q2UgQXxNXaLYPe17deuNVwwrflMgeFfVrwbT2uPJTMRi1D -FQyc6haF4vsOSSRzE6OyDoc+/1PpyPW75OeSXeVCbc3AEAvRuTZMBQvBQUqVM51e -MDG+K3rCeieSBPOnGNrEC/PiA/CvaMXBEog+xPAw1SgYfuCz4rlM3BdRa54z3+oO -lc8xbzd7w8Q3 ------END CERTIFICATE----- -.../certs $ openssl x509 -in nifi-cert.pem -text -noout -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - 01:64:de:33:79:03:00:00:00:00 - Signature Algorithm: sha256WithRSAEncryption - Issuer: OU=NIFI, CN=nifi-ca.nifi.apache.org - Validity - Not Before: Jul 28 00:04:32 2018 GMT - Not After : Jul 27 00:04:32 2021 GMT - Subject: OU=NIFI, CN=nifi-ca.nifi.apache.org - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (2048 bit) - Modulus: - 00:aa:45:6b:ac:2f:80:90:56:e3:9c:2a:6e:a5:2c: - bc:e2:d4:c5:0e:c4:55:50:85:98:8f:f9:36:a5:5c: - 02:d7:8e:4c:dd:ba:6b:d2:94:42:cc:bb:b3:a2:f0: - 23:14:29:93:e4:bf:a2:b1:3b:cd:8e:18:a8:9e:ca: - a2:7f:4e:c4:6d:df:cc:da:9b:18:13:f4:62:87:63: - 14:2e:c5:fa:2a:04:5e:d6:74:54:88:17:8a:17:4f: - 21:96:64:81:30:60:c5:3e:3d:fd:c8:3c:c4:fd:5f: - 5e:77:15:7f:28:68:d1:a9:58:30:fd:0c:b4:bf:06: - 92:e6:e5:9d:5e:72:c3:87:3a:15:e3:f3:33:ee:51: - a6:62:83:1a:b1:9d:6e:7b:19:47:f7:78:e3:06:5d: - 7e:10:52:f6:5e:86:b4:ea:82:db:12:88:c9:f5:32: - 9a:5a:1a:46:f2:27:ad:11:e7:5f:ed:63:34:ce:a0: - 44:cf:69:07:a3:d7:5d:16:4f:72:c6:20:a4:4f:84: - 94:2a:70:d6:92:1c:1c:fe:8e:ae:b3:5b:c4:5e:84: - b0:fa:d9:ae:7c:76:3f:03:78:15:8a:18:d6:3c:81: - b3:ab:22:c5:97:d2:6e:37:b0:b2:25:ea:64:55:5a: - 93:76:c9:01:1b:b4:bc:e4:6f:e4:06:58:b3:52:3e: - 63:3b - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Key Usage: critical - Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign - X509v3 Basic Constraints: - CA:TRUE - X509v3 Subject Key Identifier: - 2A:25:81:29:B3:0C:43:5C:D4:69:B0:F8:80:8E:CB:54:E5:8E:73:2D - X509v3 Authority Key Identifier: - keyid:2A:25:81:29:B3:0C:43:5C:D4:69:B0:F8:80:8E:CB:54:E5:8E:73:2D - - X509v3 Extended Key Usage: - TLS Web Client Authentication, TLS Web Server Authentication - Signature Algorithm: sha256WithRSAEncryption - 31:7c:71:48:64:b3:b0:9b:02:2a:9d:22:3f:8a:bf:1f:fe:ec: - c3:32:ad:3a:00:f1:c6:76:17:5e:20:a5:74:1d:1e:f8:06:d2: - bd:e4:a1:60:e3:6c:de:5f:10:04:15:e8:9c:f7:c3:c2:fc:53: - d5:b4:aa:66:d9:65:1a:d6:c9:4c:07:ea:0f:db:b7:11:c7:96: - 67:af:6f:a9:92:d6:aa:9c:ce:df:d8:98:0c:78:9f:1b:76:e3: - 47:dd:15:24:af:d8:f0:82:47:09:47:0c:82:23:87:f0:1c:2f: - 64:d7:c6:a2:cc:d7:4e:7f:6a:b6:52:04:17:c4:d5:da:2d:83: - de:d7:b7:5e:b8:d5:70:c2:b7:e5:32:07:85:7d:5a:f0:6d:3d: - ae:3c:94:cc:46:2d:43:15:0c:9c:ea:16:85:e2:fb:0e:49:24: - 73:13:a3:b2:0e:87:3e:ff:53:e9:c8:f5:bb:e4:e7:92:5d:e5: - 42:6d:cd:c0:10:0b:d1:b9:36:4c:05:0b:c1:41:4a:95:33:9d: - 5e:30:31:be:2b:7a:c2:7a:27:92:04:f3:a7:18:da:c4:0b:f3: - e2:03:f0:af:68:c5:c1:12:88:3e:c4:f0:30:d5:28:18:7e:e0: - b3:e2:b9:4c:dc:17:51:6b:9e:33:df:ea:0e:95:cf:31:6f:37: - 7b:c3:c4:37</code></pre> -</div> -</div> -</div> -<div class="sect5"> -<h6 id="nifi-key-key"><a class="anchor" href="administration-guide.html#nifi-key-key"></a>nifi-key.key</h6> -<div class="listingblock"> -<div class="content"> -<pre class="highlight"><code># The first command shows the actual content of the encoded file, and the second parses it and shows the internal values - -.../certs $ more nifi-key.key ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAqkVrrC+AkFbjnCpupSy84tTFDsRVUIWYj/k2pVwC145M3bpr -0pRCzLuzovAjFCmT5L+isTvNjhionsqif07Ebd/M2psYE/Rih2MULsX6KgRe1nRU -iBeKF08hlmSBMGDFPj39yDzE/V9edxV/KGjRqVgw/Qy0vwaS5uWdXnLDhzoV4/Mz -7lGmYoMasZ1uexlH93jjBl1+EFL2Xoa06oLbEojJ9TKaWhpG8ietEedf7WM0zqBE -z2kHo9ddFk9yxiCkT4SUKnDWkhwc/o6us1vEXoSw+tmufHY/A3gVihjWPIGzqyLF -l9JuN7CyJepkVVqTdskBG7S85G/kBlizUj5jOwIDAQABAoIBAAdWRnV89oVBuT0Z -dvsXGmyLzpH8U9DMcO6DRp+Jf3XaY+WKCutgCCDaVbtHrbtIr17EAzav5QOifGGb -SbVCp6Q0aJdi5360oSpEUrJRRZ5Z4dxL1vimSwUGG+RnIEn9YYJ1GWJve+2PFnr7 -KieLnL03V6UPzxoMJnhcnJNdTp+dBwzSazVQwye2csSJlVMk49t2lxBwce7ohuh+ -9fL7G3HU5S9d08QT1brknMHahcw1SYyJd0KSjRJCB6wAxnAZmJYJ1jQCI8YICq0j -RX2rhxEXuEMXQcaiFQXzCrmQEXreKUISDvNeu/h7YU9UvJWPZSFGnEGgnMP2XvQm -EjK3rQECgYEA5+OkpLsiLNMHGzj72PiBkq82sTLQJ2+8udYp6PheOGkhjjXoBse5 -YynyHlQt6CnVpJQ33mQUkJ+3ils0SMFtmI3rz3udzleek1so2L2J3+CI4kt7fFCb -FFbVXv+dLNrm+tOw68J48asyad8kEnHYq9Us+/3MLDmFJYTthkgzCpECgYEAu/ml -lQaWaZAQcQ8UuVeasxMYoN8zMmzfrkxc8AfNwKxF9nc44ywo4nJr+u/UVRGYpRgM -rdll5vz0Iq68qk03spaW7vDJn8hJQhkReQw1it9Fp/51r9MHzGTVarORJGa2oZ0g -iNe8LNizD3bQ19hEvju9mn0x9Q62Q7dapVpffwsCgYEAtC1TPpQQ59dIjERom5vr -wffWfTTIO/w8HgFkKxrgyuAVLJSCJtKFH6H1+M7bpKrsz6ZDCs+kkwMm76ASLf3t -lD2h3mNkqHG4SzLnuBD90jB666pO1rci6FjYDap7i+DC3F4j9+vxYYXt9Aln09UV -z94hx+LaA/rlk9OHY3EyB6ECgYBA/cCtNNjeaKv2mxM8PbjD/289d85YueHgfpCH -gPs3iZiq7W+iw8ri+FKzMSaFvw66zgTcOtULtxulviqG6ym9umk29dOQRgxmKQqs -gnckq6uGuOjxwJHqrlZHjQw6vLSaThxIk+aAzu+iAh+U8TZbW4ZjmrOiGdMUuJlD -oGpyHwKBgQCRjfqQjRelYVtU7j6BD9BDbCfmipwaRNP0CuAGOVtS+UnJuaIhsXFQ -QGEBuOnfFijIvb7YcXRL4plRYPMvDqYRNObuI6A+1xNtr000nxa/HUfzKVeI9Tsn -9AKMWnXS8ZcfStsVf3oDFffXYRqCaWeuhpMmg9TwdXoAuwfpE5GCmw== ------END RSA PRIVATE KEY----- -.../certs $ openssl rsa -in nifi-key.key -text -noout -Private-Key: (2048 bit) -modulus: - 00:aa:45:6b:ac:2f:80:90:56:e3:9c:2a:6e:a5:2c: - bc:e2:d4:c5:0e:c4:55:50:85:98:8f:f9:36:a5:5c: - 02:d7:8e:4c:dd:ba:6b:d2:94:42:cc:bb:b3:a2:f0: - 23:14:29:93:e4:bf:a2:b1:3b:cd:8e:18:a8:9e:ca: - a2:7f:4e:c4:6d:df:cc:da:9b:18:13:f4:62:87:63: - 14:2e:c5:fa:2a:04:5e:d6:74:54:88:17:8a:17:4f: - 21:96:64:81:30:60:c5:3e:3d:fd:c8:3c:c4:fd:5f: - 5e:77:15:7f:28:68:d1:a9:58:30:fd:0c:b4:bf:06: - 92:e6:e5:9d:5e:72:c3:87:3a:15:e3:f3:33:ee:51: - a6:62:83:1a:b1:9d:6e:7b:19:47:f7:78:e3:06:5d: - 7e:10:52:f6:5e:86:b4:ea:82:db:12:88:c9:f5:32: - 9a:5a:1a:46:f2:27:ad:11:e7:5f:ed:63:34:ce:a0: - 44:cf:69:07:a3:d7:5d:16:4f:72:c6:20:a4:4f:84: - 94:2a:70:d6:92:1c:1c:fe:8e:ae:b3:5b:c4:5e:84: - b0:fa:d9:ae:7c:76:3f:03:78:15:8a:18:d6:3c:81: - b3:ab:22:c5:97:d2:6e:37:b0:b2:25:ea:64:55:5a: - 93:76:c9:01:1b:b4:bc:e4:6f:e4:06:58:b3:52:3e: - 63:3b -publicExponent: 65537 (0x10001) -privateExponent: - 07:56:46:75:7c:f6:85:41:b9:3d:19:76:fb:17:1a: - 6c:8b:ce:91:fc:53:d0:cc:70:ee:83:46:9f:89:7f: - 75:da:63:e5:8a:0a:eb:60:08:20:da:55:bb:47:ad: - bb:48:af:5e:c4:03:36:af:e5:03:a2:7c:61:9b:49: - b5:42:a7:a4:34:68:97:62:e7:7e:b4:a1:2a:44:52: - b2:51:45:9e:59:e1:dc:4b:d6:f8:a6:4b:05:06:1b: - e4:67:20:49:fd:61:82:75:19:62:6f:7b:ed:8f:16: - 7a:fb:2a:27:8b:9c:bd:37:57:a5:0f:cf:1a:0c:26: - 78:5c:9c:93:5d:4e:9f:9d:07:0c:d2:6b:35:50:c3: - 27:b6:72:c4:89:95:53:24:e3:db:76:97:10:70:71: - ee:e8:86:e8:7e:f5:f2:fb:1b:71:d4:e5:2f:5d:d3: - c4:13:d5:ba:e4:9c:c1:da:85:cc:35:49:8c:89:77: - 42:92:8d:12:42:07:ac:00:c6:70:19:98:96:09:d6: - 34:02:23:c6:08:0a:ad:23:45:7d:ab:87:11:17:b8: - 43:17:41:c6:a2:15:05:f3:0a:b9:90:11:7a:de:29: - 42:12:0e:f3:5e:bb:f8:7b:61:4f:54:bc:95:8f:65: - 21:46:9c:41:a0:9c:c3:f6:5e:f4:26:12:32:b7:ad: - 01 -prime1: - 00:e7:e3:a4:a4:bb:22:2c:d3:07:1b:38:fb:d8:f8: - 81:92:af:36:b1:32:d0:27:6f:bc:b9:d6:29:e8:f8: - 5e:38:69:21:8e:35:e8:06:c7:b9:63:29:f2:1e:54: - 2d:e8:29:d5:a4:94:37:de:64:14:90:9f:b7:8a:5b: - 34:48:c1:6d:98:8d:eb:cf:7b:9d:ce:57:9e:93:5b: - 28:d8:bd:89:df:e0:88:e2:4b:7b:7c:50:9b:14:56: - d5:5e:ff:9d:2c:da:e6:fa:d3:b0:eb:c2:78:f1:ab: - 32:69:df:24:12:71:d8:ab:d5:2c:fb:fd:cc:2c:39: - 85:25:84:ed:86:48:33:0a:91 -prime2: - 00:bb:f9:a5:95:06:96:69:90:10:71:0f:14:b9:57: - 9a:b3:13:18:a0:df:33:32:6c:df:ae:4c:5c:f0:07: - cd:c0:ac:45:f6:77:38:e3:2c:28:e2:72:6b:fa:ef: - d4:55:11:98:a5:18:0c:ad:d9:65:e6:fc:f4:22:ae: - bc:aa:4d:37:b2:96:96:ee:f0:c9:9f:c8:49:42:19: - 11:79:0c:35:8a:df:45:a7:fe:75:af:d3:07:cc:64: - d5:6a:b3:91:24:66:b6:a1:9d:20:88:d7:bc:2c:d8: - b3:0f:76:d0:d7:d8:44:be:3b:bd:9a:7d:31:f5:0e: - b6:43:b7:5a:a5:5a:5f:7f:0b -exponent1: - 00:b4:2d:53:3e:94:10:e7:d7:48:8c:44:68:9b:9b: - eb:c1:f7:d6:7d:34:c8:3b:fc:3c:1e:01:64:2b:1a: - e0:ca:e0:15:2c:94:82:26:d2:85:1f:a1:f5:f8:ce: - db:a4:aa:ec:cf:a6:43:0a:cf:a4:93:03:26:ef:a0: - 12:2d:fd:ed:94:3d:a1:de:63:64:a8:71:b8:4b:32: - e7:b8:10:fd:d2:30:7a:eb:aa:4e:d6:b7:22:e8:58: - d8:0d:aa:7b:8b:e0:c2:dc:5e:23:f7:eb:f1:61:85: - ed:f4:09:67:d3:d5:15:cf:de:21:c7:e2:da:03:fa: - e5:93:d3:87:63:71:32:07:a1 -exponent2: - 40:fd:c0:ad:34:d8:de:68:ab:f6:9b:13:3c:3d:b8: - c3:ff:6f:3d:77:ce:58:b9:e1:e0:7e:90:87:80:fb: - 37:89:98:aa:ed:6f:a2:c3:ca:e2:f8:52:b3:31:26: - 85:bf:0e:ba:ce:04:dc:3a:d5:0b:b7:1b:a5:be:2a: - 86:eb:29:bd:ba:69:36:f5:d3:90:46:0c:66:29:0a: - ac:82:77:24:ab:ab:86:b8:e8:f1:c0:91:ea:ae:56: - 47:8d:0c:3a:bc:b4:9a:4e:1c:48:93:e6:80:ce:ef: - a2:02:1f:94:f1:36:5b:5b:86:63:9a:b3:a2:19:d3: - 14:b8:99:43:a0:6a:72:1f -coefficient: - 00:91:8d:fa:90:8d:17:a5:61:5b:54:ee:3e:81:0f: - d0:43:6c:27:e6:8a:9c:1a:44:d3:f4:0a:e0:06:39: - 5b:52:f9:49:c9:b9:a2:21:b1:71:50:40:61:01:b8: - e9:df:16:28:c8:bd:be:d8:71:74:4b:e2:99:51:60: - f3:2f:0e:a6:11:34:e6:ee:23:a0:3e:d7:13:6d:af: - 4d:34:9f:16:bf:1d:47:f3:29:57:88:f5:3b:27:f4: - 02:8c:5a:75:d2:f1:97:1f:4a:db:15:7f:7a:03:15: - f7:d7:61:1a:82:69:67:ae:86:93:26:83:d4:f0:75: - 7a:00:bb:07:e9:13:91:82:9b</code></pre> -</div> -</div> -<div class="olist arabic"> -<ol class="arabic"> -<li> -<p>To convert from DER encoded public certificate (<code>cert.der</code>) to PEM encoded (<code>cert.pem</code>):</p> -<div class="ulist"> -<ul> -<li> -<p>If the DER file contains both the public certificate and private key, remove the private key with this command:</p> -<div class="ulist"> -<ul> -<li> -<p><code>perl -pe 'BEGIN{undef $/;} s|-----BEGIN PRIVATE KEY-----.*?-----END PRIVATE KEY-----|Removed private key|gs' cert.der > cert.pem</code></p> -</li> -</ul> -</div> -</li> -<li> -<p>If the DER file only contains the public certificate, use this command:</p> -<div class="ulist"> -<ul> -<li> -<p><code>openssl x509 -inform der -in cert.der -out cert.pem</code></p> -</li> -</ul> -</div> -</li> -</ul> -</div> -</li> -<li> -<p>To convert from a PKCS12 keystore (<code>keystore.p12</code>) containing both the public certificate and private key into PEM encoded files (<code>$PASSWORD</code> is the keystore password):</p> -<div class="ulist"> -<ul> -<li> -<p><code>openssl pkcs12 -in keystore.p12 -out cert.der -nodes -password "pass:$PASSWORD"</code></p> -</li> -<li> -<p><code>openssl pkcs12 -in keystore.p12 -nodes -nocerts -out key.key -password "pass:$PASSWORD"</code></p> -</li> -<li> -<p>Follow the steps above to convert <code>cert.der</code> to <code>cert.pem</code></p> -</li> -</ul> -</div> -</li> -<li> -<p>To convert from a Java Keystore (<code>keystore.jks</code>) containing private key into PEM encoded files (<code>$P12_PASSWORD</code> is the PKCS12 keystore password, <code>$JKS_PASSWORD</code> is the Java keystore password you want to set, and <code>$ALIAS</code> can be any value — the NiFi default is <code>nifi-key</code>):</p> -<div class="ulist"> -<ul> -<li> -<p><code>keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -srcstoretype JKS -deststoretype PKCS12 -destkeypass "$P12_PASSWORD" -deststorepass "$P12_PASSWORD" -srcstorepass "$JKS_PASSWORD" -srcalias "$ALIAS" -destalias "$ALIAS"</code></p> -</li> -<li> -<p>Follow the steps above to convert from <code>keystore.p12</code> to <code>cert.pem</code> and <code>key.key</code></p> -</li> -</ul> -</div> -</li> -<li> -<p>To convert from PKCS #8 PEM format to PKCS #1 PEM format:</p> -<div class="ulist"> -<ul> -<li> -<p>If the private key is provided in PKCS #8 format (the file begins with <code>-----BEGIN PRIVATE KEY-----</code> rather than <code>-----BEGIN RSA PRIVATE KEY-----</code>), the following command will convert it to PKCS #1 format, move the original to <code>nifi-key-pkcs8.key</code>, and rename the PKCS #1 version as <code>nifi-key.key</code>:</p> -<div class="ulist"> -<ul> -<li> -<p><code>openssl rsa -in nifi-key.key -out nifi-key-pkcs1.key && mv nifi-key.key nifi-key-pkcs8.key && mv nifi-key-pkcs1.key nifi-key.key</code></p> -</li> -</ul> -</div> -</li> -</ul> -</div> -</li> -<li> -<p>To combine a private key in PEM format (<code>private.key</code>) and public certificate in PEM format (<code>certificate.pem</code>) into PKCS12 keystore:</p> -<div class="ulist"> -<ul> -<li> -<p>The following command will create the PKCS12 keystore (<code>keystore.p12</code>) from the two independent files. A Java keystore (JKS) cannot be formed directly from the PEM files:</p> -<div class="ulist"> -<ul> -<li> -<p><code>openssl pkcs12 -export -out keystore.p12 -inkey private.key -in certificate.pem</code></p> -</li> -</ul> -</div> -</li> -</ul> -</div> -</li> -<li> -<p>To convert a PKCS12 keystore (<code>keystore.p12</code>) to JKS keystore (<code>keystore.jks</code>):</p> -<div class="ulist"> -<ul> -<li> -<p>The following command will create the JKS keystore (<code>keystore.jks</code>). The <code>-destalias</code> flag is optional, as NiFi does not currently read from a specific alias in the keystore. The user will be prompted for a keystore password, which must be set and have minimum 8 characters, and a key password, which can be the same as the keystore password or different:</p> -<div class="ulist"> -<ul> -<li> -<p><code>keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore.jks --deststoretype jks -destalias nifi-key</code></p> -</li> -</ul> -</div> -</li> -</ul> -</div> -</li> -</ol> -</div> -</div> -</div> -<div class="sect4"> -<h5 id="signing-with-externally-signed-ca-certificates"><a class="anchor" href="administration-guide.html#signing-with-externally-signed-ca-certificates"></a>Signing with Externally-signed CA Certificates</h5> -<div class="paragraph"> -<p>To sign generated certificates with a certificate authority (CA) generated outside of the TLS Toolkit, ensure the necessary files are in the right format and location (see above). For example, an organization <strong>Large Organization</strong> has an internal CA (<code>CN=ca.large.org, OU=Certificate Authority</code>). This <strong>root CA</strong> is offline and only used to sign other internal CAs. The Large IT team generates an <strong>intermediate CA</strong> (<code>CN=nifi_ca.large.org, OU=NiFi, OU=Certificate Authority</code>) to be used to sign all NiFi node certificates (<code>CN=node1.nifi.large.org, OU=NiFi</code>, <code>CN=node2.nifi.large.org, OU=NiFi</code>, etc.).</p> -</div> -<div class="paragraph"> -<p>To use the toolkit to generate these certificates and sign them using the <strong>intermediate CA</strong>, ensure that the following files are present (see <a href="administration-guide.html#additional-commands">Additional Commands</a> above):</p> -</div> -<div class="ulist"> -<ul> -<li> -<p><code>nifi-cert.pem</code> — the public certificate of the <strong>intermediate CA</strong> in PEM format</p> -</li> -<li> -<p><code>nifi-key.key</code> — the Base64-encoded private key of the <strong>intermediate CA</strong> in PKCS #1 PEM format</p> -</li> -</ul> -</div> -<div class="paragraph"> -<p>If the <strong>intermediate CA</strong> was the <strong>root CA</strong>, it would be <strong>self-signed</strong> — the signature over the certificate would be issued from the same key. In that case (the same as a toolkit-generated CA), no additional arguments are necessary. However, because the <strong>intermediate CA</strong> is signed by the <strong>root CA</strong>, the public certificate of the <strong>root CA</strong> needs to be provided as well to validate the signature. The <code>--additionalCACertificate</code> parameter is used to specify the path to the signing public certificate. The value should be the absolute path to the <strong>root CA</strong> public certificate.</p> -</div> -<div class="paragraph"> -<p>Example:</p> -</div> -<div class="listingblock"> -<div class="content"> -<pre class="highlight"><code># Generate cert signed by intermediate CA (which is signed by root CA) -- WILL FAIL - -$ ./bin/tls-toolkit.sh standalone -n 'node1.nifi.apache.org' \ --P passwordpassword \ --S passwordpassword \ --o /opt/certs/externalCA \ --O - -2018/08/02 18:48:11 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: No nifiPropertiesFile specified, using embedded one. -2018/08/02 18:48:12 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running standalone certificate generation with output directory /opt/certs/externalCA -2018/08/02 18:48:12 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Verifying the certificate signature for CN=nifi_ca.large.org, OU=Certificate Authority -2018/08/02 18:48:12 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Attempting to verify certificate CN=nifi_ca.large.org, OU=NiFi, OU=Certificate Authority signature with CN=nifi_ca.large.org, OU=NiFi, OU=Certificate Authority -2018/08/02 18:48:12 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Certificate CN=nifi_ca.large.org, OU=NiFi, OU=Certificate Authority not signed by CN=nifi_ca.large.org, OU=NiFi, OU=Certificate Authority [certificate does not verify with supplied key] -Error generating TLS configuration. (The signing certificate was not signed by any known certificates) - -# Provide additional CA certificate path for signature verification of intermediate CA - -$ ./bin/tls-toolkit.sh standalone -n 'node1.nifi.apache.org' \ --P passwordpassword \ --S passwordpassword \ --o /opt/certs/externalCA \ ---additionalCACertificate /opt/certs/externalCA/root.pem \ --O - -2018/08/02 18:48:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: No nifiPropertiesFile specified, using embedded one. -2018/08/02 18:48:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running standalone certificate generation with output directory /opt/certs/externalCA -2018/08/02 18:48:44 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Verifying the certificate signature for CN=nifi_ca.large.org, OU=NiFi, OU=Certificate Authority -2018/08/02 18:48:44 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Attempting to verify certificate CN=nifi_ca.large.org, OU=NiFi, OU=Certificate Authority signature with CN=ca.large.org, OU=Certificate Authority -2018/08/02 18:48:44 INFO [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Certificate was signed by CN=ca.large.org, OU=Certificate Authority -2018/08/02 18:48:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using existing CA certificate /opt/certs/externalCA/nifi-cert.pem and key /opt/certs/externalCA/nifi-key.key -2018/08/02 18:48:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Writing new ssl configuration to /opt/certs/externalCA/node1.nifi.apache.org -2018/08/02 18:48:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated TLS configuration for node1.nifi.apache.org 1 in /opt/certs/externalCA/node1.nifi.apache.org -2018/08/02 18:48:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: No clientCertDn specified, not generating any client certificates. -2018/08/02 18:48:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit standalone completed successfully</code></pre> -</div> -</div> -</div> -</div> -</div> -</div> -</div> -<div class="sect1"> -<h2 id="user_authentication"><a class="anchor" href="administration-guide.html#user_authentication"></a>User Authentication</h2> -<div class="sectionbody"> -<div class="paragraph"> -<p>NiFi supports user authentication via client certificates, via username/password, via Apache Knox, or via <a href="http://openid.net/connect"; target="_blank">OpenId Connect</a>.</p> -</div> -<div class="paragraph"> -<p>Username/password authentication is performed by a 'Login Identity Provider'. The Login Identity Provider is a pluggable mechanism for -authenticating users via their username/password. Which Login Identity Provider to use is configured in the <em>nifi.properties</em> file. -Currently NiFi offers username/password with Login Identity Providers options for <a href="administration-guide.html#ldap_login_identity_provider">Lightweight Directory Access Protocol (LDAP)</a> and <a href="administration-guide.html#kerberos_login_identity_provider">Kerberos</a>.</p> -</div> -<div class="paragraph"> -<p>The <code>nifi.login.identity.provider.configuration.file</code> property specifies the configuration file for Login Identity Providers. By default, this property is set to <code>./conf/login-identity-providers.xml</code>.</p> -</div> -<div class="paragraph"> -<p>The <code>nifi.security.user.login.identity.provider</code> property indicates which of the configured Login Identity Provider should be -used. By default, this property is not configured meaning that username/password must be explicitly enabled.</p> -</div> -<div class="paragraph"> -<p>During OpenId Connect authentication, NiFi will redirect users to login with the Provider before returning to NiFi. NiFi will then -call the Provider to obtain the user identity.</p> -</div> -<div class="paragraph"> -<p>During Apache Knox authentication, NiFi will redirect users to login with Apache Knox before returning to NiFi. NiFi will verify the Apache Knox -token during authentication.</p> -</div> -<div class="admonitionblock note"> -<table> -<tr> -<td class="icon"> -<i class="fa icon-note" title="Note"></i> -</td> -<td class="content"> -NiFi can only be configured for username/password, OpenId Connect, or Apache Knox at a given time. It does not support running each of -these concurrently. NiFi will require client certificates for authenticating users over HTTPS if none of these are configured. -</td> -</tr> -</table> -</div> -<div class="paragraph"> -<p>A secured instance of NiFi cannot be accessed anonymously unless configured to use an <a href="administration-guide.html#ldap_login_identity_provider">Lightweight Directory Access Protocol (LDAP)</a> or <a href="administration-guide.html#kerberos_login_identity_provider">Kerberos</a> Login Identity Provider, which in turn must be configured to explicitly allow anonymous access. Anonymous access is not currently possible by the default FileAuthorizer (see <a href="administration-guide.html#authorizer-configuration">Authorizer Configuration</a>), but is a future effort (<a href="https://issues.apache.org/jira/browse/NIFI-2730"; target="_blank">NIFI-2730</a>).</p> -</div> -<div class="admonitionblock note"> -<table> -<tr> -<td class="icon"> -<i class="fa icon-note" title="Note"></i> -</td> -<td class="content"> -NiFi does not perform user authentication over HTTP. Using HTTP, all users will be granted all roles. -</td> -</tr> -</table> -</div> -<div class="sect2"> -<h3 id="ldap_login_identity_provider"><a class="anchor" href="administration-guide.html#ldap_login_identity_provider"></a>Lightweight Directory Access Protocol (LDAP)</h3> -<div class="paragraph"> -<p>Below is an example and description of configuring a Login Identity Provider that integrates with a Directory Server to authenticate users.</p> -</div> -<div class="paragraph"> -<p>Set the following in <em>nifi.properties</em> to enable LDAP username/password authentication:</p> -</div> -<div class="listingblock"> -<div class="content"> -<pre>nifi.security.user.login.identity.provider=ldap-provider</pre> -</div> -</div> -<div class="paragraph"> -<p>Modify <em>login-identity-providers.xml</em> to enable the <code>ldap-provider</code>. Here is the sample provided in the file:</p> -</div> -<div class="listingblock"> -<div class="content"> -<pre><provider> - <identifier>ldap-provider</identifier> - <class>org.apache.nifi.ldap.LdapProvider</class> - <property name="Authentication Strategy">START_TLS</property> - - <property name="Manager DN"></property> - <property name="Manager Password"></property> - - <property name="TLS - Keystore"></property> - <property name="TLS - Keystore Password"></property> - <property name="TLS - Keystore Type"></property> - <property name="TLS - Truststore"></property> - <property name="TLS - Truststore Password"></property> - <property name="TLS - Truststore Type"></property> - <property name="TLS - Client Auth"></property> - <property name="TLS - Protocol"></property> - <property name="TLS - Shutdown Gracefully"></property> - - <property name="Referral Strategy">FOLLOW</property> - <property name="Connect Timeout">10 secs</property> - <property name="Read Timeout">10 secs</property> - - <property name="Url"></property> - <property name="User Search Base"></property> - <property name="User Search Filter"></property> - - <property name="Identity Strategy">USE_DN</property> - <property name="Authentication Expiration">12 hours</property> -</provider></pre> -</div> -</div> -<div class="paragraph"> -<p>The <code>ldap-provider</code> has the following properties:</p> -</div> -<table class="tableblock frame-all grid-all spread"> -<colgroup> -<col style="width: 50%;"> -<col style="width: 50%;"> -</colgroup> -<thead> -<tr> -<th class="tableblock halign-left valign-top">Property Name</th> -<th class="tableblock halign-left valign-top">Description</th> -</tr> -</thead> -<tfoot> -<tr> -<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Authentication Expiration</code></p></td> -<td class="tableblock halign-left valign-top"><p class="tableblock">The duration of how long the user authentication is valid for. If the user never logs out, they will be required to log back in following this duration.</p></td> -</tr> -</tfoot> -<tbody> -<tr> -<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Authentication Strategy</code></p></td> -<td class="tableblock halign-left valign-top"><p class="tableblock">How the connection to the LDAP server is authenticated. Possible values are <code>ANONYMOUS</code>, <code>SIMPLE</code>, <code>LDAPS</code>, or <code>START_TLS</code>.</p></td> -</tr> -<tr> -<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Manager DN</code></p></td> -<td class="tableblock halign-left valign-top"><p class="tableblock">The DN of the manager that is used to bind to the LDAP server to search for users.</p></td> -</tr> -<tr> -<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Manager Password</code></p></td> -<td class="tableblock halign-left valign-top"><p class="tableblock">The password of the manager that is used to bind to the LDAP server to search for users.</p></td> -</tr> -<tr> -<td class="tableblock halign-left valign-top"><p class="tableblock"><code>TLS - Keystore</code></p></td> -<td class="tableblock halign-left valign-top"><p class="tableblock">Path to the Keystore that is used when connecting to LDAP using LDAPS or START_TLS.</p></td> -</tr> -<tr> -<td class="tableblock halign-left valign-top"><p class="tableblock"><code>TLS - Keystore Password</code></p></td> -<td class="tableblock halign-left valign-top"><p class="tableblock">Password for the Keystore that is used when connecting to LDAP using LDAPS or START_TLS.</p></td> -</tr> -<tr> -<td class="tableblock halign-left valign-top"><p class="tableblock"><code>TLS - Keystore Type</code></p></td> -<td class="tableblock halign-left valign-top"><p class="tableblock">Type of the Keystore that is used when connecting to LDAP using LDAPS or START_TLS (i.e. <code>JKS</code> or <code>PKCS12</code>).</p></td> -</tr> -<tr> -<td class="tableblock halign-left valign-top"><p class="tableblock"><code>TLS - Truststore</code></p></td> -<td class="tableblock halign-left valign-top"><p class="tableblock">Path to the Truststore that is used when connecting to LDAP using LDAPS or START_TLS.</p></td> -</tr> -<tr> -<td class="tableblock halign-left valign-top"><p class="tableblock"><code>TLS - Truststore Password</code></p></td> -<td class="tableblock halign-left valign-top"><p class="tableblock">Password for the Truststore that is used when connecting to LDAP using LDAPS or START_TLS.</p></td> -</tr> -<tr> -<td class="tableblock halign-left valign-top"><p class="tableblock"><code>TLS - Truststore Type</code></p></td> -<td class="tableblock halign-left valign-top"><p class="tableblock">Type of the Truststore that is used when connecting to LDAP using LDAPS or START_TLS (i.e. <code>JKS</code> or <code>PKCS12</code>).</p></td> -</tr> -<tr> -<td class="tableblock halign-left valign-top"><p class="tableblock"><code>TLS - Client Auth</code></p></td> -<td class="tableblock halign-left valign-top"><p class="tableblock">Client authentication policy when connecting to LDAP using LDAPS or START_TLS. Possible values are <code>REQUIRED</code>, <code>WANT</code>, <code>NONE</code>.</p></td> -</tr> -<tr> -<td class="tableblock halign-left valign-top"><p class="tableblock"><code>TLS - Protocol</code></p></td> -<td class="tableblock halign-left valign-top"><p class="tableblock">Protocol to use when connecting to LDAP using LDAPS or START_TLS. (i.e. <code>TLS</code>, <code>TLSv1.1</code>, <code>TLSv1.2</code>, etc).</p></td> -</tr> -<tr> -<td class="tableblock halign-left valign-top"><p class="tableblock"><code>TLS - Shutdown Gracefully</code></p></td> -<td class="tableblock halign-left valign-top"><p class="tableblock">Specifies whether the TLS should be shut down gracefully before the target context is closed. Defaults to false.</p></td> -</tr> -<tr> -<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Referral Strategy</code></p></td>
[... 12772 lines stripped ...]
