Re: How to trust another certificate from within nifi flows?

2018-02-20 Thread Jaiganesh
The issue is resolved. The host name I gave in the URL was not the fully qualified
name that we have kept in the certificate; once the fully qualified name was
given, it started working.



--
Sent from: http://apache-nifi-developer-list.39713.n7.nabble.com/
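
A check for the mismatch reported in this thread, as an added example that is not part of any poster's message: it prints a certificate's pin in the `sha256/...` form shown in the SSLPeerUnverifiedException log and tests a short name and the fully qualified name against the certificate. The certificate, the host node01.example.internal and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: the certificate and all names below are constructed.

# Create a throwaway self-signed certificate with only a CN (no SAN),
# standing in for the one saved from `openssl s_client -showcerts`.
make_sample_cert() {  # $1 = output dir, $2 = CN
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Print the public-key pin in the "sha256/<base64>" form seen in the log.
# $1 = certificate file, $2 = its encoding (pem or der)
cert_pin() {
    printf 'sha256/%s\n' "$(openssl x509 -inform "$2" -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform der |
        openssl dgst -sha256 -binary | openssl base64)"
}

# Succeed only if the certificate is valid for host name $2.
host_matches() {  # $1 = PEM certificate, $2 = host name from the URL
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

demo() {
    dir=$(mktemp -d) || return 1
    make_sample_cert "$dir" node01.example.internal || return 1
    # Same conversion as in the thread: PEM to DER for keytool -import.
    openssl x509 -outform der -in "$dir/cert.pem" -out "$dir/cert.der"
    echo "PEM pin: $(cert_pin "$dir/cert.pem" pem)"
    echo "DER pin: $(cert_pin "$dir/cert.der" der)"
    for host in node01 node01.example.internal; do
        if host_matches "$dir/cert.pem" "$host"; then
            echo "$host: matches certificate"
        else
            echo "$host: NOT verified (use the name in the certificate)"
        fi
    done
    rm -rf "$dir"
}
demo
```

Comparing the pin of the file imported into the truststore with the pin in the log confirms that both refer to the same server key before looking at the host name.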


Re: How to trust another certificate from within nifi flows?

2018-02-19 Thread Jaiganesh
Andy, 

There is a further update. I found the following bug in NiFi 1.4, which is the
reason for the java.lang.RuntimeException: it is looking for a keystore
though there is no configuration specified in the controller service. This
was raised as a bug which was addressed in version 1.5. But they have also
provided a workaround to point the same truststore file to the keystore as well.
Now I am no longer getting the old error, but now I see a different error.
The same .jks file is working with other client applications, so any pointers
to move forward will be greatly appreciated.

https://issues.apache.org/jira/browse/NIFI-4655


2018-02-20 01:09:03,933 INFO [NiFi Web Server-4997]
o.a.n.c.s.StandardProcessScheduler Starting
InvokeHTTP[id=51f5c341-4e72-3f82-4c7a-1a93767a23b4]
2018-02-20 01:09:03,936 INFO [StandardProcessScheduler Thread-4]
o.a.n.c.s.TimerDrivenSchedulingAgent Scheduled
InvokeHTTP[id=51f5c341-4e72-3f82-4c7a-1a93767a23b4] to run with 1 threads
2018-02-20 01:09:03,994 ERROR [Timer-Driven Process Thread-19]
o.a.nifi.processors.standard.InvokeHTTP
InvokeHTTP[id=51f5c341-4e72-3f82-4c7a-1a93767a23b4] Routing to Failure due
to exception: javax.net.ssl.SSLPeerUnverifiedException: Hostname 
not verified:
certificate: sha256/RrHmPKgr/gT1tgmUVg4H1vnObnXME+/PSaHz1gKHIdU=
DN: CN=
subjectAltNames: : javax.net.ssl.SSLPeerUnverifiedException:
Hostname  not verified:
certificate: sha256/RrHmPKgr/gT1tgmUVg4H1vnObnXME+/PSaHz1gKHIdU=
DN: CN=atllvkafap301xd.hughestelematics.net
subjectAltNames: 
javax.net.ssl.SSLPeerUnverifiedException: Hostname  not verified:
certificate: sha256/RrHmPKgr/gT1tgmUVg4H1vnObnXME+/PSaHz1gKHIdU=
DN: CN=
subjectAltNames: 
at
okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:276)


Regards, 
Jai





Re: How to trust another certificate from within nifi flows?

2018-02-19 Thread Jaiganesh
Hi Andy, 

Thanks for your post.

I just followed your steps. We had the .pem file already imported; I used
openssl and keytool to convert the pem to store in the keystore. Following are the
commands I used.
openssl x509 -inform der -in ca.pem -out ca.cdr
/opt/app/java/jdk1.8.0_112/bin/keytool -import -alias ca -keystore cacerts -file ca.der

I created a StandardSSLContextService and pointed it to the created keystore file
location. When I tested in the nifi process I am getting
java.lang.RuntimeException; there are no further traces available in the logs
either.

I have attached the screen shots of the error and the configuration also. 

Please let me know what could be the reason. 

Thanks & Regards, 
Jai






Re: How to trust another certificate from within nifi flows?

2018-02-15 Thread Andy LoPresto
Hi,

In order to do this, you will need to download/obtain the self-signed server 
certificate that is presented by the remote service (you can do this through a 
tool like OpenSSL’s s_client with the -showcerts flag) in PEM format, import it 
into a Java Keystore file acting as a truststore (see commands below), and then 
identify that truststore using a StandardSSLContextService, which you will 
reference in the InvokeHTTP processor.

If you encounter a specific error or exception, feel free to reply so we can 
assist more directly.

> openssl x509 -outform der -in certificate.pem -out certificate.der
> keytool -import -alias your-alias -keystore cacerts -file certificate.der



Andy LoPresto
alopre...@apache.org
alopresto.apa...@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Feb 15, 2018, at 7:39 PM, nifi-san  wrote:
> 
> Hello Experts,
> 
> We have a Nifi cluster without certificates or SSL implementation.
> We have a requirement to call another url/interface from the Nifi flows
> using https url since the end point is configured with SSL.
> The "https" end point uses a self signed certificate and in order to trust
> the certificate,we need to configure or point the flows on Nifi with the
> Trust certificate.
> 
> We tried the options mentioned in the links below but have not been
> successful in getting the connection to work.
> 
> http://www.tomaszezula.com/2016/11/06/using-ssl-with-nifi/
> 
> 
> Apart from Nifi ,other components such as Spark jobs running on cluster and
> even the browser are able to trust the certificates.
> 
> Any pointers would be highly appreciated!
> 
> Thanks
> 
> 
> 
> --
> Sent from: http://apache-nifi-developer-list.39713.n7.nabble.com/


