gresockj opened a new pull request #4986:
URL: https://github.com/apache/nifi/pull/4986
#### Description of PR
Adding autogeneration of self-signed certificate in a default
keystore/truststore when applicable. Conditions for autogeneration are as
follows:
**nifi.properties contains the following configuration:**
```
nifi.web.https.port=<value> // Must be set
nifi.security.keystore=<value> // Recommend testing with ./conf/keystore.p12
nifi.security.truststore=<value> // Recommend testing with
./conf/truststore.p12
```
Additionally, the keystore and truststore files as configured must not exist
on the file system at those locations in order for them to be autogenerated.
The code will not attempt to generate these files if one or both of them is
present in the configured locations.
**The results will be:**
- A self-signed certificate (CN=localhost) is generated with an expiration
of 60 days. The cert will be configured with Subject Alternative Names for the
localhost hostname and address, as well as any values found in the following
nifi.properties: nifi.remote.input.host, nifi.web.https.host,
nifi.web.proxy.host, nifi.cluster.load.balance.address
- A keystore containing the corresponding private key is placed at the path
configured in nifi.security.keystore
- A truststore containing the trusted certificate entry is placed at the
path configured in nifi.security.truststore
- Passwords generated with a secure random are used to protect the
keystore/truststore
- The following properties are populated appropriately in nifi.properties:
```
nifi.security.keystoreType=PKCS12
nifi.security.keystorePassword=<generated password>
nifi.security.keyPassword=<same as keystore password>
nifi.security.truststoreType=PKCS12
nifi.security.truststorePassword=<generated password>
```
In order to streamline the review of the contribution we ask you
to ensure the following steps have been taken:
### For all changes:
- [x] Is there a JIRA ticket associated with this PR? Is it referenced
in the commit message?
- [x] Does your PR title start with **NIFI-XXXX** where XXXX is the JIRA
number you are trying to resolve? Pay particular attention to the hyphen "-"
character.
- [x] Has your PR been rebased against the latest commit within the target
branch (typically `main`)?
- [x] Is your initial contribution a single, squashed commit? _Additional
commits in response to PR reviewer feedback should be made on this branch and
pushed to allow change tracking. Do not `squash` or use `--force` when pushing
to allow for clean monitoring of changes._
### For code changes:
- [x] Have you ensured that the full suite of tests is executed via `mvn
-Pcontrib-check clean install` at the root `nifi` folder?
- [x] Have you written or updated unit tests to verify your changes?
- [x] Have you verified that the full build is successful on JDK 8?
- [x] Have you verified that the full build is successful on JDK 11?
- [ ] If adding new dependencies to the code, are these dependencies
licensed in a way that is compatible for inclusion under [ASF
2.0](http://www.apache.org/legal/resolved.html#category-a)?
- [ ] If applicable, have you updated the `LICENSE` file, including the main
`LICENSE` file under `nifi-assembly`?
- [ ] If applicable, have you updated the `NOTICE` file, including the main
`NOTICE` file found under `nifi-assembly`?
- [ ] If adding new Properties, have you added `.displayName` in addition to
.name (programmatic access) for each of the new properties?
### For documentation related changes:
- [ ] Have you ensured that format looks appropriate for the output in which
it is rendered?
### Note:
Please ensure that once the PR is submitted, you check GitHub Actions CI for
build issues and submit an update to your PR as soon as possible.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
