[ https://issues.apache.org/jira/browse/NIFI-7673?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Paul Grey resolved NIFI-7673.
-----------------------------
    Resolution: Won't Do

In a recent mailing list discussion [1], a consensus discussion was made to 
deprecate the module "nifi-toolkit-tls".  A set of tickets [2] [3] [4] was 
opened and resolved to carry out this work.

In order to complete this effort, any open tickets in the NIFI project relating 
to defects, enhancements, etc. of "nifi-toolkit-tls" should be marked resolved.

[1] https://lists.apache.org/thread/vn1nzobtz4fh7fs461sgg8jj9zygrk0f
[2] NIFI-12169 - Documentation updates to provide alternatives to usage of TLS 
Toolkit
[3] NIFI-12200 - Remove nifi-toolkit-tls module
[4] NIFI-12201 - Deprecation markings for nifi-toolkit-tls module in 
support/nifi-1.x


> Toolkit in diagnostic mode should verify independent node
> ---------------------------------------------------------
>
>                 Key: NIFI-7673
>                 URL: https://issues.apache.org/jira/browse/NIFI-7673
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Configuration Management, Tools and Build
>    Affects Versions: 1.11.4
>            Reporter: Veda Kadam
>            Assignee: Veda Kadam
>            Priority: Major
>              Labels: keystore, security, tls, tls-toolkit
>          Time Spent: 8h 20m
>  Remaining Estimate: 0h
>
>  * Incomplete chain
>  * All nodes have wildcard certificates. Cannot identify one node from the 
> other
>  * Use any certs as long as prerequisites are aligned with NiFi.
>  * Build monitoring for expiration of TLS certificates
>  * Ambari using NiFi CA, overrides/corrupts if using external certs
>  * Populate authorization.xml file if using external certs
>  * Have internal method to avoid removal of authorization.xml and users.xml
>  * Explicit document with prerequisites for certs
>  * --additionalCACertificate <arg> for Client-Server model
>  * Validate certs if not using CA toolkit
>  * Firewall/DNS issues resolving multiple nodes in cluster
>  * Independent node configuration verification
>    # Priority 0
>    # Addresses B, C, D, J
>    # Description: Verifies each node has the correct configuration files and 
>      passwords available, and that the key/certificate contents of the keystore 
>      and truststore are correct for that node
>    # Steps
>      # Run on each node
>      # Read the nifi.properties file
>      # Verify the keystore and truststore are located at the correct file path
>      # Verify the keystore password, key password, and truststore password are 
>        correct
>      # Verify that the keystore contains a single private key entry and a public 
>        certificate which identifies this host
>        # CN
>        # SAN
>        # Not wildcard (or at least unique SAN present)
>        # EKU
>        # Certificate validity dates
>        # Key size
>        # Other OIDs
>      # Verify that the truststore contains at least one public certificate
>      # Verify that the truststore contains a public certificate which verifies 
>        the private key in the keystore for this node (i.e. this node would trust 
>        itself/the signer of itself)



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
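
The per-node steps listed in the issue, as an added example that is not part of the ticket or of NiFi's own code: a standard-library Python sketch covering the nifi.properties, file path, SAN/wildcard and validity-date checks. It assumes the keystore's certificate has already been decoded into the dict shape that `ssl.SSLSocket.getpeercert()` returns; password, EKU, key size and truststore checks need a keystore library and are not shown. The function names and sample values are hypothetical.

```python
import ssl
import time
from pathlib import Path

REQUIRED = ("nifi.security.keystore", "nifi.security.keystorePasswd",
            "nifi.security.truststore", "nifi.security.truststorePasswd")

def parse_properties(text):
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:  # skip blanks, comments
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_config(props, base_dir="."):
    """Findings for unset properties and store paths that are not files."""
    findings = [f"{k} is not set" for k in REQUIRED if not props.get(k)]
    for key in ("nifi.security.keystore", "nifi.security.truststore"):
        path = props.get(key)
        if path and not (Path(base_dir) / path).is_file():
            findings.append(f"{key}: no file at {path}")
    return findings

def check_identity(cert, hostname, now=None):
    """cert is a dict shaped like ssl.SSLSocket.getpeercert() output."""
    now = time.time() if now is None else now
    host, findings = hostname.lower(), []
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if host not in sans:
        findings.append(f"no SAN exactly matches {hostname}")
        if any(s.startswith("*.") and host.partition(".")[2] == s[2:] for s in sans):
            findings.append("only a wildcard SAN covers this host (shared by every node)")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("certificate is not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("certificate has expired")
    return findings

# Constructed sample input, not taken from the ticket.
SAMPLE_PROPS = ("nifi.security.keystore=./conf/keystore.p12\n"
                "nifi.security.keystorePasswd=constructed-ks\n"
                "nifi.security.truststore=./conf/truststore.p12\n"
                "nifi.security.truststorePasswd=\n")
SAMPLE_CERT = {"subject": ((("commonName", "*.nifi.example.com"),),),
               "subjectAltName": (("DNS", "*.nifi.example.com"),),
               "notBefore": "Jan  1 00:00:00 2024 GMT", "notAfter": "Dec 31 23:59:59 2024 GMT"}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2024 GMT")
```

An empty list from both functions means the node passed these checks; each string is one finding to fix on that node.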
