Re: Need help SSL LDAP Nifi Registry

2020-06-30 Thread Etienne Jouvin
Got it thanks to
https://community.cloudera.com/t5/Community-Articles/Setting-Up-a-Secure-NiFi-to-Integrate-with-a-Secure-NiFi/ta-p/247765

Next steps would be to have NiFi and Registry on different hosts and see
how connections are made.



On Tue, 30 June 2020 at 11:43, Etienne Jouvin wrote:

> But now, I have NiFi and Registry with secure access (LDAP + SSL)
>
> I need to find out how to configure the Registry in NiFi, because for now
> I did not have to specify login.
> And even if my first bucket is Public, it is not accessible from NiFi.
>
>
> On Tue, 30 June 2020 at 11:29, Etienne Jouvin wrote:
>
>> Hi Josef.
>>
>> No I did not try that.
>> And well done, with that I can access the UI, and can connect with LDAP
>> identity.
>>
>> Thanks a lot.
>>
>> Cheers
>>
>> Etienne
>>
>>
>>
>> On Tue, 30 June 2020 at 11:15,  wrote:
>>
>>> Hi Etienne
>>>
>>>
>>>
>>> Did you try the following in «nifi-registry.properties»:
>>>
>>> nifi.registry.security.needClientAuth=false
>>>
>>>
>>>
>>> Cheers Josef
>>>
>>>
>>>
>>>
>>>
>>> *From: *Etienne Jouvin 
>>> *Reply to: *"users@nifi.apache.org" 
>>> *Date: *Tuesday, 30 June 2020 at 10:46
>>> *To: *"users@nifi.apache.org" 
>>> *Subject: *Need help SSL LDAP Nifi Registry
>>>
>>>
>>>
>>> Hello all.
>>>
>>>
>>>
>>> I am trying to set up LDAP authentication on NiFi Registry.
>>>
>>> I followed some links, like
>>> https://community.cloudera.com/t5/Community-Articles/Setting-Up-a-Secure-Apache-NiFi-Registry/ta-p/247753
>>>
>>>
>>>
>>> But each time, it requires that a certificate is installed on client
>>> side. I had this "problem" for NiFi but because I did not provide
>>> the nifi.security.user.login.identity.provider
>>>
>>>
>>>
>>> But for the registry, I remember that and did it.
>>>
>>>
>>>
>>> For summary, what I have in nifi-registry.properties
>>>
>>> nifi.registry.security.keystore=./conf/keystore.jks
>>> nifi.registry.security.keystoreType=jks
>>> nifi.registry.security.keystorePasswd=password
>>> nifi.registry.security.keyPasswd=password
>>> nifi.registry.security.truststore=./conf/truststore.jks
>>> nifi.registry.security.truststoreType=jks
>>> nifi.registry.security.truststorePasswd=password
>>>
>>>
>>>
>>> (All of this information was given by the tls-toolkit, when executed
>>> for NiFi)
>>>
>>> Then I put this
>>>
>>> #nifi.registry.security.identity.provider=
>>> nifi.registry.security.identity.provider=ldap-identity-provider
>>>
>>>
>>>
>>> In the file identity-providers.xml
>>>
>>> I set up the LDAP provider
>>>
>>> 
>>> ldap-identity-provider
>>>
>>> org.apache.nifi.registry.security.ldap.LdapIdentityProvider
>>> SIMPLE
>>>
>>> uid=admin,ou=system
>>> secret
>>>
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>>
>>> FOLLOW
>>> 10 secs
>>> 10 secs
>>>
>>> ldap://localhost:10389
>>> ou=users,dc=test,dc=ch
>>> uid={0}
>>>
>>> USE_DN
>>> 12 hours
>>> 
>>>
>>>
>>>
>>> And finally in authorizers.xml
>>>
>>> 
>>> file-user-group-provider
>>>
>>> org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider
>>> ./conf/users.xml
>>> uid=firstuser,
>>> ou=users,dc=test,dc=ch
>>> 
>>>
>>>
>>>
>>> 
>>> file-access-policy-provider
>>>
>>> org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider
>>> file-user-group-provider
>>> ./conf/authorizations.xml
>>>  uid=firstuser,
>>> ou=users,dc=test,dc=ch 
>>> 
>>>
>>> 
>>> 
>>>
>>>
>>>
>>>
>>>
>>> Starting Registry is OK.
>>>
>>>
>>>
>>> But when I want to access through Chrome, I have a certificate error:
>>> ERR_BAD_SSL_CLIENT_AUTH_CERT
>>>
>>>
>>>
>>> How can I force the authentication to not request a client side
>>> certificate?
>>>
>>>
>>>
>>> Thanks for any input.
>>>
>>>
>>>
>>> Etienne Jouvin
>>>
>>>
>>>
>>


Re: Need help SSL LDAP Nifi Registry

2020-06-30 Thread Etienne Jouvin
But now, I have NiFi and Registry with secure access (LDAP + SSL)

I need to find out how to configure the Registry in NiFi, because for now I
did not have to specify login.
And even if my first bucket is Public, it is not accessible from NiFi.


On Tue, 30 June 2020 at 11:29, Etienne Jouvin wrote:

> Hi Josef.
>
> No I did not try that.
> And well done, with that I can access the UI, and can connect with LDAP
> identity.
>
> Thanks a lot.
>
> Cheers
>
> Etienne
>
>
>
> On Tue, 30 June 2020 at 11:15,  wrote:
>
>> Hi Etienne
>>
>>
>>
>> Did you try the following in «nifi-registry.properties»:
>>
>> nifi.registry.security.needClientAuth=false
>>
>>
>>
>> Cheers Josef
>>
>>
>>
>>
>>
>> *From: *Etienne Jouvin 
>> *Reply to: *"users@nifi.apache.org" 
>> *Date: *Tuesday, 30 June 2020 at 10:46
>> *To: *"users@nifi.apache.org" 
>> *Subject: *Need help SSL LDAP Nifi Registry
>>
>>
>>
>> Hello all.
>>
>>
>>
>> I am trying to set up LDAP authentication on NiFi Registry.
>>
>> I followed some links, like
>> https://community.cloudera.com/t5/Community-Articles/Setting-Up-a-Secure-Apache-NiFi-Registry/ta-p/247753
>>
>>
>>
>> But each time, it requires that a certificate is installed on client
>> side. I had this "problem" for NiFi but because I did not provide
>> the nifi.security.user.login.identity.provider
>>
>>
>>
>> But for the registry, I remember that and did it.
>>
>>
>>
>> For summary, what I have in nifi-registry.properties
>>
>> nifi.registry.security.keystore=./conf/keystore.jks
>> nifi.registry.security.keystoreType=jks
>> nifi.registry.security.keystorePasswd=password
>> nifi.registry.security.keyPasswd=password
>> nifi.registry.security.truststore=./conf/truststore.jks
>> nifi.registry.security.truststoreType=jks
>> nifi.registry.security.truststorePasswd=password
>>
>>
>>
>> (All of this information was given by the tls-toolkit, when executed
>> for NiFi)
>>
>> Then I put this
>>
>> #nifi.registry.security.identity.provider=
>> nifi.registry.security.identity.provider=ldap-identity-provider
>>
>>
>>
>> In the file identity-providers.xml
>>
>> I set up the LDAP provider
>>
>> 
>> ldap-identity-provider
>>
>> org.apache.nifi.registry.security.ldap.LdapIdentityProvider
>> SIMPLE
>>
>> uid=admin,ou=system
>> secret
>>
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>>
>> FOLLOW
>> 10 secs
>> 10 secs
>>
>> ldap://localhost:10389
>> ou=users,dc=test,dc=ch
>> uid={0}
>>
>> USE_DN
>> 12 hours
>> 
>>
>>
>>
>> And finally in authorizers.xml
>>
>> 
>> file-user-group-provider
>>
>> org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider
>> ./conf/users.xml
>> uid=firstuser,
>> ou=users,dc=test,dc=ch
>> 
>>
>>
>>
>> 
>> file-access-policy-provider
>>
>> org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider
>> file-user-group-provider
>> ./conf/authorizations.xml
>>  uid=firstuser,
>> ou=users,dc=test,dc=ch 
>> 
>>
>> 
>> 
>>
>>
>>
>>
>>
>> Starting Registry is OK.
>>
>>
>>
>> But when I want to access through Chrome, I have a certificate error:
>> ERR_BAD_SSL_CLIENT_AUTH_CERT
>>
>>
>>
>> How can I force the authentication to not request a client side
>> certificate?
>>
>>
>>
>> Thanks for any input.
>>
>>
>>
>> Etienne Jouvin
>>
>>
>>
>


Re: Need help SSL LDAP Nifi Registry

2020-06-30 Thread Etienne Jouvin
Hi Josef.

No I did not try that.
And well done, with that I can access the UI, and can connect with LDAP
identity.

Thanks a lot.

Cheers

Etienne



On Tue, 30 June 2020 at 11:15,  wrote:

> Hi Etienne
>
>
>
> Did you try the following in «nifi-registry.properties»:
>
> nifi.registry.security.needClientAuth=false
>
>
>
> Cheers Josef
>
>
>
>
>
> *From: *Etienne Jouvin 
> *Reply to: *"users@nifi.apache.org" 
> *Date: *Tuesday, 30 June 2020 at 10:46
> *To: *"users@nifi.apache.org" 
> *Subject: *Need help SSL LDAP Nifi Registry
>
>
>
> Hello all.
>
>
>
> I am trying to set up LDAP authentication on NiFi Registry.
>
> I followed some links, like
> https://community.cloudera.com/t5/Community-Articles/Setting-Up-a-Secure-Apache-NiFi-Registry/ta-p/247753
>
>
>
> But each time, it requires that a certificate is installed on client side.
> I had this "problem" for NiFi but because I did not provide
> the nifi.security.user.login.identity.provider
>
>
>
> But for the registry, I remember that and did it.
>
>
>
> For summary, what I have in nifi-registry.properties
>
> nifi.registry.security.keystore=./conf/keystore.jks
> nifi.registry.security.keystoreType=jks
> nifi.registry.security.keystorePasswd=password
> nifi.registry.security.keyPasswd=password
> nifi.registry.security.truststore=./conf/truststore.jks
> nifi.registry.security.truststoreType=jks
> nifi.registry.security.truststorePasswd=password
>
>
>
> (All of this information was given by the tls-toolkit, when executed
> for NiFi)
>
> Then I put this
>
> #nifi.registry.security.identity.provider=
> nifi.registry.security.identity.provider=ldap-identity-provider
>
>
>
> In the file identity-providers.xml
>
> I set up the LDAP provider
>
> 
> ldap-identity-provider
>
> org.apache.nifi.registry.security.ldap.LdapIdentityProvider
> SIMPLE
>
> uid=admin,ou=system
> secret
>
> 
> 
> 
> 
> 
> 
> 
> 
> 
>
> FOLLOW
> 10 secs
> 10 secs
>
> ldap://localhost:10389
> ou=users,dc=test,dc=ch
> uid={0}
>
> USE_DN
> 12 hours
> 
>
>
>
> And finally in authorizers.xml
>
> 
> file-user-group-provider
>
> org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider
> ./conf/users.xml
> uid=firstuser,
> ou=users,dc=test,dc=ch
> 
>
>
>
> 
> file-access-policy-provider
>
> org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider
> file-user-group-provider
> ./conf/authorizations.xml
>  uid=firstuser,
> ou=users,dc=test,dc=ch 
> 
>
> 
> 
>
>
>
>
>
> Starting Registry is OK.
>
>
>
> But when I want to access through Chrome, I have a certificate error:
> ERR_BAD_SSL_CLIENT_AUTH_CERT
>
>
>
> How can I force the authentication to not request a client side
> certificate?
>
>
>
> Thanks for any input.
>
>
>
> Etienne Jouvin
>
>
>


Re: Need help SSL LDAP Nifi Registry

2020-06-30 Thread Josef.Zahner1
Hi Etienne

Did you try the following in «nifi-registry.properties»:
nifi.registry.security.needClientAuth=false

Cheers Josef


From: Etienne Jouvin 
Reply to: "users@nifi.apache.org" 
Date: Tuesday, 30 June 2020 at 10:46
To: "users@nifi.apache.org" 
Subject: Need help SSL LDAP Nifi Registry

Hello all.

I am trying to set up LDAP authentication on NiFi Registry.
I followed some links, like 
https://community.cloudera.com/t5/Community-Articles/Setting-Up-a-Secure-Apache-NiFi-Registry/ta-p/247753

But each time, it requires that a certificate is installed on client side. I
had this "problem" for NiFi but because I did not provide the
nifi.security.user.login.identity.provider

But for the registry, I remember that and did it.

For summary, what I have in nifi-registry.properties
nifi.registry.security.keystore=./conf/keystore.jks
nifi.registry.security.keystoreType=jks
nifi.registry.security.keystorePasswd=password
nifi.registry.security.keyPasswd=password
nifi.registry.security.truststore=./conf/truststore.jks
nifi.registry.security.truststoreType=jks
nifi.registry.security.truststorePasswd=password

(All of this information was given by the tls-toolkit, when executed for
NiFi)
Then I put this
#nifi.registry.security.identity.provider=
nifi.registry.security.identity.provider=ldap-identity-provider

In the file identity-providers.xml
I set up the LDAP provider

ldap-identity-provider

org.apache.nifi.registry.security.ldap.LdapIdentityProvider
SIMPLE

uid=admin,ou=system
secret











FOLLOW
10 secs
10 secs

ldap://localhost:10389
ou=users,dc=test,dc=ch
uid={0}

USE_DN
12 hours


And finally in authorizers.xml

file-user-group-provider

org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider
./conf/users.xml
uid=firstuser, 
ou=users,dc=test,dc=ch



file-access-policy-provider

org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider
file-user-group-provider
./conf/authorizations.xml
 uid=firstuser, 
ou=users,dc=test,dc=ch 






Starting Registry is OK.

But when I want to access through Chrome, I have a certificate error:
ERR_BAD_SSL_CLIENT_AUTH_CERT

How can I force the authentication to not request a client side certificate?

Thanks for any input.

Etienne Jouvin
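
The check below is an added example, not part of any message in this thread or of the NiFi Registry code base: it audits a `nifi-registry.properties` file for the situation discussed here (an identity provider is configured but client certificates are still mandatory) and for placeholder store passwords. The function names, the `WEAK` list and the treatment of a missing `needClientAuth` as `true` are assumptions, the last one consistent with the behaviour reported in the thread.

```python
# Added example (not from the thread): audit the nifi-registry.properties settings
# discussed above. SAMPLE is constructed from the values quoted in the messages.
SAMPLE = """\
nifi.registry.security.keystore=./conf/keystore.jks
nifi.registry.security.keystoreType=jks
nifi.registry.security.keystorePasswd=password
nifi.registry.security.keyPasswd=password
nifi.registry.security.truststore=./conf/truststore.jks
nifi.registry.security.truststoreType=jks
nifi.registry.security.truststorePasswd=password
#nifi.registry.security.identity.provider=
nifi.registry.security.identity.provider=ldap-identity-provider
"""

PREFIX = "nifi.registry.security."
WEAK = {"", "password", "changeit", "changeme"}  # assumed placeholder secrets


def parse_properties(text):
    """Parse 'key=value' lines only; '#'/'!' comments skipped, last value wins."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit(text, default_need_client_auth=True):
    """Return (code, message) findings; the default for a missing key is assumed."""
    p = parse_properties(text)
    findings = []
    provider = p.get(PREFIX + "identity.provider", "")
    raw = p.get(PREFIX + "needClientAuth")
    need_cert = default_need_client_auth if raw is None else raw.lower() == "true"
    if provider and need_cert:
        findings.append(("CLIENT_CERT_REQUIRED",
                         f"{provider} is set but needClientAuth is not false: clients "
                         "without a certificate fail TLS before any login form"))
    if not provider and not need_cert:
        findings.append(("NO_LOGIN_PROVIDER",
                         "needClientAuth=false but no identity provider is set"))
    for name in ("keystorePasswd", "keyPasswd", "truststorePasswd"):
        if PREFIX + name in p and p[PREFIX + name].lower() in WEAK:
            findings.append(("WEAK_SECRET", f"{name} is a placeholder value"))
    return findings
```

Run against the sample, `audit(SAMPLE)` reports `CLIENT_CERT_REQUIRED` plus three `WEAK_SECRET` findings; appending `nifi.registry.security.needClientAuth=false` clears the first one.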


