Hi Sandeep,

So I have the NiFi TLS Toolkit running in Client/Server mode. I have made a
request to the CA server from the Knox machine by running the TLS Toolkit
as a Client and received a keystore, truststore, and nifi-cert.pem. I
understand that I need to get the public cert into the Knox keystore, but
unsure which one to import and to where. Should the cert be imported into
the KNOX_HOME/data/security/keystores/gateway.jks store? And do you know
which one of the files should have the public cert?

Thanks in Advance,

-Ryan

On Wed, Mar 7, 2018 at 8:03 PM, Sandeep Moré <moresand...@gmail.com> wrote:

> Hello Ryan,
>
> Looks like you need to provision the NiFi public cert into the Knox keystore;
> that should do it.
>
>
> On Wed, Mar 7, 2018 at 7:12 PM, Ryan H <ryan.howell.developm...@gmail.com>
> wrote:
>
>> Hi All,
>>
>> I seem to be having a really tough time getting Knox to work with a
>> secure NiFi cluster setup. I have tried to get this working two different
>> ways. Both ways have basically the same setup for knoxsso, where it uses
>> cloud foundry UAA as an external identity provider (currently configured
>> for OpenID, with the /.well-known/openid-configuration prepended to the
>> UAA instance url). I'm not sure if OpenID connect is the correct way to go,
>> I believe there are other options with UAA; this is just the route I went
>> as I initially was going to configure NiFi OpenID properties with my UAA
>> instance. I have since decided (based on other factors) that Knox would be
>> a better way to go. I have been focusing on option 1 below, as I think this
>> is the preferred way. However, I tried option 2 below just to see if I
>> could get around the error temporarily. I've included the errors I am
>> running into below as well as relevant config. Any help is greatly
>> appreciated.
>>
>> versions: NiFi 1.6 and Knox 1.1.0
>>
>> *1. Users will always access NiFi thru Knox (preferred)*
>> *Issue Facing: Getting "PKIX path building failed: unable to find valid
>> certification path to requested target"*
>>
>> *knoxsso.xml*
>> <topology>
>>   <gateway>
>>     <provider>
>>         <role>webappsec</role>
>>         <name>WebAppSec</name>
>>         <enabled>true</enabled>
>>         <param><name>xframe.options.enabled</name><value>true</value></param>
>>     </provider>
>>     <provider>
>>         <role>federation</role>
>>         <name>pac4j</name>
>>         <enabled>true</enabled>
>>         <param>
>>             <name>pac4j.session.store</name>
>>             <value>J2ESessionStore</value>
>>         </param>
>>         <param>
>>           <name>pac4j.callbackUrl</name>
>>           <value>https://my-knox-host:8443/gateway/knoxsso/api/v1/websso</value>
>>         </param>
>>         <param>
>>           <name>clientName</name>
>>           <value>OidcClient</value>
>>         </param>
>>         <param>
>>           <name>oidc.id</name>
>>           <value>some_client_id</value>
>>         </param>
>>         <param>
>>           <name>oidc.secret</name>
>>           <value>some_client_secret</value>
>>         </param>
>>         <param>
>>           <name>oidc.discoveryUri</name>
>>           <value>https://my-uaa-host:443/.well-known/openid-configuration</value>
>>         </param>
>>         <param>
>>           <name>oidc.preferredJwsAlgorithm</name>
>>           <value>RS256</value>
>>         </param>
>>     </provider>
>> </gateway>
>>
>> <application>
>>   <name>knoxauth</name>
>> </application>
>> <service>
>>     <role>KNOXSSO</role>
>>     <param>
>>         <name>knoxsso.cookie.secure.only</name>
>>         <value>false</value>
>>     </param>
>>     <param>
>>         <name>knoxsso.enable.session</name>
>>         <value>true</value>
>>     </param>
>>     <param>
>>         <name>knoxsso.cookie.max.age</name>
>>         <value>session</value>
>>     </param>
>>     <param>
>>         <name>knoxsso.token.ttl</name>
>>         <value>3600000</value>
>>     </param>
>>     <param>
>>        <name>knoxsso.redirect.whitelist.regex</name>
>>        <value>^https?:\/\/(localhost|10\.227\.85\.2|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}||127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
>>     </param>
>> </service>
>> </topology>
>>
>> *sandbox.xml*
>> <provider>
>>       <role>federation</role>
>>       <name>SSOCookieProvider</name>
>>       <enabled>true</enabled>
>>       <param>
>>           <name>sso.authentication.provider.url</name>
>>           <value>https://my-knox-host:8443/gateway/knoxsso/api/v1/websso</value>
>>       </param>
>>   </provider>
>>
>>
>>         <provider>
>>             <role>identity-assertion</role>
>>             <name>Default</name>
>>             <enabled>true</enabled>
>>         </provider>
>>
>>         <provider>
>>             <role>hostmap</role>
>>             <name>static</name>
>>             <enabled>true</enabled>
>>         </provider>
>>
>>     </gateway>
>>
>>     <service>
>>         <role>NIFI</role>
>>         <url>https://my-nifi-host:8443</url>
>>         <param name="useTwoWaySsl" value="false" />
>>     </service>
>>
>> *Stacktrace from Knox:*
>> knox.gateway (DefaultDispatch.java:executeOutboundRequest(147)) - Connection exception dispatching request: https://my-nifi-host:8443/nifi?user.name=ba2d3b04-6bbd-4473-80f4-c2f528cb1d72
>> javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>> javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
>> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
>> at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
>> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
>> at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
>> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
>> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
>> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
>> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
>> at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
>> at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
>> at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
>> at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:359)
>> at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
>> at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
>> at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
>> at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
>> at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
>> at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
>> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
>> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
>> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
>> at org.apache.knox.gateway.dispatch.DefaultDispatch.executeOutboundRequest(DefaultDispatch.java:130)
>> at org.apache.knox.gateway.dispatch.NiFiDispatch.executeRequest(NiFiDispatch.java:39)
>> at org.apache.knox.gateway.dispatch.DefaultDispatch.doGet(DefaultDispatch.java:278)
>> at org.apache.knox.gateway.dispatch.GatewayDispatchFilter$GetAdapter.doMethod(GatewayDispatchFilter.java:122)
>> at org.apache.knox.gateway.dispatch.GatewayDispatchFilter.doFilter(GatewayDispatchFilter.java:105)
>> at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:61)
>> at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
>> at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
>> at org.apache.knox.gateway.identityasserter.common.filter.AbstractIdentityAssertionFilter.doFilterInternal(AbstractIdentityAssertionFilter.java:196)
>> at org.apache.knox.gateway.identityasserter.common.filter.AbstractIdentityAssertionFilter.continueChainAsPrincipal(AbstractIdentityAssertionFilter.java:153)
>> at org.apache.knox.gateway.identityasserter.common.filter.CommonIdentityAssertionFilter.doFilter(CommonIdentityAssertionFilter.java:90)
>> at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
>> at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
>> at org.apache.knox.gateway.filter.rewrite.api.UrlRewriteServletFilter.doFilter(UrlRewriteServletFilter.java:60)
>> at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:61)
>> at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
>> at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
>> at org.apache.knox.gateway.provider.federation.jwt.filter.AbstractJWTFilter$1.run(AbstractJWTFilter.java:202)
>> at java.security.AccessController.doPrivileged(Native Method)
>> at javax.security.auth.Subject.doAs(Subject.java:422)
>> at org.apache.knox.gateway.provider.federation.jwt.filter.AbstractJWTFilter.continueWithEstablishedSecurityContext(AbstractJWTFilter.java:197)
>> at org.apache.knox.gateway.provider.federation.jwt.filter.SSOCookieFederationFilter.doFilter(SSOCookieFederationFilter.java:112)
>> at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
>> at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
>> at org.apache.knox.gateway.filter.XForwardedHeaderFilter.doFilter(XForwardedHeaderFilter.java:30)
>> at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:61)
>> at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
>> at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
>> at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:171)
>> at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:94)
>> at org.apache.knox.gateway.GatewayServlet.service(GatewayServlet.java:141)
>> at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
>> at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
>> at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
>> at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
>> at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
>> at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
>> at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
>> at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
>> at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
>> at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
>> at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
>> at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
>> at org.apache.knox.gateway.trace.TraceHandler.handle(TraceHandler.java:51)
>> at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
>> at org.apache.knox.gateway.filter.CorrelationHandler.handle(CorrelationHandler.java:39)
>> at org.eclipse.jetty.servlets.gzip.GzipHandler.handle(GzipHandler.java:479)
>> at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
>> at org.apache.knox.gateway.filter.PortMappingHelperHandler.handle(PortMappingHelperHandler.java:152)
>> at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
>> at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
>> at org.eclipse.jetty.server.Server.handle(Server.java:499)
>> at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
>> at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
>> at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
>> at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
>> at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
>> at java.lang.Thread.run(Thread.java:748)
>> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
>> at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
>> at sun.security.validator.Validator.validate(Validator.java:260)
>> at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>> at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
>> at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
>> ... 78 more
>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>> at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
>> at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
>> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
>> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
>> ... 84 more
>> 2018-03-07 23:44:23,276 ERROR knox.gateway (AbstractGatewayFilter.java:doFilter(63)) - Failed to execute filter: java.io.IOException: Service connectivity error.
>> 2018-03-07 23:44:23,276 ERROR knox.gateway (AbstractGatewayFilter.java:doFilter(63)) - Failed to execute filter: java.io.IOException: Service connectivity error.
>> 2018-03-07 23:44:23,276 ERROR knox.gateway (AbstractGatewayFilter.java:doFilter(63)) - Failed to execute filter: java.io.IOException: Service connectivity error.
>> 2018-03-07 23:44:23,276 ERROR knox.gateway (GatewayFilter.java:doFilter(173)) - Gateway processing failed: java.io.IOException: Service connectivity error.
>> java.io.IOException: Service connectivity error.
>> ...
>>
>>
>>
>> *2. User will access NiFi directly. NiFi will be configured to use
>> KnoxSSO for auth (in nifi.properties).*
>> *Issue facing: getting stuck in infinite callback loop*
>>
>> *nifi.properties (relevant config only)*
>> # Apache Knox SSO Properties #
>> nifi.security.user.knox.url=https://my-knox-host:8443/gateway/knoxsso/api/v1/websso
>> nifi.security.user.knox.publicKey=/opt/certs/knox.pem
>> nifi.security.user.knox.cookieName=hadoop-jwt
>> nifi.security.user.knox.audiences=
>>
>>
>>
>> *Stacktrace from Knox (this is repeated):*
>> 2018-03-07 23:36:16,250 WARN  service.knoxsso (WebSSOResource.java:init(106)) - The SSO cookie SecureOnly flag is set to FALSE and is therefore insecure.
>> 2018-03-07 23:36:16,250 INFO  service.knoxsso (WebSSOResource.java:init(113)) - The cookie max age is being set to: session.
>> 2018-03-07 23:36:16,250 WARN  service.knoxsso (WebSSOResource.java:init(117)) - The SSO cookie max age configuration is invalid: session - using default.
>> 2018-03-07 23:36:16,251 INFO  service.knoxsso (WebSSOResource.java:getCookieValue(330)) - Unable to find cookie with name: original-url
>> 2018-03-07 23:36:16,252 INFO  service.knoxsso (WebSSOResource.java:addJWTHadoopCookie(304)) - JWT cookie successfully added.
>> 2018-03-07 23:36:16,252 INFO  service.knoxsso (WebSSOResource.java:getAuthenticationToken(214)) - About to redirect to original URL: https://my-nifi-host:8443/nifi-api/access/knox/callback
>>
>> *Log info from NiFi:*
>> 2018-03-07 23:21:35,733 INFO [NiFi Web Server-100] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[anonymous], groups[none] does not have permission to access the requested resource. Unknown user with identity 'anonymous'. Returning Unauthorized response.
>> 2018-03-07 23:21:38,955 INFO [NiFi Web Server-20] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos ticket login not supported by this NiFi.. Returning Conflict response.
>> 2018-03-07 23:21:39,075 INFO [NiFi Web Server-16] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: OpenId Connect is not configured.. Returning Conflict response.
>> 2018-03-07 23:21:39,144 INFO [NiFi Web Server-17] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[anonymous], groups[none] does not have permission to access the requested resource. Unknown user with identity 'anonymous'. Returning Unauthorized response.
>> 2018-03-07 23:21:41,183 INFO [NiFi Web Server-16] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos ticket login not supported by this NiFi.. Returning Conflict response.
>> 2018-03-07 23:21:41,275 INFO [NiFi Web Server-17] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: OpenId Connect is not configured.. Returning Conflict response.
>>
>>
>

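The "PKIX path building failed" in the Knox stack trace means the trust store Knox's outbound HTTPS client consulted has no anchor that issued the NiFi host certificate. The script below is an added example (not Knox, NiFi or TLS Toolkit code) that answers the "which file holds the public cert" part of the question before anything is imported: it finds the self-signed entry in a PEM bundle such as nifi-cert.pem and checks that this entry is the issuer of the NiFi host certificate. It uses only the Python standard library, decodes just the issuer and subject names from X.509 DER (no signature verification), and runs on constructed, unsigned sample certificates; the names "NiFi Toolkit CA" and "my-nifi-host" are made up.

```python
import base64, re

CN_OID = b"\x55\x04\x03"  # id-at-commonName (2.5.4.3)
def tlv(buf, pos=0):
    """One DER tag-length-value at pos -> (tag, content, end); long-form lengths handled."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def elements(content):
    """Split a constructed DER value into (tag, content, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, end = tlv(content, pos)
        out.append((tag, value, content[pos:end]))
        pos = end
    return out

def issuer_and_subject(cert_der):
    """Raw DER of the issuer and subject Names of an X.509 certificate."""
    fields = elements(elements(tlv(cert_der)[1])[0][1])  # tbsCertificate
    if fields[0][0] == 0xA0:  # optional explicit [0] version
        fields = fields[1:]
    return fields[2][2], fields[4][2]  # serial, sigAlg, ISSUER, validity, SUBJECT, ...

def common_name(name_der):
    """CN attribute of a DER Name, or '' when absent."""
    for _, rdn, _ in elements(tlv(name_der)[1]):
        for _, atv, _ in elements(rdn):
            oid, value = elements(atv)
            if oid[1] == CN_OID:
                return value[1].decode()
    return ""

def certs_in_pem(pem_text):
    """DER bytes of every CERTIFICATE block in a PEM file such as nifi-cert.pem."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END", pem_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def issued_by(leaf_der, ca_der):
    """True when ca's subject equals leaf's issuer, the link the PKIX path builder
    needs; issued_by(c, c) tells you whether c is self-signed, i.e. the CA entry."""
    return issuer_and_subject(leaf_der)[0] == issuer_and_subject(ca_der)[1]
# Constructed sample input: hand-built, unsigned but structurally valid certs
# standing in for the toolkit CA and a NiFi host cert (each under 128 bytes).
def der(tag, content): return bytes([tag, len(content)]) + content
def name(cn): return der(0x30, der(0x31, der(0x30, der(0x06, CN_OID) + der(0x0C, cn.encode()))))
def fake_cert(subject_cn, issuer_cn):
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
           + name(issuer_cn) + der(0x30, b"") + name(subject_cn) + der(0x30, b""))
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))
def to_pem(c): return f"-----BEGIN CERTIFICATE-----\n{base64.encodebytes(c).decode()}-----END CERTIFICATE-----\n"
NIFI_CERT_PEM = to_pem(fake_cert("NiFi Toolkit CA", "NiFi Toolkit CA"))
HOST_CERT_PEM = to_pem(fake_cert("my-nifi-host", "NiFi Toolkit CA"))
```

Against the real files, feed `certs_in_pem(open("nifi-cert.pem").read())` and the NiFi host certificate exported from its keystore to `issued_by`; the self-signed entry that passes that check is the certificate to import into whichever trust store Knox's dispatch reads, which the thread leaves to be confirmed for this Knox version.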