Based on the error I am getting from Knox, does it lead to be that it is
surely a certificate error? I've imported both the truststore.jks and
keystore.jks into the gateway.jks (used a config file so as to have the
same password as the Knox master password), restarted the Gateway, and
still getting the same error.

2018-03-08 03:47:14,284 WARN  knox.gateway
(DefaultDispatch.java:executeOutboundRequest(147)) - Connection exception
dispatching request:
https://my-nifi-host:8443/nifi?user.name=ba2d3b04-6bbd-4473-80f4-c2f528cb1d72
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
at
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
at
sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
at
sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
at
org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
at
org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
at
org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
at
org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:359)
at
org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
at
org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
at
org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
at
org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
at
org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
at
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
at
org.apache.knox.gateway.dispatch.DefaultDispatch.executeOutboundRequest(DefaultDispatch.java:130)
at
org.apache.knox.gateway.dispatch.NiFiDispatch.executeRequest(NiFiDispatch.java:39)
at
org.apache.knox.gateway.dispatch.DefaultDispatch.doGet(DefaultDispatch.java:278)
at
org.apache.knox.gateway.dispatch.GatewayDispatchFilter$GetAdapter.doMethod(GatewayDispatchFilter.java:122)
at
org.apache.knox.gateway.dispatch.GatewayDispatchFilter.doFilter(GatewayDispatchFilter.java:105)
at
org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:61)
at
org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
at
org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
at
org.apache.knox.gateway.identityasserter.common.filter.AbstractIdentityAssertionFilter.doFilterInternal(AbstractIdentityAssertionFilter.java:196)
at
org.apache.knox.gateway.identityasserter.common.filter.AbstractIdentityAssertionFilter.continueChainAsPrincipal(AbstractIdentityAssertionFilter.java:153)
at
org.apache.knox.gateway.identityasserter.common.filter.CommonIdentityAssertionFilter.doFilter(CommonIdentityAssertionFilter.java:90)
at
org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
at
org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
at
org.apache.knox.gateway.filter.rewrite.api.UrlRewriteServletFilter.doFilter(UrlRewriteServletFilter.java:60)
at
org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:61)
at
org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
at
org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
at
org.apache.knox.gateway.provider.federation.jwt.filter.AbstractJWTFilter$1.run(AbstractJWTFilter.java:202)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at
org.apache.knox.gateway.provider.federation.jwt.filter.AbstractJWTFilter.continueWithEstablishedSecurityContext(AbstractJWTFilter.java:197)
at
org.apache.knox.gateway.provider.federation.jwt.filter.SSOCookieFederationFilter.doFilter(SSOCookieFederationFilter.java:112)
at
org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
at
org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
at
org.apache.knox.gateway.filter.XForwardedHeaderFilter.doFilter(XForwardedHeaderFilter.java:30)
at
org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:61)
at
org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
at
org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:171)
at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:94)
at org.apache.knox.gateway.GatewayServlet.service(GatewayServlet.java:141)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
at
org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
at
org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
at
org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
at
org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
at
org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
at
org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
at
org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
at
org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at
org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
at
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
at org.apache.knox.gateway.trace.TraceHandler.handle(TraceHandler.java:51)
at
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
at
org.apache.knox.gateway.filter.CorrelationHandler.handle(CorrelationHandler.java:39)
at org.eclipse.jetty.servlets.gzip.GzipHandler.handle(GzipHandler.java:479)
at
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
at
org.apache.knox.gateway.filter.PortMappingHelperHandler.handle(PortMappingHelperHandler.java:152)
at
org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
at
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
at org.eclipse.jetty.server.Server.handle(Server.java:499)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
at
org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
at
org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
at
org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
at
org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
at java.lang.Thread.run(Thread.java:748)
Caused by: sun.security.validator.ValidatorException: PKIX path building
failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
at
sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
at sun.security.validator.Validator.validate(Validator.java:260)
at
sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at
sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at
sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
... 78 more


On Wed, Mar 7, 2018 at 8:27 PM, Ryan H <ryan.howell.developm...@gmail.com>
wrote:

> Hi Sandeep,
>
> So I have the NiFi TLS Toolkit running in Client/Server mode. I have made
> a request to the CA server from the Knox machine by running the TLS Toolkit
> as a Client and received a keystore, truststore, and nifi-cert.pem. I
> understand that I need to get the public cert into the Knox keystore, but
> unsure which one to import and to where. Should the cert be imported into
> the KNOX_HOME/data/security/keystores/gateway.jks store? And do you know
> which one of the files should have the public cert?
>
> Thanks in Advance,
>
> -Ryan
>
> On Wed, Mar 7, 2018 at 8:03 PM, Sandeep Moré <moresand...@gmail.com>
> wrote:
>
>> Hello Ryan,
>>
>> Looks like you need to provision NiFi public cert into Knox keystore that
>> should do it.
>>
>>
>> On Wed, Mar 7, 2018 at 7:12 PM, Ryan H <ryan.howell.developm...@gmail.com
>> > wrote:
>>
>>> Hi All,
>>>
>>> I seem to be having a really tough time getting Knox to work with a
>>> secure NiFi cluster set up. I have tried to get this working two different
>>> ways. Both ways have basically the same set up for knoxsso, where it uses
>>> cloud foundry UAA as an external identity provider (currently configured
>>> for OpenID, with the /.well-known/openid-configuration prepended to the
>>> UAA instance url). I'm not sure if OpenID connect is the correct way to go,
>>> I believe there are other options with UAA; this is just the route I went
>>> as I initially was going to configure NiFi OpenID properties with my UAA
>>> instance. I have since decided (based on other factors) that Knox would be
>>> a better way to go. I have been focusing on option 1 below, as I think this
>>> is the preferred way. However, I tried option 2 below just to see if I
>>> could get around the error temporarily. I've included the errors I am
>>> running into below as well as relevant config. Any help is greatly
>>> appreciated.
>>>
>>> versions: NiFi 1.6 and Knox 1.1.0
>>>
>>> *1. Users will always access NiFi thru Knox (preferred)*
>>> *Issue Facing: Getting "PKIX path building failed: unable to find valid
>>> certification path to requested target"*
>>>
>>> *knoxsso.xml*
>>> <topology>
>>>   <gateway>
>>>     <provider>
>>>         <role>webappsec</role>
>>>         <name>WebAppSec</name>
>>>         <enabled>true</enabled>
>>>         <param><name>xframe.options.enabled</name><value>true</value
>>> ></param>
>>>     </provider>
>>>     <provider>
>>>         <role>federation</role>
>>>         <name>pac4j</name>
>>>         <enabled>true</enabled>
>>>         <param>
>>>             <name>pac4j.session.store</name>
>>>             <value>J2ESessionStore</value>
>>>         </param>
>>>         <param>
>>>           <name>pac4j.callbackUrl</name>
>>>           <value>https://my-knox-host:8443/gateway/knoxsso/api/v1/websso
>>> </value>
>>>         </param>
>>>         <param>
>>>           <name>clientName</name>
>>>           <value>OidcClient</value>
>>>         </param>
>>>         <param>
>>>           <name>oidc.id</name>
>>>           <value>some_client_id</value>
>>>         </param>
>>>         <param>
>>>           <name>oidc.secret</name>
>>>           <value>some_client_secret</value>
>>>         </param>
>>>         <param>
>>>           <name>oidc.discoveryUri</name>
>>>           <value>https://my-uaa-host:443/.well-known/openid-configurat
>>> ion</value>
>>>         </param>
>>>         <param>
>>>           <name>oidc.preferredJwsAlgorithm</name>
>>>           <value>RS256</value>
>>>         </param>
>>>     </provider>
>>> </gateway>
>>>
>>> <application>
>>>   <name>knoxauth</name>
>>> </application>
>>> <service>
>>>     <role>KNOXSSO</role>
>>>     <param>
>>>         <name>knoxsso.cookie.secure.only</name>
>>>         <value>false</value>
>>>     </param>
>>>     <param>
>>>         <name>knoxsso.enable.session</name>
>>>         <value>true</value>
>>>     </param>
>>>     <param>
>>>         <name>knoxsso.cookie.max.age</name>
>>>         <value>session</value>
>>>     </param>
>>>     <param>
>>>         <name>knoxsso.token.ttl</name>
>>>         <value>3600000</value>
>>>     </param>
>>>     <param>
>>>        <name>knoxsso.redirect.whitelist.regex</name>
>>>        <value>^https?:\/\/(localhost|10\.227\.85\.2|[0-9]{1,3}\.[0
>>> -9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}||127\.0\.0\.1|0:0:0:0:0:0:
>>> 0:1|::1):[0-9].*$</value>
>>>     </param>
>>> </service>
>>> </topology>
>>>
>>> *sandbox.xml*
>>> <provider>
>>>       <role>federation</role>
>>>       <name>SSOCookieProvider</name>
>>>       <enabled>true</enabled>
>>>       <param>
>>>           <name>sso.authentication.provider.url</name>
>>>           <value>https://my-knox-host:8443/gateway/knoxsso/api/v1/websso
>>> </value>
>>>       </param>
>>>   </provider>
>>>
>>>
>>>         <provider>
>>>             <role>identity-assertion</role>
>>>             <name>Default</name>
>>>             <enabled>true</enabled>
>>>         </provider>
>>>
>>>         <provider>
>>>             <role>hostmap</role>
>>>             <name>static</name>
>>>             <enabled>true</enabled>
>>>         </provider>
>>>
>>>     </gateway>
>>>
>>>     <service>
>>>         <role>NIFI</role>
>>>         <url>https://my-nifi-host:8443</url>
>>>         <param name="useTwoWaySsl" value="false" />
>>>     </service>
>>>
>>> *Stacktrace from Knox:*
>>>  knox.gateway (DefaultDispatch.java:executeOutboundRequest(147)) -
>>> Connection exception dispatching request: https://my-nifi-host:8443/nifi
>>> ?user.name=ba2d3b04-6bbd-4473-80f4-c2f528cb1d72
>>> javax.net.ssl.SSLHandshakeException: 
>>> sun.security.validator.ValidatorException:
>>> PKIX path building failed: 
>>> sun.security.provider.certpath.SunCertPathBuilderException:
>>> unable to find valid certification path to requested target
>>> javax.net.ssl.SSLHandshakeException: 
>>> sun.security.validator.ValidatorException:
>>> PKIX path building failed: 
>>> sun.security.provider.certpath.SunCertPathBuilderException:
>>> unable to find valid certification path to requested target
>>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
>>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
>>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
>>> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHa
>>> ndshaker.java:1614)
>>> at sun.security.ssl.ClientHandshaker.processMessage(ClientHands
>>> haker.java:216)
>>> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
>>> at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
>>> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
>>> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSo
>>> cketImpl.java:1385)
>>> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.
>>> java:1413)
>>> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.
>>> java:1397)
>>> at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLa
>>> yeredSocket(SSLConnectionSocketFactory.java:396)
>>> at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectS
>>> ocket(SSLConnectionSocketFactory.java:355)
>>> at org.apache.http.impl.conn.DefaultHttpClientConnectionOperato
>>> r.connect(DefaultHttpClientConnectionOperator.java:142)
>>> at org.apache.http.impl.conn.PoolingHttpClientConnectionManager
>>> .connect(PoolingHttpClientConnectionManager.java:359)
>>> at org.apache.http.impl.execchain.MainClientExec.establishRoute
>>> (MainClientExec.java:381)
>>> at org.apache.http.impl.execchain.MainClientExec.execute(MainCl
>>> ientExec.java:237)
>>> at org.apache.http.impl.execchain.ProtocolExec.execute(Protocol
>>> Exec.java:185)
>>> at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
>>> at org.apache.http.impl.execchain.RedirectExec.execute(Redirect
>>> Exec.java:111)
>>> at org.apache.http.impl.client.InternalHttpClient.doExecute(Int
>>> ernalHttpClient.java:185)
>>> at org.apache.http.impl.client.CloseableHttpClient.execute(Clos
>>> eableHttpClient.java:83)
>>> at org.apache.http.impl.client.CloseableHttpClient.execute(Clos
>>> eableHttpClient.java:108)
>>> at org.apache.http.impl.client.CloseableHttpClient.execute(Clos
>>> eableHttpClient.java:56)
>>> at org.apache.knox.gateway.dispatch.DefaultDispatch.executeOutb
>>> oundRequest(DefaultDispatch.java:130)
>>> at org.apache.knox.gateway.dispatch.NiFiDispatch.executeRequest
>>> (NiFiDispatch.java:39)
>>> at org.apache.knox.gateway.dispatch.DefaultDispatch.doGet(Defau
>>> ltDispatch.java:278)
>>> at org.apache.knox.gateway.dispatch.GatewayDispatchFilter$GetAd
>>> apter.doMethod(GatewayDispatchFilter.java:122)
>>> at org.apache.knox.gateway.dispatch.GatewayDispatchFilter.doFil
>>> ter(GatewayDispatchFilter.java:105)
>>> at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilte
>>> r(AbstractGatewayFilter.java:61)
>>> at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(Gatewa
>>> yFilter.java:377)
>>> at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(Gateway
>>> Filter.java:277)
>>> at org.apache.knox.gateway.identityasserter.common.filter.Abstr
>>> actIdentityAssertionFilter.doFilterInternal(AbstractIdentity
>>> AssertionFilter.java:196)
>>> at org.apache.knox.gateway.identityasserter.common.filter.Abstr
>>> actIdentityAssertionFilter.continueChainAsPrincipal(Abstract
>>> IdentityAssertionFilter.java:153)
>>> at org.apache.knox.gateway.identityasserter.common.filter.Commo
>>> nIdentityAssertionFilter.doFilter(CommonIdentityAssertionFilter.java:90)
>>> at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(Gatewa
>>> yFilter.java:377)
>>> at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(Gateway
>>> Filter.java:277)
>>> at org.apache.knox.gateway.filter.rewrite.api.UrlRewriteServlet
>>> Filter.doFilter(UrlRewriteServletFilter.java:60)
>>> at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilte
>>> r(AbstractGatewayFilter.java:61)
>>> at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(Gatewa
>>> yFilter.java:377)
>>> at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(Gateway
>>> Filter.java:277)
>>> at org.apache.knox.gateway.provider.federation.jwt.filter.Abstr
>>> actJWTFilter$1.run(AbstractJWTFilter.java:202)
>>> at java.security.AccessController.doPrivileged(Native Method)
>>> at javax.security.auth.Subject.doAs(Subject.java:422)
>>> at org.apache.knox.gateway.provider.federation.jwt.filter.Abstr
>>> actJWTFilter.continueWithEstablishedSecurityContext(Abstract
>>> JWTFilter.java:197)
>>> at org.apache.knox.gateway.provider.federation.jwt.filter.SSOCo
>>> okieFederationFilter.doFilter(SSOCookieFederationFilter.java:112)
>>> at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(Gatewa
>>> yFilter.java:377)
>>> at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(Gateway
>>> Filter.java:277)
>>> at org.apache.knox.gateway.filter.XForwardedHeaderFilter.doFilt
>>> er(XForwardedHeaderFilter.java:30)
>>> at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilte
>>> r(AbstractGatewayFilter.java:61)
>>> at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(Gatewa
>>> yFilter.java:377)
>>> at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(Gateway
>>> Filter.java:277)
>>> at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter
>>> .java:171)
>>> at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:94)
>>> at org.apache.knox.gateway.GatewayServlet.service(GatewayServle
>>> t.java:141)
>>> at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder
>>> .java:812)
>>> at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHan
>>> dler.java:587)
>>> at org.eclipse.jetty.server.handler.ScopedHandler.handle(Scoped
>>> Handler.java:143)
>>> at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHa
>>> ndler.java:577)
>>> at org.eclipse.jetty.server.session.SessionHandler.doHandle(Ses
>>> sionHandler.java:223)
>>> at org.eclipse.jetty.server.handler.ContextHandler.doHandle(Con
>>> textHandler.java:1127)
>>> at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHand
>>> ler.java:515)
>>> at org.eclipse.jetty.server.session.SessionHandler.doScope(Sess
>>> ionHandler.java:185)
>>> at org.eclipse.jetty.server.handler.ContextHandler.doScope(Cont
>>> extHandler.java:1061)
>>> at org.eclipse.jetty.server.handler.ScopedHandler.handle(Scoped
>>> Handler.java:141)
>>> at org.eclipse.jetty.server.handler.ContextHandlerCollection.ha
>>> ndle(ContextHandlerCollection.java:215)
>>> at org.eclipse.jetty.server.handler.HandlerWrapper.handle(Handl
>>> erWrapper.java:97)
>>> at org.apache.knox.gateway.trace.TraceHandler.handle(TraceHandl
>>> er.java:51)
>>> at org.eclipse.jetty.server.handler.HandlerWrapper.handle(Handl
>>> erWrapper.java:97)
>>> at org.apache.knox.gateway.filter.CorrelationHandler.handle(Cor
>>> relationHandler.java:39)
>>> at org.eclipse.jetty.servlets.gzip.GzipHandler.handle(GzipHandl
>>> er.java:479)
>>> at org.eclipse.jetty.server.handler.HandlerWrapper.handle(Handl
>>> erWrapper.java:97)
>>> at org.apache.knox.gateway.filter.PortMappingHelperHandler.hand
>>> le(PortMappingHelperHandler.java:152)
>>> at org.eclipse.jetty.server.handler.HandlerCollection.handle(Ha
>>> ndlerCollection.java:110)
>>> at org.eclipse.jetty.server.handler.HandlerWrapper.handle(Handl
>>> erWrapper.java:97)
>>> at org.eclipse.jetty.server.Server.handle(Server.java:499)
>>> at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
>>> at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConne
>>> ction.java:257)
>>> at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnec
>>> tion.java:544)
>>> at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(Queued
>>> ThreadPool.java:635)
>>> at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedT
>>> hreadPool.java:555)
>>> at java.lang.Thread.run(Thread.java:748)
>>> Caused by: sun.security.validator.ValidatorException: PKIX path
>>> building failed: sun.security.provider.certpath.SunCertPathBuilderException:
>>> unable to find valid certification path to requested target
>>> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
>>> at sun.security.validator.PKIXValidator.engineValidate(PKIXVali
>>> dator.java:302)
>>> at sun.security.validator.Validator.validate(Validator.java:260)
>>> at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustMana
>>> gerImpl.java:324)
>>> at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509Trust
>>> ManagerImpl.java:229)
>>> at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X50
>>> 9TrustManagerImpl.java:124)
>>> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHa
>>> ndshaker.java:1596)
>>> ... 78 more
>>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
>>> unable to find valid certification path to requested target
>>> at sun.security.provider.certpath.SunCertPathBuilder.build(SunC
>>> ertPathBuilder.java:141)
>>> at sun.security.provider.certpath.SunCertPathBuilder.engineBuil
>>> d(SunCertPathBuilder.java:126)
>>> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
>>> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
>>> ... 84 more
>>> 2018-03-07 23:44:23,276 ERROR knox.gateway 
>>> (AbstractGatewayFilter.java:doFilter(63))
>>> - Failed to execute filter: java.io.IOException: Service connectivity error.
>>> 2018-03-07 23:44:23,276 ERROR knox.gateway 
>>> (AbstractGatewayFilter.java:doFilter(63))
>>> - Failed to execute filter: java.io.IOException: Service connectivity error.
>>> 2018-03-07 23:44:23,276 ERROR knox.gateway 
>>> (AbstractGatewayFilter.java:doFilter(63))
>>> - Failed to execute filter: java.io.IOException: Service connectivity error.
>>> 2018-03-07 23:44:23,276 ERROR knox.gateway 
>>> (GatewayFilter.java:doFilter(173))
>>> - Gateway processing failed: java.io.IOException: Service connectivity
>>> error.
>>> java.io.IOException: Service connectivity error.
>>> ...
>>>
>>>
>>>
>>> *2. User will access NiFi directly. NiFi will be configured to use
>>> KnoxSSO for auth (in nifi.properties).*
>>> *Issue facing: getting stuck in infinite callback loop*
>>>
>>> *nifi.properties (relevant config only)*
>>> # Apache Knox SSO Properties #
>>> nifi.security.user.knox.url=https://my-knox-host:8443/gatewa
>>> y/knoxsso/api/v1/websso
>>> nifi.security.user.knox.publicKey=/opt/certs/knox.pem
>>> nifi.security.user.knox.cookieName=hadoop-jwt
>>> nifi.security.user.knox.audiences=
>>>
>>>
>>>
>>> *Stacktrace from Knox (this is repeated):*
>>> 2018-03-07 23:36:16,250 WARN  service.knoxsso
>>> (WebSSOResource.java:init(106)) - The SSO cookie SecureOnly flag is set
>>> to FALSE and is therefore insecure.
>>> 2018-03-07 23:36:16,250 INFO  service.knoxsso
>>> (WebSSOResource.java:init(113)) - The cookie max age is being set to:
>>> session.
>>> 2018-03-07 23:36:16,250 WARN  service.knoxsso
>>> (WebSSOResource.java:init(117)) - The SSO cookie max age configuration
>>> is invalid: session - using default.
>>> 2018-03-07 23:36:16,251 INFO  service.knoxsso
>>> (WebSSOResource.java:getCookieValue(330)) - Unable to find cookie with
>>> name: original-url
>>> 2018-03-07 23:36:16,252 INFO  service.knoxsso
>>> (WebSSOResource.java:addJWTHadoopCookie(304)) - JWT cookie successfully
>>> added.
>>> 2018-03-07 23:36:16,252 INFO  service.knoxsso
>>> (WebSSOResource.java:getAuthenticationToken(214)) - About to redirect
>>> to original URL: https://my-nifi-host:8443/nifi-api/access/knox/callback
>>>
>>> *Log info from NiFi:*
>>> 2018-03-07 23:21:35,733 INFO [NiFi Web Server-100]
>>> o.a.n.w.a.c.AccessDeniedExceptionMapper identity[anonymous],
>>> groups[none] does not have permission to access the requested resource.
>>> Unknown user with identity 'anonymous'. Returning Unauthorized response.
>>> 2018-03-07 23:21:38,955 INFO [NiFi Web Server-20]
>>> o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException:
>>> Kerberos ticket login not supported by this NiFi.. Returning Conflict
>>> response.
>>> 2018-03-07 23:21:39,075 INFO [NiFi Web Server-16]
>>> o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException:
>>> OpenId Connect is not configured.. Returning Conflict response.
>>> 2018-03-07 23:21:39,144 INFO [NiFi Web Server-17]
>>> o.a.n.w.a.c.AccessDeniedExceptionMapper identity[anonymous],
>>> groups[none] does not have permission to access the requested resource.
>>> Unknown user with identity 'anonymous'. Returning Unauthorized response.
>>> 2018-03-07 23:21:41,183 INFO [NiFi Web Server-16]
>>> o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException:
>>> Kerberos ticket login not supported by this NiFi.. Returning Conflict
>>> response.
>>> 2018-03-07 23:21:41,275 INFO [NiFi Web Server-17]
>>> o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException:
>>> OpenId Connect is not configured.. Returning Conflict response.
>>>
>>>
>>
>

Reply via email to