I am not that aware of NiFi-specific SSL settings, but if you have a
truststore from NiFi (instead of a cert) you can use that; if it has a
different password you will have to configure it. You can find the
instructions here:
https://knox.apache.org/books/knox-1-0-0/user-guide.html#Mutual+Authentication+with+SSL
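
As an added illustration of the step being discussed (this is my own example, not code from the thread, from Knox or from NiFi): it imports the CA certificate that the TLS Toolkit writes to nifi-cert.pem into a JKS truststore as a trusted entry, refusing end-entity certificates, and then performs a one-way TLS handshake against the NiFi host using only that truststore, which is the same validation that fails with the PKIX error in the thread. The truststore path and password are assumed to be whatever Knox is configured to use per the linked guide; the class name and the "nifi-ca-N" aliases are my own choices, and I assume nifi-cert.pem holds the toolkit's CA certificate.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class TrustNifiCa {
    // Loads a JKS truststore; a missing file yields an empty store.
    static KeyStore loadStore(String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        java.io.File f = new java.io.File(path);
        try (InputStream in = f.exists() ? new FileInputStream(f) : null) {
            ks.load(in, pass); // a null stream initialises an empty store
        }
        return ks;
    }
    /** Adds every CA cert in pemPath (e.g. nifi-cert.pem) as a trustedCertEntry; returns the count added. */
    static int importCa(String storePath, char[] storePass, String pemPath) throws Exception {
        KeyStore ks = loadStore(storePath, storePass);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int added = 0;
        try (InputStream in = new FileInputStream(pemPath)) {
            for (Certificate c : cf.generateCertificates(in)) {
                X509Certificate x = (X509Certificate) c;
                if (x.getBasicConstraints() < 0) continue; // -1 = end-entity cert, not a CA: keep it out of the truststore
                ks.setCertificateEntry("nifi-ca-" + added++, x); // trust anchor only, no private key (hypothetical alias)
            }
        }
        try (FileOutputStream out = new FileOutputStream(storePath)) {
            ks.store(out, storePass);
        }
        return added;
    }
    /** Handshakes with host:port trusting only storePath; an untrusted chain surfaces as the PKIX SSLHandshakeException. */
    static String verify(String storePath, char[] storePass, String host, int port) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadStore(storePath, storePass));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key: one-way TLS, as with useTwoWaySsl=false
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // also require the cert to match the host name
            s.setSSLParameters(p);
            s.startHandshake();
            return ((X509Certificate) s.getSession().getPeerCertificates()[0]).getSubjectX500Principal().getName();
        }
    }
    public static void main(String[] args) throws Exception { // usage: TrustNifiCa <truststore.jks> <password> <nifi-cert.pem> <nifi-host> <port>
        char[] pass = args[1].toCharArray();
        System.out.println("imported " + importCa(args[0], pass, args[2]) + " CA cert(s)");
        System.out.println("trusted; peer subject: " + verify(args[0], pass, args[3], Integer.parseInt(args[4])));
    }
}
```

If the handshake succeeds here but Knox still logs the PKIX error, Knox is reading a different truststore than the one the certificate was imported into.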



On Wed, Mar 7, 2018 at 8:27 PM, Ryan H <ryan.howell.developm...@gmail.com>
wrote:

> Hi Sandeep,
>
> So I have the NiFi TLS Toolkit running in Client/Server mode. I have made
> a request to the CA server from the Knox machine by running the TLS Toolkit
> as a Client and received a keystore, truststore, and nifi-cert.pem. I
> understand that I need to get the public cert into the Knox keystore, but
> unsure which one to import and to where. Should the cert be imported into
> the KNOX_HOME/data/security/keystores/gateway.jks store? And do you know
> which one of the files should have the public cert?
>
> Thanks in Advance,
>
> -Ryan
>
> On Wed, Mar 7, 2018 at 8:03 PM, Sandeep Moré <moresand...@gmail.com>
> wrote:
>
>> Hello Ryan,
>>
>> Looks like you need to provision NiFi public cert into Knox keystore that
>> should do it.
>>
>>
>> On Wed, Mar 7, 2018 at 7:12 PM, Ryan H <ryan.howell.developm...@gmail.com> wrote:
>>
>>> Hi All,
>>>
>>> I seem to be having a really tough time getting Knox to work with a
>>> secure NiFi cluster set up. I have tried to get this working two different
>>> ways. Both ways have basically the same set up for knoxsso, where it uses
>>> cloud foundry UAA as an external identity provider (currently configured
>>> for OpenID, with the /.well-known/openid-configuration prepended to the
>>> UAA instance url). I'm not sure if OpenID connect is the correct way to go,
>>> I believe there are other options with UAA; this is just the route I went
>>> as I initially was going to configure NiFi OpenID properties with my UAA
>>> instance. I have since decided (based on other factors) that Knox would be
>>> a better way to go. I have been focusing on option 1 below, as I think this
>>> is the preferred way. However, I tried option 2 below just to see if I
>>> could get around the error temporarily. I've included the errors I am
>>> running into below as well as relevant config. Any help is greatly
>>> appreciated.
>>>
>>> versions: NiFi 1.6 and Knox 1.1.0
>>>
>>> *1. Users will always access NiFi thru Knox (preferred)*
>>> *Issue Facing: Getting "PKIX path building failed: unable to find valid
>>> certification path to requested target"*
>>>
>>> *knoxsso.xml*
>>> <topology>
>>>   <gateway>
>>>     <provider>
>>>         <role>webappsec</role>
>>>         <name>WebAppSec</name>
>>>         <enabled>true</enabled>
>>>         <param><name>xframe.options.enabled</name><value>true</value></param>
>>>     </provider>
>>>     <provider>
>>>         <role>federation</role>
>>>         <name>pac4j</name>
>>>         <enabled>true</enabled>
>>>         <param>
>>>             <name>pac4j.session.store</name>
>>>             <value>J2ESessionStore</value>
>>>         </param>
>>>         <param>
>>>           <name>pac4j.callbackUrl</name>
>>>           <value>https://my-knox-host:8443/gateway/knoxsso/api/v1/websso</value>
>>>         </param>
>>>         <param>
>>>           <name>clientName</name>
>>>           <value>OidcClient</value>
>>>         </param>
>>>         <param>
>>>           <name>oidc.id</name>
>>>           <value>some_client_id</value>
>>>         </param>
>>>         <param>
>>>           <name>oidc.secret</name>
>>>           <value>some_client_secret</value>
>>>         </param>
>>>         <param>
>>>           <name>oidc.discoveryUri</name>
>>>           <value>https://my-uaa-host:443/.well-known/openid-configuration</value>
>>>         </param>
>>>         <param>
>>>           <name>oidc.preferredJwsAlgorithm</name>
>>>           <value>RS256</value>
>>>         </param>
>>>     </provider>
>>> </gateway>
>>>
>>> <application>
>>>   <name>knoxauth</name>
>>> </application>
>>> <service>
>>>     <role>KNOXSSO</role>
>>>     <param>
>>>         <name>knoxsso.cookie.secure.only</name>
>>>         <value>false</value>
>>>     </param>
>>>     <param>
>>>         <name>knoxsso.enable.session</name>
>>>         <value>true</value>
>>>     </param>
>>>     <param>
>>>         <name>knoxsso.cookie.max.age</name>
>>>         <value>session</value>
>>>     </param>
>>>     <param>
>>>         <name>knoxsso.token.ttl</name>
>>>         <value>3600000</value>
>>>     </param>
>>>     <param>
>>>        <name>knoxsso.redirect.whitelist.regex</name>
>>>        <value>^https?:\/\/(localhost|10\.227\.85\.2|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}||127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
>>>     </param>
>>> </service>
>>> </topology>
>>>
>>> *sandbox.xml*
>>> <provider>
>>>       <role>federation</role>
>>>       <name>SSOCookieProvider</name>
>>>       <enabled>true</enabled>
>>>       <param>
>>>           <name>sso.authentication.provider.url</name>
>>>           <value>https://my-knox-host:8443/gateway/knoxsso/api/v1/websso</value>
>>>       </param>
>>>   </provider>
>>>
>>>
>>>         <provider>
>>>             <role>identity-assertion</role>
>>>             <name>Default</name>
>>>             <enabled>true</enabled>
>>>         </provider>
>>>
>>>         <provider>
>>>             <role>hostmap</role>
>>>             <name>static</name>
>>>             <enabled>true</enabled>
>>>         </provider>
>>>
>>>     </gateway>
>>>
>>>     <service>
>>>         <role>NIFI</role>
>>>         <url>https://my-nifi-host:8443</url>
>>>         <param name="useTwoWaySsl" value="false" />
>>>     </service>
>>>
>>> *Stacktrace from Knox:*
>>> knox.gateway (DefaultDispatch.java:executeOutboundRequest(147)) - Connection exception dispatching request: https://my-nifi-host:8443/nifi?user.name=ba2d3b04-6bbd-4473-80f4-c2f528cb1d72
>>> javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>> javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
>>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
>>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
>>> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
>>> at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
>>> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
>>> at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
>>> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
>>> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
>>> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
>>> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
>>> at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
>>> at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
>>> at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
>>> at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:359)
>>> at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
>>> at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
>>> at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
>>> at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
>>> at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
>>> at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
>>> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
>>> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
>>> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
>>> at org.apache.knox.gateway.dispatch.DefaultDispatch.executeOutboundRequest(DefaultDispatch.java:130)
>>> at org.apache.knox.gateway.dispatch.NiFiDispatch.executeRequest(NiFiDispatch.java:39)
>>> at org.apache.knox.gateway.dispatch.DefaultDispatch.doGet(DefaultDispatch.java:278)
>>> at org.apache.knox.gateway.dispatch.GatewayDispatchFilter$GetAdapter.doMethod(GatewayDispatchFilter.java:122)
>>> at org.apache.knox.gateway.dispatch.GatewayDispatchFilter.doFilter(GatewayDispatchFilter.java:105)
>>> at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:61)
>>> at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
>>> at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
>>> at org.apache.knox.gateway.identityasserter.common.filter.AbstractIdentityAssertionFilter.doFilterInternal(AbstractIdentityAssertionFilter.java:196)
>>> at org.apache.knox.gateway.identityasserter.common.filter.AbstractIdentityAssertionFilter.continueChainAsPrincipal(AbstractIdentityAssertionFilter.java:153)
>>> at org.apache.knox.gateway.identityasserter.common.filter.CommonIdentityAssertionFilter.doFilter(CommonIdentityAssertionFilter.java:90)
>>> at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
>>> at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
>>> at org.apache.knox.gateway.filter.rewrite.api.UrlRewriteServletFilter.doFilter(UrlRewriteServletFilter.java:60)
>>> at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:61)
>>> at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
>>> at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
>>> at org.apache.knox.gateway.provider.federation.jwt.filter.AbstractJWTFilter$1.run(AbstractJWTFilter.java:202)
>>> at java.security.AccessController.doPrivileged(Native Method)
>>> at javax.security.auth.Subject.doAs(Subject.java:422)
>>> at org.apache.knox.gateway.provider.federation.jwt.filter.AbstractJWTFilter.continueWithEstablishedSecurityContext(AbstractJWTFilter.java:197)
>>> at org.apache.knox.gateway.provider.federation.jwt.filter.SSOCookieFederationFilter.doFilter(SSOCookieFederationFilter.java:112)
>>> at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
>>> at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
>>> at org.apache.knox.gateway.filter.XForwardedHeaderFilter.doFilter(XForwardedHeaderFilter.java:30)
>>> at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:61)
>>> at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
>>> at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
>>> at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:171)
>>> at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:94)
>>> at org.apache.knox.gateway.GatewayServlet.service(GatewayServlet.java:141)
>>> at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
>>> at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
>>> at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
>>> at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
>>> at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
>>> at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
>>> at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
>>> at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
>>> at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
>>> at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
>>> at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
>>> at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
>>> at org.apache.knox.gateway.trace.TraceHandler.handle(TraceHandler.java:51)
>>> at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
>>> at org.apache.knox.gateway.filter.CorrelationHandler.handle(CorrelationHandler.java:39)
>>> at org.eclipse.jetty.servlets.gzip.GzipHandler.handle(GzipHandler.java:479)
>>> at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
>>> at org.apache.knox.gateway.filter.PortMappingHelperHandler.handle(PortMappingHelperHandler.java:152)
>>> at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
>>> at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
>>> at org.eclipse.jetty.server.Server.handle(Server.java:499)
>>> at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
>>> at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
>>> at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
>>> at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
>>> at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
>>> at java.lang.Thread.run(Thread.java:748)
>>> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
>>> at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
>>> at sun.security.validator.Validator.validate(Validator.java:260)
>>> at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>>> at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
>>> at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>>> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
>>> ... 78 more
>>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>> at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
>>> at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
>>> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
>>> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
>>> ... 84 more
>>> 2018-03-07 23:44:23,276 ERROR knox.gateway (AbstractGatewayFilter.java:doFilter(63)) - Failed to execute filter: java.io.IOException: Service connectivity error.
>>> 2018-03-07 23:44:23,276 ERROR knox.gateway (AbstractGatewayFilter.java:doFilter(63)) - Failed to execute filter: java.io.IOException: Service connectivity error.
>>> 2018-03-07 23:44:23,276 ERROR knox.gateway (AbstractGatewayFilter.java:doFilter(63)) - Failed to execute filter: java.io.IOException: Service connectivity error.
>>> 2018-03-07 23:44:23,276 ERROR knox.gateway (GatewayFilter.java:doFilter(173)) - Gateway processing failed: java.io.IOException: Service connectivity error.
>>> java.io.IOException: Service connectivity error.
>>> ...
>>>
>>>
>>>
>>> *2. User will access NiFi directly. NiFi will be configured to use
>>> KnoxSSO for auth (in nifi.properties).*
>>> *Issue facing: getting stuck in infinite callback loop*
>>>
>>> *nifi.properties (relevant config only)*
>>> # Apache Knox SSO Properties #
>>> nifi.security.user.knox.url=https://my-knox-host:8443/gateway/knoxsso/api/v1/websso
>>> nifi.security.user.knox.publicKey=/opt/certs/knox.pem
>>> nifi.security.user.knox.cookieName=hadoop-jwt
>>> nifi.security.user.knox.audiences=
>>>
>>>
>>>
>>> *Stacktrace from Knox (this is repeated):*
>>> 2018-03-07 23:36:16,250 WARN  service.knoxsso (WebSSOResource.java:init(106)) - The SSO cookie SecureOnly flag is set to FALSE and is therefore insecure.
>>> 2018-03-07 23:36:16,250 INFO  service.knoxsso (WebSSOResource.java:init(113)) - The cookie max age is being set to: session.
>>> 2018-03-07 23:36:16,250 WARN  service.knoxsso (WebSSOResource.java:init(117)) - The SSO cookie max age configuration is invalid: session - using default.
>>> 2018-03-07 23:36:16,251 INFO  service.knoxsso (WebSSOResource.java:getCookieValue(330)) - Unable to find cookie with name: original-url
>>> 2018-03-07 23:36:16,252 INFO  service.knoxsso (WebSSOResource.java:addJWTHadoopCookie(304)) - JWT cookie successfully added.
>>> 2018-03-07 23:36:16,252 INFO  service.knoxsso (WebSSOResource.java:getAuthenticationToken(214)) - About to redirect to original URL: https://my-nifi-host:8443/nifi-api/access/knox/callback
>>>
>>> *Log info from NiFi:*
>>> 2018-03-07 23:21:35,733 INFO [NiFi Web Server-100] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[anonymous], groups[none] does not have permission to access the requested resource. Unknown user with identity 'anonymous'. Returning Unauthorized response.
>>> 2018-03-07 23:21:38,955 INFO [NiFi Web Server-20] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos ticket login not supported by this NiFi.. Returning Conflict response.
>>> 2018-03-07 23:21:39,075 INFO [NiFi Web Server-16] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: OpenId Connect is not configured.. Returning Conflict response.
>>> 2018-03-07 23:21:39,144 INFO [NiFi Web Server-17] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[anonymous], groups[none] does not have permission to access the requested resource. Unknown user with identity 'anonymous'. Returning Unauthorized response.
>>> 2018-03-07 23:21:41,183 INFO [NiFi Web Server-16] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos ticket login not supported by this NiFi.. Returning Conflict response.
>>> 2018-03-07 23:21:41,275 INFO [NiFi Web Server-17] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: OpenId Connect is not configured.. Returning Conflict response.
>>>
>>>
>>
>
