There was definitely some nuances to this area and you need to be careful with confusing the truststore for Knox accepting client certs and Knox sending client certs from dispatch to the back end services. You may find better luck adding the nifi server cert or its ca cert to the Knox machine cacerts truststore.
I am explicitly adding @jeff here as well since he is the Nifi integration guru. On Thu, Mar 8, 2018 at 11:09 AM, Ryan H <ryan.howell.developm...@gmail.com> wrote: > Ok. Well I've imported the truststore from NiFi into the gateway keystore > but I am still unable to connect to NiFi via Knox with the same error. > Password for the NiFi truststore is the same as the gateway keystore just > to make sure that wasn't an issue. I've changed some of the > gateway-site.xml settings to explicitly trust certificates and to use the > gateway.jks store, but still getting the same error. It's clearly an ssl > error between Knox and NiFi. I'll just keep digging I suppose until it gets > worked out. Not really sure what else to try here unfortunately... > > -Ryan > > On Thu, Mar 8, 2018 at 9:23 AM, Sandeep Moré <moresand...@gmail.com> > wrote: > >> I am not that aware of NiFi specific SSL settings, but if you have a >> truststore from NiFi (instead of a cert) you can use that, if it has a >> deifferent password you will have to configure it. You can find the >> instructions here https://knox.apache.org/books/knox-1-0-0/user-guide.htm >> l#Mutual+Authentication+with+SSL >> >> >> >> On Wed, Mar 7, 2018 at 8:27 PM, Ryan H <ryan.howell.developm...@gmail.com >> > wrote: >> >>> Hi Sandeep, >>> >>> So I have the NiFi TLS Toolkit running in Client/Server mode. I have >>> made a request to the CA server from the Knox machine by running the TLS >>> Toolkit as a Client and received a keystore, truststore, and nifi-cert.pem. >>> I understand that I need to get the public cert into the Knox keystore, but >>> unsure which one to import and to where. Should the cert be imported into >>> the KNOX_HOME/data/security/keystores/gateway.jks store? And do you >>> know which one of the files should have the public cert? >>> >>> Thanks in Advance, >>> >>> -Ryan >>> >>> On Wed, Mar 7, 2018 at 8:03 PM, Sandeep Moré <moresand...@gmail.com> >>> wrote: >>> >>>> Hello Ryan, >>>> >>>> Looks like you need to provision NiFi public cert into Knox keystore >>>> that should do it. >>>> >>>> >>>> On Wed, Mar 7, 2018 at 7:12 PM, Ryan H <ryan.howell.development@gmail >>>> .com> wrote: >>>> >>>>> Hi All, >>>>> >>>>> I seem to be having a really tough time getting Knox to work with a >>>>> secure NiFi cluster set up. I have tried to get this working two different >>>>> ways. Both ways have basically the same set up for knoxsso, where it uses >>>>> cloud foundry UAA as an external identity provider (currently configured >>>>> for OpenID, with the /.well-known/openid-configuration prepended to >>>>> the UAA instance url). I'm not sure if OpenID connect is the correct way >>>>> to >>>>> go, I believe there are other options with UAA; this is just the route I >>>>> went as I initially was going to configure NiFi OpenID properties with my >>>>> UAA instance. I have since decided (based on other factors) that Knox >>>>> would >>>>> be a better way to go. I have been focusing on option 1 below, as I think >>>>> this is the preferred way. However, I tried option 2 below just to see if >>>>> I >>>>> could get around the error temporarily. I've included the errors I am >>>>> running into below as well as relevant config. Any help is greatly >>>>> appreciated. >>>>> >>>>> versions: NiFi 1.6 and Knox 1.1.0 >>>>> >>>>> *1. Users will always access NiFi thru Knox (preferred)* >>>>> *Issue Facing: Getting "PKIX path building failed: unable to find >>>>> valid certification path to requested target"* >>>>> >>>>> *knoxsso.xml* >>>>> <topology> >>>>> <gateway> >>>>> <provider> >>>>> <role>webappsec</role> >>>>> <name>WebAppSec</name> >>>>> <enabled>true</enabled> >>>>> <param><name>xframe.options.enabled</name><value>true</value >>>>> ></param> >>>>> </provider> >>>>> <provider> >>>>> <role>federation</role> >>>>> <name>pac4j</name> >>>>> <enabled>true</enabled> >>>>> <param> >>>>> <name>pac4j.session.store</name> >>>>> <value>J2ESessionStore</value> >>>>> </param> >>>>> <param> >>>>> <name>pac4j.callbackUrl</name> >>>>> <value>https://my-knox-host:8443/gateway/knoxsso/api/v1/webs >>>>> so</value> >>>>> </param> >>>>> <param> >>>>> <name>clientName</name> >>>>> <value>OidcClient</value> >>>>> </param> >>>>> <param> >>>>> <name>oidc.id</name> >>>>> <value>some_client_id</value> >>>>> </param> >>>>> <param> >>>>> <name>oidc.secret</name> >>>>> <value>some_client_secret</value> >>>>> </param> >>>>> <param> >>>>> <name>oidc.discoveryUri</name> >>>>> <value>https://my-uaa-host:443/.well-known/openid-configurat >>>>> ion</value> >>>>> </param> >>>>> <param> >>>>> <name>oidc.preferredJwsAlgorithm</name> >>>>> <value>RS256</value> >>>>> </param> >>>>> </provider> >>>>> </gateway> >>>>> >>>>> <application> >>>>> <name>knoxauth</name> >>>>> </application> >>>>> <service> >>>>> <role>KNOXSSO</role> >>>>> <param> >>>>> <name>knoxsso.cookie.secure.only</name> >>>>> <value>false</value> >>>>> </param> >>>>> <param> >>>>> <name>knoxsso.enable.session</name> >>>>> <value>true</value> >>>>> </param> >>>>> <param> >>>>> <name>knoxsso.cookie.max.age</name> >>>>> <value>session</value> >>>>> </param> >>>>> <param> >>>>> <name>knoxsso.token.ttl</name> >>>>> <value>3600000</value> >>>>> </param> >>>>> <param> >>>>> <name>knoxsso.redirect.whitelist.regex</name> >>>>> <value>^https?:\/\/(localhost|10\.227\.85\.2|[0-9]{1,3}\.[0 >>>>> -9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}||127\.0\.0\.1|0:0:0:0:0:0:0 >>>>> :1|::1):[0-9].*$</value> >>>>> </param> >>>>> </service> >>>>> </topology> >>>>> >>>>> *sandbox.xml* >>>>> <provider> >>>>> <role>federation</role> >>>>> <name>SSOCookieProvider</name> >>>>> <enabled>true</enabled> >>>>> <param> >>>>> <name>sso.authentication.provider.url</name> >>>>> <value>https://my-knox-host:8443/gateway/knoxsso/api/v1/webs >>>>> so</value> >>>>> </param> >>>>> </provider> >>>>> >>>>> >>>>> <provider> >>>>> <role>identity-assertion</role> >>>>> <name>Default</name> >>>>> <enabled>true</enabled> >>>>> </provider> >>>>> >>>>> <provider> >>>>> <role>hostmap</role> >>>>> <name>static</name> >>>>> <enabled>true</enabled> >>>>> </provider> >>>>> >>>>> </gateway> >>>>> >>>>> <service> >>>>> <role>NIFI</role> >>>>> <url>https://my-nifi-host:8443</url> >>>>> <param name="useTwoWaySsl" value="false" /> >>>>> </service> >>>>> >>>>> *Stacktrace from Knox:* >>>>> knox.gateway (DefaultDispatch.java:executeOutboundRequest(147)) - >>>>> Connection exception dispatching request: >>>>> https://my-nifi-host:8443/nifi?user.name=ba2d3b04-6bbd-4473- >>>>> 80f4-c2f528cb1d72 javax.net.ssl.SSLHandshakeException: >>>>> sun.security.validator.ValidatorException: PKIX path building failed: >>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to >>>>> find valid certification path to requested target >>>>> javax.net.ssl.SSLHandshakeException: >>>>> sun.security.validator.ValidatorException: >>>>> PKIX path building failed: >>>>> sun.security.provider.certpath.SunCertPathBuilderException: >>>>> unable to find valid certification path to requested target >>>>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) >>>>> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959) >>>>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328) >>>>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322) >>>>> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHa >>>>> ndshaker.java:1614) >>>>> at sun.security.ssl.ClientHandshaker.processMessage(ClientHands >>>>> haker.java:216) >>>>> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052) >>>>> at sun.security.ssl.Handshaker.process_record(Handshaker.java:987) >>>>> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072) >>>>> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSo >>>>> cketImpl.java:1385) >>>>> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl. >>>>> java:1413) >>>>> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl. >>>>> java:1397) >>>>> at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLa >>>>> yeredSocket(SSLConnectionSocketFactory.java:396) >>>>> at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectS >>>>> ocket(SSLConnectionSocketFactory.java:355) >>>>> at org.apache.http.impl.conn.DefaultHttpClientConnectionOperato >>>>> r.connect(DefaultHttpClientConnectionOperator.java:142) >>>>> at org.apache.http.impl.conn.PoolingHttpClientConnectionManager >>>>> .connect(PoolingHttpClientConnectionManager.java:359) >>>>> at org.apache.http.impl.execchain.MainClientExec.establishRoute >>>>> (MainClientExec.java:381) >>>>> at org.apache.http.impl.execchain.MainClientExec.execute(MainCl >>>>> ientExec.java:237) >>>>> at org.apache.http.impl.execchain.ProtocolExec.execute(Protocol >>>>> Exec.java:185) >>>>> at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89) >>>>> at org.apache.http.impl.execchain.RedirectExec.execute(Redirect >>>>> Exec.java:111) >>>>> at org.apache.http.impl.client.InternalHttpClient.doExecute(Int >>>>> ernalHttpClient.java:185) >>>>> at org.apache.http.impl.client.CloseableHttpClient.execute(Clos >>>>> eableHttpClient.java:83) >>>>> at org.apache.http.impl.client.CloseableHttpClient.execute(Clos >>>>> eableHttpClient.java:108) >>>>> at org.apache.http.impl.client.CloseableHttpClient.execute(Clos >>>>> eableHttpClient.java:56) >>>>> at org.apache.knox.gateway.dispatch.DefaultDispatch.executeOutb >>>>> oundRequest(DefaultDispatch.java:130) >>>>> at org.apache.knox.gateway.dispatch.NiFiDispatch.executeRequest >>>>> (NiFiDispatch.java:39) >>>>> at org.apache.knox.gateway.dispatch.DefaultDispatch.doGet(Defau >>>>> ltDispatch.java:278) >>>>> at org.apache.knox.gateway.dispatch.GatewayDispatchFilter$GetAd >>>>> apter.doMethod(GatewayDispatchFilter.java:122) >>>>> at org.apache.knox.gateway.dispatch.GatewayDispatchFilter.doFil >>>>> ter(GatewayDispatchFilter.java:105) >>>>> at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilte >>>>> r(AbstractGatewayFilter.java:61) >>>>> at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(Gatewa >>>>> yFilter.java:377) >>>>> at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(Gateway >>>>> Filter.java:277) >>>>> at org.apache.knox.gateway.identityasserter.common.filter.Abstr >>>>> actIdentityAssertionFilter.doFilterInternal(AbstractIdentity >>>>> AssertionFilter.java:196) >>>>> at org.apache.knox.gateway.identityasserter.common.filter.Abstr >>>>> actIdentityAssertionFilter.continueChainAsPrincipal(Abstract >>>>> IdentityAssertionFilter.java:153) >>>>> at org.apache.knox.gateway.identityasserter.common.filter.Commo >>>>> nIdentityAssertionFilter.doFilter(CommonIdentityAssertionFil >>>>> ter.java:90) >>>>> at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(Gatewa >>>>> yFilter.java:377) >>>>> at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(Gateway >>>>> Filter.java:277) >>>>> at org.apache.knox.gateway.filter.rewrite.api.UrlRewriteServlet >>>>> Filter.doFilter(UrlRewriteServletFilter.java:60) >>>>> at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilte >>>>> r(AbstractGatewayFilter.java:61) >>>>> at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(Gatewa >>>>> yFilter.java:377) >>>>> at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(Gateway >>>>> Filter.java:277) >>>>> at org.apache.knox.gateway.provider.federation.jwt.filter.Abstr >>>>> actJWTFilter$1.run(AbstractJWTFilter.java:202) >>>>> at java.security.AccessController.doPrivileged(Native Method) >>>>> at javax.security.auth.Subject.doAs(Subject.java:422) >>>>> at org.apache.knox.gateway.provider.federation.jwt.filter.Abstr >>>>> actJWTFilter.continueWithEstablishedSecurityContext(Abstract >>>>> JWTFilter.java:197) >>>>> at org.apache.knox.gateway.provider.federation.jwt.filter.SSOCo >>>>> okieFederationFilter.doFilter(SSOCookieFederationFilter.java:112) >>>>> at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(Gatewa >>>>> yFilter.java:377) >>>>> at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(Gateway >>>>> Filter.java:277) >>>>> at org.apache.knox.gateway.filter.XForwardedHeaderFilter.doFilt >>>>> er(XForwardedHeaderFilter.java:30) >>>>> at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilte >>>>> r(AbstractGatewayFilter.java:61) >>>>> at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(Gatewa >>>>> yFilter.java:377) >>>>> at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(Gateway >>>>> Filter.java:277) >>>>> at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter >>>>> .java:171) >>>>> at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter >>>>> .java:94) >>>>> at org.apache.knox.gateway.GatewayServlet.service(GatewayServle >>>>> t.java:141) >>>>> at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder >>>>> .java:812) >>>>> at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHan >>>>> dler.java:587) >>>>> at org.eclipse.jetty.server.handler.ScopedHandler.handle(Scoped >>>>> Handler.java:143) >>>>> at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHa >>>>> ndler.java:577) >>>>> at org.eclipse.jetty.server.session.SessionHandler.doHandle(Ses >>>>> sionHandler.java:223) >>>>> at org.eclipse.jetty.server.handler.ContextHandler.doHandle(Con >>>>> textHandler.java:1127) >>>>> at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHand >>>>> ler.java:515) >>>>> at org.eclipse.jetty.server.session.SessionHandler.doScope(Sess >>>>> ionHandler.java:185) >>>>> at org.eclipse.jetty.server.handler.ContextHandler.doScope(Cont >>>>> extHandler.java:1061) >>>>> at org.eclipse.jetty.server.handler.ScopedHandler.handle(Scoped >>>>> Handler.java:141) >>>>> at org.eclipse.jetty.server.handler.ContextHandlerCollection.ha >>>>> ndle(ContextHandlerCollection.java:215) >>>>> at org.eclipse.jetty.server.handler.HandlerWrapper.handle(Handl >>>>> erWrapper.java:97) >>>>> at org.apache.knox.gateway.trace.TraceHandler.handle(TraceHandl >>>>> er.java:51) >>>>> at org.eclipse.jetty.server.handler.HandlerWrapper.handle(Handl >>>>> erWrapper.java:97) >>>>> at org.apache.knox.gateway.filter.CorrelationHandler.handle(Cor >>>>> relationHandler.java:39) >>>>> at org.eclipse.jetty.servlets.gzip.GzipHandler.handle(GzipHandl >>>>> er.java:479) >>>>> at org.eclipse.jetty.server.handler.HandlerWrapper.handle(Handl >>>>> erWrapper.java:97) >>>>> at org.apache.knox.gateway.filter.PortMappingHelperHandler.hand >>>>> le(PortMappingHelperHandler.java:152) >>>>> at org.eclipse.jetty.server.handler.HandlerCollection.handle(Ha >>>>> ndlerCollection.java:110) >>>>> at org.eclipse.jetty.server.handler.HandlerWrapper.handle(Handl >>>>> erWrapper.java:97) >>>>> at org.eclipse.jetty.server.Server.handle(Server.java:499) >>>>> at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311) >>>>> at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConne >>>>> ction.java:257) >>>>> at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnec >>>>> tion.java:544) >>>>> at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(Queued >>>>> ThreadPool.java:635) >>>>> at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedT >>>>> hreadPool.java:555) >>>>> at java.lang.Thread.run(Thread.java:748) >>>>> Caused by: sun.security.validator.ValidatorException: PKIX path >>>>> building failed: >>>>> sun.security.provider.certpath.SunCertPathBuilderException: >>>>> unable to find valid certification path to requested target >>>>> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.j >>>>> ava:397) >>>>> at sun.security.validator.PKIXValidator.engineValidate(PKIXVali >>>>> dator.java:302) >>>>> at sun.security.validator.Validator.validate(Validator.java:260) >>>>> at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustMana >>>>> gerImpl.java:324) >>>>> at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509Trust >>>>> ManagerImpl.java:229) >>>>> at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X50 >>>>> 9TrustManagerImpl.java:124) >>>>> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHa >>>>> ndshaker.java:1596) >>>>> ... 78 more >>>>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: >>>>> unable to find valid certification path to requested target >>>>> at sun.security.provider.certpath.SunCertPathBuilder.build(SunC >>>>> ertPathBuilder.java:141) >>>>> at sun.security.provider.certpath.SunCertPathBuilder.engineBuil >>>>> d(SunCertPathBuilder.java:126) >>>>> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) >>>>> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.j >>>>> ava:392) >>>>> ... 84 more >>>>> 2018-03-07 23:44:23,276 ERROR knox.gateway >>>>> (AbstractGatewayFilter.java:doFilter(63)) - Failed to execute filter: >>>>> java.io.IOException: Service connectivity error. >>>>> 2018-03-07 23:44:23,276 ERROR knox.gateway >>>>> (AbstractGatewayFilter.java:doFilter(63)) - Failed to execute filter: >>>>> java.io.IOException: Service connectivity error. >>>>> 2018-03-07 23:44:23,276 ERROR knox.gateway >>>>> (AbstractGatewayFilter.java:doFilter(63)) - Failed to execute filter: >>>>> java.io.IOException: Service connectivity error. >>>>> 2018-03-07 23:44:23,276 ERROR knox.gateway >>>>> (GatewayFilter.java:doFilter(173)) - Gateway processing failed: >>>>> java.io.IOException: Service connectivity error. >>>>> java.io.IOException: Service connectivity error. >>>>> ... >>>>> >>>>> >>>>> >>>>> *2. User will access NiFi directly. NiFi will be configured to use >>>>> KnoxSSO for auth (in nifi.properties).* >>>>> *Issue facing: getting stuck in infinite callback loop* >>>>> >>>>> *nifi.properties (relevant config only)* >>>>> # Apache Knox SSO Properties # >>>>> nifi.security.user.knox.url=https://my-knox-host:8443/gatewa >>>>> y/knoxsso/api/v1/websso >>>>> nifi.security.user.knox.publicKey=/opt/certs/knox.pem >>>>> nifi.security.user.knox.cookieName=hadoop-jwt >>>>> nifi.security.user.knox.audiences= >>>>> >>>>> >>>>> >>>>> *Stacktrace from Knox (this is repeated):* >>>>> 2018-03-07 23:36:16,250 WARN service.knoxsso >>>>> (WebSSOResource.java:init(106)) - The SSO cookie SecureOnly flag is >>>>> set to FALSE and is therefore insecure. >>>>> 2018-03-07 23:36:16,250 INFO service.knoxsso >>>>> (WebSSOResource.java:init(113)) - The cookie max age is being set to: >>>>> session. >>>>> 2018-03-07 23:36:16,250 WARN service.knoxsso >>>>> (WebSSOResource.java:init(117)) - The SSO cookie max age >>>>> configuration is invalid: session - using default. >>>>> 2018-03-07 23:36:16,251 INFO service.knoxsso >>>>> (WebSSOResource.java:getCookieValue(330)) - Unable to find cookie >>>>> with name: original-url >>>>> 2018-03-07 23:36:16,252 INFO service.knoxsso >>>>> (WebSSOResource.java:addJWTHadoopCookie(304)) - JWT cookie >>>>> successfully added. >>>>> 2018-03-07 23:36:16,252 INFO service.knoxsso >>>>> (WebSSOResource.java:getAuthenticationToken(214)) - About to redirect >>>>> to original URL: https://my-nifi-host:8443/nifi >>>>> -api/access/knox/callback >>>>> >>>>> *Log info from NiFi:* >>>>> 2018-03-07 23:21:35,733 INFO [NiFi Web Server-100] >>>>> o.a.n.w.a.c.AccessDeniedExceptionMapper identity[anonymous], >>>>> groups[none] does not have permission to access the requested resource. >>>>> Unknown user with identity 'anonymous'. Returning Unauthorized response. >>>>> 2018-03-07 23:21:38,955 INFO [NiFi Web Server-20] >>>>> o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: >>>>> Kerberos ticket login not supported by this NiFi.. Returning Conflict >>>>> response. >>>>> 2018-03-07 23:21:39,075 INFO [NiFi Web Server-16] >>>>> o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: >>>>> OpenId Connect is not configured.. Returning Conflict response. >>>>> 2018-03-07 23:21:39,144 INFO [NiFi Web Server-17] >>>>> o.a.n.w.a.c.AccessDeniedExceptionMapper identity[anonymous], >>>>> groups[none] does not have permission to access the requested resource. >>>>> Unknown user with identity 'anonymous'. Returning Unauthorized response. >>>>> 2018-03-07 23:21:41,183 INFO [NiFi Web Server-16] >>>>> o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: >>>>> Kerberos ticket login not supported by this NiFi.. Returning Conflict >>>>> response. >>>>> 2018-03-07 23:21:41,275 INFO [NiFi Web Server-17] >>>>> o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: >>>>> OpenId Connect is not configured.. Returning Conflict response. >>>>> >>>>> >>>> >>> >> >
