Ryan,

Sure, you can reply with the content here.

On Fri, Mar 9, 2018 at 9:24 AM Ryan H <ryan.howell.developm...@gmail.com> wrote:
> Hi Jeff,
>
> I created txt files with the output for the ssl-debug output, but unable to attach a file to this email. I can paste it into the email if need be. Let me know if that is what you prefer or if I should do something else.
>
> -Ryan
>
> On Thu, Mar 8, 2018 at 11:59 PM, Jeff <jtsw...@gmail.com> wrote:
>
>> Ryan,
>>
>> I just subscribed to the user list here, but haven't pulled the previous messages. I did read your responses on the public archive. It's interesting that you're getting the SSLPeerUnverifiedException. You could try turning on SSL debug in Knox and taking a look (and/or attaching that log information to this thread).
>>
>> Could you provide information on how you used the TLS Toolkit to generate the key/truststore? If you can do a verbose listing of the keystore with keytool and capture the output to provide in this thread, that would be helpful as well. There are a few people on the NiFi team that are more knowledgeable about the TLS Toolkit and SSL than I am with which I could consult.
>>
>> On Thu, Mar 8, 2018 at 12:49 PM Jeff <jtsw...@gmail.com> wrote:
>>
>>> Ryan,
>>>
>>> In addition to the things I mentioned in my previous message, there are some properties you'll need to set as well. In nifi.properties, set nifi.web.proxy.context.path to "/gateway/sandbox/nifi-app". The host and port of the Knox service should also be set for nifi.web.proxy.host.
>>>
>>> On Thu, Mar 8, 2018 at 12:06 PM Jeff <jtsw...@gmail.com> wrote:
>>>
>>>> Ryan,
>>>>
>>>> I noticed in your sandbox.xml, you have the "useTwoWaySsl" parameter set to false. That needs to be set to true so that the dispatch will create an SSL context that uses the keystore and truststore material in gateway.jks.
>>>>
>>>> I'm glad you're using the TLS Toolkit, I was going to suggest you give that a try, initially. The cert from the keystore generated by the toolkit that identifies the cert to use for Knox needs to be added to gateway.jks, along with the nifi-cert key from the truststore. Just importing both the keystore and truststore generated by the toolkit for Knox should be all you have to do there, since the toolkit generates those stores with just the nifi-key and nifi-cert in the keystore and truststore respectively. You should end up with three keys in gateway.jks afterward; the gateway-identity, nifi-key, and nifi-cert keys. Once both of those are added to gateway.jks, and you have configured the service definition for NiFi in your topology with useTwoWaySsl set to true, the two-way SSL handshake should succeed.
>>>>
>>>> Also, you will want to add the DN from that nifi-key as a node identity (in the same place you set the initial admin identity) so that NiFi can create a "user" to represent the Knox node and add a policy for you to allow that node/identity to proxy requests, if you haven't already done so.
>>>>
>>>> After adding the keystore and truststore material to gateway.jks, and adding a user and policy for NiFi to identify and authorize Knox for proxying, Knox should be able to proxy NiFi securely.
>>>>
>>>> On Thu, Mar 8, 2018 at 11:44 AM larry mccay <lmc...@apache.org> wrote:
>>>>
>>>>> There were definitely some nuances to this area and you need to be careful with confusing the truststore for Knox accepting client certs and Knox sending client certs from dispatch to the back end services. You may find better luck adding the nifi server cert or its ca cert to the Knox machine cacerts truststore.
>>>>>
>>>>> I am explicitly adding @jeff here as well since he is the Nifi integration guru.
>>>>>
>>>>> On Thu, Mar 8, 2018 at 11:09 AM, Ryan H <ryan.howell.developm...@gmail.com> wrote:
>>>>>
>>>>>> Ok. Well I've imported the truststore from NiFi into the gateway keystore but I am still unable to connect to NiFi via Knox with the same error. Password for the NiFi truststore is the same as the gateway keystore just to make sure that wasn't an issue. I've changed some of the gateway-site.xml settings to explicitly trust certificates and to use the gateway.jks store, but still getting the same error. It's clearly an ssl error between Knox and NiFi. I'll just keep digging I suppose until it gets worked out. Not really sure what else to try here unfortunately...
>>>>>>
>>>>>> -Ryan
>>>>>>
>>>>>> On Thu, Mar 8, 2018 at 9:23 AM, Sandeep Moré <moresand...@gmail.com> wrote:
>>>>>>
>>>>>>> I am not that aware of NiFi specific SSL settings, but if you have a truststore from NiFi (instead of a cert) you can use that, if it has a different password you will have to configure it. You can find the instructions here
>>>>>>> https://knox.apache.org/books/knox-1-0-0/user-guide.html#Mutual+Authentication+with+SSL
>>>>>>>
>>>>>>> On Wed, Mar 7, 2018 at 8:27 PM, Ryan H <ryan.howell.developm...@gmail.com> wrote:
>>>>>>>
>>>>>>>> Hi Sandeep,
>>>>>>>>
>>>>>>>> So I have the NiFi TLS Toolkit running in Client/Server mode. I have made a request to the CA server from the Knox machine by running the TLS Toolkit as a Client and received a keystore, truststore, and nifi-cert.pem. I understand that I need to get the public cert into the Knox keystore, but unsure which one to import and to where. Should the cert be imported into the KNOX_HOME/data/security/keystores/gateway.jks store? And do you know which one of the files should have the public cert?
>>>>>>>>
>>>>>>>> Thanks in Advance,
>>>>>>>>
>>>>>>>> -Ryan
>>>>>>>>
>>>>>>>> On Wed, Mar 7, 2018 at 8:03 PM, Sandeep Moré <moresand...@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hello Ryan,
>>>>>>>>>
>>>>>>>>> Looks like you need to provision NiFi public cert into Knox keystore that should do it.
>>>>>>>>>
>>>>>>>>> On Wed, Mar 7, 2018 at 7:12 PM, Ryan H <ryan.howell.developm...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi All,
>>>>>>>>>>
>>>>>>>>>> I seem to be having a really tough time getting Knox to work with a secure NiFi cluster setup. I have tried to get this working two different ways. Both ways have basically the same setup for knoxsso, where it uses cloud foundry UAA as an external identity provider (currently configured for OpenID, with the /.well-known/openid-configuration prepended to the UAA instance url). I'm not sure if OpenID connect is the correct way to go, I believe there are other options with UAA; this is just the route I went as I initially was going to configure NiFi OpenID properties with my UAA instance. I have since decided (based on other factors) that Knox would be a better way to go. I have been focusing on option 1 below, as I think this is the preferred way. However, I tried option 2 below just to see if I could get around the error temporarily. I've included the errors I am running into below as well as relevant config. Any help is greatly appreciated.
>>>>>>>>>>
>>>>>>>>>> versions: NiFi 1.6 and Knox 1.1.0
>>>>>>>>>>
>>>>>>>>>> *1. Users will always access NiFi thru Knox (preferred)*
>>>>>>>>>> *Issue Facing: Getting "PKIX path building failed: unable to find valid certification path to requested target"*
>>>>>>>>>>
>>>>>>>>>> *knoxsso.xml*
>>>>>>>>>> <topology>
>>>>>>>>>>   <gateway>
>>>>>>>>>>     <provider>
>>>>>>>>>>       <role>webappsec</role>
>>>>>>>>>>       <name>WebAppSec</name>
>>>>>>>>>>       <enabled>true</enabled>
>>>>>>>>>>       <param><name>xframe.options.enabled</name><value>true</value></param>
>>>>>>>>>>     </provider>
>>>>>>>>>>     <provider>
>>>>>>>>>>       <role>federation</role>
>>>>>>>>>>       <name>pac4j</name>
>>>>>>>>>>       <enabled>true</enabled>
>>>>>>>>>>       <param>
>>>>>>>>>>         <name>pac4j.session.store</name>
>>>>>>>>>>         <value>J2ESessionStore</value>
>>>>>>>>>>       </param>
>>>>>>>>>>       <param>
>>>>>>>>>>         <name>pac4j.callbackUrl</name>
>>>>>>>>>>         <value>https://my-knox-host:8443/gateway/knoxsso/api/v1/websso</value>
>>>>>>>>>>       </param>
>>>>>>>>>>       <param>
>>>>>>>>>>         <name>clientName</name>
>>>>>>>>>>         <value>OidcClient</value>
>>>>>>>>>>       </param>
>>>>>>>>>>       <param>
>>>>>>>>>>         <name>oidc.id</name>
>>>>>>>>>>         <value>some_client_id</value>
>>>>>>>>>>       </param>
>>>>>>>>>>       <param>
>>>>>>>>>>         <name>oidc.secret</name>
>>>>>>>>>>         <value>some_client_secret</value>
>>>>>>>>>>       </param>
>>>>>>>>>>       <param>
>>>>>>>>>>         <name>oidc.discoveryUri</name>
>>>>>>>>>>         <value>https://my-uaa-host:443/.well-known/openid-configuration</value>
>>>>>>>>>>       </param>
>>>>>>>>>>       <param>
>>>>>>>>>>         <name>oidc.preferredJwsAlgorithm</name>
>>>>>>>>>>         <value>RS256</value>
>>>>>>>>>>       </param>
>>>>>>>>>>     </provider>
>>>>>>>>>>   </gateway>
>>>>>>>>>>
>>>>>>>>>>   <application>
>>>>>>>>>>     <name>knoxauth</name>
>>>>>>>>>>   </application>
>>>>>>>>>>   <service>
>>>>>>>>>>     <role>KNOXSSO</role>
>>>>>>>>>>     <param>
>>>>>>>>>>       <name>knoxsso.cookie.secure.only</name>
>>>>>>>>>>       <value>false</value>
>>>>>>>>>>     </param>
>>>>>>>>>>     <param>
>>>>>>>>>>       <name>knoxsso.enable.session</name>
>>>>>>>>>>       <value>true</value>
>>>>>>>>>>     </param>
>>>>>>>>>>     <param>
>>>>>>>>>>       <name>knoxsso.cookie.max.age</name>
>>>>>>>>>>       <value>session</value>
>>>>>>>>>>     </param>
>>>>>>>>>>     <param>
>>>>>>>>>>       <name>knoxsso.token.ttl</name>
>>>>>>>>>>       <value>3600000</value>
>>>>>>>>>>     </param>
>>>>>>>>>>     <param>
>>>>>>>>>>       <name>knoxsso.redirect.whitelist.regex</name>
>>>>>>>>>>       <value>^https?:\/\/(localhost|10\.227\.85\.2|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}||127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
>>>>>>>>>>     </param>
>>>>>>>>>>   </service>
>>>>>>>>>> </topology>
>>>>>>>>>>
>>>>>>>>>> *sandbox.xml*
>>>>>>>>>> <provider>
>>>>>>>>>>   <role>federation</role>
>>>>>>>>>>   <name>SSOCookieProvider</name>
>>>>>>>>>>   <enabled>true</enabled>
>>>>>>>>>>   <param>
>>>>>>>>>>     <name>sso.authentication.provider.url</name>
>>>>>>>>>>     <value>https://my-knox-host:8443/gateway/knoxsso/api/v1/websso</value>
>>>>>>>>>>   </param>
>>>>>>>>>> </provider>
>>>>>>>>>>
>>>>>>>>>> <provider>
>>>>>>>>>>   <role>identity-assertion</role>
>>>>>>>>>>   <name>Default</name>
>>>>>>>>>>   <enabled>true</enabled>
>>>>>>>>>> </provider>
>>>>>>>>>>
>>>>>>>>>> <provider>
>>>>>>>>>>   <role>hostmap</role>
>>>>>>>>>>   <name>static</name>
>>>>>>>>>>   <enabled>true</enabled>
>>>>>>>>>> </provider>
>>>>>>>>>>
>>>>>>>>>> </gateway>
>>>>>>>>>>
>>>>>>>>>> <service>
>>>>>>>>>>   <role>NIFI</role>
>>>>>>>>>>   <url>https://my-nifi-host:8443</url>
>>>>>>>>>>   <param name="useTwoWaySsl" value="false" />
>>>>>>>>>> </service>
>>>>>>>>>>
>>>>>>>>>> *Stacktrace from Knox:*
>>>>>>>>>> knox.gateway (DefaultDispatch.java:executeOutboundRequest(147)) - Connection exception dispatching request: https://my-nifi-host:8443/nifi?user.name=ba2d3b04-6bbd-4473-80f4-c2f528cb1d72 javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>>>>>>> javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>>>>>>>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>>>>>>>>>     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
>>>>>>>>>>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
>>>>>>>>>>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
>>>>>>>>>>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
>>>>>>>>>>     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
>>>>>>>>>>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
>>>>>>>>>>     at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
>>>>>>>>>>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
>>>>>>>>>>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
>>>>>>>>>>     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
>>>>>>>>>>     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
>>>>>>>>>>     at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
>>>>>>>>>>     at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
>>>>>>>>>>     at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
>>>>>>>>>>     at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:359)
>>>>>>>>>>     at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
>>>>>>>>>>     at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
>>>>>>>>>>     at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
>>>>>>>>>>     at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
>>>>>>>>>>     at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
>>>>>>>>>>     at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
>>>>>>>>>>     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
>>>>>>>>>>     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
>>>>>>>>>>     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
>>>>>>>>>>     at org.apache.knox.gateway.dispatch.DefaultDispatch.executeOutboundRequest(DefaultDispatch.java:130)
>>>>>>>>>>     at org.apache.knox.gateway.dispatch.NiFiDispatch.executeRequest(NiFiDispatch.java:39)
>>>>>>>>>>     at org.apache.knox.gateway.dispatch.DefaultDispatch.doGet(DefaultDispatch.java:278)
>>>>>>>>>>     at org.apache.knox.gateway.dispatch.GatewayDispatchFilter$GetAdapter.doMethod(GatewayDispatchFilter.java:122)
>>>>>>>>>>     at org.apache.knox.gateway.dispatch.GatewayDispatchFilter.doFilter(GatewayDispatchFilter.java:105)
>>>>>>>>>>     at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:61)
>>>>>>>>>>     at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
>>>>>>>>>>     at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
>>>>>>>>>>     at org.apache.knox.gateway.identityasserter.common.filter.AbstractIdentityAssertionFilter.doFilterInternal(AbstractIdentityAssertionFilter.java:196)
>>>>>>>>>>     at org.apache.knox.gateway.identityasserter.common.filter.AbstractIdentityAssertionFilter.continueChainAsPrincipal(AbstractIdentityAssertionFilter.java:153)
>>>>>>>>>>     at org.apache.knox.gateway.identityasserter.common.filter.CommonIdentityAssertionFilter.doFilter(CommonIdentityAssertionFilter.java:90)
>>>>>>>>>>     at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
>>>>>>>>>>     at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
>>>>>>>>>>     at org.apache.knox.gateway.filter.rewrite.api.UrlRewriteServletFilter.doFilter(UrlRewriteServletFilter.java:60)
>>>>>>>>>>     at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:61)
>>>>>>>>>>     at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
>>>>>>>>>>     at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
>>>>>>>>>>     at org.apache.knox.gateway.provider.federation.jwt.filter.AbstractJWTFilter$1.run(AbstractJWTFilter.java:202)
>>>>>>>>>>     at java.security.AccessController.doPrivileged(Native Method)
>>>>>>>>>>     at javax.security.auth.Subject.doAs(Subject.java:422)
>>>>>>>>>>     at org.apache.knox.gateway.provider.federation.jwt.filter.AbstractJWTFilter.continueWithEstablishedSecurityContext(AbstractJWTFilter.java:197)
>>>>>>>>>>     at org.apache.knox.gateway.provider.federation.jwt.filter.SSOCookieFederationFilter.doFilter(SSOCookieFederationFilter.java:112)
>>>>>>>>>>     at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
>>>>>>>>>>     at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
>>>>>>>>>>     at org.apache.knox.gateway.filter.XForwardedHeaderFilter.doFilter(XForwardedHeaderFilter.java:30)
>>>>>>>>>>     at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:61)
>>>>>>>>>>     at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
>>>>>>>>>>     at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
>>>>>>>>>>     at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:171)
>>>>>>>>>>     at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:94)
>>>>>>>>>>     at org.apache.knox.gateway.GatewayServlet.service(GatewayServlet.java:141)
>>>>>>>>>>     at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
>>>>>>>>>>     at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
>>>>>>>>>>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
>>>>>>>>>>     at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
>>>>>>>>>>     at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
>>>>>>>>>>     at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
>>>>>>>>>>     at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
>>>>>>>>>>     at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
>>>>>>>>>>     at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
>>>>>>>>>>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
>>>>>>>>>>     at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
>>>>>>>>>>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
>>>>>>>>>>     at org.apache.knox.gateway.trace.TraceHandler.handle(TraceHandler.java:51)
>>>>>>>>>>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
>>>>>>>>>>     at org.apache.knox.gateway.filter.CorrelationHandler.handle(CorrelationHandler.java:39)
>>>>>>>>>>     at org.eclipse.jetty.servlets.gzip.GzipHandler.handle(GzipHandler.java:479)
>>>>>>>>>>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
>>>>>>>>>>     at org.apache.knox.gateway.filter.PortMappingHelperHandler.handle(PortMappingHelperHandler.java:152)
>>>>>>>>>>     at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
>>>>>>>>>>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
>>>>>>>>>>     at org.eclipse.jetty.server.Server.handle(Server.java:499)
>>>>>>>>>>     at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
>>>>>>>>>>     at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
>>>>>>>>>>     at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
>>>>>>>>>>     at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
>>>>>>>>>>     at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
>>>>>>>>>>     at java.lang.Thread.run(Thread.java:748)
>>>>>>>>>> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>>>>>>>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
>>>>>>>>>>     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
>>>>>>>>>>     at sun.security.validator.Validator.validate(Validator.java:260)
>>>>>>>>>>     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>>>>>>>>>>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
>>>>>>>>>>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>>>>>>>>>>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
>>>>>>>>>>     ... 78 more
>>>>>>>>>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>>>>>>>     at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
>>>>>>>>>>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
>>>>>>>>>>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
>>>>>>>>>>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
>>>>>>>>>>     ... 84 more
>>>>>>>>>> 2018-03-07 23:44:23,276 ERROR knox.gateway (AbstractGatewayFilter.java:doFilter(63)) - Failed to execute filter: java.io.IOException: Service connectivity error.
>>>>>>>>>> 2018-03-07 23:44:23,276 ERROR knox.gateway (AbstractGatewayFilter.java:doFilter(63)) - Failed to execute filter: java.io.IOException: Service connectivity error.
>>>>>>>>>> 2018-03-07 23:44:23,276 ERROR knox.gateway (AbstractGatewayFilter.java:doFilter(63)) - Failed to execute filter: java.io.IOException: Service connectivity error.
>>>>>>>>>> 2018-03-07 23:44:23,276 ERROR knox.gateway (GatewayFilter.java:doFilter(173)) - Gateway processing failed: java.io.IOException: Service connectivity error.
>>>>>>>>>> java.io.IOException: Service connectivity error.
>>>>>>>>>> ...
>>>>>>>>>>
>>>>>>>>>> *2. User will access NiFi directly. NiFi will be configured to use KnoxSSO for auth (in nifi.properties).*
>>>>>>>>>> *Issue facing: getting stuck in infinite callback loop*
>>>>>>>>>>
>>>>>>>>>> *nifi.properties (relevant config only)*
>>>>>>>>>> # Apache Knox SSO Properties #
>>>>>>>>>> nifi.security.user.knox.url=https://my-knox-host:8443/gateway/knoxsso/api/v1/websso
>>>>>>>>>> nifi.security.user.knox.publicKey=/opt/certs/knox.pem
>>>>>>>>>> nifi.security.user.knox.cookieName=hadoop-jwt
>>>>>>>>>> nifi.security.user.knox.audiences=
>>>>>>>>>>
>>>>>>>>>> *Stacktrace from Knox (this is repeated):*
>>>>>>>>>> 2018-03-07 23:36:16,250 WARN service.knoxsso (WebSSOResource.java:init(106)) - The SSO cookie SecureOnly flag is set to FALSE and is therefore insecure.
>>>>>>>>>> 2018-03-07 23:36:16,250 INFO service.knoxsso (WebSSOResource.java:init(113)) - The cookie max age is being set to: session.
>>>>>>>>>> 2018-03-07 23:36:16,250 WARN service.knoxsso (WebSSOResource.java:init(117)) - The SSO cookie max age configuration is invalid: session - using default.
>>>>>>>>>> 2018-03-07 23:36:16,251 INFO service.knoxsso (WebSSOResource.java:getCookieValue(330)) - Unable to find cookie with name: original-url
>>>>>>>>>> 2018-03-07 23:36:16,252 INFO service.knoxsso (WebSSOResource.java:addJWTHadoopCookie(304)) - JWT cookie successfully added.
>>>>>>>>>> 2018-03-07 23:36:16,252 INFO service.knoxsso (WebSSOResource.java:getAuthenticationToken(214)) - About to redirect to original URL: https://my-nifi-host:8443/nifi-api/access/knox/callback
>>>>>>>>>>
>>>>>>>>>> *Log info from NiFi:*
>>>>>>>>>> 2018-03-07 23:21:35,733 INFO [NiFi Web Server-100] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[anonymous], groups[none] does not have permission to access the requested resource. Unknown user with identity 'anonymous'. Returning Unauthorized response.
>>>>>>>>>> 2018-03-07 23:21:38,955 INFO [NiFi Web Server-20] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos ticket login not supported by this NiFi.. Returning Conflict response.
>>>>>>>>>> 2018-03-07 23:21:39,075 INFO [NiFi Web Server-16] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: OpenId Connect is not configured.. Returning Conflict response.
>>>>>>>>>> 2018-03-07 23:21:39,144 INFO [NiFi Web Server-17] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[anonymous], groups[none] does not have permission to access the requested resource. Unknown user with identity 'anonymous'. Returning Unauthorized response.
>>>>>>>>>> 2018-03-07 23:21:41,183 INFO [NiFi Web Server-16] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos ticket login not supported by this NiFi.. Returning Conflict response.
>>>>>>>>>> 2018-03-07 23:21:41,275 INFO [NiFi Web Server-17] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: OpenId Connect is not configured.. Returning Conflict response.
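As an added example (not code from the thread, nor from the Knox or NiFi projects), the keystore merge Jeff describes in his 12:06 PM message above: the toolkit keystore's nifi-key and the toolkit truststore's nifi-cert are imported into gateway.jks next to gateway-identity, and the result is checked with the plain keytool listing he asks for. The three input stores are constructed stand-ins generated locally; PASS, the DNs and the file paths are assumptions, and the real toolkit stores carry their own passwords, which must be used in place of the placeholder.

```shell
#!/bin/sh
# Added example: merge the NiFi TLS Toolkit stores into Knox's gateway.jks
# the way Jeff describes, then check that the three expected entries exist.
# All stores here are constructed stand-ins generated locally with keytool;
# PASS, the DNs and the paths are assumptions, not the thread's real values.
set -eu

WORK="${WORK:-$(mktemp -d)}"
GATEWAY_JKS="$WORK/gateway.jks"     # Knox gateway keystore (gateway-identity)
TOOLKIT_KS="$WORK/keystore.jks"     # stand-in for the toolkit keystore (nifi-key)
TOOLKIT_TS="$WORK/truststore.jks"   # stand-in for the toolkit truststore (nifi-cert)
PASS="changeit"                     # assumed; real stores have their own passwords

have_keytool() { command -v keytool >/dev/null 2>&1; }

# Build constructed versions of the three stores the thread talks about.
make_stores() {
  keytool -genkeypair -alias gateway-identity -keyalg RSA -keysize 2048 \
    -dname "CN=my-knox-host, OU=Knox" -validity 1 -storetype JKS \
    -keystore "$GATEWAY_JKS" -storepass "$PASS" -keypass "$PASS" >/dev/null 2>&1
  keytool -genkeypair -alias nifi-key -keyalg RSA -keysize 2048 \
    -dname "CN=my-knox-host, OU=NIFI" -validity 1 -storetype JKS \
    -keystore "$TOOLKIT_KS" -storepass "$PASS" -keypass "$PASS" >/dev/null 2>&1
  # The real truststore holds the toolkit CA under alias nifi-cert; the
  # stand-in simply re-imports the self-signed nifi-key certificate.
  keytool -exportcert -alias nifi-key -storetype JKS -keystore "$TOOLKIT_KS" \
    -storepass "$PASS" -rfc -file "$WORK/nifi-cert.pem" >/dev/null 2>&1
  keytool -importcert -noprompt -alias nifi-cert -file "$WORK/nifi-cert.pem" \
    -storetype JKS -keystore "$TOOLKIT_TS" -storepass "$PASS" >/dev/null 2>&1
}

# Jeff's step: import nifi-key (private key + cert, the identity Knox presents
# to NiFi in the two-way handshake) and nifi-cert (the CA Knox must trust to
# validate the NiFi server cert, which is what the PKIX error is about).
merge_into_gateway() {
  keytool -importkeystore -noprompt \
    -srckeystore "$TOOLKIT_KS" -srcstoretype JKS -srcstorepass "$PASS" \
    -srcalias nifi-key -srckeypass "$PASS" \
    -destkeystore "$GATEWAY_JKS" -deststoretype JKS -deststorepass "$PASS" \
    -destkeypass "$PASS" >/dev/null 2>&1
  keytool -importkeystore -noprompt \
    -srckeystore "$TOOLKIT_TS" -srcstoretype JKS -srcstorepass "$PASS" \
    -srcalias nifi-cert \
    -destkeystore "$GATEWAY_JKS" -deststoretype JKS -deststorepass "$PASS" \
    >/dev/null 2>&1
}

# Returns 0 when gateway.jks holds the three entries Jeff lists, with the
# right entry types, and 1 otherwise: the "keytool -list" check he asks for.
verify_gateway_aliases() {
  listing=$(keytool -list -storetype JKS -keystore "$GATEWAY_JKS" \
    -storepass "$PASS" 2>/dev/null) || return 1
  printf '%s\n' "$listing" | grep -q '^gateway-identity,.*PrivateKeyEntry' || return 1
  printf '%s\n' "$listing" | grep -q '^nifi-key,.*PrivateKeyEntry' || return 1
  printf '%s\n' "$listing" | grep -q '^nifi-cert,.*trustedCertEntry' || return 1
  return 0
}

# Whole flow: 0 = merged and verified, 1 = verification failed,
# 2 = skipped because no JDK keytool is on PATH.
demo() {
  have_keytool || { echo "keytool not found on PATH; skipping" >&2; return 2; }
  make_stores
  merge_into_gateway
  verify_gateway_aliases
}

# Run directly with DEMO=1 to execute the flow (e.g. `DEMO=1 sh merge.sh`).
if [ "${DEMO:-0}" = 1 ]; then demo && echo "gateway.jks has all three entries"; fi
```

This only covers the store material; the useTwoWaySsl=true parameter on the NIFI service and the node identity and proxy policy in NiFi are the separate steps Jeff lists in the same message.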