Paul,

It sounds like you probably have the certificates/truststores set up correctly and just need to create the appropriate policies...

Let's say you have nifi-1 with a Remote Process Group pointing at the URL of nifi-2, and nifi-2 has an Input port to receive data.

In nifi-2 there needs to be a user for the certificate of nifi-1, and then in the global policies of nifi-2 (top right menu) there needs to be a policy for "retrieve site-to-site details" with the nifi-1 user added to the policy. I think this is what is causing the error message you are seeing since nifi-1 is not authorized to query nifi-2 for site-to-site information (available ports, etc).

I believe you also need to create a policy on the Input Port on nifi-2... select the input port and use the lock icon in the left palette and choose "receive data over site-to-site" and add the user of nifi-1. This gives nifi-1 access to the specific port.

Let us know if that works. If so we should definitely look at updating some of the documentation to explain this.

Thanks,

Bryan

On Tue, Aug 30, 2016 at 6:28 PM, Paul Gibeault (pagibeault) <[email protected]> wrote:

> Hello,
>
> We have been attempting to set up Site-to-Site for NiFi in secure mode and have not been successful.
>
> When I create a Remote Process Group, and enter the URL* https://servername:8443/nifi I receive an error icon. The hover status is “Unauthorized”
>
> * - servername is the actual hostname running NiFi
>
> Things I have tried without success:
>
> - Closely followed the instructions in the NiFi System Administrator’s Guide <https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html>
> - Enabled SSL Security and Kerberos User Authentication (no self-signed certs)
> - Imported public keys of remote NiFi servers into the local keystores for each instance
> - Created policies on each instance to allow for full permissions to the accounts in use.
> - Tried various combinations of Linux & Windows instances of NiFi.
> - Connected a Site-to-Site process group to itself
> - Used both 1.0.0-BETA and 1.1.0-SNAPSHOT NiFi versions
>
> There are no warnings or errors in the log files when I attempt to connect a NiFi instance running on Linux to another instance on Linux. However, I did see something when attempting to connect a NiFi instance running on Windows to an instance running on Linux
>
> From log of NiFi on Windows:
>
> 2016-08-30 16:11:21,173 ERROR [Remote Process Group dd2e3ac9-0156-1000-4543-5ba3d10c6130: https://servername:8443/nifi Thread-1] o.a.n.remote.StandardRemoteProcessGroup org.apache.nifi.remote.StandardRemoteProcessGroup$InitializationTask@19bde1f3 Failed to request account: got unexpected response code of 404:Not Found
>
> From log of NiFi on Linux:
>
> nifi-user.log:2016-08-30 16:39:53,973 INFO [NiFi Web Server-465] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=pagibeault) GET https://servername:8443/nifi-api/site-to-site (source ip: 137.201.48.150)
>
> nifi-user.log:2016-08-30 16:39:53,973 INFO [NiFi Web Server-465] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=pagibeault
>
> nifi-user.log:2016-08-30 16:39:53,974 INFO [NiFi Web Server-465] o.a.n.w.a.c.AccessDeniedExceptionMapper CN=pagibeault does not have permission to access the requested resource. Returning Forbidden response.
>
> Any guidance would be grand.
>
> Thanks,
>
> *Paul Gibeault*
> Sr. Software Engineer, Big Data
> Enterprise Analytics & Data
> Micron Technology, Inc.
>
> *Office* (208) 363-3238
> [email protected]
> linkedin.com/in/paulgibeault <https://www.linkedin.com/in/linkedin.com/in/paulgibeault>
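A triage sketch for the situation discussed in this thread, added here as an example and not code from either poster or from the NiFi project: it reads nifi-user.log lines and reports requests that authenticated successfully but were then refused, which is the pattern in the Linux log quoted above. The sample lines are constructed; correlating entries by web-server thread name and tying the `/nifi-api/site-to-site` path to the "retrieve site-to-site details" policy are assumptions of this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the nifi-user.log excerpt in the thread.
SAMPLE_LOG = """\
2016-08-30 16:39:53,973 INFO [NiFi Web Server-465] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=nifi-1) GET https://servername:8443/nifi-api/site-to-site (source ip: 192.0.2.10)
2016-08-30 16:39:53,973 INFO [NiFi Web Server-465] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=nifi-1
2016-08-30 16:39:53,974 INFO [NiFi Web Server-465] o.a.n.w.a.c.AccessDeniedExceptionMapper CN=nifi-1 does not have permission to access the requested resource. Returning Forbidden response.
2016-08-30 16:40:02,101 INFO [NiFi Web Server-470] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=admin) GET https://servername:8443/nifi-api/flow/status (source ip: 192.0.2.20)
2016-08-30 16:40:02,102 INFO [NiFi Web Server-470] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=admin
"""

LINE = re.compile(r"^\S+ \S+ \w+ \[(?P<thread>[^\]]+)\] \S+ (?P<msg>.*)$")
ATTEMPT = re.compile(r"Attempting request for \((?P<who>.+?)\) (?P<method>[A-Z]+) (?P<url>\S+)")
AUTH_OK = re.compile(r"Authentication success for (?P<who>.+)$")
DENIED = re.compile(r"(?P<who>.+?) does not have permission to access the requested resource")

# Policy name comes from the reply; tying it to this path is this example's assumption.
POLICY_HINTS = {"/nifi-api/site-to-site": "retrieve site-to-site details"}

def find_forbidden(log_text):
    """Pair each 'Forbidden' line with the request logged on the same thread."""
    pending, findings = {}, []
    for raw in log_text.splitlines():
        line = LINE.match(raw)
        if not line:
            continue  # skip lines that are not in the expected log layout
        thread, msg = line["thread"], line["msg"]
        if (m := ATTEMPT.search(msg)):
            pending[thread] = {"identity": m["who"], "method": m["method"],
                               "path": urlparse(m["url"]).path, "authenticated": False}
        elif (m := AUTH_OK.search(msg)) and thread in pending:
            pending[thread]["authenticated"] = pending[thread]["identity"] == m["who"].strip()
        elif (m := DENIED.search(msg)) and thread in pending:
            req = pending.pop(thread)
            if req["identity"] == m["who"]:
                req["policy_hint"] = POLICY_HINTS.get(req["path"], "unknown")
                findings.append(req)
    return findings

if __name__ == "__main__":
    for f in find_forbidden(SAMPLE_LOG):
        print(f"{f['identity']} authenticated={f['authenticated']} "
              f"{f['method']} {f['path']} -> check policy: {f['policy_hint']}")
```

A record with `authenticated` set to true means the certificate or login was accepted and the refusal came from authorization, so the place to look is the policies rather than the keystore or truststore.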
