Bryan, Paul and I have been working on this, and I think our issue is related to certificates.
In your blog posting you used TLS-Toolkit in your example, but I think that is unrealistic for many environments. For example, this also creates the certificates for SSL right? But these will be self-signed and thus untrusted by default in web browsers. In our environment we generated SSL certificates from our CA and loaded them into the KeyStore. We then extracted public keys for the SSL certs and put them in each of the Trust Stores. This I think is where our main problem is… I’m making a few assumptions here, so feel free to correct me, but my understanding is that when you use TLS-Toolkit it either creates multiple certs (SSL & Client Auth), or it creates a cert that you are allowed to use for both activities. In our case we ONLY have SSL certs, and the certs are marked such that they aren’t allowed to be used for Client Authentication. I believe this is the reason why our requests are showing up as ‘Anonymous’, because there are no Client Authentication certificates in the KeyStore, just SSL certs. I’ve asked our security team for Client Authentication certs for each server, since it would be our preference to use our CA rather than having TLS-Toolkit be its own CA. Thoughts? Thanks, Peter From: Bryan Bende [mailto:[email protected]] Sent: Thursday, September 01, 2016 9:26 AM To: [email protected] Subject: Re: I need help configuring Site-to-Site in Secure Mode. Paul, Clustering is not a requirement for site-to-site... This sounds strange since "anonymous" is used to represent a user when NiFi is not secured. Can you double-check all your configs and make sure you have the following properties set... nifi.remote.input.secure=true nifi.web.https.host= nifi.web.https.port= nifi.security.keystore= nifi.security.keystoreType= nifi.security.keystorePasswd= nifi.security.keyPasswd= nifi.security.truststore= nifi.security.truststoreType= nifi.security.truststorePasswd=<your password> After your question the other day I went through the steps of setting secure site-to-site to make sure I knew what I was talking about :) I wrote up the steps here: http://bryanbende.com/development/2016/08/30/apache-nifi-1.0.0-secure-site-to-site Thanks, Bryan On Thu, Sep 1, 2016 at 10:44 AM, Paul Gibeault (pagibeault) <[email protected]<mailto:[email protected]>> wrote: Bryan, Thanks for the reply. After increasing the log level for Authentication I saw the target NiFi instance used the account “anonymous” for the Site-to-Site connection. After creating a policy for “anonymous”, I was able to view the remote ports and connect to them. Obviously this is not ideal. We would prefer to make policies for remote hosts/users rather than anonymous. We are using the same SSL Certificate for both Key Store and Trust Store on a NiFi Instance. This is likely the cause of the “anonymous” user as it doesn’t have a DN. We are working to correct this. However, after getting my work flow set up across NiFi instances I see this error: Unable to refresh Remote Group's peers due to Unable to communicate with remote NiFi cluster in order to determine which nodes exist in the remote cluster Our NiFi servers are not set up for clustering. Is clustering required to perform Site-to-Site? Thanks, Paul Gibeault From: Bryan Bende [mailto:[email protected]<mailto:[email protected]>] Sent: Tuesday, August 30, 2016 5:09 PM To: [email protected]<mailto:[email protected]> Subject: Re: I need help configuring Site-to-Site in Secure Mode. Paul, It sounds like you probably have the certificates/truststores setup correctly and just need to create the appropriate policies... Lets say you have nifi-1 with an Remote Process Group pointing at the URL of nifi-2, and nifi-2 has an Input port to receive data. In nifi-2 there needs to be a user for the certificate of nifi-1, and then in the global policies of nifi-2 (top right menu) there needs to be a policy for "retrieve site-to-site details" with the nifi-1 user added to the policy. I think this is what is causing the error message you are seeing since nifi-1 is not authorized to query nifi-2 for site-to-site information (available ports, etc). I believe you also need to create a policy on the Input Port on nifi-2... select the input port and use the lock icon in the left palette and choose "receive data over site-to-site" and add the user of nifi-1. This gives nifi-1 access to the specific port. Let us know if that works. If so we should definitely look at updating some of the documentation to explain this. Thanks, Bryan On Tue, Aug 30, 2016 at 6:28 PM, Paul Gibeault (pagibeault) <[email protected]<mailto:[email protected]>> wrote: Hello, We have been attempting to set up Site-to-Site for NiFi in secure mode and have not been successful. When I create a Remote Process Group, and enter the URL* https://servername:8443/nifi I receive an error icon. The hover status is “Unauthorized” * - servername is the actual hostname running NiFi Things I have tried without success: - Closely followed the instructions in the NiFi System Administrator’s Guide<https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html> - Enabled SSL Security and Kerberos User Authentication (no self-signed certs) - Imported public keys of remote NiFi servers into the local keystores for each instance - Created policies on each instance to allow for full permissions to the accounts in use. - Tried various combinations of Linux & Windows instances of NiFi. - Connected a Site-to-Site process group to itself - Used both 1.0.0-BETA and 1.1.0-SNAPSHOT NiFi versions There are no warnings or errors in the log files when I attempt to connect a NiFi instance running on Linux to another instance on Linux. However, I did see something when attempting to connect a NiFi instance running on Windows to an instance running on Linux From log of NiFi on Windows: 2016-08-30 16:11:21,173 ERROR [Remote Process Group dd2e3ac9-0156-1000-4543-5ba3d10c6130: https://servername:8443/nifi Thread-1] o.a.n.remote.StandardRemoteProcessGroup org.apache.nifi.remote.StandardRemoteProcessGroup$InitializationTask@19bde1f3<mailto:org.apache.nifi.remote.StandardRemoteProcessGroup$InitializationTask@19bde1f3> Failed to request account: got unexpected response code of 404:Not Found From log of NiFi on Linux: nifi-user.log:2016-08-30 16:39:53,973 INFO [NiFi Web Server-465] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=pagibeault) GET https://servername:8443/nifi-api/site-to-site (source ip: 137.201.48.150) nifi-user.log:2016-08-30 16:39:53,973 INFO [NiFi Web Server-465] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=pagibeault nifi-user.log:2016-08-30 16:39:53,974 INFO [NiFi Web Server-465] o.a.n.w.a.c.AccessDeniedExceptionMapper CN=pagibeault does not have permission to access the requested resource. Returning Forbidden response. Any guidance would be grand. Thanks, [http://collab.micron.com/corp/brand/SiteAssets/Micron.png]<http://www.micron.com/> Paul Gibeault Sr. Software Engineer, Big Data Enterprise Analytics & Data Micron Technology, Inc. Office (208) 363-3238<tel:%28208%29%20363-3238> [email protected]<mailto:[email protected]> [http://collab.micron.com/corp/brand/SiteAssets/LinkedIn.png] linkedin.com/in/paulgibeault<https://www.linkedin.com/in/linkedin.com/in/paulgibeault>
