Hi Ryan, I responded to your question over on the Knox user list, but I can include my response here as well.
I'm glad you're using the TLS Toolkit, I was going to suggest you give that a try, initially. The cert from the keystore generated by the toolkit that identifies the cert to use for Knox needs to be added to gateway.jks, along with the nifi-cert key from the truststore. Just importing both the keystore and truststore generated by the toolkit for Knox should be all you have to do there, since the toolkit generates those stores with just the nifi-key and nifi-cert in the keystore and truststore respectively. You should end up with three keys in gateway.jks afterward: the gateway-identity, nifi-key, and nifi-cert keys.

Once both of those are added to gateway.jks, and you have configured the service definition for NiFi in your topology with useTwoWaySsl set to true, the two-way SSL handshake should succeed. Also, you will want to add the DN from that nifi-key as a node identity (in the same place you set the initial admin identity) so that NiFi can create a "user" to represent the Knox node and add a policy for you to allow that node/identity to proxy requests, if you haven't already done so.

In nifi.properties, set nifi.web.proxy.context.path to "/gateway/sandbox/nifi-app". The host and port of the Knox service should also be set for nifi.web.proxy.host.

After adding the keystore and truststore material to gateway.jks, adding a user and policy for NiFi to identify and authorize Knox for proxying, and updating nifi.properties as mentioned above, Knox should be able to proxy NiFi securely.

On Thu, Mar 8, 2018 at 8:15 AM Ryan H <[email protected]> wrote:

> Hi All,
>
> I have been working on getting a secure NiFi cluster to work with Knox. I would like to have Knox be the entry point to NiFi. I have a NiFi cluster running in secure mode without error. Now I would like to place Knox in front of the Cluster. I have KnoxSSO setup which is configured with an external OpenID provider for which users are redirected to authN. This setup works fine when NiFi cluster is insecure.
>
> The error that I am getting is on the Knox side:
> ...
> *Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target*
> ...
>
> I am pretty sure it is a cert issue (I reached out to the Knox Users Group and they think that it is a cert issue). I used the TLS Toolkit (Client/Server mode) to generate certs for the Knox machine. I imported the keystore.jks and truststore.jks to the Knox gateway.jks keystore. This did not solve the issue though. Is there something else that I should be importing into the Knox gateway.jks store based on what is generated by the TLS Toolkit?
>
> Any help is appreciated!
>
> Cheers,
>
> Ryan
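As an added example (not code from the thread or from the NiFi or Knox projects), a small POSIX shell helper for the steps in the reply above: importing the toolkit's keystore and truststore into gateway.jks, then checking that the three expected entries and the two nifi.properties proxy settings are in place. Store paths, the password environment variable names and the sample listings are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: helpers for the Knox/NiFi two-way SSL setup
# described in the reply. Store paths, password variable names and the keytool invocations
# are assumptions; the nifi-key/nifi-cert aliases and the nifi.properties keys come from
# the thread.

# Import the toolkit's keystore (nifi-key) and truststore (nifi-cert) into gateway.jks.
# Passwords come from the environment (GW_PASS, KS_PASS, TS_PASS) so they stay out of
# shell history. Not invoked below; call it with the three store paths.
import_toolkit_stores() {
    gw="$1"; ks="$2"; ts="$3"
    keytool -importkeystore -noprompt -srckeystore "$ks" -srcstorepass "$KS_PASS" \
        -destkeystore "$gw" -deststorepass "$GW_PASS"
    keytool -importkeystore -noprompt -srckeystore "$ts" -srcstorepass "$TS_PASS" \
        -destkeystore "$gw" -deststorepass "$GW_PASS"
}

# Read `keytool -list -keystore gateway.jks` output on stdin; succeed only if all three
# entries the reply expects (gateway-identity, nifi-key, nifi-cert) are present.
has_required_aliases() {
    listing=$(cat)
    for alias in gateway-identity nifi-key nifi-cert; do
        printf '%s\n' "$listing" | grep -q "^$alias," || return 1
    done
}

# Read nifi.properties on stdin; succeed only if the proxy context path matches the Knox
# topology path from the reply and nifi.web.proxy.host is set to something non-empty.
check_proxy_props() {
    props=$(cat)
    printf '%s\n' "$props" | grep -q '^nifi.web.proxy.context.path=/gateway/sandbox/nifi-app$' || return 1
    printf '%s\n' "$props" | grep -Eq '^nifi.web.proxy.host=[^[:space:]]+$' || return 1
}

# Constructed sample inputs (not real output from any system).
SAMPLE_LISTING='Your keystore contains 3 entries

gateway-identity, Mar 8, 2018, PrivateKeyEntry,
nifi-key, Mar 8, 2018, PrivateKeyEntry,
nifi-cert, Mar 8, 2018, trustedCertEntry,'

SAMPLE_PROPS='nifi.web.proxy.context.path=/gateway/sandbox/nifi-app
nifi.web.proxy.host=knox.example.com:8443'

printf '%s\n' "$SAMPLE_LISTING" | has_required_aliases && echo "gateway.jks: all three entries present"
printf '%s\n' "$SAMPLE_PROPS" | check_proxy_props && echo "nifi.properties: proxy settings OK"
```

Pipe real `keytool -list` output and your real nifi.properties into the two check functions after running the import to confirm the store and proxy settings match what the reply describes.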
