Hi Jeff,

Yes, I wasn't sure where to post on this specific question since it involved the TLS Toolkit. But I have responded over on the Knox thread for this. Thanks for the help so far!

-Ryan

On Thu, Mar 8, 2018 at 12:48 PM, Jeff <[email protected]> wrote:

> Hi Ryan,
>
> I responded to your question over on the Knox user list, but I can include my response here as well.
>
> I'm glad you're using the TLS Toolkit; I was going to suggest you give that a try, initially. The cert from the keystore generated by the toolkit that identifies the cert to use for Knox needs to be added to gateway.jks, along with the nifi-cert key from the truststore. Just importing both the keystore and truststore generated by the toolkit for Knox should be all you have to do there, since the toolkit generates those stores with just the nifi-key and nifi-cert in the keystore and truststore respectively. You should end up with three keys in gateway.jks afterward: the gateway-identity, nifi-key, and nifi-cert keys. Once both of those are added to gateway.jks, and you have configured the service definition for NiFi in your topology with useTwoWaySsl set to true, the two-way SSL handshake should succeed.
>
> Also, you will want to add the DN from that nifi-key as a node identity (in the same place you set the initial admin identity) so that NiFi can create a "user" to represent the Knox node and add a policy for you to allow that node/identity to proxy requests, if you haven't already done so.
>
> In nifi.properties, set nifi.web.proxy.context.path to "/gateway/sandbox/nifi-app". The host and port of the Knox service should also be set for nifi.web.proxy.host.
>
> After adding the keystore and truststore material to gateway.jks, adding a user and policy for NiFi to identify and authorize Knox for proxying, and updating nifi.properties as mentioned above, Knox should be able to proxy NiFi securely.
>
> On Thu, Mar 8, 2018 at 8:15 AM Ryan H <[email protected]> wrote:
>
>> Hi All,
>>
>> I have been working on getting a secure NiFi cluster to work with Knox. I would like to have Knox be the entry point to NiFi. I have a NiFi cluster running in secure mode without error. Now I would like to place Knox in front of the cluster. I have KnoxSSO set up, which is configured with an external OpenID provider to which users are redirected for authN. This setup works fine when the NiFi cluster is insecure.
>>
>> The error that I am getting is on the Knox side:
>> ...
>> *Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target*
>> ...
>>
>> I am pretty sure it is a cert issue (I reached out to the Knox Users Group and they think that it is a cert issue). I used the TLS Toolkit (Client/Server mode) to generate certs for the Knox machine. I imported the keystore.jks and truststore.jks to the Knox gateway.jks keystore. This did not solve the issue though. Is there something else that I should be importing into the Knox gateway.jks store based on what is generated by the TLS Toolkit?
>>
>> Any help is appreciated!
>>
>> Cheers,
>>
>> Ryan
>>
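The gateway.jks merge and the three-entry check that Jeff's reply describes, as an added shell example that is not from this thread or from the Knox or NiFi projects. The file paths, password variables and the `--run` flag are assumptions; the alias names (gateway-identity, nifi-key, nifi-cert) are the ones the reply names.

```shell
#!/bin/sh
# Added example: merge the TLS Toolkit keystore/truststore generated for the
# Knox host into Knox's gateway.jks, then confirm the three expected entries.
# Paths and passwords are hypothetical placeholders; override via environment.
set -eu

: "${TOOLKIT_KEYSTORE:=./knox-host/keystore.jks}"      # holds nifi-key (PrivateKeyEntry)
: "${TOOLKIT_TRUSTSTORE:=./knox-host/truststore.jks}"  # holds nifi-cert (trustedCertEntry)
: "${GATEWAY_JKS:=./gateway.jks}"                      # Knox gateway keystore
: "${TOOLKIT_KEYSTORE_PASS:=PLACEHOLDER}"
: "${TOOLKIT_TRUSTSTORE_PASS:=PLACEHOLDER}"
: "${GATEWAY_PASS:=PLACEHOLDER}"

# Copy every entry of a toolkit store into gateway.jks. In bulk mode keytool
# keeps the source entry password on a copied private key, so Knox must be
# configured with that key password for nifi-key.
import_store() {  # $1 = source store, $2 = its store password
  keytool -importkeystore -noprompt \
    -srckeystore "$1" -srcstoretype JKS -srcstorepass "$2" \
    -destkeystore "$GATEWAY_JKS" -deststoretype JKS -deststorepass "$GATEWAY_PASS"
}

merge_into_gateway_jks() {
  import_store "$TOOLKIT_KEYSTORE" "$TOOLKIT_KEYSTORE_PASS"      # adds nifi-key
  import_store "$TOOLKIT_TRUSTSTORE" "$TOOLKIT_TRUSTSTORE_PASS"  # adds nifi-cert
}

# Read a `keytool -list` listing on stdin and print each expected alias that is
# missing. Returns 0 only when gateway-identity, nifi-key and nifi-cert exist.
check_gateway_aliases() {
  present=$(awk -F',' '/PrivateKeyEntry|trustedCertEntry/ {print $1}')
  rc=0
  for alias in gateway-identity nifi-key nifi-cert; do
    if ! printf '%s\n' "$present" | grep -qx "$alias"; then
      echo "$alias"
      rc=1
    fi
  done
  return $rc
}

# Only touch real keystores when invoked as `sh merge-gateway.sh --run`.
if [ "${1:-}" = "--run" ]; then
  merge_into_gateway_jks
  keytool -list -keystore "$GATEWAY_JKS" -storepass "$GATEWAY_PASS" | check_gateway_aliases
fi
```

If the check prints nifi-cert after the merge, the trust anchor for the NiFi nodes never made it into gateway.jks, which is exactly the state that produces the PKIX "unable to find valid certification path" error quoted in the thread.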
