It's the SSL Controller Service you need, with the keystore and truststore
set to point at the files nifi uses in the nifi.properties file (or at
least certificates issued by the same CA).

As you're in a cluster, the files will need to be located in the same
location on each node and have the same name (so they can be referred to by
the SSL Controller Service - the same service definition is used on each
node and the properties don't accept expression language, from memory).

Once you've got certs sorted, you'll need to ensure the Input Port on the
receiving instance/cluster has the correct policies set up to accept the
incoming traffic.



On Thursday, 23 July 2020, Sathish Phani Kurella <
[email protected]> wrote:

> Forwarded as received from : @Swarup Karavadi
> <[email protected]>
>
> To elaborate,
>
> We are using a 3 node NiFi cluster (1.11.4) that has been secured using
> OIDC (Keycloak). We have set up another secured (via Keycloak) standalone
> NiFi (also 1.11.4) instance that contains monitoring flows (we derive
> metadata about our pipelines by monitoring bulletins, provenance, status &
> metrics in the main cluster). To achieve this, we have enabled the four S2S
> Reporting Tasks (one each for bulletins, provenance, metrics & status) and
> configured these reporting tasks to send this information to the standalone
> NiFi instance over HTTP protocol. This worked fine until the standalone
> NiFi instance was allowing anonymous HTTP requests. However, we now want to
> expose the standalone NiFi instance securely over the internet. We have
> been able to do that by securing it via Keycloak. The problem now is that
> our main NiFi cluster's reporting tasks are unable to send data to the
> standalone NiFi instance the way they previously used to - that's because
> the standalone NiFi instance no longer allows anonymous HTTP requests.
>
> This is the WARNING that we get from the S2SProvenanceReporting task -
> 2020-07-23 14:02:56,130 WARN [Http Site-to-Site PeerSelector] o.a.n.r.SiteToSiteProvenanceReportingTask SiteToSiteProvenanceReportingTask[id=4d8716f5-0173-1000-ffff-ffffd536a29c] org.apache.nifi.remote.client.PeerSelector@78775340 Unable to refresh Remote Group's peers due to sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>
> We figured that using an SSLContextService would maybe alleviate this
> issue but are unable to figure out the right way of configuring this
> service. Any help or guidance in this direction would be much appreciated.
> Do let us know if you need any extra information to better understand the
> problem. Both the NiFi cluster & the standalone instance are deployed on
> Kubernetes. Both installations sit behind a load balancer.
>
> Cheers,
> Swarup.
>
> On Thu, Jul 23, 2020 at 4:47 PM Sathish Phani Kurella <
> [email protected]> wrote:
>
>> Hi All,
>>
>> S2S Provenance Reporting works fine when using an insecure (HTTP) reporting
>> NiFi instance. But how do we configure the S2S Provenance Reporting task for a
>> secure NiFi reporting instance (HTTPS)?
>>
>> PS: I have tried to use an SSL Context Service. But that did not work. Can
>> somebody provide me with details on how to configure the Site2Site
>> Provenance Reporting Task for a secure NiFi instance?
>>
>> Regards,
>> Sathish Phani Kurella
>>
>

-- 
*Chris Sampson*
IT Consultant
[email protected]
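As an added illustration of the two constraints in the reply above (the SSL Context Service should mirror the keystore/truststore that nifi.properties already points at, and because one service definition is shared by every node without expression language, the file paths and types must be identical on each node), here is a small Python check. It is example code written for this thread, not NiFi project code: the nifi.properties contents are constructed, the `nifi.security.*` keys are NiFi 1.x property names, and the field names on the right-hand side are those shown in the StandardSSLContextService dialog.

```python
"""Derive SSL Context Service settings from each node's nifi.properties and
flag anything that would break a single cluster-wide service definition.

Added example for the mailing-list thread; not NiFi project code. The
nifi.properties contents at the bottom are constructed sample data.
"""
from __future__ import annotations

# nifi.properties key -> StandardSSLContextService property (NiFi 1.x names)
KEY_MAP = {
    "nifi.security.keystore": "Keystore Filename",
    "nifi.security.keystoreType": "Keystore Type",
    "nifi.security.keystorePasswd": "Keystore Password",
    "nifi.security.keyPasswd": "Key Password",
    "nifi.security.truststore": "Truststore Filename",
    "nifi.security.truststoreType": "Truststore Type",
    "nifi.security.truststorePasswd": "Truststore Password",
}

# Fields that must be identical on every node: the controller service is
# defined once for the whole cluster and its properties are literal values,
# so each node resolves exactly the same path and store type.
MUST_MATCH = ("Keystore Filename", "Keystore Type",
              "Truststore Filename", "Truststore Type")


def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties parser: key=value, '#'/'!' comments, blanks."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only
        if not sep:
            continue
        props[key.strip()] = value.strip()
    return props


def ssl_service_settings(props: dict[str, str]) -> dict[str, str]:
    """Map one node's nifi.security.* values onto the SSL Context Service fields."""
    return {field: props.get(key, "") for key, field in KEY_MAP.items()}


def check_cluster(node_props: dict[str, dict[str, str]]) -> list[str]:
    """Return human-readable findings. An empty list means one set of literal
    service values works on every node."""
    findings: list[str] = []
    settings = {node: ssl_service_settings(p) for node, p in node_props.items()}
    for node, s in settings.items():
        if not s["Keystore Filename"]:
            findings.append(f"{node}: nifi.security.keystore is empty")
        if not s["Truststore Filename"]:
            findings.append(f"{node}: nifi.security.truststore is empty")
    for field in MUST_MATCH:
        values = {s[field] for s in settings.values()}
        if len(values) > 1:
            detail = ", ".join(f"{n}={s[field]!r}" for n, s in sorted(settings.items()))
            findings.append(f"{field} differs across nodes: {detail}")
    return findings


# Constructed sample nifi.properties fragments (passwords are placeholders).
NODE_OK = """
# security section of nifi.properties
nifi.security.keystore=/opt/nifi/conf/keystore.jks
nifi.security.keystoreType=jks
nifi.security.keystorePasswd=CHANGEME
nifi.security.keyPasswd=CHANGEME
nifi.security.truststore=/opt/nifi/conf/truststore.jks
nifi.security.truststoreType=jks
nifi.security.truststorePasswd=CHANGEME
"""
# Third node was provisioned with its truststore under a different path.
NODE_DRIFTED = NODE_OK.replace("/opt/nifi/conf/truststore.jks",
                               "/etc/nifi/certs/truststore.jks")

SAMPLE_CLUSTER = {
    "node1": parse_properties(NODE_OK),
    "node2": parse_properties(NODE_OK),
    "node3": parse_properties(NODE_DRIFTED),
}

if __name__ == "__main__":
    for line in check_cluster(SAMPLE_CLUSTER) or ["OK: one SSL Context Service definition fits all nodes"]:
        print(line)
```

Run it with each node's real nifi.properties in place of the constructed strings; any "differs across nodes" finding means the shared SSL Context Service cannot point at a path that exists on every node, which is the first thing to fix before looking at the Input Port policies on the receiving instance.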
