Hello Atul I wrote the chart myself. Cert generation pattern was similar to what you are trying. I ran the server as a separate container, and generated client certs in init-container.
Thanks Sushil On Sun, Jul 26, 2020, 9:46 AM Atul Wankhade <atul.wankhad...@gmail.com> wrote: > Hi Sushil, > > I am using Cetic helm chart only. May I know which did you use? Where did > you generate the certs? > > Thanks, > Atul > > On Sat, Jul 25, 2020 at 2:00 AM Sushil Kumar <skm....@gmail.com> wrote: > >> Hello Atul >> >> I have recently tried using self signed certificates generated using nifi >> toolkit while using helm chart. >> cetic helm chart is not written completely to accomplish this, >> I may be able to help if you can share your helm chart. >> >> However, as of now the error is in your values.yaml file. >> >> Thanks >> Sushil Kumar >> >> On Fri, Jul 24, 2020 at 9:14 AM Chris Sampson <chris.samp...@naimuri.com> >> wrote: >> >>> I don't use our know much about helm, but that error suggests you've got >>> something wrong on line 202 of your yaml, so what's on that line (or the >>> lines immediately before/after)? >>> >>> Notice you're using nifi 1.11.1, might be worth considering 1.11.4 if >>> you can to take advantage of several high priority by fixes in nifi (but >>> that won't affect your helm chart). Also, suggest using the >>> apache/nifi-toolkit image for running the toolkit in tls server mode (much >>> lighter weight), but again that's not likely to be causing you a problem >>> here. >>> >>> >>> Cheers, >>> >>> Chris Sampson >>> >>> On Fri, 24 Jul 2020, 15:05 Atul Wankhade, <atul.wankhad...@gmail.com> >>> wrote: >>> >>>> Chris I am trying what you have suggested, while passing the init >>>> container params in values.yaml getting below error, can you please help to >>>> get around this issue. >>>> *Error: cannot load values.yaml: error converting YAML to JSON: yaml: >>>> line 202: did not find expected ',' or '}'* >>>> I am adding below init container config: tried to edit it in multiple >>>> ways no luck :( >>>> >>>> initContainers: { >>>> name: nifi-init >>>> image: "apache/nifi:1.11.1" >>>> imagePullPolicy: "IfNotPresent" >>>> command: ['sh', '-c', >>>> '/opt/nifi/nifi-toolkit-current/bin/tls-toolkit.sh client -c nifi-ca-cs -t >>>> Mytesttoken12345 --dn "CN=$(hostname -f), OU=NIFI"','>','/opt/certs'] >>>> volumeMounts: >>>> - mountPath: /opt/certs/ >>>> name: certs >>>> } >>>> >>>> Created CA service as below: >>>> apiVersion: apps/v1 >>>> kind: ReplicaSet >>>> metadata: >>>> name: nifi-ca >>>> namespace: nifi >>>> labels: >>>> app: nifi-ca >>>> spec: >>>> # modify replicas according to your case >>>> replicas: 1 >>>> selector: >>>> matchLabels: >>>> app: nifi-ca >>>> template: >>>> metadata: >>>> namespace: nifi >>>> labels: >>>> app: nifi-ca >>>> spec: >>>> containers: >>>> - name: nifi-ca >>>> image: apache/nifi:1.9.2 >>>> ports: >>>> - containerPort: 8443 >>>> name: ca-client-port >>>> command: >>>> - bash >>>> - -c >>>> - | >>>> ../nifi-toolkit-current/bin/tls-toolkit.sh server -c >>>> nifi-ca-cs -t <token> >>>> --- >>>> # Create service for the nifi-ca replica set >>>> apiVersion: v1 >>>> kind: Service >>>> metadata: >>>> name: nifi-ca-cs >>>> namespace: nifi >>>> labels: >>>> app: nifi-ca >>>> spec: >>>> ports: >>>> - port: 8443 >>>> name: ca-client-port >>>> targetPort: 8443 >>>> selector: >>>> app: nifi-ca >>>> >>>> On Fri, Jul 24, 2020 at 10:13 AM Atul Wankhade < >>>> atul.wankhad...@gmail.com> wrote: >>>> >>>>> Hi Andy, >>>>> >>>>> Sorry for the confusion, Nifi is running inside a container on the >>>>> node(Image has java prebuilt). It seems I need to tweak the image to >>>>> generate the certs inside the container. I have done the same setup(worked >>>>> fine) On Azure where I used to generate the certs on VM itself for Node >>>>> Identity so I was trying the same on Kubernetes Node but no Java here. I >>>>> am >>>>> new to K8S/Docker so limited by imagination I assume. TLS toolkit is part >>>>> of the NiFi image but nowhere documented as how to use it inside the >>>>> container(k8s env). >>>>> Need to explore more on what Chris said. >>>>> >>>>> Thank you guys >>>>> Atul >>>>> >>>>> On Thu, Jul 23, 2020 at 9:27 PM Andy LoPresto <alopre...@apache.org> >>>>> wrote: >>>>> >>>>>> Chris has a lot of good suggestions there. NiFi can accept >>>>>> certificates from any provider as long as they meet certain requirements >>>>>> (EKU, SAN, no wildcard, etc.). The toolkit was designed to make the >>>>>> process >>>>>> easier for people who could not obtain their certificates elsewhere. >>>>>> >>>>>> Maybe I am misunderstanding your statement, but I am curious why the >>>>>> toolkit can’t run on the node — if you don’t have Java available, how >>>>>> does >>>>>> NiFi itself run? >>>>>> >>>>>> Andy LoPresto >>>>>> alopre...@apache.org >>>>>> *alopresto.apa...@gmail.com <alopresto.apa...@gmail.com>* >>>>>> He/Him >>>>>> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69 >>>>>> >>>>>> On Jul 23, 2020, at 12:35 AM, Chris Sampson < >>>>>> chris.samp...@naimuri.com> wrote: >>>>>> >>>>>> My suggestion would be to run the apache/nifi-toolkit image as >>>>>> another Pod within your k8s namespace and have it running as a TLS >>>>>> Server[1]. You'll probably need to do that separately from your Helm >>>>>> chart >>>>>> (I'm not familiar with Helm or this chart). >>>>>> >>>>>> Then connect to that from your NiFi instances as they start up, e.g. >>>>>> with an init-container based on the same apache/nifi-toolkit image using >>>>>> the TLS client function [1] to obtain the required TLS certificate files >>>>>> from the TLS Server. You can use an emptyDir [2] volume to pass the files >>>>>> from the init-container to the NiFi container within the Pod. >>>>>> >>>>>> If you run the TLS Server as a StatefulSet (or a Deployment) with a >>>>>> Persistent Volume Claim that backed by an external volume within your >>>>>> cloud >>>>>> provider (whatever the GKE equivalent is of AWS's EBS volumes), then the >>>>>> TLS Server can be setup with its own Certificate Authority that persists >>>>>> between Pod restarts and thus your NiFi certificates shouldn't become >>>>>> invalid over time (if the TLS Server is restarted and generates a new CA, >>>>>> then subsequent NiFi restarts would mean your NiFi cluster instances >>>>>> would >>>>>> no longer be able to communicate with one another as they wouldn't trust >>>>>> one another's certificates). >>>>>> >>>>>> >>>>>> An alternative, if it's available in your k8s cluster, is to use >>>>>> something like cert-manager [3] to provision certificates for your >>>>>> instances, then use an init-container within the NiFi Pods to convert the >>>>>> PEM files to Java Keystore or PKCS12 format as required by NiFi. >>>>>> >>>>>> >>>>>> [1]: >>>>>> https://nifi.apache.org/docs/nifi-docs/html/toolkit-guide.html#client-server >>>>>> [2]: https://kubernetes.io/docs/concepts/storage/volumes/#emptydir >>>>>> [3]: https://github.com/jetstack/cert-manager >>>>>> >>>>>> >>>>>> *Chris Sampson* >>>>>> IT Consultant >>>>>> chris.samp...@naimuri.com >>>>>> >>>>>> >>>>>> >>>>>> On Thu, 23 Jul 2020 at 07:09, Atul Wankhade < >>>>>> atul.wankhad...@gmail.com> wrote: >>>>>> >>>>>>> Thanks a lot Andy for your reply, it definitely helped >>>>>>> pinpointing what is going wrong. I tried simulating the same with the >>>>>>> docker image from Apache and generating the keystore/truststore files on >>>>>>> the Docker host. For one node NiFi it worked fine. The problem comes >>>>>>> when I >>>>>>> am trying the same on Kubernetes. Nodes in GKE have Container optimized >>>>>>> OS >>>>>>> (no pkg installer) , so it does not support using NiFi tls-toolkit as >>>>>>> Java >>>>>>> cannot be installed. Can you please give some pointers/workaround on >>>>>>> how to >>>>>>> solve this issue with k8s? >>>>>>> Once the files are generated we can mount it using Host mount in the >>>>>>> pod. >>>>>>> >>>>>>> Thanks again for your help :) >>>>>>> Atul >>>>>>> >>>>>>> On Tue, Jul 21, 2020 at 10:37 PM Andy LoPresto <alopre...@apache.org> >>>>>>> wrote: >>>>>>> >>>>>>>> Atul, >>>>>>>> >>>>>>>> I am not a Kubernetes/ingress expert, but that error is indicating >>>>>>>> that you specified NiFi should be secure (i.e. use TLS/HTTPS) and yet >>>>>>>> there >>>>>>>> is no keystore or truststore provided to the application, so it fails >>>>>>>> to >>>>>>>> start. NiFi differs from some other applications in that you cannot >>>>>>>> configure authentication and authorization without explicitly enabling >>>>>>>> and >>>>>>>> configuring TLS for NiFi itself, not just delegating that data in >>>>>>>> transit >>>>>>>> encryption to an external system (like a load balancer, proxy, or >>>>>>>> service >>>>>>>> mesh). >>>>>>>> >>>>>>>> I suggest you read the NiFi walkthrough for “Securing NiFi with >>>>>>>> TLS” [1] which will provide some context around what the various >>>>>>>> requirements are, and the Admin Guide [2] sections on authentication >>>>>>>> and >>>>>>>> authorization for more background. >>>>>>>> >>>>>>>> [1] >>>>>>>> https://nifi.apache.org/docs/nifi-docs/html/walkthroughs.html#securing-nifi-with-tls >>>>>>>> [2] >>>>>>>> https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#security_configuration >>>>>>>> >>>>>>>> >>>>>>>> Andy LoPresto >>>>>>>> alopre...@apache.org >>>>>>>> *alopresto.apa...@gmail.com <alopresto.apa...@gmail.com>* >>>>>>>> He/Him >>>>>>>> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69 >>>>>>>> >>>>>>>> On Jul 20, 2020, at 11:58 PM, Atul Wankhade < >>>>>>>> atul.wankhad...@gmail.com> wrote: >>>>>>>> >>>>>>>> Hi All, >>>>>>>> I am trying to install NiFi with SSL on Kubernetes using >>>>>>>> Helm(cetic/nifi), Below is my values.yaml. I keep getting an error on >>>>>>>> NiFi >>>>>>>> containers as - Am I missing something? >>>>>>>> *Caused by: >>>>>>>> org.springframework.beans.factory.BeanCreationException: Error creating >>>>>>>> bean with name 'clusterCoordinationProtocolSender' defined in class >>>>>>>> path >>>>>>>> resource [nifi-cluster-protocol-context.xml]: Cannot resolve reference >>>>>>>> to >>>>>>>> bean 'protocolSocketConfiguration' while setting constructor argument; >>>>>>>> nested exception is >>>>>>>> org.springframework.beans.factory.BeanCreationException: Error creating >>>>>>>> bean with name 'protocolSocketConfiguration': FactoryBean threw >>>>>>>> exception >>>>>>>> on object creation; nested exception is java.io.FileNotFoundException: >>>>>>>> (No >>>>>>>> such file or directory)* >>>>>>>> >>>>>>>> VALUES.YAML: >>>>>>>> --- >>>>>>>> # Number of nifi nodes >>>>>>>> replicaCount: 1 >>>>>>>> >>>>>>>> ## Set default image, imageTag, and imagePullPolicy. >>>>>>>> ## ref: https://hub.docker.com/r/apache/nifi/ >>>>>>>> ## >>>>>>>> image: >>>>>>>> repository: apache/nifi >>>>>>>> tag: "1.11.4" >>>>>>>> pullPolicy: IfNotPresent >>>>>>>> >>>>>>>> ## Optionally specify an imagePullSecret. >>>>>>>> ## Secret must be manually created in the namespace. >>>>>>>> ## ref: >>>>>>>> https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ >>>>>>>> ## >>>>>>>> # pullSecret: myRegistrKeySecretName >>>>>>>> >>>>>>>> securityContext: >>>>>>>> runAsUser: 1000 >>>>>>>> fsGroup: 1000 >>>>>>>> >>>>>>>> sts: >>>>>>>> # Parallel podManagementPolicy for faster bootstrap and teardown. >>>>>>>> Default is OrderedReady. >>>>>>>> podManagementPolicy: Parallel >>>>>>>> AntiAffinity: soft >>>>>>>> hostPort: null >>>>>>>> >>>>>>>> ## Useful if using any custom secrets >>>>>>>> ## Pass in some secrets to use (if required) >>>>>>>> # secrets: >>>>>>>> # - name: myNifiSecret >>>>>>>> # keys: >>>>>>>> # - key1 >>>>>>>> # - key2 >>>>>>>> # mountPath: /opt/nifi/secret >>>>>>>> >>>>>>>> ## Useful if using any custom configmaps >>>>>>>> ## Pass in some configmaps to use (if required) >>>>>>>> # configmaps: >>>>>>>> # - name: myNifiConf >>>>>>>> # keys: >>>>>>>> # - myconf.conf >>>>>>>> # mountPath: /opt/nifi/custom-config >>>>>>>> >>>>>>>> >>>>>>>> properties: >>>>>>>> # use externalSecure for when inbound SSL is provided by >>>>>>>> nginx-ingress or other external mechanism >>>>>>>> externalSecure: true >>>>>>>> isNode: true >>>>>>>> httpPort: null >>>>>>>> httpsPort: 8443 >>>>>>>> clusterPort: 6007 >>>>>>>> clusterSecure: true >>>>>>>> needClientAuth: true >>>>>>>> provenanceStorage: "8 GB" >>>>>>>> siteToSite: >>>>>>>> secure: true >>>>>>>> port: 10000 >>>>>>>> authorizer: managed-authorizer >>>>>>>> # use properties.safetyValve to pass explicit 'key: value' pairs >>>>>>>> that overwrite other configuration >>>>>>>> safetyValve: >>>>>>>> #nifi.variable.registry.properties: >>>>>>>> "${NIFI_HOME}/example1.properties, ${NIFI_HOME}/example2.properties" >>>>>>>> nifi.web.http.network.interface.default: eth0 >>>>>>>> # listen to loopback interface so "kubectl port-forward ..." >>>>>>>> works >>>>>>>> nifi.web.http.network.interface.lo: lo >>>>>>>> >>>>>>>> ## Include additional libraries in the Nifi containers by using the >>>>>>>> postStart handler >>>>>>>> ## ref: >>>>>>>> https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/ >>>>>>>> # postStart: /opt/nifi/psql; wget -P /opt/nifi/psql >>>>>>>> https://jdbc.postgresql.org/download/postgresql-42.2.6.jar >>>>>>>> >>>>>>>> # Nifi User Authentication >>>>>>>> auth: >>>>>>>> ldap: >>>>>>>> enabled: false >>>>>>>> host: ldap://<hostname>:<port> >>>>>>>> searchBase: CN=Users,DC=example,DC=com >>>>>>>> searchFilter: CN=john >>>>>>>> >>>>>>>> ## Expose the nifi service to be accessed from outside the cluster >>>>>>>> (LoadBalancer service). >>>>>>>> ## or access it from within the cluster (ClusterIP service). Set >>>>>>>> the service type and the port to serve it. >>>>>>>> ## ref: http://kubernetes.io/docs/user-guide/services/ >>>>>>>> ## >>>>>>>> >>>>>>>> # headless service >>>>>>>> headless: >>>>>>>> type: ClusterIP >>>>>>>> annotations: >>>>>>>> service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" >>>>>>>> >>>>>>>> # ui service >>>>>>>> service: >>>>>>>> type: LoadBalancer >>>>>>>> httpPort: 80 >>>>>>>> httpsPort: 443 >>>>>>>> annotations: {} >>>>>>>> # loadBalancerIP: >>>>>>>> ## Load Balancer sources >>>>>>>> ## >>>>>>>> https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service >>>>>>>> ## >>>>>>>> # loadBalancerSourceRanges: >>>>>>>> # - 10.10.10.0/24 >>>>>>>> >>>>>>>> # Enables additional port/ports to nifi service for internal >>>>>>>> processors >>>>>>>> processors: >>>>>>>> enabled: false >>>>>>>> ports: >>>>>>>> - name: processor01 >>>>>>>> port: 7001 >>>>>>>> targetPort: 7001 >>>>>>>> #nodePort: 30701 >>>>>>>> - name: processor02 >>>>>>>> port: 7002 >>>>>>>> targetPort: 7002 >>>>>>>> #nodePort: 30702 >>>>>>>> >>>>>>>> ## Configure Ingress based on the documentation here: >>>>>>>> https://kubernetes.io/docs/concepts/services-networking/ingress/ >>>>>>>> ## >>>>>>>> ingress: >>>>>>>> enabled: false >>>>>>>> annotations: {} >>>>>>>> tls: [] >>>>>>>> hosts: [] >>>>>>>> path: / >>>>>>>> rule: [] >>>>>>>> # If you want to change the default path, see this issue >>>>>>>> https://github.com/cetic/helm-nifi/issues/22 >>>>>>>> >>>>>>>> # Amount of memory to give the NiFi java heap >>>>>>>> jvmMemory: 2g >>>>>>>> >>>>>>>> # Separate image for tailing each log separately >>>>>>>> sidecar: >>>>>>>> image: ez123/alpine-tini >>>>>>>> >>>>>>>> # Busybox image >>>>>>>> busybox: >>>>>>>> image: busybox >>>>>>>> >>>>>>>> ## Enable persistence using Persistent Volume Claims >>>>>>>> ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ >>>>>>>> ## >>>>>>>> persistence: >>>>>>>> enabled: false >>>>>>>> >>>>>>>> # When creating persistent storage, the NiFi helm chart can >>>>>>>> either reference an already-defined >>>>>>>> # storage class by name, such as "standard" or can define a >>>>>>>> custom storage class by specifying >>>>>>>> # customStorageClass: true and providing the "storageClass", >>>>>>>> "storageProvisioner" and "storageType". >>>>>>>> # For example, to use SSD storage on Google Compute Engine see >>>>>>>> values-gcp.yaml >>>>>>>> # >>>>>>>> # To use a storage class that already exists on the Kubernetes >>>>>>>> cluster, we can simply reference it by name. >>>>>>>> # For example: >>>>>>>> # storageClass: standard >>>>>>>> # >>>>>>>> # The default storage class is used if this variable is not set. >>>>>>>> >>>>>>>> accessModes: [ReadWriteOnce] >>>>>>>> ## Storage Capacities for persistent volumes >>>>>>>> # Storage capacity for the 'data' directory, which is used to >>>>>>>> hold things such as the flow.xml.gz, configuration, state, etc. >>>>>>>> dataStorage: >>>>>>>> size: 1Gi >>>>>>>> # Storage capacity for the FlowFile repository >>>>>>>> flowfileRepoStorage: >>>>>>>> size: 10Gi >>>>>>>> # Storage capacity for the Content repository >>>>>>>> contentRepoStorage: >>>>>>>> size: 10Gi >>>>>>>> # Storage capacity for the Provenance repository. When changing >>>>>>>> this, one should also change the properties.provenanceStorage value >>>>>>>> above, >>>>>>>> also. >>>>>>>> provenanceRepoStorage: >>>>>>>> size: 10Gi >>>>>>>> # Storage capacity for nifi logs >>>>>>>> logStorage: >>>>>>>> size: 5Gi >>>>>>>> >>>>>>>> ## Configure resource requests and limits >>>>>>>> ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ >>>>>>>> ## >>>>>>>> resources: {} >>>>>>>> # We usually recommend not to specify default resources and to >>>>>>>> leave this as a conscious >>>>>>>> # choice for the user. This also increases chances charts run on >>>>>>>> environments with little >>>>>>>> # resources, such as Minikube. If you do want to specify >>>>>>>> resources, uncomment the following >>>>>>>> # lines, adjust them as necessary, and remove the curly braces >>>>>>>> after 'resources:'. >>>>>>>> # limits: >>>>>>>> # cpu: 100m >>>>>>>> # memory: 128Mi >>>>>>>> # requests: >>>>>>>> # cpu: 100m >>>>>>>> # memory: 128Mi >>>>>>>> >>>>>>>> logresources: >>>>>>>> requests: >>>>>>>> cpu: 10m >>>>>>>> memory: 10Mi >>>>>>>> limits: >>>>>>>> cpu: 50m >>>>>>>> memory: 50Mi >>>>>>>> >>>>>>>> nodeSelector: {} >>>>>>>> >>>>>>>> tolerations: [] >>>>>>>> >>>>>>>> initContainers: {} >>>>>>>> # foo-init: # <- will be used as container name >>>>>>>> # image: "busybox:1.30.1" >>>>>>>> # imagePullPolicy: "IfNotPresent" >>>>>>>> # command: ['sh', '-c', 'echo this is an initContainer'] >>>>>>>> # volumeMounts: >>>>>>>> # - mountPath: /tmp/foo >>>>>>>> # name: foo >>>>>>>> >>>>>>>> extraVolumeMounts: [] >>>>>>>> >>>>>>>> extraVolumes: [] >>>>>>>> >>>>>>>> ## Extra containers >>>>>>>> extraContainers: [] >>>>>>>> >>>>>>>> terminationGracePeriodSeconds: 30 >>>>>>>> >>>>>>>> ## Extra environment variables that will be pass onto deployment >>>>>>>> pods >>>>>>>> env: [] >>>>>>>> >>>>>>>> # >>>>>>>> ------------------------------------------------------------------------------ >>>>>>>> # Zookeeper: >>>>>>>> # >>>>>>>> ------------------------------------------------------------------------------ >>>>>>>> zookeeper: >>>>>>>> ## If true, install the Zookeeper chart >>>>>>>> ## ref: >>>>>>>> https://github.com/kubernetes/charts/tree/master/incubator/zookeeper >>>>>>>> enabled: true >>>>>>>> ## If the Zookeeper Chart is disabled a URL and port are required >>>>>>>> to connect >>>>>>>> url: "" >>>>>>>> port: 2181 >>>>>>>> >>>>>>>> *Complete stacktrace:* >>>>>>>> Caused by: org.springframework.beans.factory.BeanCreationException: >>>>>>>> Error creating bean with name 'clusterCoordinationProtocolSender' >>>>>>>> defined >>>>>>>> in class path resource [nifi-cluster-protocol-context.xml]: Cannot >>>>>>>> resolve >>>>>>>> reference to bean 'protocolSocketConfiguration' while setting >>>>>>>> constructor >>>>>>>> argument; nested exception is >>>>>>>> org.springframework.beans.factory.BeanCreationException: Error creating >>>>>>>> bean with name 'protocolSocketConfiguration': FactoryBean threw >>>>>>>> exception >>>>>>>> on object creation; nested exception is java.io.FileNotFoundException: >>>>>>>> (No >>>>>>>> such file or directory) >>>>>>>> at >>>>>>>> org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:359) >>>>>>>> at >>>>>>>> org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:108) >>>>>>>> at >>>>>>>> org.springframework.beans.factory.support.ConstructorResolver.resolveConstructorArguments(ConstructorResolver.java:648) >>>>>>>> at >>>>>>>> org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:145) >>>>>>>> at >>>>>>>> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1198) >>>>>>>> at >>>>>>>> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1100) >>>>>>>> at >>>>>>>> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:511) >>>>>>>> at >>>>>>>> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:481) >>>>>>>> at >>>>>>>> org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:312) >>>>>>>> at >>>>>>>> org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230) >>>>>>>> at >>>>>>>> org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:308) >>>>>>>> at >>>>>>>> org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197) >>>>>>>> at >>>>>>>> org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:351) >>>>>>>> ... 75 common frames omitted >>>>>>>> Caused by: org.springframework.beans.factory.BeanCreationException: >>>>>>>> Error creating bean with name 'protocolSocketConfiguration': >>>>>>>> FactoryBean >>>>>>>> threw exception on object creation; nested exception is >>>>>>>> java.io.FileNotFoundException: (No such file or directory) >>>>>>>> at >>>>>>>> org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:185) >>>>>>>> at >>>>>>>> org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:103) >>>>>>>> at >>>>>>>> org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1640) >>>>>>>> at >>>>>>>> org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:323) >>>>>>>> at >>>>>>>> org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197) >>>>>>>> at >>>>>>>> org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:351) >>>>>>>> ... 87 common frames omitted >>>>>>>> Caused by: java.io.FileNotFoundException: (No such file or >>>>>>>> directory) >>>>>>>> at java.io.FileInputStream.open0(Native Method) >>>>>>>> at java.io.FileInputStream.open(FileInputStream.java:195) >>>>>>>> at java.io.FileInputStream.<init>(FileInputStream.java:138) >>>>>>>> at java.io.FileInputStream.<init>(FileInputStream.java:93) >>>>>>>> at >>>>>>>> org.apache.nifi.io.socket.SSLContextFactory.<init>(SSLContextFactory.java:66) >>>>>>>> at >>>>>>>> org.apache.nifi.cluster.protocol.spring.SocketConfigurationFactoryBean.getObject(SocketConfigurationFactoryBean.java:45) >>>>>>>> at >>>>>>>> org.apache.nifi.cluster.protocol.spring.SocketConfigurationFactoryBean.getObject(SocketConfigurationFactoryBean.java:30) >>>>>>>> at >>>>>>>> org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:178) >>>>>>>> ... 92 common frames omitted >>>>>>>> 2020-07-17 11:04:25,204 INFO [Thread-1] org.apache.nifi.NiFi >>>>>>>> Initiating shutdown of Jetty web server... >>>>>>>> 2020-07-17 11:04:25,214 INFO [Thread-1] >>>>>>>> o.eclipse.jetty.server.AbstractConnector Stopped >>>>>>>> ServerConnector@700f518a{SSL,[ssl, >>>>>>>> http/1.1]}{0.0.0.0:8443} >>>>>>>> 2020-07-17 11:04:25,214 INFO [Thread-1] >>>>>>>> org.eclipse.jetty.server.session node0 Stopped scavenging >>>>>>>> >>>>>>>> Any help to resolve this is appreciated. >>>>>>>> Atul Wankhade >>>>>>>> >>>>>>>> >>>>>>>> >>>>>> >> >> -- >> -- >> >> Thanks >> >> Sushil Kumar >> +1-(206)-698-4116 >> >>