Thanks for looking at this, Andy; guess I was mistaken about needing a
single-entry keystore. Also thank you for the info regarding
WWW-Authenticate behavior with mTLS. Now that you point it out, it seems
rather logical: if both sides enforce authentication, there is no need to
explicitly ask...

Right, I believe the credentials used and the policies on both sides are
correct. The trust and keystores on both sides are valid and not expired, with
matching CN signatures to what is expected and configured in Users and the
RPGs. Both also set client and server Auth ExtendedKeyUsages; I thought
that was the issue, but not so, so credentials should be fine for mTLS use.
Both sides are using TLS 1.2 with matching ciphers.

Policies also look correct on both sides; in addition to the Admin Guide, I
have several working S2S installations I'm cross-checking against.

I'm increasing debug in JVM SSL handshake and bootstrap logging to see if I
can get more details. I can see the connection response is from the correct
host:port, with 401 Unauthorized, but not the specific reason for the authn
error.

Thanks again.

patw
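As an added example (not from this thread and not NiFi's own code): a small Go check that automates the keystore verification Pat describes doing by hand for S2S mTLS, i.e. that a certificate is inside its validity window, carries both the serverAuth and clientAuth ExtendedKeyUsages, and has the CN that the peer has configured as the user identity. The self-signed certificate it builds is constructed test data and the function names are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckS2SCert lists what would stop a certificate from working for NiFi site-to-site
// mTLS: inside its validity window, BOTH serverAuth and clientAuth EKUs present (every
// node acts as client and server), and CN equal to the identity configured on the peer.
func CheckS2SCert(cert *x509.Certificate, expectedCN string, now time.Time) []string {
	var problems []string
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		problems = append(problems, "outside validity window "+cert.NotBefore.Format(time.RFC3339)+" .. "+cert.NotAfter.Format(time.RFC3339))
	}
	hasServer, hasClient := false, false
	for _, eku := range cert.ExtKeyUsage {
		hasServer = hasServer || eku == x509.ExtKeyUsageServerAuth
		hasClient = hasClient || eku == x509.ExtKeyUsageClientAuth
	}
	if !hasServer { problems = append(problems, "missing serverAuth EKU") }
	if !hasClient { problems = append(problems, "missing clientAuth EKU") }
	if cert.Subject.CommonName != expectedCN {
		problems = append(problems, fmt.Sprintf("CN %q != configured identity %q", cert.Subject.CommonName, expectedCN))
	}
	return problems // nil when nothing is wrong
}

// NewSelfSignedCert builds a throwaway self-signed certificate (constructed test data,
// not a real NiFi keystore entry) so the check can be exercised offline.
func NewSelfSignedCert(cn string, ekus []x509.ExtKeyUsage, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn, OrganizationalUnit: []string{"NIFI"}},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: ekus}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Now()
	c, _ := NewSelfSignedCert("nifi-node1", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, now.Add(-time.Hour), now.Add(time.Hour))
	fmt.Println(CheckS2SCert(c, "nifi-node2", now)) // [missing clientAuth EKU CN "nifi-node1" != configured identity "nifi-node2"]
}
```

To run it against a real keystore entry, export the certificate to PEM (e.g. with keytool) and feed the decoded block to x509.ParseCertificate in place of NewSelfSignedCert.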

On Tue, Aug 25, 2020 at 3:10 PM Andy LoPresto <alopre...@apache.org> wrote:

> All S2S authentication is performed using mutual authentication TLS, so
> there would not be a WWW-Authenticate request. You’re saying each endpoint
> has the appropriate keystore and truststore in place, and each trusts the
> other? You’ve also set the appropriate user policies (different from
> certificate trust; the user identity is proxied in the request itself and
> used for authorization)?
>
> Have you checked the logs/nifi-app.log and logs/nifi-user.log files to see
> what identity the incoming authentication request is presenting?
>
> Andy LoPresto
> alopre...@apache.org
> alopresto.apa...@gmail.com
> He/Him
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>
> On Aug 25, 2020, at 8:09 AM, Pat White <patwh...@verizonmedia.com> wrote:
>
> Hi Folks,
>
> Does S2S require use of a single-entry keystore, or will multiple entries
> work OK?
>
> I thought I saw documentation which stated S2S will only work with single-entry
> keystores, but I'm not able to find the reference. Trying to track
> down a 401 Unauthorized error trying to do S2S with a peer cluster, without
> receiving a follow-up credential request.
>
> Everything seems OK, policies allow both sides access, credentials are
> valid and set both client and server Auth. It just appears as if the response
> to the nifi-api/site-to-site GET doesn't trust the peer node and drops the
> connection, without a follow-up WWW-Authenticate request. However, I can't
> find a reason for the reject.
>
>
> patw