Hi Emmanuel
I don't use the toolkit, I just do it manually.
I have found that a normal server certificate, generated in Microsoft
Windows, is not working. The certificate for NiFi servers has to be both
serverAuth and clientAuth. So I have created a new certificate profile in
our PKI server for NiFi servers.
Next I create a server certificate for node1, with the following settings:
Common name = node1.domain.net
alternative names:
dns = node1.domain.net
dns = clustername.domain.net
When I export the certificate (as a pfx file) I export it with the private
key and protect it with a password. I also export my CA and ICA
certificates and copy all of them to the node1 server.
To create the keystore file I use the following command:
keytool -importkeystore -destkeystore keystore.jks -srcstoretype PKCS12
-deststoretype jks -srckeystore node1.domain.net.pfx
Here you will have to provide the password for the certificate and set a
password for the keystore. I use the same password for both.
To create a truststore I use the following commands:
keytool -keystore truststore.jks -storetype jks -importcert
-trustcacerts -file CA.domain.net.cer -alias CA-DOMAIN
keytool -keystore truststore.jks -importcert -file ICA.domain.net.cer
-alias ICA-DOMAIN
You will have to provide a password for the truststore.
Now you will have to manually edit the nifi.properties file for the path to
the files and the passwords.
Just repeat the steps above for the other nodes. Keep in mind if you later
will use a StandardSSLContextService and use the keystore on each node, the
password for the certificate and keystores has to be the same.
For accessing my secure nifi cluster afterwards, I simply create a user
certificate for myself in Windows, and configure the authorizers.xml with
the certificate name "<property name="Initial User Identity
1">CERTIFICATE</property>"
Keep in mind that NiFi is case sensitive. Therefore I use identity mappings
in the nifi.properties file:
nifi.security.identity.mapping.pattern.dn=^(.*)$
nifi.security.identity.mapping.value.dn=$1
nifi.security.identity.mapping.transform.dn=LOWER
This works fine for me.
Kind regards
Jens M. Kofoed
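As an added illustration of the three identity-mapping lines above (example code written for this reply, not code from the NiFi project), this applies a NiFi-style pattern/value/transform mapping to a DN and shows why the LOWER transform makes the comparison against the authorizers.xml entry case insensitive. It assumes that mappings are tried in sorted key order with the first full match winning, and that the configured identity goes through the same mappings as the presented DN.

```python
import re

# Constructed nifi.properties fragment: the three mapping lines from the post.
NIFI_PROPERTIES = """
nifi.security.identity.mapping.pattern.dn=^(.*)$
nifi.security.identity.mapping.value.dn=$1
nifi.security.identity.mapping.transform.dn=LOWER
"""

TRANSFORMS = {"NONE": lambda s: s, "LOWER": str.lower, "UPPER": str.upper}


def parse_mappings(properties_text):
    """Group pattern/value/transform entries by mapping name (here: 'dn').

    Mappings are returned sorted by name; a mapping without both a pattern
    and a value is ignored (assumption, modelled on NiFi's behaviour)."""
    by_name = {}
    for line in properties_text.splitlines():
        key, sep, value = line.strip().partition("=")
        m = re.fullmatch(
            r"nifi\.security\.identity\.mapping\.(pattern|value|transform)\.(.+)", key)
        if sep and m:
            by_name.setdefault(m.group(2), {})[m.group(1)] = value
    return [(name, m["pattern"], m["value"], m.get("transform", "NONE"))
            for name, m in sorted(by_name.items())
            if "pattern" in m and "value" in m]


def map_identity(identity, mappings):
    """Apply the first mapping whose pattern matches the whole identity."""
    for _name, pattern, value, transform in mappings:
        m = re.fullmatch(pattern, identity)
        if m is None:
            continue
        # Java-style $1 group references in the value become Python \1.
        mapped = m.expand(re.sub(r"\$(\d+)", r"\\\1", value))
        return TRANSFORMS[transform.upper()](mapped)
    return identity  # no mapping matched: the identity is used unchanged


def identities_match(presented_dn, configured_identity, mappings):
    """True if the DN from a client certificate resolves to the identity
    configured in authorizers.xml once both have gone through the mappings."""
    return map_identity(presented_dn, mappings) == map_identity(configured_identity, mappings)


if __name__ == "__main__":
    # Constructed DNs: a Windows-issued user certificate and the value typed
    # into authorizers.xml with different capitalisation.
    presented = "CN=Jens M. Kofoed, OU=Users, DC=domain, DC=net"
    configured = "cn=jens m. kofoed, ou=users, dc=domain, dc=net"
    mappings = parse_mappings(NIFI_PROPERTIES)
    print("raw comparison:", presented == configured)
    print("with mapping:  ", identities_match(presented, configured, mappings))
```

Without the mapping, the raw comparison fails on case alone; with it, both sides are lower-cased before NiFi looks the user up.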
On Mon, 14 Jun 2021 at 15:39, QUEVILLON EMMANUEL - EXT-SAFRAN
ENGINEERING SERVICES (SAFRAN) <[email protected]> wrote:
> Hi list,
>
> We are trying to set up a nifi secure installation using an SSL signed
> certificate by our corporate CA.
>
> This SSL certificate is signed for a domain name we’d like to use to
> access our nifi server(s).
>
> We’ve been unable to create a new certificate for our server using
> tls-toolkit for the main admin user identity to connect.
>
> 1) Is it possible to use such SSL signed certificate to create a new
> one with tls-toolkit?
>
> We’ve followed this documentation
> https://nifi.apache.org/docs/nifi-docs/html/toolkit-guide.html#tls_intermediate_ca
> and copied respective files and key to the right location and ran
> tls-toolkit command. However, tls-toolkit throws an error complaining “The
> signing certificate was not signed by any known certificates”
>
> We’ve also tried with the full chain certificate as an additional
> certificate file (option –additionalCACertificate), but it looks like
> tls-toolkit does not find all the certificate chain and stop at first level
> of the chain.
>
> Has anyone faced the same problem?
>
> Any help or advice will be appreciated.
>
> Thanks, regards
>
> Emmanuel