Hi Russell,

Thanks for the reply and additional details.

Reviewing the output of the keytool list command, it appears that the Key Store Type is actually PKCS12, not JKS. What version of Java are you using to create the Key Store?

Based on the output indicating PKCS12, I recommend changing the StandardRestrictedSSLContextService to use PKCS12 instead of JKS for the Key Store Type and Trust Store Type.

Regards,
David Handermann

On Thu, Jul 21, 2022 at 1:30 PM Russell Bateman <[email protected]> wrote:

> David,
>
> Sadly, this is my experience. "changeit" works for me. And I tried
> reconfiguring the three passwords in *StandardRestrictedSSLContextService*
> to no avail.
>
> ~/dev/nifi/nifi-1.15.0/conf $ *keytool -list -v -keystore
> mdmi-keystore.jks*
> Enter keystore password: *changeit*
> Keystore type: PKCS12
> Keystore provider: SUN
>
> Your keystore contains 1 entry
>
> Alias name: mdmi
> Creation date: Jul 20, 2022
> Entry type: PrivateKeyEntry
> Certificate chain length: 1
> Certificate[1]:
> Owner: CN=windofkeltia.com, OU=Unknown, O=Wind of Keltia, L=Provo, ST=UT,
> C=US
> Issuer: CN=windofkeltia.com, OU=Unknown, O=Wind of Keltia, L=Provo,
> ST=UT, C=US
> Serial number: 1e7288f7
> Valid from: Wed Jul 20 15:39:23 MDT 2022 until: Thu Jul 20 15:39:23 MDT
> 2023
> Certificate fingerprints:
> SHA1: B9:58:6E:C1:0D:DA:1D:CF:7D:02:16:54:F2:FA:1F:C4:19:01:F5:1B
> SHA256:
> FF:0B:3B:4A:59:69:9B:B8:B3:23:1F:4E:72:03:C7:24:11:A9:DF:11:C6:76:89:32:44:F7:12:A4:26:F5:9D:4B
> Signature algorithm name: SHA256withRSA
> Subject Public Key Algorithm: 2048-bit RSA key
> Version: 3
>
> Extensions:
>
> #1: ObjectId: 2.5.29.14 Criticality=false
> SubjectKeyIdentifier [
> KeyIdentifier [
> 0000: 69 63 BD 7E 67 A1 EC 0A 54 3C 61 2F 51 D7 64 46 ic..g...T<a/Q.dF
> 0010: FB F1 37 E2 ..7.
> ]
> ]
>
> *******************************************
> *******************************************
>
> ~/dev/nifi/nifi-1.15.0/conf $ *keytool -list -v -keystore
> mdmi-truststore.jks*
> Enter keystore password: *changeit*
> Keystore type: PKCS12
> Keystore provider: SUN
>
> Your keystore contains 1 entry
>
> Alias name: mdmi
> Creation date: Jul 21, 2022
> Entry type: trustedCertEntry
>
> Owner: CN=windofkeltia.com, OU=Unknown, O=Wind of Keltia, L=Provo, ST=UT,
> C=US
> Issuer: CN=windofkeltia.com, OU=Unknown, O=Wind of Keltia, L=Provo,
> ST=UT, C=US
> Serial number: 1e7288f7
> Valid from: Wed Jul 20 15:39:23 MDT 2022 until: Thu Jul 20 15:39:23 MDT
> 2023
> Certificate fingerprints:
> SHA1: B9:58:6E:C1:0D:DA:1D:CF:7D:02:16:54:F2:FA:1F:C4:19:01:F5:1B
> SHA256:
> FF:0B:3B:4A:59:69:9B:B8:B3:23:1F:4E:72:03:C7:24:11:A9:DF:11:C6:76:89:32:44:F7:12:A4:26:F5:9D:4B
> Signature algorithm name: SHA256withRSA
> Subject Public Key Algorithm: 2048-bit RSA key
> Version: 3
>
> Extensions:
>
> #1: ObjectId: 2.5.29.14 Criticality=false
> SubjectKeyIdentifier [
> KeyIdentifier [
> 0000: 69 63 BD 7E 67 A1 EC 0A 54 3C 61 2F 51 D7 64 46 ic..g...T<a/Q.dF
> 0010: FB F1 37 E2 ..7.
> ]
> ]
>
> *******************************************
> *******************************************
>
>
> On 7/21/22 08:01, David Handermann wrote:
>
> Hi Russell,
>
> Thanks for describing the steps used to generate the keystore and
> truststore files.
>
> The validation warnings on StandardRestrictedSSLContextService appear to
> indicate that the configured password properties do not match the keystore
> and truststore passwords.
>
> It would be helpful to enter the password properties again and confirm
> that there are no trailing spaces.
>
> The following keytool commands can also be used to verify the passwords:
>
> keytool -list -v -keystore mdmi-keystore.jks
> keytool -list -v -keystore mdmi-truststore.jks
>
> The configuration appears to be correct, so confirming the password on
> both files is a good next step.
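
The mismatch identified in this thread, a file named `.jks` whose contents are PKCS12, can be confirmed from the file's leading bytes without entering a password. The script below is an added example and not part of the original thread; the function names and the header-only sample files are constructed for illustration, and the check looks only at the first 8 bytes.

```shell
#!/bin/sh
# Added example: identify a keystore's real format from its leading bytes,
# regardless of file extension, and compare it with the configured type.

# keystore_format FILE -> prints JKS, JCEKS, PKCS12 or UNKNOWN
keystore_format() {
    # First 8 bytes as lowercase hex without separators
    hex=$(od -An -tx1 -N8 "$1" | tr -d ' \n')
    case "$hex" in
        feedfeed*) echo JKS ;;    # JKS magic 0xFEEDFEED
        cececece*) echo JCEKS ;;  # JCEKS magic 0xCECECECE
        # PKCS12 PFX: SEQUENCE tag 0x30, a length, then INTEGER version 3
        30??020103*|3081??020103*|3082????020103*|3083??????020103*)
            echo PKCS12 ;;
        *) echo UNKNOWN ;;
    esac
}

# check_keystore FILE CONFIGURED_TYPE -> exit status 0 on match, 1 on mismatch
check_keystore() {
    actual=$(keystore_format "$1")
    if [ "$actual" = "$2" ]; then
        echo "OK: $1 is $actual"
    else
        echo "MISMATCH: $1 is $actual but configured as $2"
        return 1
    fi
}

# make_samples DIR -> writes constructed header-only samples (not real keystores)
make_samples() {
    # PKCS12 header under a .jks name, the situation in the thread
    printf '\060\202\012\000\002\001\003\060' > "$1/mdmi-keystore.jks"
    # JKS header: magic, version 2, one entry
    printf '\376\355\376\355\000\000\000\002\000\000\000\001' > "$1/legacy.jks"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
check_keystore "$demo_dir/mdmi-keystore.jks" JKS || true   # reports MISMATCH
check_keystore "$demo_dir/mdmi-keystore.jks" PKCS12
check_keystore "$demo_dir/legacy.jks" JKS
rm -rf "$demo_dir"
```

Against a real file, call `check_keystore` with the path and the Keystore Type or Truststore Type value configured in the SSL context service.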
