Hi Tiago,

The initial warning for the Insecure Cipher Provider Algorithm indicates
the use of the deprecated setting as mentioned previously.

The set-sensitive-properties-algorithm command looks correct, and should
have updated the flow.xml.gz, flow.json.gz, and nifi.properties settings.

The Decryption Failed message indicates that the nifi.sensitive.props.key
value does not match the value used to encrypt the flow configuration, or
that the algorithm does not match.

Can you provide some additional details about the NiFi installation? Is
this a standalone or clustered deployment, and is it running in a
containerized environment, or directly on a server?

Regards,
David Handermann

On Thu, Oct 27, 2022 at 10:35 AM Tiago Luís Sebastião (DSI) <
tiago.luis.sebast...@cgd.pt> wrote:

> Hi all,
>
>
>
> I'm having the same “problem”.
>
> I upgraded nifi version from 1.17.0 to 1.18.0 and that same warning
> started to appear 500k times a day.
>
> "
>
> WARN [Flow Service Tasks Thread-1] d.o.a.n.s.u.c.NiFiLegacyCipherProvider
> Insecure Cipher Provider Algorithm [PBEWITHMD5AND256BITAES-CBC-OPENSSL]
> generate salt requested
>
> "
>
>
>
> I already had nifi.sensitive.props.key value defined from when we migrated
> to 1.15.3.
>
>
>
> With Nifi STOPPED and without changing any configuration on
> nifi.properties I executed the following:
>
>
>
> ./nifi.sh set-sensitive-properties-algorithm NIFI_PBKDF2_AES_GCM_256
>
>
>
> No errors found there, then I started Nifi and received the following
> errors:
>
> "
>
> WARN [main] org.apache.nifi.web.server.JettyServer Failed to start web
> server... shutting down.
>
> org.apache.nifi.encrypt.EncryptionException: Decryption Failed with
> Algorithm [AES/GCM/NoPadding]
>
> "
>
>
>
> Since Nifi could not start anymore I reversed it...
>
> Now I'm kind of stuck with this warning...
>
> Does anyone know what I'm doing wrong?
>
>
>
> Tiago
>
>
>
> *From:* David Handermann [mailto:exceptionfact...@apache.org]
> *Sent:* 19 October 2022 13:41
> *To:* users@nifi.apache.org
> *Subject:* Re: NiFi 1.18.0 Sensitive Property broken after Upgrade
>
>
>
> Hi Mike,
>
>
>
> The deprecation warning is not related to NIFI-10567 or Sensitive Dynamic
> Properties.
>
>
>
> Deprecation logging is a new feature added in NiFi 1.18.0 to highlight
> components and features that are targeted for removal in future major
> releases. The current administrator's guide has more details on deprecation
> logging. [1] Deprecation warnings do not impact operational behavior, but
> they do identify configuration settings that should be changed.
>
>
>
> In this particular case, the deprecation is related to the use of the
> insecure algorithm.  NiFi 1.14.0 and following introduced new Sensitive
> Properties Key Algorithm settings, which should be used instead of the
> historical default value indicated in the warning. The new default value is
> NIFI_PBKDF2_AES_GCM_256, additional supported options are listed in the
> administrator's guide, [2] along with the command that can be run to update
> the Sensitive Properties Key Algorithm. [3]
>
>
>
> Feel free to follow up if you have additional questions.
>
>
>
> Regards,
>
> David Handermann
>
>
>
> [1]
> https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#deprecation-logging
>
> [2]
> https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#property-encryption-algorithms
>
> [3]
> https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#updating-the-sensitive-properties-algorithm
>
>
>
> On Wed, Oct 19, 2022 at 7:28 AM Mike S <88msha...@gmail.com> wrote:
>
> I upgraded from 1.16.2 to 1.18.0 and now see this warning in the log file.
>
>
>
> WARN [Flow Service Tasks Thread-1] d.o.a.n.s.u.c.NiFiLegacyCipherProvider
> Insecure Cipher Provider Algorithm [PBEWITHMD5AND256BITAES-CBC-OPENSSL]
> generate salt requested
> org.apache.nifi.deprecation.log.DeprecationException: Reference Class
> [org.apache.nifi.security.util.crypto.NiFiLegacyCipherProvider] ClassLoader
> [org.apache.nifi.nar.NarClassLoader[./work/nar/framework/nifi-framework-nar-1.18.0.nar-unpacked]]
>
> I read this here.
>
>
>
> NIFI-10567 <https://issues.apache.org/jira/browse/NIFI-10567> Corrects
> the parsing of Sensitive Dynamic Properties read from the XML version of
> the flow configuration, in absence of the JSON version.
>
> The issue surfaces when upgrading to NiFi 1.17.0 or 1.18.0 from a version
> older than 1.16.0. The issue also requires the presence of a Parameter
> Context with a Sensitive value assigned to a component with a Sensitive
> Property. Upgrading from 1.16.0 and following is not a problem.
>
> It appears that all my ListS3 processors using sensitive properties are
> working.
>
> Is this related since 1.16.2 has the latest flow.json.gz file?
>
>
>
> Mike
>
>
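
Added example, not part of the thread and not NiFi's own tooling: a read-only check of the two `nifi.properties` settings the reply above ties to the Decryption Failed error. It reports the algorithm, whether it is the legacy value from the warning, and whether a key is set, and compares the key between a backup and the current file without printing it. The function names, file names and sample values are constructed for illustration; `nifi.sensitive.props.algorithm` is assumed to be the property that holds the algorithm name.

```shell
#!/bin/sh
# Added example: report nifi.properties sensitive-property settings without
# echoing the key. File locations are passed in; nothing is modified.

# Print one property's value (last occurrence wins, empty if absent).
prop_value() {  # $1 = file, $2 = property name
    awk -v k="$2" '
        /^[ \t]*[#!]/ { next }                  # skip comment lines
        { i = index($0, "="); if (i == 0) next
          name = substr($0, 1, i - 1); gsub(/^[ \t]+|[ \t]+$/, "", name)
          if (name != k) next
          v = substr($0, i + 1); sub(/\r$/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v) }
        END { printf "%s", v }' "$1"
}

# One-line summary: algorithm, whether it is the legacy value named in the
# warning, and whether a key is set (the key itself is never printed).
props_status() {  # $1 = nifi.properties
    alg=$(prop_value "$1" nifi.sensitive.props.algorithm)
    key=$(prop_value "$1" nifi.sensitive.props.key)
    legacy=no
    keystate=set
    if [ "$alg" = "PBEWITHMD5AND256BITAES-CBC-OPENSSL" ]; then legacy=yes; fi
    if [ -z "$key" ]; then keystate=empty; fi
    printf 'algorithm=%s legacy=%s key=%s\n' "${alg:-unset}" "$legacy" "$keystate"
}

# Exit 0 when two files carry the same key value, 1 otherwise.
same_key() {  # $1, $2 = nifi.properties files (e.g. backup and current)
    [ "$(prop_value "$1" nifi.sensitive.props.key)" = \
      "$(prop_value "$2" nifi.sensitive.props.key)" ]
}

# Constructed sample files (not from the thread) so the script runs offline.
demo_dir=$(mktemp -d)
printf '%s\n' '# constructed backup copy' \
    'nifi.sensitive.props.key=constructed-key-1' \
    'nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL' \
    > "$demo_dir/before.properties"
printf '%s\n' 'nifi.sensitive.props.key=constructed-key-1' \
    'nifi.sensitive.props.algorithm=NIFI_PBKDF2_AES_GCM_256' \
    > "$demo_dir/after.properties"
props_status "$demo_dir/before.properties"
props_status "$demo_dir/after.properties"
if same_key "$demo_dir/before.properties" "$demo_dir/after.properties"; then
    echo "key unchanged between backup and current file"
fi
```

The check only covers `nifi.properties`; it cannot tell whether the flow configuration files were encrypted with the same key and algorithm.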
