Github user bbende commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/875#discussion_r75010710
  
    --- Diff: nifi-docs/src/main/asciidoc/administration-guide.adoc ---
    @@ -169,6 +169,81 @@ Now that the User Interface has been secured, we can 
easily secure Site-to-Site
     accomplished by setting the `nifi.remote.input.secure` and 
`nifi.cluster.protocol.is.secure` properties, respectively, to `true`.
     
     
    +TLS Generation Toolkit
    +~~~~~~~~~~~~~~~~~~~~~~
    +
    +In order to facilitate the secure setup of NiFi, a tls-toolkit command 
line utility is available to automatically generate the required keystores, 
truststore, and relevant configuration files. This is especially useful for 
securing multiple NiFi nodes, which can be a tedious and error-prone process.
    +
    +The tls-toolkit has two primary modes of operation:
    +
    +1. Standalone -- generates the certificate authority, keystores, 
truststores, and nifi.properties files in one command.
    +2. Client/Server mode -- uses a Certificate Authority Server that accepts 
Certificate Signing Requests from clients, signs them, and sends the resulting 
certificates back.  Both client and server validate the other’s identity 
through a shared secret.
    +
    +Standalone
    +^^^^^^^^^^
    +Standalone mode can be invoked by running “tls-toolkit.sh standalone 
-h” which will print the usage information along with descriptions of options 
that can be specified.
    +
    +The most common options to specify are:
    +
    +* -n (or --hostnames) a comma-separated list of hostnames that you’d 
like to generate certificates for.  It can be specified multiple times.  Range 
and instance patterns are supported. (see below for details)
    +* -f (or --nifiPropertiesFile) a base nifi.properties file that the tool 
will update for each host
    +* -o (or --outputDirectory) the directory to use for the resulting 
Certificate Authority files and NiFi configurations.  A subdirectory will be 
made for each host.
    +
    +Hostname Patterns:
    +
    +* Square brackets can be used in order to easily specify a range of 
hostnames. Example: [01-20]
    +* Parentheses can be used in order to specify that more than one NiFi 
instance will run on the given host(s). Example: (5)
    +
    +Examples:
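
Review bot: The -o (--outputDirectory) bullet gives no guidance on protecting the output directory, even though the section says standalone mode writes the Certificate Authority files and a per-host subdirectory of keystores and configuration there. Suggest adding a sentence telling the administrator to restrict permissions on that directory and to copy each host's subdirectory only to the host it was generated for. The Client/Server bullet has a similar gap in the lines shown: "validate the other's identity through a shared secret" does not say how the secret is supplied or that it should be random and kept private. On style, the command is wrapped in typographic quotes (“tls-toolkit.sh standalone -h”) and the option names are bare, while the surrounding context uses backticks for literals such as `nifi.remote.input.secure`; using backticks here would match and would keep the double hyphens from being rendered as dashes.
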
    --- End diff --
    
    Should we show one example generating a client p12? I think that will be 
very common.

