[GitHub] nifi pull request #875: Nifi 2477

2016-08-16 Thread brosander
GitHub user brosander opened a pull request:

https://github.com/apache/nifi/pull/875

Nifi 2477



You can merge this pull request into a Git repository by running:

$ git pull https://github.com/brosander/nifi NIFI-2477

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/nifi/pull/875.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #875


commit 8c72a5a208d418ba35c26b31b430315c517d3c32
Author: Andrew Lim 
Date:   2016-08-12T18:44:38Z

NIFI-2477 Document TLS generation tool in Admin and Developer Guides

commit 5e8b3ac9e5ad00ff96489de212da38a596cf3546
Author: Bryan Rosander 
Date:   2016-08-16T18:48:35Z

NIFI-2477 - Updating admin guide to account for NIFI-2476




---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---


[GitHub] nifi pull request #875: Nifi 2477

2016-08-16 Thread bbende
GitHub user bbende commented on a diff in the pull request:

https://github.com/apache/nifi/pull/875#discussion_r75010710
  
--- Diff: nifi-docs/src/main/asciidoc/administration-guide.adoc ---
@@ -169,6 +169,81 @@ Now that the User Interface has been secured, we can 
easily secure Site-to-Site
 accomplished by setting the `nifi.remote.input.secure` and 
`nifi.cluster.protocol.is.secure` properties, respectively, to `true`.
 
 
+TLS Generation Toolkit
+~~
+
+In order to facilitate the secure setup of NiFi, a tls-toolkit command 
line utility is available to automatically generate the required keystores, 
truststore, and relevant configuration files. This is especially useful for 
securing multiple NiFi nodes, which can be a tedious and error-prone process.
+
+The tls-toolkit has two primary modes of operation:
+
+1. Standalone -- generates the certificate authority, keystores, 
truststores, and nifi.properties files in one command.
+2. Client/Server mode -- uses a Certificate Authority Server that accepts 
Certificate Signing Requests from clients, signs them, and sends the resulting 
certificates back.  Both client and server validate the other’s identity 
through a shared secret.
+
+Standalone
+^^
+Standalone mode can be invoked by running “tls-toolkit.sh standalone 
-h” which will print the usage information along with descriptions of options 
that can be specified.
+
+The most common options to specify are:
+
+* -n (or --hostnames) a comma-separated list of hostnames that you’d 
like to generate certificates for.  It can be specified multiple times.  Range 
and instance patterns are supported. (see below for details)
+* -f (or --nifiPropertiesFile) a base nifi.properties file that the tool 
will update for each host
+* -o (or --outputDirectory) the directory to use for the resulting 
Certificate Authority files and NiFi configurations.  A subdirectory will be 
made for each host.
+
+Hostname Patterns:
+
+* Square brackets can be used in order to easily specify a range of 
hostnames. Example: [01-20]
+* Parentheses can be used in order to specify that more than one NiFi 
instance will run on the given host(s). Example: (5)
+
+Examples:
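Review bot: The Client/Server mode item says both sides validate each other "through a shared secret" but does not say how that secret is chosen, how it is supplied to the tool, or how it should be protected. Because the secret is what lets a client have its Certificate Signing Request signed, the guide should state that it must be distributed out of band and kept confidential, and name the option used to provide it. In the same spirit, the -o (--outputDirectory) bullet could note that the directory holds the Certificate Authority files and a subdirectory per host, so it should be readable only by the administrator running the tool.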
--- End diff --

Should we show one example generating a client p12? I think that will be 
very common.




[GitHub] nifi pull request #875: Nifi 2477

2016-08-16 Thread trixpan
GitHub user trixpan commented on a diff in the pull request:

https://github.com/apache/nifi/pull/875#discussion_r75027919
  
--- Diff: nifi-docs/src/main/asciidoc/administration-guide.adoc ---
@@ -169,6 +169,81 @@ Now that the User Interface has been secured, we can 
easily secure Site-to-Site
 accomplished by setting the `nifi.remote.input.secure` and 
`nifi.cluster.protocol.is.secure` properties, respectively, to `true`.
 
 
+TLS Generation Toolkit
+~~
+
+In order to facilitate the secure setup of NiFi, a tls-toolkit command 
line utility is available to automatically generate the required keystores, 
truststore, and relevant configuration files. This is especially useful for 
securing multiple NiFi nodes, which can be a tedious and error-prone process.
+
+The tls-toolkit has two primary modes of operation:
+
+1. Standalone -- generates the certificate authority, keystores, 
truststores, and nifi.properties files in one command.
+2. Client/Server mode -- uses a Certificate Authority Server that accepts 
Certificate Signing Requests from clients, signs them, and sends the resulting 
certificates back.  Both client and server validate the other’s identity 
through a shared secret.
+
+Standalone
+^^
+Standalone mode can be invoked by running “tls-toolkit.sh standalone 
-h” which will print the usage information along with descriptions of options 
that can be specified.
+
+The most common options to specify are:
+
+* -n (or --hostnames) a comma-separated list of hostnames that you’d 
like to generate certificates for.  It can be specified multiple times.  Range 
and instance patterns are supported. (see below for details)
+* -f (or --nifiPropertiesFile) a base nifi.properties file that the tool 
will update for each host
+* -o (or --outputDirectory) the directory to use for the resulting 
Certificate Authority files and NiFi configurations.  A subdirectory will be 
made for each host.
+
+Hostname Patterns:
+
+* Square brackets can be used in order to easily specify a range of 
hostnames. Example: [01-20]
+* Parentheses can be used in order to specify that more than one NiFi 
instance will run on the given host(s). Example: (5)
+
+Examples:
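Review bot: The literals in the Standalone section are not marked up as code: the command is wrapped in curly quotes (“tls-toolkit.sh standalone -h”) and the options -n, -f, -o and the file name nifi.properties appear as plain text, while the context lines just above use backticks for `nifi.remote.input.secure`. Putting the command, options and file names in backticks would match the surrounding guide and let readers copy them without picking up typographic quotes. The Hostname Patterns bullets also show only the fragments [01-20] and (5); showing each inside a complete -n argument would make clear where the pattern sits in the hostname and what it expands to.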
--- End diff --

+1 on @bbende comment




[GitHub] nifi pull request #875: Nifi 2477

2016-08-17 Thread asfgit
GitHub user asfgit closed the pull request at:

https://github.com/apache/nifi/pull/875

