RE: Truststore/Trusted hostname

2019-01-13 Thread Vos, Walter
Hi,

I’ve spoken to the admins in the meantime and their suspicion is that the proxy 
changes the certificate which causes issues. They’re investigating, but it’ll 
probably be a misconfiguration of the truststore. Thanks for the suggestions!

-Walter

Van: Andrew Grande [mailto:apere...@gmail.com]
Verzonden: woensdag 9 januari 2019 20:25
Aan: users@nifi.apache.org
CC: Vos, Walter 
Onderwerp: Re: Truststore/Trusted hostname

Walter, you could point to the default JRE truststore file, maybe.

Andrew
On Wed, Jan 9, 2019, 7:12 AM Kevin Doran 
mailto:kdo...@apache.org>> wrote:
Hi Walter,

I could be mistaken, but my interpretation of the Trusted Hostname 
configuration option is that it is designed to work with/in-addition-to the 
truststore, not instead of a truststore as an alternative trust mechanism.

Basically, I think it is to be used in situations when the default hostname 
verifier (i.e., the remote hostname must match the hostname/SANs of the 
certificate) prevents the connection. IF you have a reason the hostname does 
not match the cert (for example, a dev/test environment) you could whitelist an 
alternative hostname while still making aan HTTPS connection.

Note that when using this option there are man-in-the-middle attack 
implications you should consider.

Hope this helps!

Cheers,
Kevin


On January 9, 2019 at 03:28:45, Vos, Walter 
(walter@ns.nl) wrote:
> Hi,
>
> I'm trying to use the invokeHttp processor to POST to an https site through a 
> proxy. The
> proxy is http. Through some googling I found references that Java is rather 
> finicky with
> SSL connections and wants the target server certificate in its truststore, 
> but InvokeHttp
> also offers the trusted hostname parameter.
>
> Because I don't have CLI access to the server that NiFi runs on, that seemed 
> like the way
> to get what I want and I added the hostname to the Trusted Hostname. The 
> domain is in a form
> of subsub.sub.domain.tld and I've tried it just like, as well as 
> *.sub.domain.tld and
> *.domain.tld and domain.tld, but I keep getting this Java exception:
>
> sun.security.validator.ValidatorException: PKIX path building failed: 
> sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
>
> Am I doing something wrong? Is truststore really the only way to go? We're 
> working with
> HDF 3.1.0 / NiFi 1.5.0.*
>
> Cheers, Walter
>
> 
>
> Deze e-mail, inclusief eventuele bijlagen, is uitsluitend bestemd voor 
> (gebruik door)
> de geadresseerde. De e-mail kan persoonlijke of vertrouwelijke informatie 
> bevatten.
> Openbaarmaking, vermenigvuldiging, verspreiding en/of verstrekking van (de 
> inhoud
> van) deze e-mail (en eventuele bijlagen) aan derden is uitdrukkelijk niet 
> toegestaan.
> Indien u niet de bedoelde geadresseerde bent, wordt u vriendelijk verzocht 
> degene die
> de e-mail verzond hiervan direct op de hoogte te brengen en de e-mail (en 
> eventuele bijlagen)
> te vernietigen.
>
> Informatie vennootschap
>



Deze e-mail, inclusief eventuele bijlagen, is uitsluitend bestemd voor (gebruik 
door) de geadresseerde. De e-mail kan persoonlijke of vertrouwelijke informatie 
bevatten. Openbaarmaking, vermenigvuldiging, verspreiding en/of verstrekking 
van (de inhoud van) deze e-mail (en eventuele bijlagen) aan derden is 
uitdrukkelijk niet toegestaan. Indien u niet de bedoelde geadresseerde bent, 
wordt u vriendelijk verzocht degene die de e-mail verzond hiervan direct op de 
hoogte te brengen en de e-mail (en eventuele bijlagen) te vernietigen.

Informatie vennootschap


Re: process group name reverts back to initial value if I do a nifi registry "Change version"

2019-01-13 Thread Josef.Zahner1
Thanks Chad for confirming it.

@Bryan Bende: how shall we continue here? I understand that it isn't a high 
prio issue, however it would be great to get it fixed or at least know that it 
will be fixed in one of the future releases...

Cheers Josef


On 08.01.19, 20:34, "Chad Woodhead"  wrote:

Bryan/Josef,

Just wanted to let you know that I just tested this with NiFi 1.8.0 and 
NiFi Registry 0.3.0 and I experience the same behavior as Josef.

-Chad

> On Jan 8, 2019, at 12:58 PM, Bryan Bende  wrote:
> 
> I will keep trying, but I haven't been able to reproduce using NiFi
> 1.8.0 and registry 0.2.0.
> 
> I must be missing something.
> 
> On Tue, Jan 8, 2019 at 11:50 AM  wrote:
>> 
>> I've tried it now on another secured cluster exactly like you did:
>> 
>>1) Create PG "A" and save to registry
>>2) Import PG "A" from registry and rename to "B"
>>3) Add new processor (Execute Script) to original PG "A" and save 
to registry
>>4) Change version on PG "B" to new version
>> 
>> Problem still there... after changing to new version on "B" the name 
changed back to "A"
>> 
>> 
>> 
>> On 08.01.19, 17:40, "Zahner Josef, GSB-LR-TRW-LI" 
 wrote:
>> 
>>Hi Bryan
>> 
>>In my case it happens all the time, doesn't matter what kind of 
change. On my first test below I've changed a variable on a processor inside 
the PG and the second time (a few seconds ago) I've added a connection to my 
"Execute Script" processor. All the time my second PG with the new name changed 
back to the initial name... Even if I just click "Change version" and select 
another one than the current, my second PG changes the name back to the initial 
value.
>> 
>>Btw. we use NiFi Registry 0.2.0.
>> 
>>Cheers Josef
>> 
>> 
>> 
>> 
>> 
>>On 08.01.19, 17:23, "Bryan Bende"  wrote:
>> 
>>Hi Josef,
>> 
>>That sounds like a possible bug. I think the PG name is supposed 
to
>>remain unchanged.
>> 
>>I wasn't able to reproduce this though... in step 5 when you 
change
>>the "abc" group, what type of change are you making?
>> 
>>I did the following...
>> 
>>1) Create PG "A" and save to registry
>>2) Import PG "A" from registry and rename to "B"
>>3) Add new processor to original PG "A" and save to registry
>>4) Change version on PG "B" to new version
>> 
>>PG "B" is still named "B" at this point.
>> 
>>On Tue, Jan 8, 2019 at 10:26 AM  
wrote:
>>> 
>>> Hi guys
>>> 
>>> 
>>> 
>>> I’ve faced again an (at least for me) unexpected behavior of NiFi 1.8.0 
together with NiFi Registry.
>>> 
>>> 
>>> 
>>> Following use case:
>>> 
>>> 
>>> 
>>> Create a process group with name “abc” and add some processors to the pg
>>> Commit the pg to the NiFi registry
>>> Create a new pg and import the pg from step 1 from the registry
>>> Change the name of the new pg to “def” instead of “abc” – so far so 
good, no change from registry point of view
>>> Change the original pg “abc” from step 1 and commit the change to the 
registry
>>> Now we have change to the newest version for the pg “def” from step 4, 
as it isn’t anymore up to date – but now in my case as soon as I’m changing the 
version, the pg name gets changed back to “abc”. This happens all the time if I 
change the version on a pg which has another name than on the commit
>>> 
>>> 
>>> 
>>> Any comments on this? We use the NiFi registry as well as templating 
infrastructure, means we have several times the same pg but with different 
variables and names on the same NiFi canvas. But with the actual behavior this 
is very inconvenient… we have to memorize the name before we do the “Change 
version” and then after execution we have to set it again.
>>> 
>>> 
>>> 
>>> Cheers Josef
>> 
>> 
>> 
>> 





smime.p7s
Description: S/MIME Cryptographic Signature