NiFi migration behaviour in template (inside flow.xml.gz file)

2020-08-20 Thread sanjeet rath
Hi All,

I have migrated the flows from version 1.8 to 1.11.4.
I have realised all the processors are auto upgraded to 1.11.4. However, the
below two types are not auto upgraded.

1-> All the processors and controllers of the *template* are not auto upgraded
to 1.11.4 in the flow.xml.gz file.

2-> Processors having an invalid state (invalid means its relation is not
connected or not auto terminated).

Please clarify whether this is expected behaviour or a bug.

Thanks a lot for your help in the migration process.
Sanjeet


Re: NiFi 1.12.0 - KeyStores with multiple certificates are not supported

2020-08-20 Thread Josef.Zahner1
Hi Andy & Kotaro

Thank you for your comments. So this means we can’t upgrade to NiFi 1.12.0 :-(
(except if we change the certs, which is no option at the moment).

@Andy: I’m aware of the wildcard certificate notes from the documentation. We
don’t have a wildcard certificate with a ‘*’ sign in it. We are using a SAN with
multiple explicit node names like nifi1.domain.com, nifi2.domain.com. Does this
cause the same issues as you mentioned with a real wildcard, or would that be
fine? This isn’t clear to me when reading the documentation.

We can’t use the NiFi Toolkit as we have to use our own corporate CA, which is at
the moment not automatically provisionable, so the CSRs need to be done
manually and it would be a huge amount of work to create and maintain the certificates.

Cheers Josef



From: Andy LoPresto 
Reply to: "users@nifi.apache.org" 
Date: Thursday, 20 August 2020 at 01:06
To: "users@nifi.apache.org" 
Subject: Re: NiFi 1.12.0 - KeyStores with multiple certificates are not supported

Hi Josef and Kotaro,

Thanks for identifying this scenario. I am away from the office for a bit but 
will try to review Kotaro’s changes in the linked PR. The regression is within 
Jetty’s code, and requires a new API to be invoked. NiFi does not have an 
existing method to configure a specific key to use within the keystore, and 
thus has always encouraged the use of a keystore with a single certificate and 
key (PrivateKeyEntry).

However, I will note that the initial scenario described by Josef seems to use 
a wildcard certificate, and this is explicitly mentioned in the documentation 
as not supported and discouraged [1].


"Wildcard certificates (i.e. two nodes node1.nifi.apache.org and
node2.nifi.apache.org being assigned the same certificate with a CN or SAN entry
of *.nifi.apache.org) are not officially supported and not recommended. There are
numerous disadvantages to using wildcard certificates, and a cluster working with
wildcard certificates has occurred in previous versions out of lucky accidents,
not intentional support. Wildcard SAN entries are acceptable if each cert
maintains an additional unique SAN entry and CN entry."

I understand the challenges around automating key and certificate management 
and regenerating/expiring certificates appropriately. The TLS Toolkit exists to 
assist with this process, and there are ongoing improvements being made. 
However, fully supporting wildcard certificates would require substantial 
refactoring in the core framework and is not planned for any immediate 
attention.

[1] 
https://nifi.apache.org/docs/nifi-docs/html/toolkit-guide.html#wildcard_certificates


Andy LoPresto
alopre...@apache.org
alopresto.apa...@gmail.com
He/Him
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69


On Aug 19, 2020, at 11:13 AM, Kotaro Terada <kota...@apache.org> wrote:

Hi Josef and teams,

I encountered the same problem, and I have created a patch to fix it [1].

I guess the only way to fix the problem is to apply the patch and rebuild NiFi, 
since the current implementation unfortunately doesn't seem to support 
keystores with multiple certificates. Could someone please give support to 
review the PR and proceed to fix it?

[1] https://issues.apache.org/jira/browse/NIFI-7730

Thanks,
Kotaro


On Thu, Aug 20, 2020 at 12:51 AM <josef.zahn...@swisscom.com> wrote:
Hi guys

As we are waiting for some fixed bugs in NiFi 1.12.0, we upgraded today from
1.11.4 to the newest version on one of our secured test single VM instances.
However, NiFi crashed during startup, error message below. It tells us that
KeyStores with multiple certificates are not supported. As you know, we have to
use two keystores (keystore & truststore):

  1.  Keystore with PrivateKey and signed cert -> only one cert, the one
      belonging to the PrivateKey (picture far below)
  2.  Truststore keystore with CA certs -> multiple CA certs, as we have
      imported the cacerts from Linux

I see two potential issues now, but I didn’t find the time to execute further
tests.

We don’t have multiple certs in the keystore with the PrivateKey, as you can see
in the picture far below, but of course we have SANs (Subject Alternative Names)
as we have tons of NiFi instances running and it’s more than annoying to
configure/generate a keypair for each instance. So the workaround was to insert
all our NiFi instances as SANs, and that way we were able to use one single
keystore for all our NiFi instances (some of them are even clustered, some
not). However, my assumption is that the mentioned workaround now potentially
breaks NiFi; this was working until NiFi 1.11.4. We know from a security
perspective the workaround is/was not ideal, but we don’t have the manpower to
manually generate that many certs every 1-2 years when the certs are expiring,
and it’s anyway completely separated from pub
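The thread above turns on two properties of the NiFi keystore: it must hold exactly one PrivateKeyEntry, and wildcard SAN entries are unsupported. The following pre-upgrade check is an added example, not NiFi or TLS Toolkit code; it uses only the JDK KeyStore API and assumes the keystore path, password and type (PKCS12 or JKS) are passed on the command line.

```java
// Added pre-upgrade check (not part of NiFi): counts PrivateKeyEntry aliases
// and lists DNS SANs of each key entry, flagging wildcard entries.
// Usage: java NiFiKeystoreCheck <keystore-path> <password> [PKCS12|JKS]
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;

public class NiFiKeystoreCheck {
    // Number of PrivateKeyEntry aliases; NiFi expects exactly one.
    static int privateKeyEntries(KeyStore ks) throws Exception {
        int n = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            if (ks.isKeyEntry(e.nextElement())) n++;
        }
        return n;
    }

    public static void main(String[] args) throws Exception {
        String type = args.length > 2 ? args[2] : "PKCS12";   // assumed default
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        int keys = privateKeyEntries(ks);
        System.out.println("PrivateKeyEntry count: " + keys);
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) continue;   // trusted CA certs belong in the truststore
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            System.out.println("alias " + alias + " subject "
                    + cert.getSubjectX500Principal().getName());
            Collection<List<?>> sans = cert.getSubjectAlternativeNames();
            if (sans == null) sans = Collections.emptyList();
            for (List<?> san : sans) {
                // GeneralName type 2 is dNSName; its value is a String
                if (((Integer) san.get(0)).intValue() == 2) {
                    String dns = (String) san.get(1);
                    boolean wildcard = dns.startsWith("*.");
                    System.out.println("  SAN dNSName " + dns
                            + (wildcard ? "  <-- wildcard, not supported by NiFi" : ""));
                }
            }
        }
        // Non-zero exit when the store is not a single-key NiFi keystore.
        System.exit(keys == 1 ? 0 : 1);
    }
}
```

Run it against the keystore (not the truststore) before upgrading: a count other than 1, or a flagged wildcard SAN, is the configuration the release notes and the documentation say 1.12.0 will reject.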

[ANNOUNCE] Apache NiFi 1.12.0 release

2020-08-20 Thread Joe Witt
Hello

The Apache NiFi team would like to announce the release of Apache NiFi
1.12.0.

This release includes over 330 bug fixes, improvements and many new
features.

Apache NiFi is an easy to use, powerful, and reliable system to process and
distribute data.  Apache NiFi was made for dataflow.  It supports highly
configurable directed graphs of data routing, transformation, and system
mediation logic.

More details on Apache NiFi can be found here:
https://nifi.apache.org/

The release artifacts can be downloaded from here:
https://nifi.apache.org/download.html

Maven artifacts have been made available and mirrored as per normal ASF
artifact processes.

Issues closed/resolved for this list can be found here:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12316020&version=12346778

Release note highlights can be found here:
https://cwiki.apache.org/confluence/display/NIFI/Release+Notes#ReleaseNotes-Version1.12.0

Thank you
The Apache NiFi team