Re: Certificates in Truststore

2019-07-25 Thread Andy LoPresto
Joseph,

Joe provided a number of good links to help provide context around this. I will 
be working with a couple other committers next week to improve our 
documentation around this task. Hopefully when we have that complete, you can 
take a look and let us know if it would have helped you in this effort and any 
changes you suggest. 

The short answer to your request is to import the public certificate of the 
certificate authority (CA) which is used to sign the individual users’ client 
certificates into the truststore, which is then provided to NiFi. As the CA 
public cert does not change, you can use it (actually the corresponding private 
key) to sign as many user certificates as you want without requiring any 
changes to the deployed truststore (truststores if in a clustered environment). 

Please let me know if anything above is not clear. 


Andy LoPresto
alopre...@apache.org
alopresto.apa...@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

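Andy's answer above, as an added example in working code (not part of this thread and not NiFi's own code): a Go program that models the server-side truststore as a pool holding only the CA's public certificate, then issues client certificates after that truststore already exists and shows that each new user verifies against it without the truststore changing, while a certificate from an unrelated CA is rejected. The subject DN it returns is the identity an authorizer would map to a user account, which is the second half of what Joseph describes. All names here (newCA, issueClientCert, Truststore, "Example Org", the users alice/bob/mallory) are constructed for the example; a real NiFi deployment would import the CA certificate into its keystore-format truststore rather than building a pool in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"log"
	"math/big"
	"time"
)

// newCA builds a self-signed CA in memory (constructed for this example; a real
// deployment would use an existing CA or the NiFi TLS toolkit).
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"Example Org"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueClientCert signs a client-authentication certificate for one user with
// the CA's private key. Nothing on the server side changes when this runs.
func issueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, userCN string, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: userCN, Organization: []string{"Example Org"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Truststore models the server-side truststore: CA certificates only, never
// individual users' certificates.
type Truststore struct {
	roots *x509.CertPool
}

// NewTruststore populates the truststore with the given CA public certificates.
func NewTruststore(cas ...*x509.Certificate) *Truststore {
	pool := x509.NewCertPool()
	for _, ca := range cas {
		pool.AddCert(ca)
	}
	return &Truststore{roots: pool}
}

// AuthenticateClient checks that a presented certificate chains to a trusted CA
// and is valid for client authentication, then returns its subject DN, the
// identity an authorizer would map to a user account.
func (t *Truststore) AuthenticateClient(cert *x509.Certificate) (string, error) {
	opts := x509.VerifyOptions{
		Roots:     t.roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	return cert.Subject.String(), nil
}

func main() {
	ca, caKey, err := newCA("Example Client CA")
	if err != nil {
		log.Fatal(err)
	}
	// Built once, from the CA's public certificate only.
	ts := NewTruststore(ca)

	// Users are issued certificates afterwards; the truststore is untouched.
	for i, user := range []string{"alice", "bob"} {
		cert, err := issueClientCert(ca, caKey, user, int64(100+i))
		if err != nil {
			log.Fatal(err)
		}
		dn, err := ts.AuthenticateClient(cert)
		fmt.Printf("%s: dn=%q err=%v\n", user, dn, err)
	}

	// A certificate from an unrelated CA does not chain to the truststore.
	otherCA, otherKey, _ := newCA("Some Other CA")
	mallory, _ := issueClientCert(otherCA, otherKey, "mallory", 200)
	_, err = ts.AuthenticateClient(mallory)
	fmt.Println("cert from untrusted CA rejected:", err != nil)
}
```

The point to take from the program is the order of operations: the truststore is constructed before any user exists, every later user is authenticated purely by the signature chain back to the CA, and authorization remains a separate mapping from the returned DN to an account. Verification also demands the client-authentication extended key usage, so a certificate from the same CA issued for another purpose would not pass.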



Re: Certificates in Truststore

2019-07-25 Thread Joe Witt
Joseph

I'd make sure to read about the keystore/truststore model and high level
bits of PKI.  A site like [1] can help with that but the first key is
understanding the client cert, server cert, CA, and general trust model.

With that basis in mind setting up NiFi for mutual auth with certificates
both on the client side and nifi server side and proper trust mechanism is
much easier.  The docs in NiFi on this topic should then be really helpful
[2,3,4].

[1]
http://www.robinhowlett.com/blog/2016/01/05/everything-you-ever-wanted-to-know-about-ssl-but-were-afraid-to-ask/
[2]
http://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#security_configuration
[3]
http://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#user_authentication
[4]
http://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#tls_generation_toolkit

Thanks
Joe



Re: Certificates in Truststore

2019-07-25 Thread Joe Witt
Joseph

You are absolutely right that it would be terrible to have to edit the
truststore on the nifi server(s) each time you wanted to add a client
cert.  You're also right that there is a way to never do this.  I'll poke
around for some links to help send you in the right direction.

Thanks



Certificates in Truststore

2019-07-25 Thread Joseph Wheeler
Hello,

I apologize if this is a simple/stupid question, but reading through the 
administration guide and copious amounts of googling have returned very little 
regarding this.

I'm looking into utilizing only client certificates for authentication to our 
Apache NiFi server. I want to avoid having to add another software package 
(e.g. LDAP, Kerberos, etc.) to the server. After spending the last few days 
working on this and getting an understanding of how to get new users created, 
I'm running into an issue: a user's client certificate has to be added to the 
truststore on the server in order for it to be allowed to access the NiFi web 
server, and NiFi doesn't seem to recognize changes to the truststore while it's 
running. While I don't expect to need to add a ton of new users, I am imagining 
a scenario where my program managers need a new user added immediately while 
one of our lead developers is in the process of doing something in the web app 
that he can't lose due to a service restart. Is there a way to make NiFi 
recognize changes to the truststore without requiring the service to be 
restarted? If not, is there a way to have NiFi trust all certs from a certain 
CA? They still wouldn't actually be able to access anything without having a 
user account tied to their cert's DN...

Thanks!

r/

Joseph Wheeler