Re: WebSocket Service - Using Trusted Certificates

2020-09-10 Thread Andy LoPresto
I think the word “trusted” is doing a lot of work here. As it stands, only 
certificates that are either explicitly present or signed by a certificate 
present in the corresponding truststore will be accepted. If the certificate is 
self-signed, all that means is that an external entity (a certificate authority 
or CA) did not evaluate the identity & ownership of the certificate and sign 
it. So any certificate (self-signed or not) is still required to be “trusted” 
by the truststore for the connection to work. 

If you mean you want it to accept “any certificate signed by a generally 
accepted CA,” you can rely on a generic truststore. Your OS, browser(s), and 
even Java come with these truststores pre-populated with the public 
certificates of the commercial and government CAs (what allows your computer to 
connect to and verify a generic internet site out of the box). The Java Virtual 
Machine (JVM) from the JRE or JDK will contain a JKS truststore called 
“cacerts” with the default password “changeit”. The location will vary slightly 
depending on the version of Java you’re using, but look inside your Java home 
directory for “jre/lib/security/cacerts”. 

Also, is there a reason you’re using web sockets between two NiFi instances? 
The NiFi Site-to-site protocol [1] offers a number of advantages. 

[1] 
https://medium.com/@abdelkrim.hadjidj/hub-and-spoke-architectures-with-nifi-site-to-site-communications-at-any-level-a-nifi-1-10-a8702f77c66e


Andy LoPresto
alopre...@apache.org
alopresto.apa...@gmail.com
He/Him
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Sep 10, 2020, at 12:32 AM, Madhan Vishwas wrote:
> 
> Hi All,
> I am using WebSocket for communication between two independently running 
> instances of NiFi. 
> SSLContextService is being used for Secure Communication (WSS). 
> Everything works fine and is tested with self-signed certificates.
> However, I would like to make sure that the communication works only with 
> trusted Certificates. Is there some way this can be ensured?
> Please advise.
> Thanks in advance.
> Madhan.
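
The truststore check described in the reply above, as an added Java example (not code from the thread or from NiFi): it loads either a given truststore or the JVM default and runs the same path validation a TLS client applies to a server's certificate chain. The class name `TrustCheck`, the command-line arguments and the `"ECDHE_RSA"` auth type passed to the check are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
// Usage: java TrustCheck <chain.pem> [<truststore> <password>]
// Without a truststore argument the JVM default (cacerts) is used.
public class TrustCheck {
    // Trust manager backed by the given truststore (null = JVM default).
    static X509TrustManager trustManagerFor(KeyStore ts) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1 && args.length != 3)
            throw new IllegalArgumentException("usage: TrustCheck <chain.pem> [<truststore> <password>]");
        KeyStore ts = null;
        if (args.length == 3) {
            ts = KeyStore.getInstance(KeyStore.getDefaultType());
            try (InputStream in = new FileInputStream(args[1])) {
                ts.load(in, args[2].toCharArray());
            }
        }
        X509TrustManager tm = trustManagerFor(ts);
        System.out.println("trust anchors loaded: " + tm.getAcceptedIssuers().length);
        Collection<? extends Certificate> certs;  // leaf first, then intermediates
        try (InputStream in = new FileInputStream(args[0])) {
            certs = CertificateFactory.getInstance("X.509").generateCertificates(in);
        }
        try {   // same PKIX path check a TLS client applies to the server's chain
            tm.checkServerTrusted(certs.toArray(new X509Certificate[0]), "ECDHE_RSA");
            System.out.println("TRUSTED: chain ends at an anchor in this truststore");
        } catch (CertificateException e) {
            System.out.println("REJECTED: " + e.getMessage());
        }
    }
}
```

Run against the default truststore, a self-signed certificate is reported as REJECTED; run against a truststore into which that certificate was imported, the same file is reported as TRUSTED.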



WebSocket Service - Using Trusted Certificates

2020-09-10 Thread Madhan Vishwas
Hi All,
I am using WebSocket for communication between two independently running
instances of NiFi.
SSLContextService is being used for Secure Communication (WSS).
Everything works fine and is tested with self-signed certificates.
However, I would like to make sure that the communication works only with
trusted Certificates. Is there some way this can be ensured?
Please advise.
Thanks in advance.
Madhan.