Joseph,

You are absolutely right that it would be terrible to have to edit the truststore on the NiFi server(s) each time you wanted to add a client cert. You're also right that there is a way to never do this. I'll poke around for some links to help send you in the right direction.

Thanks

On Thu, Jul 25, 2019 at 11:45 AM Joseph Wheeler <jwhee...@innovasi.com> wrote:
> Hello,
>
> I apologize if this is a simple/stupid question, but reading through the administration guide and copious amounts of googling have returned very little regarding this.
>
> I’m looking into utilizing only client certificates for authentication to our Apache NiFi server. I want to avoid having to add another software package (e.g. LDAP, Kerberos, etc.) to the server. After spending the last few days working on this and getting an understanding of how to get new users created, I’m running into an issue: a user’s client certificate has to be added to the truststore on the server in order for it to be allowed to access the NiFi web server, and NiFi doesn’t seem to recognize changes to the truststore while it’s running. While I don’t expect to need to add a ton of new users, I am imagining a scenario where my program managers need a new user added immediately while one of our lead developers is in the process of doing something in the web app that he can’t lose due to a service restart. Is there a way to make NiFi recognize changes to the truststore without requiring the service to be restarted? If not, is there a way to have NiFi trust all certs from a certain CA? They still wouldn’t actually be able to access anything without having a user account tied to their cert’s DN…
>
> Thanks!
>
> r/
>
> Joseph Wheeler