Joseph

I'd make sure to read about the keystore/truststore model and high level
bits of PKI.  A site like [1] can help with that but the first key is
understanding the client cert, server cert, CA, and general trust model.

With that basis in mind setting up NiFi for mutual auth with certificates
both on the client side and nifi server side and proper trust mechanism is
much easier.  The docs in NiFi on this topic should then be really helpful
[2,3,4].

[1] http://www.robinhowlett.com/blog/2016/01/05/everything-you-ever-wanted-to-know-about-ssl-but-were-afraid-to-ask/
[2] http://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#security_configuration
[3] http://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#user_authentication
[4] http://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#tls_generation_toolkit

Thanks
Joe

On Thu, Jul 25, 2019 at 11:58 AM Joe Witt <joe.w...@gmail.com> wrote:

> Joseph
>
> You are absolutely right that it would be terrible to have to edit the
> truststore on the nifi server(s) each time you wanted to add a client
> cert.  You're also right that there is a way to never do this.  I'll poke
> around for some links to help send you in the right direction.
>
> Thanks
>
> On Thu, Jul 25, 2019 at 11:45 AM Joseph Wheeler <jwhee...@innovasi.com>
> wrote:
>
>> Hello,
>>
>> I apologize if this is a simple/stupid question, but reading through the
>> administration guide and copious amounts of googling have returned very
>> little regarding this.
>>
>> I’m looking into utilizing only client certificates for authentication to
>> our Apache NiFi server. I want to avoid having to add another software
>> package (e.g. LDAP, Kerberos, etc.) to the server. After spending the last
>> few days working on this and getting an understanding of how to get new
>> users created, I’m running into an issue: a user’s client certificate has
>> to be added to the truststore on the server in order for it to be allowed
>> to access the NiFi web server, and NiFi doesn’t seem to recognize changes
>> to the truststore while it’s running. While I don’t expect to need to add a
>> ton of new users, I am imagining a scenario where my program managers need
>> a new user added immediately while one of our lead developers is in the
>> process of doing something in the web app that he can’t lose due to a
>> service restart. Is there a way to make NiFi recognize changes to the
>> truststore without requiring the service to be restarted? If not, is there
>> a way to have NiFi trust all certs from a certain CA? They still wouldn’t
>> actually be able to access anything without having a user account tied to
>> their cert’s DN…
>>
>> Thanks!
>>
>> r/
>>
>> Joseph Wheeler
>>
>
