Hi Jens,

Thank you for your reply. I’ll check if I can use your scenario in our company 
and try to install a server and client auth for nifi clusters nodes.
Regards

Emmanuel
C2 - Restricted

De : Jens M. Kofoed <[email protected]>
Envoyé : mardi 15 juin 2021 12:07
À : [email protected]
Objet : Re: Using a corporate SSL signed certificate

Hi Emmanuel

I don't use the toolkit, I just do it manually.
I have found that a normal server certificate, generated i Microsoft Windows is 
not working. The certificate for NiFi servers has to be both serverAuth and 
clientAuth. So I have created a new certificate profil in our PKI server for 
NiFi servers.
Next I create a server certificate for node1, with the following settings
Common name = 
node1.domain.net<https://urldefense.com/v3/__http:/node1.domain.net__;!!Dl6pPzL6!O5ZuTIqm8Fy0cfIoo7mHC_XlRzHc9pjCPJU9kEcat2qj3CyuIfqhDAA3zcY6VA8Xf6PESx4mtHJK01z6$>
alternative names:
    dns = 
node1.domain.net<https://urldefense.com/v3/__http:/node1.domain.net__;!!Dl6pPzL6!O5ZuTIqm8Fy0cfIoo7mHC_XlRzHc9pjCPJU9kEcat2qj3CyuIfqhDAA3zcY6VA8Xf6PESx4mtHJK01z6$>
    dns = 
clustername.domain.net<https://urldefense.com/v3/__http:/clustername.domain.net__;!!Dl6pPzL6!O5ZuTIqm8Fy0cfIoo7mHC_XlRzHc9pjCPJU9kEcat2qj3CyuIfqhDAA3zcY6VA8Xf6PESx4mtHY7LeZ1$>

When I export the certificate (as a pfx file) I export it with the private key 
and protect it with a password. I all so export my CA and ICA certificates and 
copies all the the node1 server
To create the keystore file I use the following command:
    keytool -importkeystore -destkeystore keystore.jks -srcstoretype PKCS12 
-deststoretype jks -srckeystore node1.domain.net.pfx
Here you will have to provide the password for the certificate and set a 
password for the keystore. I use the same password for both.

To create a truststore I use the folloing commands:
    keytool -keystore truststore.jks -storetype jks -importcert -trustcacerts 
-file CA.domain.net.cer -alias CA-DOMAIN
    keytool -keystore truststore.jks -importcert -file ICA.domain.net.cer 
-alias ICA-DOMAIN
You will have to provide a password for the truststore.

Now you will have to manually edit the nifi.properties file for the path to the 
files and the passwords.

Just repeat the steps above for the other nodes. Keep in mind if you later will 
use a StandardSSLContextService and use the keystore on each node, the password 
for the certificate and keystores has to be the same.

For accessing my secure nifi cluster afterwards, I simple create a user 
certificate to my self in windows. and configure the authorizers.xml with the 
certificate name "<property name="Initial User Identity 
1">CERTIFICATE</property>"
Keep in mind that NiFi is case sentitive. Therefore I use identity mappings in 
the nifi.properties file
    nifi.security.identity.mapping.pattern.dn=^(.*)$
    nifi.security.identity.mapping.value.dn=$1
    nifi.security.identity.mapping.transform.dn=LOWER

This works fine for my.

Kind regards
Jens M. Kofoed


Den man. 14. jun. 2021 kl. 15.39 skrev QUEVILLON EMMANUEL - EXT-SAFRAN 
ENGINEERING SERVICES (SAFRAN) 
<[email protected]<mailto:[email protected]>>:
Hi list,

We are trying to set a nifi secure installation using a SSL singed certificate 
by our corporate CA.
This SSL certificate is signed for a domain name we’d like to use to access our 
nifi server(s).
We’ve been unable to create a new certificate for our server using tls-toolkit 
for the main admin user identity to connect.

1)      Is it possible to use such SSL signed certificate to create a new one 
with tls-toolkit?

We’ve followed this documentation 
https://nifi.apache.org/docs/nifi-docs/html/toolkit-guide.html#tls_intermediate_ca<https://urldefense.com/v3/__https:/nifi.apache.org/docs/nifi-docs/html/toolkit-guide.html*tls_intermediate_ca__;Iw!!Dl6pPzL6!O5ZuTIqm8Fy0cfIoo7mHC_XlRzHc9pjCPJU9kEcat2qj3CyuIfqhDAA3zcY6VA8Xf6PESx4mtOFEx-P8$>
 and copied respective files and key to the right location and ran tls-toolkit 
command. However, tls-toolkit throw error complaining “The signing certificate 
was not signed by any known certificates
”

We’ve also tried with the full chain certificate as an additional certificate 
file (option –additionalCACertificate), but it looks like tls-toolkit does not 
find all the certificate chain and stop at first level of the chain.

Is anyone faced the same problematic?
Any help or advice will be appreciated.

Thanks, regards

Emmanuel
C2 - Restricted

#
" Ce courriel et les documents qui lui sont joints peuvent contenir des 
informations confidentielles, être soumis aux règlementations relatives au 
contrôle des exportations ou ayant un caractère privé. S'ils ne vous sont pas 
destinés, nous vous signalons qu'il est strictement interdit de les divulguer, 
de les reproduire ou d'en utiliser de quelque manière que ce soit le contenu. 
Toute exportation ou réexportation non autorisée est interdite Si ce message 
vous a été transmis par erreur, merci d'en informer l'expéditeur et de 
supprimer immédiatement de votre système informatique ce courriel ainsi que 
tous les documents qui y sont attachés."
******
" This e-mail and any attached documents may contain confidential or 
proprietary information and may be subject to export control laws and 
regulations. If you are not the intended recipient, you are notified that any 
dissemination, copying of this e-mail and any attachments thereto or use of 
their contents by any means whatsoever is strictly prohibited. Unauthorized 
export or re-export is prohibited. If you have received this e-mail in error, 
please advise the sender immediately and delete this e-mail and all attached 
documents from your computer system."
#

#
" Ce courriel et les documents qui lui sont joints peuvent contenir des 
informations confidentielles, être soumis aux règlementations relatives au 
contrôle des exportations ou ayant un caractère privé. S'ils ne vous sont pas 
destinés, nous vous signalons qu'il est strictement interdit de les divulguer, 
de les reproduire ou d'en utiliser de quelque manière que ce soit le contenu. 
Toute exportation ou réexportation non autorisée est interdite Si ce message 
vous a été transmis par erreur, merci d'en informer l'expéditeur et de 
supprimer immédiatement de votre système informatique ce courriel ainsi que 
tous les documents qui y sont attachés."
******
" This e-mail and any attached documents may contain confidential or 
proprietary information and may be subject to export control laws and 
regulations. If you are not the intended recipient, you are notified that any 
dissemination, copying of this e-mail and any attachments thereto or use of 
their contents by any means whatsoever is strictly prohibited. Unauthorized 
export or re-export is prohibited. If you have received this e-mail in error, 
please advise the sender immediately and delete this e-mail and all attached 
documents from your computer system."
#
  • Using a corp... QUEVILLON EMMANUEL - EXT-SAFRAN ENGINEERING SERVICES (SAFRAN)
    • Re: Usi... Jens M. Kofoed
      • RE:... QUEVILLON EMMANUEL - EXT-SAFRAN ENGINEERING SERVICES (SAFRAN)

Reply via email to