Hi Jens, Thank you for your reply. I’ll check if I can use your scenario in our company and try to install a server and client auth for nifi clusters nodes. Regards
Emmanuel C2 - Restricted De : Jens M. Kofoed <[email protected]> Envoyé : mardi 15 juin 2021 12:07 À : [email protected] Objet : Re: Using a corporate SSL signed certificate Hi Emmanuel I don't use the toolkit, I just do it manually. I have found that a normal server certificate, generated i Microsoft Windows is not working. The certificate for NiFi servers has to be both serverAuth and clientAuth. So I have created a new certificate profil in our PKI server for NiFi servers. Next I create a server certificate for node1, with the following settings Common name = node1.domain.net<https://urldefense.com/v3/__http:/node1.domain.net__;!!Dl6pPzL6!O5ZuTIqm8Fy0cfIoo7mHC_XlRzHc9pjCPJU9kEcat2qj3CyuIfqhDAA3zcY6VA8Xf6PESx4mtHJK01z6$> alternative names: dns = node1.domain.net<https://urldefense.com/v3/__http:/node1.domain.net__;!!Dl6pPzL6!O5ZuTIqm8Fy0cfIoo7mHC_XlRzHc9pjCPJU9kEcat2qj3CyuIfqhDAA3zcY6VA8Xf6PESx4mtHJK01z6$> dns = clustername.domain.net<https://urldefense.com/v3/__http:/clustername.domain.net__;!!Dl6pPzL6!O5ZuTIqm8Fy0cfIoo7mHC_XlRzHc9pjCPJU9kEcat2qj3CyuIfqhDAA3zcY6VA8Xf6PESx4mtHY7LeZ1$> When I export the certificate (as a pfx file) I export it with the private key and protect it with a password. I all so export my CA and ICA certificates and copies all the the node1 server To create the keystore file I use the following command: keytool -importkeystore -destkeystore keystore.jks -srcstoretype PKCS12 -deststoretype jks -srckeystore node1.domain.net.pfx Here you will have to provide the password for the certificate and set a password for the keystore. I use the same password for both. To create a truststore I use the folloing commands: keytool -keystore truststore.jks -storetype jks -importcert -trustcacerts -file CA.domain.net.cer -alias CA-DOMAIN keytool -keystore truststore.jks -importcert -file ICA.domain.net.cer -alias ICA-DOMAIN You will have to provide a password for the truststore. Now you will have to manually edit the nifi.properties file for the path to the files and the passwords. Just repeat the steps above for the other nodes. Keep in mind if you later will use a StandardSSLContextService and use the keystore on each node, the password for the certificate and keystores has to be the same. For accessing my secure nifi cluster afterwards, I simple create a user certificate to my self in windows. and configure the authorizers.xml with the certificate name "<property name="Initial User Identity 1">CERTIFICATE</property>" Keep in mind that NiFi is case sentitive. Therefore I use identity mappings in the nifi.properties file nifi.security.identity.mapping.pattern.dn=^(.*)$ nifi.security.identity.mapping.value.dn=$1 nifi.security.identity.mapping.transform.dn=LOWER This works fine for my. Kind regards Jens M. Kofoed Den man. 14. jun. 2021 kl. 15.39 skrev QUEVILLON EMMANUEL - EXT-SAFRAN ENGINEERING SERVICES (SAFRAN) <[email protected]<mailto:[email protected]>>: Hi list, We are trying to set a nifi secure installation using a SSL singed certificate by our corporate CA. This SSL certificate is signed for a domain name we’d like to use to access our nifi server(s). We’ve been unable to create a new certificate for our server using tls-toolkit for the main admin user identity to connect. 1) Is it possible to use such SSL signed certificate to create a new one with tls-toolkit? We’ve followed this documentation https://nifi.apache.org/docs/nifi-docs/html/toolkit-guide.html#tls_intermediate_ca<https://urldefense.com/v3/__https:/nifi.apache.org/docs/nifi-docs/html/toolkit-guide.html*tls_intermediate_ca__;Iw!!Dl6pPzL6!O5ZuTIqm8Fy0cfIoo7mHC_XlRzHc9pjCPJU9kEcat2qj3CyuIfqhDAA3zcY6VA8Xf6PESx4mtOFEx-P8$> and copied respective files and key to the right location and ran tls-toolkit command. However, tls-toolkit throw error complaining “The signing certificate was not signed by any known certificates ” We’ve also tried with the full chain certificate as an additional certificate file (option –additionalCACertificate), but it looks like tls-toolkit does not find all the certificate chain and stop at first level of the chain. Is anyone faced the same problematic? Any help or advice will be appreciated. Thanks, regards Emmanuel C2 - Restricted # " Ce courriel et les documents qui lui sont joints peuvent contenir des informations confidentielles, être soumis aux règlementations relatives au contrôle des exportations ou ayant un caractère privé. S'ils ne vous sont pas destinés, nous vous signalons qu'il est strictement interdit de les divulguer, de les reproduire ou d'en utiliser de quelque manière que ce soit le contenu. Toute exportation ou réexportation non autorisée est interdite Si ce message vous a été transmis par erreur, merci d'en informer l'expéditeur et de supprimer immédiatement de votre système informatique ce courriel ainsi que tous les documents qui y sont attachés." ****** " This e-mail and any attached documents may contain confidential or proprietary information and may be subject to export control laws and regulations. If you are not the intended recipient, you are notified that any dissemination, copying of this e-mail and any attachments thereto or use of their contents by any means whatsoever is strictly prohibited. Unauthorized export or re-export is prohibited. If you have received this e-mail in error, please advise the sender immediately and delete this e-mail and all attached documents from your computer system." # # " Ce courriel et les documents qui lui sont joints peuvent contenir des informations confidentielles, être soumis aux règlementations relatives au contrôle des exportations ou ayant un caractère privé. S'ils ne vous sont pas destinés, nous vous signalons qu'il est strictement interdit de les divulguer, de les reproduire ou d'en utiliser de quelque manière que ce soit le contenu. Toute exportation ou réexportation non autorisée est interdite Si ce message vous a été transmis par erreur, merci d'en informer l'expéditeur et de supprimer immédiatement de votre système informatique ce courriel ainsi que tous les documents qui y sont attachés." ****** " This e-mail and any attached documents may contain confidential or proprietary information and may be subject to export control laws and regulations. If you are not the intended recipient, you are notified that any dissemination, copying of this e-mail and any attachments thereto or use of their contents by any means whatsoever is strictly prohibited. Unauthorized export or re-export is prohibited. If you have received this e-mail in error, please advise the sender immediately and delete this e-mail and all attached documents from your computer system." #
