Hi Joe, Thanks for following up. NiFi supports encryption at different levels, and always implements some form of encryption for sensitive processor properties. Using the previous value for nifi.sensitive.props.algorithm should allow NiFi 1.14.0 to load the existing flow.xml.gz, but it sounds like some additional configuration changes are necessary.
All cluster nodes should be running the same version of NiFi, but if your cluster was not previously configured to communicate over HTTPS, then you have two options. The first option is to configure all cluster nodes for HTTP communication. You should be able to use the nifi.web.http properties from your current nifi.properties file to continue running with HTTP on NiFi 1.14.0. The second option is to configure all cluster nodes for HTTPS communication. This involves generating or obtaining unique certificates from a trusted certificate authority for each cluster node. The current NiFi documentation includes a guide on secure cluster configuration using the TLS Toolkit: https://nifi.apache.org/docs/nifi-docs/html/walkthroughs.html#creating-and-securing-a-nifi-cluster-with-the-tls-toolkit The certificate generated in NiFi 1.14.0 is only suitable for standalone deployments. As a self-signed certificate, it is not intended to be used for clustered configurations, so existing documentation on configuring a secure cluster provides the recommended approach. Regards, David Handermann On Tue, Jul 20, 2021 at 9:31 AM Joe Obernberger < [email protected]> wrote: > Thank you David. I tried the new setting, but no go. I'm sure this is > user error on my end; my old flow file was not encrypted with 1.13.2, but > not sure how to bring it over. > Can Nifi 1.14.x run in the same cluster as 1.13.x? > > If I delete the flow file, NiFi runs, but doesn't join the cluster. > "Failed marshalling 'CONNECTION_REQUEST' protocol message due to: > javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake" > > When I try to connect via a browser (now port 8443), the browser presents > a list of certificates. Where can I find the 60 day self-signed > certificate to import? > > -Joe > On 7/19/2021 8:15 PM, David Handermann wrote: > > Hi Joe, > > Thanks for providing the stack trace associated with the startup failure. > The problem is related to decryption of sensitive property values stored in > the flow.xml.gz configuration. > > Can you provide the value of the following property from your > nifi.properties file? > > nifi.sensitive.props.algorithm > > In version 1.13.2, the default value was PBEWITHMD5AND256BITAES-CBC-OPENSSL. > In version 1.14.0 the new default value is NIFI_PBKDF2_AES_GCM_256. > > Based on the error message, the configured value appears to be > NIFI_PBKDF2_AES_GCM_256, > or one of the other AES_GCM options. However, when upgrading from an > existing flow.xml.gz, this property needs to be the exact same value used > prior to upgrading. > > Can you try changing nifi.sensitive.props.algorithm to P > BEWITHMD5AND256BITAES-CBC-OPENSSL? > > Regards, > David Handermann > > > > > > On Mon, Jul 19, 2021 at 6:50 PM Joe Obernberger < > [email protected]> wrote: > >> Trying to go from 1.13.2 to 1.14.0, but am getting this error: >> >> 2021-07-19 19:47:36,953 WARN [main] >> org.apache.nifi.web.server.JettyServer Failed to start web server... >> shutting down. >> org.apache.nifi.encrypt.EncryptionException: Decryption Failed with >> Algorithm [AES/GCM/NoPadding] >> at >> >> org.apache.nifi.encrypt.CipherPropertyEncryptor.decrypt(CipherPropertyEncryptor.java:78) >> at >> >> org.apache.nifi.fingerprint.FingerprintFactory.decrypt(FingerprintFactory.java:935) >> at >> >> org.apache.nifi.fingerprint.FingerprintFactory.getLoggableRepresentationOfSensitiveValue(FingerprintFactory.java:550) >> at >> >> org.apache.nifi.fingerprint.FingerprintFactory.access$200(FingerprintFactory.java:71) >> at >> >> org.apache.nifi.fingerprint.FingerprintFactory$6.compare(FingerprintFactory.java:837) >> at >> >> org.apache.nifi.fingerprint.FingerprintFactory$6.compare(FingerprintFactory.java:830) >> at java.base/java.util.TimSort.binarySort(TimSort.java:296) >> at java.base/java.util.TimSort.sort(TimSort.java:239) >> at java.base/java.util.Arrays.sort(Arrays.java:1515) >> at java.base/java.util.ArrayList.sort(ArrayList.java:1750) >> at java.base/java.util.Collections.sort(Collections.java:179) >> at >> >> org.apache.nifi.fingerprint.FingerprintFactory.sortElements(FingerprintFactory.java:879) >> at >> >> org.apache.nifi.fingerprint.FingerprintFactory.addFlowFileProcessorFingerprint(FingerprintFactory.java:486) >> at >> >> org.apache.nifi.fingerprint.FingerprintFactory.addProcessGroupFingerprint(FingerprintFactory.java:368) >> at >> >> org.apache.nifi.fingerprint.FingerprintFactory.addProcessGroupFingerprint(FingerprintFactory.java:396) >> at >> >> org.apache.nifi.fingerprint.FingerprintFactory.addFlowControllerFingerprint(FingerprintFactory.java:226) >> at >> >> org.apache.nifi.fingerprint.FingerprintFactory.createFingerprint(FingerprintFactory.java:168) >> at >> >> org.apache.nifi.fingerprint.FingerprintFactory.createFingerprint(FingerprintFactory.java:142) >> at >> >> org.apache.nifi.controller.inheritance.FlowFingerprintCheck.checkInheritability(FlowFingerprintCheck.java:45) >> at >> >> org.apache.nifi.controller.StandardFlowSynchronizer.sync(StandardFlowSynchronizer.java:206) >> at >> >> org.apache.nifi.controller.FlowController.synchronize(FlowController.java:1469) >> at >> >> org.apache.nifi.persistence.StandardXMLFlowConfigurationDAO.load(StandardXMLFlowConfigurationDAO.java:89) >> at >> >> org.apache.nifi.controller.StandardFlowService.loadFromBytes(StandardFlowService.java:810) >> at >> >> org.apache.nifi.controller.StandardFlowService.load(StandardFlowService.java:458) >> at >> org.apache.nifi.web.server.JettyServer.start(JettyServer.java:1206) >> at org.apache.nifi.NiFi.<init>(NiFi.java:159) >> at org.apache.nifi.NiFi.<init>(NiFi.java:71) >> at org.apache.nifi.NiFi.main(NiFi.java:303) >> Caused by: javax.crypto.AEADBadTagException: mac check in GCM failed >> at >> java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native >> >> Method) >> at >> >> java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) >> at >> >> java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) >> at >> java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490) >> at >> org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher$AEADGenericBlockCipher.doFinal(Unknown >> >> Source) >> at >> org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher.engineDoFinal(Unknown >> >> Source) >> at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2202) >> at >> >> org.apache.nifi.encrypt.CipherPropertyEncryptor.decrypt(CipherPropertyEncryptor.java:74) >> ... 27 common frames omitted >> 2021-07-19 19:47:36,953 INFO [Thread-0] org.apache.nifi.NiFi Initiating >> shutdown of Jetty web server... >> >> Any ideas? >> >> Thank you! >> >> -Joe >> >> > > <http://www.avg.com/email-signature?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient> > Virus-free. > www.avg.com > <http://www.avg.com/email-signature?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient> > <#m_803060838424769034_DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2> > >
