Thank you David.
If my prior flow was not encrypted, what do I set the
nifi.sensitive.props.algorithm to? I've tried NIFI_PBKDF2_AES_GCM_256,
and PBEWITHMD5AND256BITAES-CBC-OPENSSL.
-Joe
On 7/20/2021 10:44 AM, David Handermann wrote:
Hi Joe,
Thanks for following up. NiFi supports encryption at different levels,
and always implements some form of encryption for sensitive processor
properties. Using the previous value for
nifi.sensitive.props.algorithm should allow NiFi 1.14.0 to load the
existing flow.xml.gz, but it sounds like some additional configuration
changes are necessary.
All cluster nodes should be running the same version of NiFi, but if
your cluster was not previously configured to communicate over HTTPS,
then you have two options. The first option is to configure all
cluster nodes for HTTP communication. You should be able to use the
nifi.web.http properties from your current nifi.properties file to
continue running with HTTP on NiFi 1.14.0. The second option is to
configure all cluster nodes for HTTPS communication. This involves
generating or obtaining unique certificates from a trusted certificate
authority for each cluster node. The current NiFi documentation
includes a guide on secure cluster configuration using the TLS Toolkit:
https://nifi.apache.org/docs/nifi-docs/html/walkthroughs.html#creating-and-securing-a-nifi-cluster-with-the-tls-toolkit
The certificate generated in NiFi 1.14.0 is only suitable for
standalone deployments. As a self-signed certificate, it is not
intended to be used for clustered configurations, so existing
documentation on configuring a secure cluster provides the recommended
approach.
Regards,
David Handermann
On Tue, Jul 20, 2021 at 9:31 AM Joe Obernberger
<[email protected]> wrote:
Thank you David. I tried the new setting, but no go. I'm sure
this is user error on my end; my old flow file was not encrypted
with 1.13.2, but not sure how to bring it over.
Can NiFi 1.14.x run in the same cluster as 1.13.x?
If I delete the flow file, NiFi runs, but doesn't join the cluster.
"Failed marshalling 'CONNECTION_REQUEST' protocol message due to:
javax.net.ssl.SSLHandshakeException: Remote host terminated the
handshake"
When I try to connect via a browser (now port 8443), the browser
presents a list of certificates. Where can I find the 60 day
self-signed certificate to import?
-Joe
On 7/19/2021 8:15 PM, David Handermann wrote:
Hi Joe,
Thanks for providing the stack trace associated with the startup
failure. The problem is related to decryption of sensitive
property values stored in the flow.xml.gz configuration.
Can you provide the value of the following property from your
nifi.properties file?
nifi.sensitive.props.algorithm
In version 1.13.2, the default value was
PBEWITHMD5AND256BITAES-CBC-OPENSSL. In version 1.14.0 the new
default value is NIFI_PBKDF2_AES_GCM_256.
Based on the error message, the configured value appears to be
NIFI_PBKDF2_AES_GCM_256, or one of the other AES_GCM options.
However, when upgrading from an existing flow.xml.gz, this
property needs to be the exact same value used prior to upgrading.
Can you try changing nifi.sensitive.props.algorithm to
PBEWITHMD5AND256BITAES-CBC-OPENSSL?
Regards,
David Handermann
On Mon, Jul 19, 2021 at 6:50 PM Joe Obernberger
<[email protected]> wrote:
Trying to go from 1.13.2 to 1.14.0, but am getting this error:
2021-07-19 19:47:36,953 WARN [main] org.apache.nifi.web.server.JettyServer Failed to start web server... shutting down.
org.apache.nifi.encrypt.EncryptionException: Decryption Failed with Algorithm [AES/GCM/NoPadding]
    at org.apache.nifi.encrypt.CipherPropertyEncryptor.decrypt(CipherPropertyEncryptor.java:78)
    at org.apache.nifi.fingerprint.FingerprintFactory.decrypt(FingerprintFactory.java:935)
    at org.apache.nifi.fingerprint.FingerprintFactory.getLoggableRepresentationOfSensitiveValue(FingerprintFactory.java:550)
    at org.apache.nifi.fingerprint.FingerprintFactory.access$200(FingerprintFactory.java:71)
    at org.apache.nifi.fingerprint.FingerprintFactory$6.compare(FingerprintFactory.java:837)
    at org.apache.nifi.fingerprint.FingerprintFactory$6.compare(FingerprintFactory.java:830)
    at java.base/java.util.TimSort.binarySort(TimSort.java:296)
    at java.base/java.util.TimSort.sort(TimSort.java:239)
    at java.base/java.util.Arrays.sort(Arrays.java:1515)
    at java.base/java.util.ArrayList.sort(ArrayList.java:1750)
    at java.base/java.util.Collections.sort(Collections.java:179)
    at org.apache.nifi.fingerprint.FingerprintFactory.sortElements(FingerprintFactory.java:879)
    at org.apache.nifi.fingerprint.FingerprintFactory.addFlowFileProcessorFingerprint(FingerprintFactory.java:486)
    at org.apache.nifi.fingerprint.FingerprintFactory.addProcessGroupFingerprint(FingerprintFactory.java:368)
    at org.apache.nifi.fingerprint.FingerprintFactory.addProcessGroupFingerprint(FingerprintFactory.java:396)
    at org.apache.nifi.fingerprint.FingerprintFactory.addFlowControllerFingerprint(FingerprintFactory.java:226)
    at org.apache.nifi.fingerprint.FingerprintFactory.createFingerprint(FingerprintFactory.java:168)
    at org.apache.nifi.fingerprint.FingerprintFactory.createFingerprint(FingerprintFactory.java:142)
    at org.apache.nifi.controller.inheritance.FlowFingerprintCheck.checkInheritability(FlowFingerprintCheck.java:45)
    at org.apache.nifi.controller.StandardFlowSynchronizer.sync(StandardFlowSynchronizer.java:206)
    at org.apache.nifi.controller.FlowController.synchronize(FlowController.java:1469)
    at org.apache.nifi.persistence.StandardXMLFlowConfigurationDAO.load(StandardXMLFlowConfigurationDAO.java:89)
    at org.apache.nifi.controller.StandardFlowService.loadFromBytes(StandardFlowService.java:810)
    at org.apache.nifi.controller.StandardFlowService.load(StandardFlowService.java:458)
    at org.apache.nifi.web.server.JettyServer.start(JettyServer.java:1206)
    at org.apache.nifi.NiFi.<init>(NiFi.java:159)
    at org.apache.nifi.NiFi.<init>(NiFi.java:71)
    at org.apache.nifi.NiFi.main(NiFi.java:303)
Caused by: javax.crypto.AEADBadTagException: mac check in GCM failed
    at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
    at org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher$AEADGenericBlockCipher.doFinal(Unknown Source)
    at org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher.engineDoFinal(Unknown Source)
    at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2202)
    at org.apache.nifi.encrypt.CipherPropertyEncryptor.decrypt(CipherPropertyEncryptor.java:74)
    ... 27 common frames omitted
2021-07-19 19:47:36,953 INFO [Thread-0] org.apache.nifi.NiFi Initiating shutdown of Jetty web server...
Any ideas?
Thank you!
-Joe
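The thread turns on one point: nifi.sensitive.props.algorithm (and nifi.sensitive.props.key) must equal the values in force when flow.xml.gz was written, and a mismatch surfaces as an AES-GCM authentication-tag failure ("mac check in GCM failed") rather than as garbage plaintext. The following Go program is an added example written for this page; it is not code from the thread, from NiFi, or from NiFi's CipherPropertyEncryptor. It assumes two constructed nifi.properties excerpts with placeholder key values, compares the two sensitive-props settings before an upgrade so the mismatch is caught on the administrator's side instead of at Jetty startup, and uses Go's standard-library AES-256-GCM (standing in for the Bouncy Castle provider in the stack trace) to show why the wrong key is rejected outright.

```go
package main

import (
	"bufio"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"strings"
)

// Constructed nifi.properties excerpts (assumption: not taken from any real
// NiFi installation). The property names are the ones discussed in the
// thread; the key values are placeholders, not real secrets.
const OldProps = `# 1.13.2 nifi.properties (constructed excerpt)
nifi.sensitive.props.key=EXAMPLE-KEY-PLACEHOLDER
nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
`

const NewProps = `# 1.14.0 nifi.properties after an upgrade (constructed excerpt)
nifi.sensitive.props.key=EXAMPLE-KEY-PLACEHOLDER
nifi.sensitive.props.algorithm=NIFI_PBKDF2_AES_GCM_256
`

// sensitiveKeys are the settings that must equal the values in force when
// flow.xml.gz was last written; otherwise NiFi cannot decrypt sensitive
// processor properties at startup.
var sensitiveKeys = []string{
	"nifi.sensitive.props.algorithm",
	"nifi.sensitive.props.key",
}

// parseProps parses Java-style "key=value" lines; '#' lines are comments.
func parseProps(text string) map[string]string {
	props := make(map[string]string)
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		kv := strings.SplitN(line, "=", 2)
		if len(kv) != 2 {
			continue
		}
		props[strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
	}
	return props
}

// SensitivePropsMismatches lists the sensitive-props settings that differ
// between the pre-upgrade and post-upgrade nifi.properties. Any entry here
// predicts the EncryptionException seen in the thread.
func SensitivePropsMismatches(oldText, newText string) []string {
	oldP, newP := parseProps(oldText), parseProps(newText)
	var diffs []string
	for _, k := range sensitiveKeys {
		if oldP[k] != newP[k] {
			diffs = append(diffs, fmt.Sprintf("%s: %q -> %q", k, oldP[k], newP[k]))
		}
	}
	return diffs
}

// newGCM builds an AES-GCM AEAD for a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// KeyMismatchDemo seals a sample sensitive value under one random 256-bit key
// and opens it under another. GCM checks the authentication tag before
// releasing any plaintext, so the wrong key yields an error (Go reports
// "cipher: message authentication failed"; Java reports AEADBadTagException)
// rather than silently wrong output. It returns whether the right key
// round-trips and the error produced by the wrong key.
func KeyMismatchDemo() (rightKeyOK bool, wrongKeyErr error) {
	plaintext := []byte("constructed-sensitive-processor-property")
	rightKey, wrongKey, nonce := make([]byte, 32), make([]byte, 32), make([]byte, 12)
	for _, b := range [][]byte{rightKey, wrongKey, nonce} {
		if _, err := rand.Read(b); err != nil {
			return false, err
		}
	}
	right, err := newGCM(rightKey)
	if err != nil {
		return false, err
	}
	ct := right.Seal(nil, nonce, plaintext, nil)
	pt, err := right.Open(nil, nonce, ct, nil)
	rightKeyOK = err == nil && string(pt) == string(plaintext)
	wrong, err := newGCM(wrongKey)
	if err != nil {
		return rightKeyOK, err
	}
	_, wrongKeyErr = wrong.Open(nil, nonce, ct, nil)
	return rightKeyOK, wrongKeyErr
}

func main() {
	for _, d := range SensitivePropsMismatches(OldProps, NewProps) {
		fmt.Println("mismatch:", d)
	}
	ok, err := KeyMismatchDemo()
	fmt.Println("correct key round-trips:", ok)
	fmt.Println("wrong key error:", err)
}
```

Running the comparison against a real pair of nifi.properties files (replace the constructed constants with the file contents) before starting 1.14.0 turns the startup failure into a pre-flight finding; the GCM demonstration is there to explain the symptom, not to reproduce NiFi's key derivation, which differs between the two algorithm names in the thread.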