Joe,

When upgrading from a previous version of NiFi with the default settings,
you should use PBEWITHMD5AND256BITAES-CBC-OPENSSL for
nifi.sensitive.props.algorithm.

If you did not previously have a Sensitive Properties Key configured for
nifi.sensitive.props.key in nifi.properties, you can run the following
command to set a new Sensitive Properties Key.

./bin/nifi.sh set-sensitive-properties-key NewSensitivePropertiesKey

Replace NewSensitivePropertiesKey with a randomly generated string of at
least 12 characters.

You will need to run this command on all cluster nodes, using the same key,
to ensure that all nodes share the same configuration.

Please pass along any stack traces if NiFi does not start up after making
those changes.

Regards,
David Handermann

On Tue, Jul 20, 2021 at 11:54 AM Joe Obernberger <
joseph.obernber...@gmail.com> wrote:

> Thank you David.
> If my prior flow was not encrypted, what do I set the
> nifi.sensitive.props.algorithm to?  I've tried NIFI_PBKDF2_AES_GCM_256, and
> PBEWITHMD5AND256BITAES-CBC-OPENSSL.
>
> -Joe
> On 7/20/2021 10:44 AM, David Handermann wrote:
>
> Hi Joe,
>
> Thanks for following up. NiFi supports encryption at different levels, and
> always implements some form of encryption for sensitive processor
> properties.  Using the previous value for nifi.sensitive.props.algorithm
> should allow NiFi 1.14.0 to load the existing flow.xml.gz, but it sounds
> like some additional configuration changes are necessary.
>
> All cluster nodes should be running the same version of NiFi, but if your
> cluster was not previously configured to communicate over HTTPS, then you
> have two options.  The first option is to configure all cluster nodes for
> HTTP communication.  You should be able to use the nifi.web.http properties
> from your current nifi.properties file to continue running with HTTP on
> NiFi 1.14.0.  The second option is to configure all cluster nodes for HTTPS
> communication. This involves generating or obtaining unique certificates
> from a trusted certificate authority for each cluster node. The current
> NiFi documentation includes a guide on secure cluster configuration using
> the TLS Toolkit:
>
>
> https://nifi.apache.org/docs/nifi-docs/html/walkthroughs.html#creating-and-securing-a-nifi-cluster-with-the-tls-toolkit
>
> The certificate generated in NiFi 1.14.0 is only suitable for standalone
> deployments. As a self-signed certificate, it is not intended to be used
> for clustered configurations, so existing documentation on configuring a
> secure cluster provides the recommended approach.
>
> Regards,
> David Handermann
>
>
>
> On Tue, Jul 20, 2021 at 9:31 AM Joe Obernberger <
> joseph.obernber...@gmail.com> wrote:
>
>> Thank you David.  I tried the new setting, but no go.  I'm sure this is
>> user error on my end; my old flow file was not encrypted with 1.13.2, but
>> not sure how to bring it over.
>> Can NiFi 1.14.x run in the same cluster as 1.13.x?
>>
>> If I delete the flow file, NiFi runs, but doesn't join the cluster.
>> "Failed marshalling 'CONNECTION_REQUEST' protocol message due to:
>> javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake"
>>
>> When I try to connect via a browser (now port 8443), the browser presents
>> a list of certificates.  Where can I find the 60 day self-signed
>> certificate to import?
>>
>> -Joe
>> On 7/19/2021 8:15 PM, David Handermann wrote:
>>
>> Hi Joe,
>>
>> Thanks for providing the stack trace associated with the startup failure.
>> The problem is related to decryption of sensitive property values stored in
>> the flow.xml.gz configuration.
>>
>> Can you provide the value of the following property from your
>> nifi.properties file?
>>
>> nifi.sensitive.props.algorithm
>>
>> In version 1.13.2, the default value was PBEWITHMD5AND256BITAES-CBC-OPENSSL.
>> In version 1.14.0 the new default value is NIFI_PBKDF2_AES_GCM_256.
>>
>> Based on the error message, the configured value appears to be
>> NIFI_PBKDF2_AES_GCM_256, or one of the other AES_GCM options. However, when upgrading from an
>> existing flow.xml.gz, this property needs to be the exact same value used
>> prior to upgrading.
>>
>> Can you try changing nifi.sensitive.props.algorithm to
>> PBEWITHMD5AND256BITAES-CBC-OPENSSL?
>>
>> Regards,
>> David Handermann
>>
>>
>>
>>
>>
>> On Mon, Jul 19, 2021 at 6:50 PM Joe Obernberger <
>> joseph.obernber...@gmail.com> wrote:
>>
>>> Trying to go from 1.13.2 to 1.14.0, but am getting this error:
>>>
>>> 2021-07-19 19:47:36,953 WARN [main] org.apache.nifi.web.server.JettyServer Failed to start web server... shutting down.
>>> org.apache.nifi.encrypt.EncryptionException: Decryption Failed with Algorithm [AES/GCM/NoPadding]
>>>         at org.apache.nifi.encrypt.CipherPropertyEncryptor.decrypt(CipherPropertyEncryptor.java:78)
>>>         at org.apache.nifi.fingerprint.FingerprintFactory.decrypt(FingerprintFactory.java:935)
>>>         at org.apache.nifi.fingerprint.FingerprintFactory.getLoggableRepresentationOfSensitiveValue(FingerprintFactory.java:550)
>>>         at org.apache.nifi.fingerprint.FingerprintFactory.access$200(FingerprintFactory.java:71)
>>>         at org.apache.nifi.fingerprint.FingerprintFactory$6.compare(FingerprintFactory.java:837)
>>>         at org.apache.nifi.fingerprint.FingerprintFactory$6.compare(FingerprintFactory.java:830)
>>>         at java.base/java.util.TimSort.binarySort(TimSort.java:296)
>>>         at java.base/java.util.TimSort.sort(TimSort.java:239)
>>>         at java.base/java.util.Arrays.sort(Arrays.java:1515)
>>>         at java.base/java.util.ArrayList.sort(ArrayList.java:1750)
>>>         at java.base/java.util.Collections.sort(Collections.java:179)
>>>         at org.apache.nifi.fingerprint.FingerprintFactory.sortElements(FingerprintFactory.java:879)
>>>         at org.apache.nifi.fingerprint.FingerprintFactory.addFlowFileProcessorFingerprint(FingerprintFactory.java:486)
>>>         at org.apache.nifi.fingerprint.FingerprintFactory.addProcessGroupFingerprint(FingerprintFactory.java:368)
>>>         at org.apache.nifi.fingerprint.FingerprintFactory.addProcessGroupFingerprint(FingerprintFactory.java:396)
>>>         at org.apache.nifi.fingerprint.FingerprintFactory.addFlowControllerFingerprint(FingerprintFactory.java:226)
>>>         at org.apache.nifi.fingerprint.FingerprintFactory.createFingerprint(FingerprintFactory.java:168)
>>>         at org.apache.nifi.fingerprint.FingerprintFactory.createFingerprint(FingerprintFactory.java:142)
>>>         at org.apache.nifi.controller.inheritance.FlowFingerprintCheck.checkInheritability(FlowFingerprintCheck.java:45)
>>>         at org.apache.nifi.controller.StandardFlowSynchronizer.sync(StandardFlowSynchronizer.java:206)
>>>         at org.apache.nifi.controller.FlowController.synchronize(FlowController.java:1469)
>>>         at org.apache.nifi.persistence.StandardXMLFlowConfigurationDAO.load(StandardXMLFlowConfigurationDAO.java:89)
>>>         at org.apache.nifi.controller.StandardFlowService.loadFromBytes(StandardFlowService.java:810)
>>>         at org.apache.nifi.controller.StandardFlowService.load(StandardFlowService.java:458)
>>>         at org.apache.nifi.web.server.JettyServer.start(JettyServer.java:1206)
>>>         at org.apache.nifi.NiFi.<init>(NiFi.java:159)
>>>         at org.apache.nifi.NiFi.<init>(NiFi.java:71)
>>>         at org.apache.nifi.NiFi.main(NiFi.java:303)
>>> Caused by: javax.crypto.AEADBadTagException: mac check in GCM failed
>>>         at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>>         at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>>>         at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>>>         at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
>>>         at org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher$AEADGenericBlockCipher.doFinal(Unknown Source)
>>>         at org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher.engineDoFinal(Unknown Source)
>>>         at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2202)
>>>         at org.apache.nifi.encrypt.CipherPropertyEncryptor.decrypt(CipherPropertyEncryptor.java:74)
>>>         ... 27 common frames omitted
>>> 2021-07-19 19:47:36,953 INFO [Thread-0] org.apache.nifi.NiFi Initiating shutdown of Jetty web server...
>>>
>>> Any ideas?
>>>
>>> Thank you!
>>>
>>> -Joe
>>>
>>>
>>
>>
>>

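A pre-upgrade check for the nifi.sensitive.props settings this thread turns on, as an added example that is not part of the thread or of the NiFi distribution. It reads the key=value lines of nifi.properties and encodes only what the thread states: the 1.13.2 default algorithm was PBEWITHMD5AND256BITAES-CBC-OPENSSL, the 1.14.0 default is NIFI_PBKDF2_AES_GCM_256, the algorithm must be carried over unchanged when an existing flow.xml.gz is kept, the key should be at least 12 characters, and every cluster node must carry the same key. Treating a file that leaves the property unset as using that version's default is an assumption, and the script name preflight.sh and the file paths are placeholders.

```bash
#!/usr/bin/env bash
# Pre-upgrade check for nifi.sensitive.props.* (added example, not NiFi code).
# Assumes only the key=value layout of nifi.properties and the two default
# algorithm names quoted in the thread. File paths are supplied by the caller.

# Defaults named in the thread (1.13.2 and 1.14.0 respectively).
OLD_DEFAULT_ALGORITHM="PBEWITHMD5AND256BITAES-CBC-OPENSSL"
NEW_DEFAULT_ALGORITHM="NIFI_PBKDF2_AES_GCM_256"
MIN_KEY_LENGTH=12   # minimum key length given in the thread

# nifi_prop FILE KEY: print KEY's value from a nifi.properties-style file.
# Last assignment wins (as with java.util.Properties); CR and surrounding
# whitespace are stripped; prints nothing if the key is absent.
nifi_prop() {
  local file="$1" key="$2" esc
  esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # dots are literal in the key
  grep -E "^[[:space:]]*${esc}[[:space:]]*=" "$file" 2>/dev/null \
    | tail -n 1 | cut -d= -f2- | tr -d '\r' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# effective_algorithm FILE DEFAULT: the algorithm FILE configures, or DEFAULT
# when the property is unset (assumption: an unset property means the
# shipped default of that NiFi version).
effective_algorithm() {
  local alg
  alg="$(nifi_prop "$1" nifi.sensitive.props.algorithm)"
  printf '%s\n' "${alg:-$2}"
}

# check_algorithm_carried_over OLD_PROPS NEW_PROPS: return 0 when the new
# nifi.properties names the same algorithm the existing flow.xml.gz was
# encrypted with; otherwise print the line to set and return 1.
check_algorithm_carried_over() {
  local old_alg new_alg
  old_alg="$(effective_algorithm "$1" "$OLD_DEFAULT_ALGORITHM")"
  new_alg="$(effective_algorithm "$2" "$NEW_DEFAULT_ALGORITHM")"
  if [ "$old_alg" = "$new_alg" ]; then
    return 0
  fi
  echo "MISMATCH: flow encrypted with $old_alg, new config says $new_alg" >&2
  echo "Set this in the new nifi.properties before starting:" >&2
  echo "nifi.sensitive.props.algorithm=$old_alg" >&2
  return 1
}

# check_key FILE: return 0 if nifi.sensitive.props.key is set and at least
# MIN_KEY_LENGTH characters long, 1 otherwise (empty key included).
check_key() {
  local key
  key="$(nifi_prop "$1" nifi.sensitive.props.key)"
  [ "${#key}" -ge "$MIN_KEY_LENGTH" ]
}

# check_cluster_keys FILE...: return 0 if every node's nifi.properties carries
# the same, long-enough sensitive properties key, 1 otherwise.
check_cluster_keys() {
  local first="" key f
  for f in "$@"; do
    check_key "$f" || { echo "KEY: $f has no key of at least $MIN_KEY_LENGTH chars" >&2; return 1; }
    key="$(nifi_prop "$f" nifi.sensitive.props.key)"
    if [ -z "$first" ]; then
      first="$key"
    elif [ "$key" != "$first" ]; then
      echo "KEY: $f differs from $1; nodes would not share one configuration" >&2
      return 1
    fi
  done
  return 0
}

# Usage: preflight.sh OLD_PROPS NEW_PROPS [OTHER_NODE_NEW_PROPS...]
# Exit 0 only if the algorithm is carried over and all nodes agree on a key.
main() {
  local rc=0
  check_algorithm_carried_over "$1" "$2" || rc=1
  shift
  check_cluster_keys "$@" || rc=1
  [ "$rc" -eq 0 ] && echo "OK: algorithm carried over, keys consistent"
  return "$rc"
}

if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Run it before starting 1.14.0, passing the pre-upgrade nifi.properties first and then the new file from each node; a non-zero exit means one of the conditions David lists above is not met, and the MISMATCH message prints the exact property line to carry over.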