Hi David, It’s a standalone deployment and runs directly on the server.
Yes the command updated the flow.xml.gz/flow.json.gz and nifi.properties settings. Maybe I messed up the nifi.sensitive.props.key, I’ll run some more tests. Thanks for your help. Tiago From: David Handermann [mailto:exceptionfact...@apache.org] Sent: 27 de outubro de 2022 16:50 To: users@nifi.apache.org<mailto:users@nifi.apache.org> Subject: Re: NiFi 1.18.0 Sensitive Property broken after Upgrade Hi Tiago, The initial warning for the Insecure Cipher Provider Algorithm indicates the use of the deprecated setting as mentioned previously. The set-sensitive-properties-algorithm command looks correct, and should have updated the flow.xml.gz, flow.json.gz, and nifi.properties settings. The Decryption Failed message indicates that the nifi.sensitive.props.key value does not match the value used to encrypt the flow configuration, or that the algorithm does not match. Can you provide some additional details about the NiFi installation? Is this a standalone or clustered deployment, and is it running in a containerized environment, or directly on a server? Regards, David Handermann On Thu, Oct 27, 2022 at 10:35 AM Tiago Luís Sebastião (DSI) <tiago.luis.sebast...@cgd.pt<mailto:tiago.luis.sebast...@cgd.pt>> wrote: Hi all, I'm having the same “problem”. I upgraded nifi version from 1.17.0 to 1.18.0 and that same warning started to appear 500k times a day. " WARN [Flow Service Tasks Thread-1] d.o.a.n.s.u.c.NiFiLegacyCipherProvider Insecure Cipher Provider Algorithm [PBEWITHMD5AND256BITAES-CBC-OPENSSL] generate salt requested " A already had nifi.sensitive.props.key value defined from when we migrated to 1.15.3. With Nifi STOPPED and without changing any configuration on nifi.properties I executed the following: ./nifi.sh set-sensitive-properties-algorithm NIFI_PBKDF2_AES_GCM_256 No errors found there, then I started Nifi and received the following errors: " WARN [main] org.apache.nifi.web.server.JettyServer Failed to start web server... shutting down. org.apache.nifi.encrypt.EncryptionException: Decryption Failed with Algorithm [AES/GCM/NoPadding] " Since Nifi could not start anymore I reversed it... Now Im kind of stuck with this warning... Anyone knows what Im doing wrong? Tiago From: David Handermann [mailto:exceptionfact...@apache.org<mailto:exceptionfact...@apache.org>] Sent: 19 de outubro de 2022 13:41 To: users@nifi.apache.org<mailto:users@nifi.apache.org> Subject: Re: NiFi 1.18.0 Sensitive Property broken after Upgrade Hi Mike, The deprecation warning is not related to NIFI-10567 or Sensitive Dynamic Properties. Deprecation logging is a new feature added in NiFi 1.18.0 to highlight components and features that are targeted for removal in future major releases. The current administrator's guide has more details on deprecation logging. [1] Deprecation warnings do not impact operational behavior, but they do identify configuration settings that should be changed. In this particular case, the deprecation is related to the use of the insecure algorithm. NiFi 1.14.0 and following introduced new Sensitive Properties Key Algorithm settings, which should be used instead of the historical default value indicated in the warning. The new default value is NIFI_PBKDF2_AES_GCM_256, additional supported options are listed in the administrator's guide, [2] along with the command that can be run to update the Sensitive Properties Key Algorithm. [3] Feel free to follow up if you have additional questions. Regards, David Handermann [1] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#deprecation-logging [2] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#property-encryption-algorithms [3] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#updating-the-sensitive-properties-algorithm On Wed, Oct 19, 2022 at 7:28 AM Mike S <88msha...@gmail.com<mailto:88msha...@gmail.com>> wrote: I upgraded from 1.16.2 to 1.18.0 and now see this warning in the log file. WARN [Flow Service Tasks Thread-1] d.o.a.n.s.u.c.NiFiLegacyCipherProvider Insecure Cipher Provider Algorithm [PBEWITHMD5AND256BITAES-CBC-OPENSSL] generate salt requested org.apache.nifi.deprecation.log.DeprecationException: Reference Class [org.apache.nifi.security.util.crypto.NiFiLegacyCipherProvider] ClassLoader [org.apache.nifi.nar.NarClassLoader[./work/nar/framework/nifi-framework-nar-1.18.0.nar-unpacked]] I read this here. NIFI-10567<https://issues.apache.org/jira/browse/NIFI-10567> Corrects the parsing of Sensitive Dynamic Properties read from the XML version of the flow configuration, in absence of the JSON version. The issue surfaces when upgrading to NiFi 1.17.0 or 1.18.0 from a version older than 1.16.0. The issue also requires the presence of a Parameter Context with a Sensitive value assigned to a component with a Sensitive Property. Upgrading from 1.16.0 and following is not a problem. It appears that all my ListS3 processors using sensitive properties are working. Is this related since 1.16.2 has the latest flow.json.gz file? Mike
