This morning through further research I came across this by Bryan Bende: Apache NiFi 1.14.0 - Secure by Default (bryanbende.com) <https://bryanbende.com/development/2021/07/19/apache-nifi-1-14-0-secure-by-default> It appears that beginning with Apache NiFi 1.14.0, it is possible to have nifi establish the truststore and keystore if they are not present at startup. So I tried this, bearing in mind that I am trying to start up v1.16.3.
My nifi.properties has these parms set in it:

nifi.web.https.host=ec2-52-4-149-72.compute-1.amazonaws.com
nifi.web.https.port=8443
nifi.security.autoreload.enabled=false
nifi.security.autoreload.interval=10 secs
nifi.security.keystore=./conf/keystore.p12
nifi.security.keystoreType=PKCS12
nifi.security.keystorePasswd=
nifi.security.keyPasswd=
nifi.security.truststore=./conf/truststore.p12
nifi.security.truststoreType=PKCS12
nifi.security.truststorePasswd=
nifi.security.user.authorizer=single-user-authorizer
nifi.security.allow.anonymous.authentication=false
nifi.security.user.login.identity.provider=single-user-provider

My authorizers.xml:

<authorizers>
    <authorizer>
        <identifier>single-user-authorizer</identifier>
        <class>org.apache.nifi.authorization.single.user.SingleUserAuthorizer</class>
    </authorizer>
</authorizers>

My login-identity-providers.xml:

<provider>
    <identifier>single-user-provider</identifier>
    <class>org.apache.nifi.authentication.single.user.SingleUserLoginIdentityProvider</class>
    <property name="Username"/>
    <property name="Password"/>
</provider>

And even in this minimalist state, startup fails with this entry in the nifi-app.log:

2022-12-28 13:59:21,744 INFO [main] o.a.n.r.v.FileBasedVariableRegistry Loaded a total of 90 properties.  Including precedence overrides effective accessible registry key size is 90
2022-12-28 13:59:22,117 WARN [main] o.a.nifi.security.util.SslContextFactory Some truststore properties are populated (./conf/truststore.p12, null, PKCS12) but not valid
2022-12-28 13:59:22,117 ERROR [main] o.apache.nifi.controller.FlowController Unable to start the flow controller because the TLS configuration was invalid: The truststore properties are not valid
2022-12-28 13:59:22,154 ERROR [main] o.s.web.context.ContextLoader Context initialization failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration': Initialization of bean failed; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.apache.nifi.web.NiFiWebApiSecurityConfiguration': Unsatisfied dependency expressed through method 'setJwtAuthenticationProvider' parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.apache.nifi.web.security.configuration.JwtAuthenticationSecurityConfiguration': Unsatisfied dependency expressed through constructor parameter 3; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'flowController': FactoryBean threw exception on object creation; nested exception is java.lang.IllegalStateException: Flow controller TLS configuration is invalid

Bryan, if you see this can you please comment?

On Tue, Dec 27, 2022 at 4:13 PM James McMahon <jsmcmah...@gmail.com> wrote:
> Hello. I am trying to start a secure instance of nifi version 1.16.3. I am
> getting this error on start attempt:
>
> 2022-12-27 20:44:21,765 INFO [main] o.a.n.r.v.FileBasedVariableRegistry
> Loaded a total of 90 properties.
> Including precedence overrides effective
> accessible registry key size is 90
> 2022-12-27 20:44:21,972 WARN [main]
> o.a.nifi.security.util.SslContextFactory Some keystore properties are
> populated (/opt/nifi/config_resources/keys/server.jks, ********, ********,
> JKS) but not valid
> 2022-12-27 20:44:21,972 ERROR [main]
> o.apache.nifi.controller.FlowController Unable to start the flow controller
> because the TLS configuration was invalid: The keystore properties are not
> valid
> 2022-12-27 20:44:22,009 ERROR [main] o.s.web.context.ContextLoader Context
> initialization failed
> org.springframework.beans.factory.BeanCreationException: Error creating
> bean with name
> 'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration':
> Initialization of bean failed; nested exception is
> org.springframework.beans.factory.UnsatisfiedDependencyException: Error
> creating bean with name
> 'org.apache.nifi.web.NiFiWebApiSecurityConfiguration': Unsatisfied
> dependency expressed through method 'setJwtAuthenticationProvider'
> parameter 0; nested exception is
> org.springframework.beans.factory.UnsatisfiedDependencyException: Error
> creating bean with name
> 'org.apache.nifi.web.security.configuration.JwtAuthenticationSecurityConfiguration':
> Unsatisfied dependency expressed through constructor parameter 3; nested
> exception is org.springframework.beans.factory.BeanCreationException: Error
> creating bean with name 'flowController': FactoryBean threw exception on
> object creation; nested exception is java.lang.IllegalStateException: Flow
> controller TLS configuration is invalid
>
>
> This is what my nifi.properties file looks like in this section:
>
> # security properties #
> nifi.sensitive.props.key=A_KEY_HERE
> nifi.sensitive.props.key.protected=
> nifi.sensitive.props.algorithm=NIFI_PBKDF2_AES_GCM_256
> nifi.sensitive.props.additional.keys=
>
> nifi.security.autoreload.enabled=false
> nifi.security.autoreload.interval=10 secs
> nifi.security.keystore=/opt/nifi/config_resources/keys/server.jks
> nifi.security.keystoreType=JKS
> nifi.security.keystorePasswd=b0gu5passw0r2!
> nifi.security.keyPasswd=b0gu5passw0r2!
> nifi.security.truststore=/opt/nifi/config_resources/keys/truststore.jks
> nifi.security.truststoreType=JKS
> nifi.security.truststorePasswd=Diff3r3ntBoguspwd#
> nifi.security.user.authorizer=managed-authorizer
> nifi.security.allow.anonymous.authentication=false
> nifi.security.user.login.identity.provider=
> nifi.security.user.jws.key.rotation.period=
> nifi.security.ocsp.responder.url=
> nifi.security.ocsp.responder.certificate=
>
> I have verified the password for my keystore at the command line (this
> works):
>
> sudo keytool -list -v -keystore server.jks
> Enter keystore password: b0gu5passw0r2!
> (....I see the result....)
>
> These JKS files were converted by me from a cacert.pem (to truststore.jks)
> and a server.pfx (for server.jks) using keytool. The cacert.pem and the
> server.pfx were created by me at TinyCert.org.
>
> I thought my keyPasswd should be the same as my keystorePasswd, but am I
> wrong about that? Is it possible that the keyPasswd is the password or
> passphrase I employed when I created the original server.pfx file?
>
> What is this error telling me, and how can I fix it?
>
> To summarize, this is how I got to where I am:
> I created a cacert.pem, an admin.pfx, server.pfx, and client1.pfx using
> TinyCert.
> While in TinyCert.org I was in with a password and a passphrase.
> I transferred those to my keys directory under my nifi install and used
> keytool to create a truststore.jks, a server.jks, a client1.jks, and an
> admin.jks keystore file.
> Each jks has its own password.
> I can look at the contents of my truststore.jks, my admin.jks, my
> server.jks, and my client1.jks using keytool, with the password I provided
> to keytool for admin at the time of conversion.
>
> Jim
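An added example (my own script, not NiFi project code or anything posted in this thread) that applies the all-or-nothing rule behind the "populated but not valid" warning to the properties quoted above: for each store, path, password and type must be either all blank (so 1.14+ can generate the stores, as Bryan's post describes) or all set, which is why "./conf/truststore.p12, null, PKCS12" is rejected. The keyPasswd fallback to keystorePasswd in the last function is my assumption, not something the thread confirms.

```python
# Constructed sample that mirrors the thread's minimalist nifi.properties:
# the store paths and types are set, but every password is left blank.
SAMPLE_NIFI_PROPERTIES = """\
nifi.security.keystore=./conf/keystore.p12
nifi.security.keystoreType=PKCS12
nifi.security.keystorePasswd=
nifi.security.keyPasswd=
nifi.security.truststore=./conf/truststore.p12
nifi.security.truststoreType=PKCS12
nifi.security.truststorePasswd=
"""

def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value lines, '#' comments skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def check_store(props: dict, prefix: str) -> str:
    """Classify one store ('keystore' or 'truststore') as the NiFi log does:
    'absent'   -> path, password and type all blank (1.14+ can generate them)
    'partial'  -> some set, some blank: the 'populated but not valid' failure
    'complete' -> all three set; this script does not try to open the store
    """
    values = {
        "path": props.get(f"nifi.security.{prefix}", ""),
        "password": props.get(f"nifi.security.{prefix}Passwd", ""),
        "type": props.get(f"nifi.security.{prefix}Type", ""),
    }
    missing = [name for name, value in values.items() if not value]
    if len(missing) == len(values):
        return "absent"
    if missing:
        return "partial: missing " + ", ".join(missing)
    return "complete"

def check_tls_properties(props: dict) -> dict:
    """Verdict for both stores. A blank keyPasswd next to a complete keystore
    is only noted, on the assumption (not verified here) that NiFi falls
    back to keystorePasswd for it."""
    result = {"keystore": check_store(props, "keystore"),
              "truststore": check_store(props, "truststore")}
    if result["keystore"] == "complete" and not props.get("nifi.security.keyPasswd"):
        result["keyPasswd"] = "blank; assumed to fall back to keystorePasswd"
    return result
```

Run it against the real conf/nifi.properties with `check_tls_properties(parse_properties(open(path).read()))`; a "partial" verdict is the case the log above reports, while "complete" only means the properties are consistent, not that the file and password actually open the store.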