Posted to users@nifi.apache.org by M Tien <mt...@gmail.com> on 2021/03/30 18:34:11 UTC

Re: [EXTERNAL] NiFi Registry SSL question

Hi Roland,
I recently had a similar issue where my secured NiFi and Registry instances were able to connect but not list buckets. My problem traced back to my NiFi authorizers.xml in the conf directory, where I didn’t include the server certificate as a User Identity.

If possible, can you show what you have listed for <userGroupProvider> and <accessPolicyProvider> in your authorizers.xml?

Best,
Margot
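Added example (my own script, not part of this thread or of the NiFi project): a Python cross-check for the three things the thread turns on, namely that the NiFi keystore holds a PrivateKeyEntry rather than a trustedCertEntry, and that the Owner DN of that entry matches, character for character, an identity listed under <userGroupProvider> and <accessPolicyProvider> in NiFi Registry's authorizers.xml. The keytool output and the authorizers.xml fragment are constructed samples; the property names ("Initial User Identity N", "Initial Admin Identity", "NiFi Identity N") are the ones I assume the Registry's file-based providers use, and the sample DN deliberately carries the stray space after "CN=" so the near-miss detection has something to report.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of `keytool -list -v -keystore keystore.jks` output.
# The leaf DN deliberately carries a stray space after "CN=".
KEYTOOL_OUTPUT = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: nifi-key
Creation date: Mar 29, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN= server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US
Certificate[2]:
Owner: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US
"""

# Constructed NiFi Registry authorizers.xml fragment (assumed layout of the
# file-based providers; not the poster's real file).
AUTHORIZERS_XML = """\
<authorizers>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <property name="Users File">./conf/users.xml</property>
    <property name="Initial User Identity 1">CN=admin, OU=NIFI</property>
    <property name="Initial User Identity 2">CN=server_name.domain.net, OU=NIFI</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Initial Admin Identity">CN=admin, OU=NIFI</property>
    <property name="NiFi Identity 1">CN=server_name.domain.net, OU=NIFI</property>
  </accessPolicyProvider>
</authorizers>
"""


def parse_keytool_entries(text):
    """Split keytool -list -v output into one dict per alias, keeping the
    leaf certificate's Owner/Issuer (the first ones after the alias line)."""
    entries, current = [], None
    for line in text.splitlines():
        if line.startswith("Alias name:"):
            current = {"alias": line.split(":", 1)[1].strip()}
            entries.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key == "Entry type":
                current["entry_type"] = value
            elif key in ("Owner", "Issuer") and key.lower() not in current:
                current[key.lower()] = value  # DN kept verbatim, inner spaces included
    return entries


def configured_identities(xml_text):
    """Map every identity-valued property of the two providers to where it is set."""
    root = ET.fromstring(xml_text)
    found = {}
    for provider in ("userGroupProvider", "accessPolicyProvider"):
        for element in root.iter(provider):
            for prop in element.findall("property"):
                name = prop.get("name", "")
                if "Identity" in name:
                    found.setdefault(prop.text or "", []).append(f"{provider}/{name}")
    return found


def canonical(dn):
    """Loose form used only to explain a near miss: drop whitespace around
    '=' and ',' and ignore case. Registry itself compares the raw string."""
    return re.sub(r"\s*([=,])\s*", r"\1", dn.strip()).lower()


def check_identity(owner_dn, identities):
    """Return ("match", [dn]), ("near-miss", [close dns]) or ("missing", [])."""
    if owner_dn in identities:
        return "match", [owner_dn]
    close = [dn for dn in identities if canonical(dn) == canonical(owner_dn)]
    return ("near-miss", close) if close else ("missing", [])


def audit(keytool_text, xml_text):
    """One report line per keystore entry, plus a line when the entry is not
    a PrivateKeyEntry (a server keystore must hold the private key)."""
    identities = configured_identities(xml_text)
    report = []
    for entry in parse_keytool_entries(keytool_text):
        alias, owner = entry["alias"], entry.get("owner", "")
        if entry.get("entry_type") != "PrivateKeyEntry":
            report.append(f"{alias}: entry type is {entry.get('entry_type')!r}; "
                          "a server keystore needs a PrivateKeyEntry")
        status, related = check_identity(owner, identities)
        if status == "match":
            report.append(f"{alias}: {owner!r} is configured at "
                          + ", ".join(identities[owner]))
        elif status == "near-miss":
            report.append(f"{alias}: {owner!r} differs only in whitespace/case from "
                          f"{related[0]!r}; Registry matches identities exactly")
        else:
            report.append(f"{alias}: no configured identity matches {owner!r}")
    return report


if __name__ == "__main__":
    for line in audit(KEYTOOL_OUTPUT, AUTHORIZERS_XML):
        print(line)
```

To use it on a real deployment, save the output of `keytool -list -v -keystore <keystoreFile>` and feed it together with the Registry's conf/authorizers.xml to `audit()`. The near-miss normalisation is deliberately narrow (whitespace around '=' and ',', and case), so a hit points at exactly the kind of mismatch that an exact string comparison in the Registry will silently reject, which shows up as "no buckets" rather than as a TLS error.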

> On Mar 30, 2021, at 11:08 AM, Bryan Bende <bb...@gmail.com> wrote:
> 
> If the issue is related to the server user, then there would be something like this:
> 
> "Untrusted proxy [%s] for %s operation."
> 
> Where the first parameter would be the identity of the nifi server and the second parameter would be READ/WRITE/DELETE.
> 
> Also search for whatever user identity you are using in nifi since that will be sent as a proxied entity.
> 
> On Tue, Mar 30, 2021 at 1:54 PM Rosso, Roland <Roland.Rosso@adventhealth.com <ma...@adventhealth.com>> wrote:
> Bryan,
> 
> Tried the below:
> 
> “Also try adding the following NiFi Registry's logback.xml then see what is in the nifi-registry-app log when you make a request from NiFi to start version control:
> 
> <logger name="org.apache.nifi.registry.security" level="DEBUG"/>”
> 
>  
> 
> I tried to add a flow to version control or pull a new PG. Since we have 5 instances connected to that registry, hard to say which is doing what, but I can find all the instances in nifi-registry-app.log but not the one that’s not connecting right.
> 
> Anything specific you want me to look for in that log?
> 
>  
> 
> Thanks,
> 
> Roland Rosso
> AdventHealth
> Big Data Administrator | Corporate Analytics
> O: 407-805-8532
> 
>  
> 
> From: Rosso, Roland <Ro...@AdventHealth.com> 
> Sent: Tuesday, March 30, 2021 1:28 PM
> To: users@nifi.apache.org <ma...@nifi.apache.org>
> Subject: RE: [EXTERNAL] Re: NiFi Registry SSL question
> 
>  
> 
> So,
> 
> CN= server_name.domain.net <http://server_name.domain.net/>, OU=NIFI
> 
>  
> 
> It decided to hyperlink it so the ‘_’ was hidden
> 
>  
> 
> Both sets of certs were generated with the toolkit, albeit the first one 2 years ago with self-signed certs, and I need to move it to corporate CA.
> 
>  
> 
> New Server Cert:
> 
> Alias name: server_name-nifi-cert
> 
> Creation date: Mar 29, 2021
> 
> Entry type: trustedCertEntry
> 
>  
> 
> Owner: CN= server_name.domain.net <http://server_name.domain.net/>, OU=NIFI  <-- exact match to entry above
> 
> Issuer: CN=nifi_ca.domain.net <http://nifi_ca.domain.net/>, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US  <-- corporate CA switch
> 
> This worked fine when we used the self-signed NiFi certs of the type:
> 
>  
> 
> Old Server Cert: (this was working but I need to use the above now)
> 
> Alias name: server_name-nifi-cert
> 
> Creation date: date
> 
> Entry type: trustedCertEntry
> 
> Owner: CN=server.domain.net <http://server.domain.net/>, OU=NIFI
> 
> Issuer: CN=localhost, OU=NIFI
> 
>  
> 
> Thanks,
> 
> Roland Rosso
> AdventHealth
> Big Data Administrator | Corporate Analytics
> O: 407-805-8532
> 
>  
> 
> From: Bryan Bende <bbende@gmail.com <ma...@gmail.com>> 
> Sent: Tuesday, March 30, 2021 1:14 PM
> To: users@nifi.apache.org <ma...@nifi.apache.org>
> Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question
> 
>  
> 
> Not sure if this is related, but in one part it shows the Owner as:
> 
>  
> 
> CN= server_name.domain.net <http://server_name.domain.net/>, OU=NIFI
> 
>  
> 
> There is a space between "CN=" and "server_name", but the identity in NiFi Registry does not have a space there.
> 
>  
> 
> Also, in the second trustedCertEntry, the Owner is "CN=server.domain.net <http://server.domain.net/>, OU=NIFI" and shows the issuer as localhost, so I assume this is the one that came from NiFi Toolkit.
> 
>  
> 
> If NiFi is presenting a cert with this DN then you would need a user in registry with the identity "CN=server.domain.net <http://server.domain.net/>, OU=NIFI" which is different from "CN=server_domain.net <http://server_domain.net/>, OU=NIFI"
> 
>  
> 
> On Tue, Mar 30, 2021 at 12:35 PM Rosso, Roland <Roland.Rosso@adventhealth.com <ma...@adventhealth.com>> wrote:
> 
> Bryan, David,
> 
>  
> 
> <image001.png>
> 
> Where
> 
> In NiFi Registry Truststore:
> 
> Alias name: server_name-nifi-cert
> Creation date: Mar 29, 2021
> Entry type: trustedCertEntry
> 
> Owner: CN= server_name.domain.net <http://server_name.domain.net/>, OU=NIFI  <-- exact match to entry above
> Issuer: CN=nifi_ca.domain.net <http://nifi_ca.domain.net/>, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US  <-- corporate CA switch
> 
> This worked fine when we used the self-signed NiFi certs of the type:
> 
>  
> 
> Alias name: server_name-nifi-cert
> 
> Creation date: date
> 
> Entry type: trustedCertEntry
> 
> Owner: CN=server.domain.net <http://server.domain.net/>, OU=NIFI
> 
> Issuer: CN=localhost, OU=NIFI
> 
>  
> 
> Roland
> 
>  
> 
> From: Bryan Bende <bbende@gmail.com <ma...@gmail.com>> 
> Sent: Tuesday, March 30, 2021 8:58 AM
> To: users@nifi.apache.org <ma...@nifi.apache.org>
> Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question
> 
>  
> 
> Since you aren't getting SSL errors and you are just getting no buckets, I don't think it is a problem with certificates. I think it is a problem with the authorization on NiFi Registry side.
> 
>  
> 
> What version of NiFi Registry? And also, can you show what policies exist for the NiFi server user in NiFi Registry?
> 
>  
> 
> On Tue, Mar 30, 2021 at 8:12 AM Chris McKeever <cgmckeever@gmail.com <ma...@gmail.com>> wrote:
> 
> Hey Roland .. I ran into a bunch of issues with using the toolkit. I just couldn't get it to do what I needed, so I wound up just running my own openssl and keytool commands. I found it much more straightforward, and then I could know what all was going on. I'm sure that after I got these scars and understood all the bits, the toolkit would work and be simpler, but I did find rolling my own, especially with the external CA, was easier.
> 
>  
> 
> Also, if you are on Slack, there is an active NiFi community there that may be helpful as well ..
> 
>  
> 
> On Tue, Mar 30, 2021 at 6:17 AM Rosso, Roland <Roland.Rosso@adventhealth.com <ma...@adventhealth.com>> wrote:
> 
> David,
> 
> Thanks for the debug config.
> 
> Here is an output when I try to connect to the registry from that new server, Import a PG.
> 
> Since we have a few servers running, it is a very verbose log.
> 
> I may have missed the useful part of the log. 😊
> 
>  
> 
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut ... no IV derived for this protocol
> 
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Handshake, length = 85
> 
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
> 
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: server finished[20]
> 
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client change_cipher_spec[-1]
> 
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client finished[20]
> 
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Change Cipher Spec, length = 1
> 
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut *** Finished
> 
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut verify_data:  { 20, 87, 186, 148, 90, 136, 108, 120, 14, 10, 42, 184 }
> 
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut ***
> 
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: finished[20]
> 
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client change_cipher_spec[-1]
> 
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client finished[20]
> 
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Handshake, length = 96
> 
> 2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 Change Cipher Spec, length = 1
> 
> 2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
> 
> 2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client finished[20]
> 
> 2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 Handshake, length = 96
> 
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut check handshake state: finished[20]
> 
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: finished[20]
> 
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut *** Finished
> 
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut verify_data:  { 155, 211, 15, 169, 135, 208, 90, 115, 111, 50, 85, 164 }
> 
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut ***
> 
> 2021-03-30 06:57:50,226 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 926
> 
> 2021-03-30 06:57:50,228 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1100
> 
> 2021-03-30 06:57:50,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1018
> 
> 2021-03-30 06:57:50,231 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1049
> 
> 2021-03-30 06:57:50,233 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1010
> 
> 2021-03-30 06:57:50,234 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 928
> 
> 2021-03-30 06:57:50,236 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 924
> 
> 2021-03-30 06:57:50,237 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
> 
> 2021-03-30 06:57:50,239 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 919
> 
> 2021-03-30 06:57:50,240 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1007
> 
> 2021-03-30 06:57:50,241 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 999
> 
> 2021-03-30 06:57:50,243 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 916
> 
> 2021-03-30 06:57:50,245 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 996
> 
> 2021-03-30 06:57:50,247 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1102
> 
> 2021-03-30 06:57:50,248 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 942
> 
> 2021-03-30 06:57:50,250 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
> 
> 2021-03-30 06:57:50,251 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 919
> 
> 2021-03-30 06:57:50,253 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 938
> 
> 2021-03-30 06:57:50,254 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 942
> 
> 2021-03-30 06:57:50,255 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 923
> 
> 2021-03-30 06:57:50,256 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 944
> 
> 2021-03-30 06:57:50,258 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 946
> 
> 2021-03-30 06:57:50,259 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1006
> 
> 2021-03-30 06:57:50,261 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 932
> 
> 2021-03-30 06:57:50,263 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 912
> 
> 2021-03-30 06:57:50,264 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 943
> 
> 2021-03-30 06:57:50,266 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1026
> 
> 2021-03-30 06:57:50,267 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 975
> 
> 2021-03-30 06:57:50,269 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 915
> 
> 2021-03-30 06:57:50,270 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 914
> 
> 2021-03-30 06:57:50,271 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 931
> 
> 2021-03-30 06:57:50,272 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 929
> 
> 2021-03-30 06:57:50,274 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 910
> 
> 2021-03-30 06:57:50,275 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
> 
> 2021-03-30 06:57:50,276 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 911
> 
> 2021-03-30 06:57:50,277 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 918
> 
> 2021-03-30 06:57:50,279 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 927
> 
> 2021-03-30 06:57:50,280 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 913
> 
> 2021-03-30 06:57:50,281 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 923
> 
> 2021-03-30 06:57:50,282 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 928
> 
> 2021-03-30 06:57:50,284 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 937
> 
> 2021-03-30 06:57:50,285 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1042
> 
> 2021-03-30 06:57:50,286 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 939
> 
> 2021-03-30 06:57:50,287 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 939
> 
> 2021-03-30 06:57:50,289 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 922
> 
> 2021-03-30 06:57:50,290 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 919
> 
> 2021-03-30 06:57:50,291 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 930
> 
> 2021-03-30 06:57:50,292 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 933
> 
> 2021-03-30 06:57:50,293 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 930
> 
> 2021-03-30 06:57:50,295 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 931
> 
> 2021-03-30 06:57:50,296 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 922
> 
> 2021-03-30 06:57:50,297 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 947
> 
> 2021-03-30 06:57:50,298 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 905
> 
> 2021-03-30 06:57:50,300 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1166
> 
> 2021-03-30 06:57:50,301 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 914
> 
> 2021-03-30 06:57:50,302 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 898
> 
> 2021-03-30 06:57:50,303 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 908
> 
> 2021-03-30 06:57:50,304 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 989
> 
> 2021-03-30 06:57:50,306 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 911
> 
> 2021-03-30 06:57:50,307 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
> 
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, READ: TLSv1.2 Alert, length = 80
> 
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, RECV TLSv1.2 ALERT:  warning, close_notify
> 
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, closeInboundInternal()
> 
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, closeOutboundInternal()
> 
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, SEND TLSv1.2 ALERT:  warning, description = close_notify
> 
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, WRITE: TLSv1.2 Alert, length = 80
> 
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, called closeOutbound()
> 
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, closeOutboundInternal()
> 
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 Alert, length = 80
> 
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, RECV TLSv1.2 ALERT:  warning, close_notify
> 
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, closeInboundInternal()
> 
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, closeOutboundInternal()
> 
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, SEND TLSv1.2 ALERT:  warning, description = close_notify
> 
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Alert, length = 80
> 
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, called closeOutbound()
> 
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, closeOutboundInternal()
> 
>  
> 
> Roland
> 
>  
> 
> From: David Handermann <exceptionfactory@gmail.com <ma...@gmail.com>> 
> Sent: Monday, March 29, 2021 11:56 PM
> To: users@nifi.apache.org <ma...@nifi.apache.org>
> Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question
> 
>  
> 
> Hi Roland,
> 
>  
> 
> Thanks for the reply.  If you are not seeing any warnings or errors in the NiFi Registry logs, you could enable SSL debugging in the NiFi Registry bootstrap.conf.  Adding the following line to bootstrap.conf should enable SSL debug output to the nifi-registry-bootstrap.log:
> 
>  
> 
> java.arg.20=-Djavax.net.debug=ssl
> 
>  
> 
> This setting produces a lot of output, but if you watch the log after the initial application startup, you should be able to observe the TLS handshake when NiFi attempts to list buckets from NiFi Registry.  The log output should at least confirm that the certificate exchange is occurring as expected.
> 
>  
> 
> Regards,
> 
> David Handermann
> 
>  
> 
> On Mon, Mar 29, 2021 at 10:34 PM Rosso, Roland <Roland.Rosso@adventhealth.com <ma...@adventhealth.com>> wrote:
> 
> Hi David,
> 
>  
> 
> I use the nifi-toolkit to create the keystore and truststore to make sure clientAuth and serverAuth is set properly.
> 
>  
> 
> This is a ‘working’ config.
> 
> Keystore:
> 
> Alias name: nifi-key
> 
> Creation date: date
> 
> Entry type: PrivateKeyEntry
> 
>  
> 
> Truststore:
> 
> Alias name: server_name-nifi-cert
> 
> Creation date: date
> 
> Entry type: trustedCertEntry
> 
>  
> 
> Owner: CN=server.domain.net <http://server.domain.net/>, OU=NIFI
> 
> Issuer: CN=localhost, OU=NIFI
> 
>  
> 
> The issue with the new setup is using external CA, also created via the nifi-toolkit, new NiFi install working fine (from a SSL perspective), Registry connecting but can’t list buckets.
> 
>  
> 
> Alias name: server_name-nifi-cert
> Creation date: Mar 29, 2021
> Entry type: trustedCertEntry
> 
> Owner: CN= server_name.domain.net <http://server_name.domain.net/>, OU=NIFI
> Issuer: CN=nifi_ca.domain.net <http://nifi_ca.domain.net/>, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US
> 
>  
> 
> Thanks,
> Roland
> 
>  
> 
> From: David Handermann <exceptionfactory@gmail.com <ma...@gmail.com>> 
> Sent: Monday, March 29, 2021 9:27 PM
> To: users@nifi.apache.org <ma...@nifi.apache.org>
> Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question
> 
>  
> 
> Hi Roland,
> 
>  
> 
> Can you provide the commands you are using to create the server keystores?  Listing the keystore contents using "keytool -list -v -keystore <keystoreFile>" should include an Entry Type of "PrivateKeyEntry", so it would be helpful to confirm that the keystore includes a PrivateKeyEntry and not a TrustedCertEntry.
> 
>  
> 
> Regards,
> 
> David Handermann
> 
>  
> 
> On Mon, Mar 29, 2021 at 5:49 PM Rosso, Roland <Roland.Rosso@adventhealth.com <ma...@adventhealth.com>> wrote:
> 
> I've tried this one more time (NiFi 1.12.1 to Registry 0.6.0). Re-signed/re-imported the certs.
> 
> The new "server" cert is of the type:
> 
> Alias name: server_name-nifi-cert
> Creation date: Mar 29, 2021
> Entry type: trustedCertEntry
> 
> Owner: CN= server_name.domain.net <http://server_name.domain.net/>, OU=NIFI
> Issuer: CN=nifi_ca.domain.net <http://nifi_ca.domain.net/>, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US
> 
> [blah]
> 
> I am adding the "server user" 'CN= server_name.domain.net <http://server_name.domain.net/>, OU=NIFI' to the registry with all the grants. I don't see any errors in the logs but still cannot properly link it to the existing buckets. Should I add the "server user" in a different manner since the cert issuer is not 'Issuer: CN=localhost, OU=NIFI'?
> The other servers' certs that are signed with 'Issuer: CN=localhost, OU=NIFI' work just fine (NiFi 1.9.2 to Registry 0.6.0).
> Is there a way to increase the logs as well?
> 
> Many thanks,
> Roland
> 
> -----Original Message-----
> From: Rosso, Roland <Roland.Rosso@AdventHealth.com <ma...@AdventHealth.com>> 
> Sent: Thursday, March 25, 2021 2:21 PM
> To: users@nifi.apache.org <ma...@nifi.apache.org>
> Subject: RE: [EXTERNAL] Re: NiFi Registry SSL question
> 
> Thank you Bryan,
> I've tried all combinations I could think of.
> I'll re-sign all the certs with the same key for nifi and registry and try this again.
> 
> Thanks,
> Roland
> 
> -----Original Message-----
> From: Bryan Bende <bbende@gmail.com <ma...@gmail.com>> 
> Sent: Tuesday, March 23, 2021 3:48 PM
> To: users@nifi.apache.org <ma...@nifi.apache.org>
> Subject: [EXTERNAL] Re: NiFi Registry SSL question
> 
> I think the issue might be related to the "server user" in nifi registry. I would double check that the way the identity was entered in registry exactly matches the identity from nifi's certificate, case-sensitive and white-space sensitive. Also make sure this user in registry is granted all of the Proxy permissions, it is broken out into three different actions now (read, write, delete).
> 
> On Tue, Mar 23, 2021 at 9:28 AM Rosso, Roland <Roland.Rosso@adventhealth.com <ma...@adventhealth.com>> wrote:
> >
> > Hi all,
> >
> > I am moving things around and moving from self-signed certs to corporate certs.
> >
> > I’ve installed nifi 1.12 with a new truststore and keystore (use toolkit with external certs) and that seems fine.
> >
> > I added the cert from the registry server (old self signed) into the new nifi 1.12 truststore and the new server cert (signed with corporate CA) into the nifi registry truststore (again, self signed).
> >
> > I also added the server ‘user’ CN=server.domain, OU=NIFI into the registry and made the permission grants (proxy, buckets). I don’t get any SSL errors in the logs but cannot add a PG via registry (no available bucket).
> >
> > Is this setup possible and am I missing something, or do all NiFi nodes and registry need to be signed with the same key? The idea was to setup a new instance (on new server), pull all PGs via registry into the new and retiring the old.
> >
> >
> >
> > Thanks,
> >
> > Roland
> >
> >
> >
> >
> >
> > This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or may constitute as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, notify us immediately by telephone and (i) destroy this message if a facsimile or (ii) delete this message immediately if this is an electronic communication. Thank you.