Posted to users@nifi.apache.org by Michael Nacey <mn...@gmail.com> on 2017/10/19 22:00:11 UTC

MiNiFi & Certs/Keys

Hi,

We have been working on securing our nifi/minifi setup, and we have been
marginally successful, but there are a few things I can't seem to figure
out. For our setup we have:

CA: created in openssl, intermediate issuer created as well; chain cert
created
NIFI Cert: issued by the intermediate
User Cert: issued by the intermediate (CN=admin)

NIFI
=======
Keystore: nifi_server.key.pem
Truststore: ca-chain.cert.pem, admin.cert.pem, nifi_server.cert.pem

With this setup, secure cert based browser connection to NIFI works like a
champ using the "admin" identity. I can create an S2S connection to my own
NIFI, and I notice it uses the 'nifi_server' identity to authenticate.

MINIFI
========
Keystore: nifi_server.key.pem
Truststore: ca-chain.cert.pem, admin.cert.pem, nifi_server.cert.pem

With this setup, MINIFI will connect securely to NIFI, again using the
'nifi_server' identity. This is not really desirable, since I would want
MINIFI to connect using the "admin" identity (or in real life, one specific
to that instance of MINIFI).

Any ideas how to accomplish this? Am I doing something wrong? I'm kind of
new to the Java keystore stuff.

Thanks

-- 
“Try to never run out of smokes, ammo, and luck all at the same time. But
remember, if you have ammo, you can always get more smokes, and make your
own luck." G.K. Shirpa

Re: MiNiFi & Certs/Keys

Posted by Bryan Bende <bb...@gmail.com>.
Hi Michael,

You would want to generate a different certificate for MiNiFi (using
the same CA) and put it in a different keystore like
minifi_server.key.pem.

You would then need to create a user in NiFi for the DN of the MiNiFi
certificate, to represent MiNiFi as a user and assign proper
permissions for site-to-site, etc.

So all of your systems would use the same truststore that trusts certs
from the CA, but each system should have their own cert to identify
them.

Thanks,

Bryan


Re: MiNiFi & Certs/Keys

Posted by Mike Nacey <mn...@gmail.com>.
Thanks. I got it. The key was to get the correct key in the keystore. I just imported the PKCS12 file into the keystore and all is well.

Sent from my iPhone

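
The following script is an added example, not code from this thread or from the NiFi/MiNiFi project. It walks through what Bryan describes (one certificate and keystore per system, one shared truststore holding only the CA chain) and what Mike ended up doing (wrapping the MiNiFi key and certificate in a PKCS12 file and importing that into a Java keystore), then checks which DN each keystore actually presents. The CA names, the CNs (nifi01.example.internal, minifi-01, admin), the file names modelled on the poster's, and the password "changeit" are all assumptions for illustration. It needs only openssl; the keytool steps run only if keytool is on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): two-tier CA in openssl, one leaf cert per
# system, one PKCS12 keystore per system, and a shared CA-only truststore.
# CNs, file names and the password "changeit" are illustrative assumptions.
set -eu

PASS=changeit

# Extension profiles. CA certs must say CA:TRUE or openssl rejects the chain.
# A NiFi node is both a TLS server (UI, S2S listener) and a TLS client (S2S to
# peers), so identity certs carry both serverAuth and clientAuth.
write_ext_files() {
  dir=$1
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
                'keyUsage=critical,keyCertSign,cRLSign' > "$dir/ca.ext"
  printf '%s\n' 'basicConstraints=CA:FALSE' \
                'keyUsage=critical,digitalSignature,keyEncipherment' \
                'extendedKeyUsage=serverAuth,clientAuth' > "$dir/leaf.ext"
}

# issue_leaf DIR NAME CN : new key + CSR, signed by the intermediate.
issue_leaf() {
  dir=$1; name=$2; cn=$3
  openssl genrsa -out "$dir/$name.key.pem" 2048 2>/dev/null
  openssl req -new -key "$dir/$name.key.pem" -subj "/CN=$cn" -out "$dir/$name.csr"
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/intermediate.cert.pem" \
    -CAkey "$dir/intermediate.key.pem" -CAcreateserial -days 365 -sha256 \
    -extfile "$dir/leaf.ext" -out "$dir/$name.cert.pem" 2>/dev/null
}

# build_pki DIR : root -> intermediate -> {nifi_server, minifi, admin}.
build_pki() {
  dir=$1
  write_ext_files "$dir"
  openssl genrsa -out "$dir/root.key.pem" 2048 2>/dev/null
  openssl req -new -key "$dir/root.key.pem" -subj "/CN=Example Root CA" -out "$dir/root.csr"
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key.pem" -days 3650 \
    -sha256 -extfile "$dir/ca.ext" -out "$dir/root.cert.pem" 2>/dev/null
  openssl genrsa -out "$dir/intermediate.key.pem" 2048 2>/dev/null
  openssl req -new -key "$dir/intermediate.key.pem" \
    -subj "/CN=Example Intermediate CA" -out "$dir/intermediate.csr"
  openssl x509 -req -in "$dir/intermediate.csr" -CA "$dir/root.cert.pem" \
    -CAkey "$dir/root.key.pem" -CAcreateserial -days 1825 -sha256 \
    -extfile "$dir/ca.ext" -out "$dir/intermediate.cert.pem" 2>/dev/null
  # Shared truststore content: the CA chain only, no leaf certificates.
  cat "$dir/intermediate.cert.pem" "$dir/root.cert.pem" > "$dir/ca-chain.cert.pem"
  issue_leaf "$dir" nifi_server nifi01.example.internal
  issue_leaf "$dir" minifi      minifi-01
  issue_leaf "$dir" admin       admin
  # One PKCS12 per system: its own key and cert plus the issuing intermediate.
  for n in nifi_server minifi admin; do
    openssl pkcs12 -export -inkey "$dir/$n.key.pem" -in "$dir/$n.cert.pem" \
      -certfile "$dir/intermediate.cert.pem" -name "$n" \
      -passout "pass:$PASS" -out "$dir/$n.p12"
  done
  # Java side, when keytool is available: MiNiFi keystore from the PKCS12 file,
  # and a truststore holding the two CA certs (imported one alias each).
  if command -v keytool >/dev/null 2>&1; then
    keytool -importkeystore -srckeystore "$dir/minifi.p12" -srcstoretype PKCS12 \
      -srcstorepass "$PASS" -destkeystore "$dir/minifi_keystore.jks" \
      -deststoretype JKS -deststorepass "$PASS" -noprompt >/dev/null 2>&1
    keytool -importcert -alias root -file "$dir/root.cert.pem" \
      -keystore "$dir/truststore.jks" -storepass "$PASS" -noprompt >/dev/null 2>&1
    keytool -importcert -alias intermediate -file "$dir/intermediate.cert.pem" \
      -keystore "$dir/truststore.jks" -storepass "$PASS" -noprompt >/dev/null 2>&1
  fi
}

# keystore_identity P12 : subject DN the holder of this keystore presents.
keystore_identity() {
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# trusted_by_chain CHAIN CERT : succeeds if CERT verifies against CHAIN alone.
trusted_by_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

PKI_DIR=$(mktemp -d)
build_pki "$PKI_DIR"
for n in nifi_server minifi admin; do
  printf '%-12s presents %s\n' "$n" "$(keystore_identity "$PKI_DIR/$n.p12")"
done
```

Two things to check after running something like this against a real NiFi. First, the identity NiFi sees is the whole subject DN as a string, so the user you create in NiFi for MiNiFi must match it exactly (with only a CN the identity is simply CN=minifi-01; with OU/O attributes NiFi reports a comma-separated form such as "CN=minifi-01, OU=NIFI", so copy the string NiFi itself logs). Second, OpenSSL 3 writes PKCS12 files with AES/PBKDF2 and a SHA-256 MAC by default, which older Java 8 releases cannot open; if keytool rejects the file, re-export with `openssl pkcs12 -export -legacy`. NiFi can also load the .p12 directly by setting the keystore type to PKCS12 rather than converting it to JKS.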

Re: MiNiFi & Certs/Keys

Posted by Aldrin Piri <al...@gmail.com>.
I am a far cry from a cert pro, but it looks like the results are what I
would anticipate given your reuse of nifi_server.key.pem in your JKS.  I
don't think you are far away from your intended setup and should be able to
create another "user" cert for your minifi instance(s), as you had for your
User Cert,  that would uniquely identify it/them.

Additionally, if you are just doing self signed certificates, you could
consider the NiFi TLS Toolkit
(http://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#tls-generation-toolkit)
which can help facilitate this process as well.
