Posted to users@nifi.apache.org by "Gregory M. Foreman" <gf...@spinnerconsulting.com> on 2021/09/22 14:56:39 UTC

S2S alternate TLS cert

Hello:

I am trying to configure site-to-site on a NiFi 1.12.1 cluster hosted on Kubernetes.

I would like one TLS cert to be used for communication outside the cluster.

Inbound s2s (cluster acting as s2s server) is handled by an nginx ingress proxy that presents the cert to clients.  No issues there.

For outbound s2s (cluster nodes acting as clients), the GUI does not have an option to configure an alternate certificate to use.  Is there some way to provide this?

Thanks,
Greg

Re: S2S alternate TLS cert

Posted by "Gregory M. Foreman" <gf...@spinnerconsulting.com>.
Mark:

Thank you for clarifying.

Greg

> On Sep 27, 2021, at 1:55 PM, Mark Payne <ma...@apache.org> wrote:
> 
> Greg,
> 
> The short answer is no, at this point, whatever keystore/truststore is configured in nifi.properties is used for site-to-site communications - both incoming and outgoing.
> 
> It would be helpful to allow for specifying a different SSL Context per Remote Process Group, but at this point, it's just not something that's been implemented.
> 
> Thanks
> -Mark
> 
> 
> On 2021/09/22 14:56:39, "Gregory M. Foreman" <gf...@spinnerconsulting.com> wrote: 
>> Hello:
>> 
>> I am trying to configure site-to-site on a NiFi 1.12.1 cluster hosted on Kubernetes.
>> 
>> I would like one TLS cert to be used for communication outside the cluster.
>> 
>> Inbound s2s (cluster acting as s2s server) is handled by an nginx ingress proxy that presents the cert to clients.  No issues there.
>> 
>> For outbound s2s (cluster nodes acting as clients), the GUI does not have an option to configure an alternate certificate to use.  Is there some way to provide this?
>> 
>> Thanks,
>> Greg


Re: S2S alternate TLS cert

Posted by Mark Payne <ma...@apache.org>.
Greg,

The short answer is no, at this point, whatever keystore/truststore is configured in nifi.properties is used for site-to-site communications - both incoming and outgoing.

It would be helpful to allow for specifying a different SSL Context per Remote Process Group, but at this point, it's just not something that's been implemented.

Thanks
-Mark


On 2021/09/22 14:56:39, "Gregory M. Foreman" <gf...@spinnerconsulting.com> wrote: 
> Hello:
> 
> I am trying to configure site-to-site on a NiFi 1.12.1 cluster hosted on Kubernetes.
> 
> I would like one TLS cert to be used for communication outside the cluster.
> 
> Inbound s2s (cluster acting as s2s server) is handled by an nginx ingress proxy that presents the cert to clients.  No issues there.
> 
> For outbound s2s (cluster nodes acting as clients), the GUI does not have an option to configure an alternate certificate to use.  Is there some way to provide this?
> 
> Thanks,
> Greg
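
Following Mark's answer above, an added example (not part of the original thread and not NiFi's own code): a small Python check that reads nifi.properties and reports the single keystore/truststore pair that site-to-site uses in both directions, with passwords masked. The sample file contents, paths, and function names are constructed for illustration.

```python
# Added example. SAMPLE is a constructed nifi.properties excerpt; paths and
# passwords are placeholders, not values from the thread.
SAMPLE = """\
nifi.remote.input.secure=true
nifi.remote.input.http.enabled=true
nifi.security.keystore=/opt/nifi/conf/keystore.p12
nifi.security.keystoreType=PKCS12
nifi.security.keystorePasswd=example-keystore-password
nifi.security.truststore=/opt/nifi/conf/truststore.p12
nifi.security.truststoreType=PKCS12
nifi.security.truststorePasswd=example-truststore-password
"""
SECRET_SUFFIXES = ("Passwd",)  # keystorePasswd, keyPasswd, truststorePasswd

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def s2s_tls_report(props):
    """Describe the one TLS configuration S2S uses, with secrets masked."""
    tls = {k: ("<redacted>" if k.endswith(SECRET_SUFFIXES) and v else v)
           for k, v in props.items() if k.startswith("nifi.security.")}
    secure = props.get("nifi.remote.input.secure", "").lower() == "true"
    findings = []
    for name in ("keystore", "truststore"):
        if secure and not props.get(f"nifi.security.{name}"):
            findings.append(f"secure S2S enabled but nifi.security.{name} is unset")
    return {
        "secure_input": secure,
        # One keystore: server identity inbound, client identity outbound.
        "identity_keystore": props.get("nifi.security.keystore", ""),
        "trust_anchors": props.get("nifi.security.truststore", ""),
        "tls_properties": tls,
        "findings": findings,
    }

if __name__ == "__main__":
    for key, value in s2s_tls_report(parse_properties(SAMPLE)).items():
        print(f"{key}: {value}")
```

To use it against a real node, pass the contents of that node's nifi.properties to `parse_properties` instead of `SAMPLE`.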