Posted to dev@nifi.apache.org by veeresh <ve...@gmail.com> on 2015/11/13 10:35:37 UTC

https connection fails with ERR_CONNECTION_CLOSED

Hi All
I have installed nifi on Hortonworks cluster in Azure cloud. Everything works
just fine with non-secured mode (http). In this mode multiple users cannot
work on different templates. I followed the documentation
(https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#security-configuration).

Question: For multiple users to work on different templates, is it mandatory
to enable https connection?

Referring to (http://wiki.eclipse.org/Jetty/Howto/Configure_SSL) I have
created a keystore and a trust store.
My security settings in the nifi.properties file look as below.

nifi.security.keystore=/home/hortonhdp/nifi-0.3.0/keystore
nifi.security.keystoreType=JKS
nifi.security.keystorePasswd=nifi123
nifi.security.keyPasswd=nifi123
nifi.security.truststore=/home/hortonhdp/nifi-0.3.0/keystore
nifi.security.truststoreType=JKS
nifi.security.truststorePasswd=nifi123
nifi.security.needClientAuth=true
nifi.security.user.credential.cache.duration=24 hours
nifi.security.user.authority.provider=file-provider
nifi.security.support.new.account.requests=
nifi.security.ocsp.responder.url=
nifi.security.ocsp.responder.certificate=

From the browser I get an ERR_CONNECTION_CLOSED error. When I try to connect to
nifi using curl locally on the server itself, I get the error below.

curl --verbose  --insecure  https://sandbox.hortonworks.com:8089/nifi
* About to connect() to sandbox.hortonworks.com port 8089 (#0)
*   Trying 10.0.0.4... connected
* Connected to sandbox.hortonworks.com (10.0.0.4) port 8089 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* NSS error -5938
* Closing connection #0
curl: (35) NSS: client certificate not found (nickname not specified)

I also enabled DEBUG mode in logback.xml to see any issue, but I don't see any
errors related to jetty security.

Is there clear documentation on how to generate the keystore/truststore?
Are secured connections (https) tested on cloud/Azure? How can I enable
multiple users to access nifi without https mode?

Thanks in advance

 
 




Re: https connection fails with ERR_CONNECTION_CLOSED

Posted by john012 <jo...@yahoo.com>.
Here’s the mail I got recently for my problem
I have the same issue as Jeffrey.e.Lamb and I think your reply misses a key
point. I want to turn Activity Reporting ON, but leave Web Filtering OFF as
(for now) I only want to monitor sites my children use.
But even with Web Filtering set to OFF, I get an "ERR_CONNECTION_CLOSED"
error from Chrome trying to open google.com and other https sites - I have
to change from Child to Standard account or disable Family Safety altogether
for it to work.  This seems pretty useless.
Strangely IE11 tells me that google.com has an invalid security certificate,
rather than block access.

Or otherwise try this: http://www.deskdecode.com/err_connection_closed/





Re: https connection fails with ERR_CONNECTION_CLOSED

Posted by Matthew Clarke <ma...@gmail.com>.
     NiFi does not allow multiple users to make changes to the graph at the
same time.  Securing your NiFi (while a very good thing to do) does not
change this behavior. This is a feature that we are looking to support at
some point in the future. I do not have a timetable for when that will
occur.

     That being said, you are receiving ERR_CONNECTION_CLOSED because you
do not have a user certificate loaded in your browser to pass to your
secured NiFi instance.  Every user who wants to access a PKI enabled NiFi
will need to have a certificate issued to them.  Those user certificates
will either need to be signed by a Certificate Authority (CA) that is also
loaded in your NiFi's truststore, or every user's self-signed certificate
will need to be included in the truststore.

     The keystore and truststore are two different keystores in NiFi.  The
keystore will contain the certificate for your server running your instance
of NiFi.  It is typically signed by a CA rather than being self-signed.
The truststore typically includes the certificate for one or more CAs, but
in the case of self-signed server and user certificates, the truststore
would need to include them as well.

     There is a free service you can use on the web that allows you to
create your own CA and sign multiple keys with it (user and server keys).

https://www.tinycert.org/

     After creating your CA, you will need to create both server keys and
user keys at that same site.  Users will load their key into their web
browser and the server key will be loaded as your NiFi keystore.  Take the
CA key and load it into your truststore.  Accessing the HTTPS UI of NiFi
requires two-way SSL authentication. Your browser passes your key to NiFi,
NiFi checks to see if it is signed by someone it trusts, NiFi passes its
server key back to your browser to do the same.  It is not necessary to
load the CA into your browser because your browser will tell you it is not
trusted and give you the option to continue anyway.

     There is one more step that is required in NiFi. The user's CN from
the user's certificate for the first user accessing NiFi will need to be
manually added to the authorized-users.xml file found in the conf directory
of your NiFi installation. That user will need to be granted at a minimum
the "admin" role.  Users with the Admin role have the ability to access the UI
and change and grant other users the various access levels.  Subsequent
users who access the UI, and for whom a matching CN is not found, will be
prompted to request access.  The existing Admin user will be able to add their
levels of access via the UI.

    We understand that this highly secure method of authentication in to a
NiFi instance is complicated, so in the next release we are adding support
for authentication via username and password.

Hope this helps,
Matt
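
The steps described in the reply above (create a CA, sign a server key and a user key with it, put the CA certificate in a separate truststore), as an added example that is not part of the original thread. It uses openssl and keytool rather than the tinycert.org site, and every subject, file name and the password are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: throwaway CA plus server and user certificates for two-way SSL.
# Subjects, file names and the password are constructed placeholders.
set -eu

make_pki() {              # $1 = output directory
  local d=$1 pw=changeit-example name cn
  mkdir -p "$d"
  # 1. Private CA; its certificate ca.pem is what the truststore holds.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example NiFi CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  # 2. One key pair each for the server and a user, both signed by that CA.
  for name in server user; do
    [ "$name" = server ] && cn=nifi.example.internal || cn=alice
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
      -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
    openssl x509 -req -in "$d/$name.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
      -CAcreateserial -days 30 -out "$d/$name.pem" 2>/dev/null
    # server.p12 = server keystore (keystoreType PKCS12); user.p12 = browser import.
    openssl pkcs12 -export -inkey "$d/$name.key" -in "$d/$name.pem" \
      -certfile "$d/ca.pem" -name "$name" -passout "pass:$pw" -out "$d/$name.p12"
  done
  # 3. Separate truststore holding just the CA certificate (needs a JDK).
  if command -v keytool >/dev/null 2>&1; then
    keytool -importcert -noprompt -alias example-ca -file "$d/ca.pem" \
      -keystore "$d/truststore.jks" -storetype JKS -storepass "$pw" \
      >/dev/null 2>&1 || echo "keytool import failed" >&2
  fi
}

# The check a needClientAuth=true server makes during the handshake: does the
# presented certificate chain to a CA it trusts? Prints "trusted" or "rejected".
client_cert_status() {    # $1 = trusted CA file, $2 = presented certificate
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo rejected
  fi
}

# Subject of a certificate; its CN is the value the reply says to add to
# authorized-users.xml for the first admin user.
cert_subject() {          # $1 = certificate file
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}
```

With these files, the curl test from the question would also pass `--cert user.pem --key user.key`, so that a client certificate is presented instead of none.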



Re: https connection fails with ERR_CONNECTION_CLOSED

Posted by Joe Witt <jo...@gmail.com>.
Hello

So keep in mind the term 'template' in NiFi means a section of capture
configuration that if put on the graph becomes a live flow.  In NiFi
you're interacting with 'the flow' which can be one connecting thing
or many disconnected things.  The manipulation of the flow on the
graph is altering the actual running flow.  This is a very different
model than the design and deploy approach one may be accustomed to from
other tools.

Multiple users accessing different parts of the flow is certainly
possible whether it is secure or non-secure.  In secure mode you can
control their level of access to the entire flow (all flows) through
the user management screen.  However, if you are looking for
multi-tenant authorization whereby different users have different
levels of access to different parts of the flow graph then that is on the
roadmap.  Here you can find more about it [1].

Regarding the certificate configuration I'll defer to others to
provide pointers there but perhaps you're also looking for username
and password based authentication.  That is also a roadmap item and is
slated to be part of the 0.4.0 release.  You can see more about that
here [2] and [3].

Thanks
Joe

[1] https://cwiki.apache.org/confluence/display/NIFI/Multi-Tentant+Dataflow
[2] https://issues.apache.org/jira/browse/NIFI-655
[3] https://cwiki.apache.org/confluence/display/NIFI/Pluggable+Authentication
