Posted to users@nifi.apache.org by James McMahon <js...@gmail.com> on 2017/02/16 19:27:49 UTC

No Response from NiFi to Http POST Request

I am unable to get a response from my NiFi server HandleHttpRequest
processor when I issue a POST from Python code on a remote box. I suspect
my configuration of certs is somehow missing a vital piece of the puzzle,
though that seems contrary to my configuration of HandleHttpRequest (No
Authentication in parm Client Authentication). From the calling program
window all we see is a message that we have made an unverified https
request.
My HandleHttpRequest processor is configured with No Authentication in parm
Client Authentication. I assumed that this meant no client cert is required
for a posting program to post, but now I suspect that I am wrong about that.
I do include in the config for this processor an SSL Context Service,
StandardSSLContextService. The service is Enabled. The service configuration
references my keystore and truststore.
Currently we are executing the python program as user root on the remote
server. We are not including any cert reference in our POST call.
What is lacking in my configuration?
We are able to get a response back from the NiFi server when we issue the
POST via a curl command. Thanks in advance for your help. -Jim

Re: No Response from NiFi to Http POST Request

Posted by Andy LoPresto <al...@apache.org>.
There’s a typo in there. The short flag for --insecure in curl is -k, not -i (--include).

Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Feb 17, 2017, at 4:52 PM, Andy LoPresto <al...@apache.org> wrote:
> 
> Jim,
> 
> In the curl command, do you use the “-i”/“--insecure” flag? The issue sounds like one where Python does not trust the NiFi server certificate presented when it attempts to make the connection. “No Authentication” in the Client Authentication setting means that NiFi is not enforcing the presence of a client certificate (one presented by Python), but it is still presenting one if you configured the StandardSSLContextService with a keystore. If NiFi is presenting a cert and using TLS, it won’t accept incoming connections on plain HTTP. You’ll have to tell Python to trust that specific certificate or the signer [1]. Luckily it looks pretty simple to provide it the PEM-encoded public certificate directly in the code to make the request.
> 
> Perhaps this crude drawing will help:
> 
> <Python HTTP request to NiFi.png>
> 
> [1] http://stackoverflow.com/a/30405947/70465
> [2] http://security.stackexchange.com/a/20847/16485
> 
> Andy LoPresto
> alopresto@apache.org
> alopresto.apache@gmail.com
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
> 
>> On Feb 16, 2017, at 11:27 AM, James McMahon <jsmcmahon3@gmail.com> wrote:
>> 
>> I am unable to get a response from my NiFi server HandleHttpRequest processor when I issue a POST from Python code on a remote box. I suspect my configuration of certs is somehow missing a vital piece of the puzzle, though that seems contrary to my configuration of HandleHttpRequest (No Authentication in parm Client Authentication). From the calling program window all we see is a message that we have made an unverified https request.
>> My HandleHttpRequest processor is configured with No Authentication in parm Client Authentication. I assumed that this meant no client cert is required for a posting program to post, but now I suspect that I am wrong about that.
>> I do include in the config for this processor an SSL Context Service, StandardSSLContextService. The service is Enabled. The service configuration references my keystore and truststore.
>> Currently we are executing the python program as user root on the remote server. We are not including any cert reference in our POST call.
>> What is lacking in my configuration?
>> We are able to get a response back from the NiFi server when we issue the POST via a curl command. Thanks in advance for your help. -Jim
> 


Re: No Response from NiFi to Http POST Request

Posted by James McMahon <js...@gmail.com>.
This sounds like it could be the problem, Andy. Thank you very much for the
insights. First thing early tomorrow when I am back at site I will try this
and see if I can establish a connection from Python and send a response.
-Jim

On Fri, Feb 17, 2017 at 7:52 PM, Andy LoPresto <al...@apache.org> wrote:

> Jim,
>
> In the curl command, do you use the “-i”/“--insecure” flag? The issue
> sounds like one where Python does not trust the NiFi server certificate
> presented when it attempts to make the connection. “No Authentication” in
> the Client Authentication setting means that NiFi is not enforcing the
> presence of a client certificate (one presented by Python), but it is still
> presenting one if you configured the StandardSSLContextService with a
> keystore. If NiFi is presenting a cert and using TLS, it won’t accept
> incoming connections on plain HTTP. You’ll have to tell Python to trust
> that specific certificate or the signer [1]. Luckily it looks pretty simple
> to provide it the PEM-encoded public certificate directly in the code to
> make the request.
>
> Perhaps this crude drawing will help:
>
>
> [1] http://stackoverflow.com/a/30405947/70465
> [2] http://security.stackexchange.com/a/20847/16485
>
> Andy LoPresto
> alopresto@apache.org
> alopresto.apache@gmail.com
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>
> On Feb 16, 2017, at 11:27 AM, James McMahon <js...@gmail.com> wrote:
>
> I am unable to get a response from my NiFi server HandleHttpRequest
> processor when I issue a POST from Python code on a remote box. I suspect
> my configuration of certs is somehow missing a vital piece of the puzzle,
> though that seems contrary to my configuration of HandleHttpRequest (No
> Authentication in parm Client Authentication). From the calling program
> window all we see is a message that we have made an unverified https
> request.
> My HandleHttpRequest processor is configured with No Authentication in
> parm Client Authentication. I assumed that this meant no client cert is
> required for a posting program to post, but now I suspect that I am wrong
> about that.
> I do include in the config for this processor an SSL Context Service,
> StandardSSLContextService. The service is Enabled. The service configuration
> references my keystore and truststore.
> Currently we are executing the python program as user root on the remote
> server. We are not including any cert reference in our POST call.
> What is lacking in my configuration?
> We are able to get a response back from the NiFi server when we issue the
> POST via a curl command. Thanks in advance for your help. -Jim
>
>
>

Re: No Response from NiFi to Http POST Request

Posted by Andy LoPresto <al...@apache.org>.
Jim,

In the curl command, do you use the “-i”/“--insecure” flag? The issue sounds like one where Python does not trust the NiFi server certificate presented when it attempts to make the connection. “No Authentication” in the Client Authentication setting means that NiFi is not enforcing the presence of a client certificate (one presented by Python), but it is still presenting one if you configured the StandardSSLContextService with a keystore. If NiFi is presenting a cert and using TLS, it won’t accept incoming connections on plain HTTP. You’ll have to tell Python to trust that specific certificate or the signer [1]. Luckily it looks pretty simple to provide it the PEM-encoded public certificate directly in the code to make the request.

Perhaps this crude drawing will help:



[1] http://stackoverflow.com/a/30405947/70465
[2] http://security.stackexchange.com/a/20847/16485

Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Feb 16, 2017, at 11:27 AM, James McMahon <js...@gmail.com> wrote:
> 
> I am unable to get a response from my NiFi server HandleHttpRequest processor when I issue a POST from Python code on a remote box. I suspect my configuration of certs is somehow missing a vital piece of the puzzle, though that seems contrary to my configuration of HandleHttpRequest (No Authentication in parm Client Authentication). From the calling program window all we see is a message that we have made an unverified https request.
> My HandleHttpRequest processor is configured with No Authentication in parm Client Authentication. I assumed that this meant no client cert is required for a posting program to post, but now I suspect that I am wrong about that.
> I do include in the config for this processor an SSL Context Service, StandardSSLContextService. The service is Enabled. The service configuration references my keystore and truststore.
> Currently we are executing the python program as user root on the remote server. We are not including any cert reference in our POST call.
> What is lacking in my configuration?
> We are able to get a response back from the NiFi server when we issue the POST via a curl command. Thanks in advance for your help. -Jim
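
Added example (not from the thread or the NiFi project): one way to do what Andy's reply describes, trusting NiFi's PEM-encoded certificate from Python instead of sending an unverified request. It uses only the standard library, which is an assumption since the thread does not say which HTTP library the poster used; the URL, file path and function names are hypothetical.

```python
# Added example: stdlib-only client that trusts one PEM file for a NiFi
# HandleHttpRequest listener. URL, path and function names are hypothetical.
import ssl
import urllib.error
import urllib.request


def nifi_tls_context(ca_pem_path):
    """Build a client context that trusts only the certificates in ca_pem_path.

    ca_pem_path holds the PEM-encoded public certificate NiFi presents (or its
    signer). Passing cafile means the system trust store is not loaded.
    """
    ctx = ssl.create_default_context(cafile=ca_pem_path)
    # Already the defaults; stated explicitly so a later edit cannot silently
    # turn verification off.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def post_to_nifi(url, body, ca_pem_path, timeout=10):
    """POST body (bytes) to the listener and return (status, response_bytes)."""
    # A TLS-enabled listener does not answer plain HTTP, so reject it early.
    if not url.lower().startswith("https://"):
        raise ValueError("listener uses TLS; the URL must start with https://")
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/octet-stream"},
    )
    try:
        with urllib.request.urlopen(
            req, timeout=timeout, context=nifi_tls_context(ca_pem_path)
        ) as resp:
            return resp.status, resp.read()
    except urllib.error.URLError as exc:
        # Untrusted signer or hostname mismatch: fix the trust file or the
        # hostname in the URL rather than disabling verification.
        if isinstance(exc.reason, ssl.SSLCertVerificationError):
            raise RuntimeError(f"NiFi certificate not trusted: {exc.reason}") from exc
        raise


if __name__ == "__main__":
    # Constructed values: replace with the real listener URL and PEM path.
    print(post_to_nifi("https://nifi.example.test:9443/ingest", b"hello",
                       "nifi-server-cert.pem"))
```

Hostname checking stays on, so the host in the URL must match a name in the certificate NiFi presents.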