Posted to users@nifi.apache.org by Ryan H <ry...@gmail.com> on 2018/03/08 13:15:37 UTC

TLS Toolkit Certs: Knox to NiFi

Hi All,

I have been working on getting a secure NiFi cluster to work with Knox. I
would like to have Knox be the entry point to NiFi. I have a NiFi cluster
running in secure mode without error. Now I would like to place Knox in
front of the cluster. I have KnoxSSO set up, which is configured with an
external OpenID provider to which users are redirected for authN. This
setup works fine when the NiFi cluster is insecure.

The error that I am getting is on the Knox side:
...
Caused by: sun.security.validator.ValidatorException: PKIX path building
failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
to find valid certification path to requested target
...

I am pretty sure it is a cert issue (I reached out to the Knox Users Group
and they think that it is a cert issue). I used the TLS Toolkit
(Client/Server mode) to generate certs for the Knox machine. I imported the
keystore.jks and truststore.jks to the Knox gateway.jks keystore. This did
not solve the issue though. Is there something else that I should be
importing into the Knox gateway.jks store based on what is generated by the
TLS Toolkit?

Any help is appreciated!

Cheers,

Ryan

Re: TLS Toolkit Certs: Knox to NiFi

Posted by Ryan H <ry...@gmail.com>.
Hi Jeff,

Yes, I wasn't sure where to post on this specific question since it
involved the TLS Toolkit. But I have responded over on the Knox thread for
this. Thanks for the help so far!

-Ryan

On Thu, Mar 8, 2018 at 12:48 PM, Jeff <jt...@gmail.com> wrote:


Re: TLS Toolkit Certs: Knox to NiFi

Posted by Jeff <jt...@gmail.com>.
Hi Ryan,

I responded to your question over on the Knox user list, but I can include
my response here as well.

I'm glad you're using the TLS Toolkit; I was going to suggest you give that
a try, initially.  The cert from the keystore generated by the toolkit that
identifies the cert to use for Knox needs to be added to gateway.jks, along
with the nifi-cert key from the truststore.  Just importing both the
keystore and truststore generated by the toolkit for Knox should be all you
have to do there, since the toolkit generates those stores with just the
nifi-key and nifi-cert in the keystore and truststore respectively.  You
should end up with three keys in gateway.jks afterward: the
gateway-identity, nifi-key, and nifi-cert keys.  Once both of those are
added to gateway.jks, and you have configured the service definition for
NiFi in your topology with useTwoWaySsl set to true, the two-way SSL
handshake should succeed.

Also, you will want to add the DN from that nifi-key as a node identity (in
the same place you set the initial admin identity) so that NiFi can create
a "user" to represent the Knox node and add a policy for you to allow that
node/identity to proxy requests, if you haven't already done so.

In nifi.properties, set nifi.web.proxy.context.path to
"/gateway/sandbox/nifi-app".  The host and port of the Knox service should
also be set for nifi.web.proxy.host.

After adding the keystore and truststore material to gateway.jks, adding a
user and policy for NiFi to identify and authorize Knox for proxying, and
updating nifi.properties as mentioned above, Knox should be able to proxy NiFi
securely.

On Thu, Mar 8, 2018 at 8:15 AM Ryan H <ry...@gmail.com>
wrote:

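As an added example (not Jeff's or the NiFi/Knox projects' own code), here is the keytool merge Jeff describes, followed by two checks on the result: one for the three aliases he says gateway.jks must end up with, one for the two nifi.properties proxy settings. Directory paths and passwords are assumed placeholders, and the keytool listing at the bottom is constructed.

```shell
#!/bin/sh
# Merge the TLS Toolkit output for the Knox host into Knox's gateway.jks,
# then verify the result. Paths and passwords are assumptions; adjust them.
TOOLKIT_DIR=${TOOLKIT_DIR:-./knox-host}       # toolkit client-mode output dir (assumed)
GATEWAY_JKS=${GATEWAY_JKS:-./gateway.jks}     # Knox gateway keystore (assumed path)
GATEWAY_PASS=${GATEWAY_PASS:-changeit}        # placeholder passwords (assumed)
KEYSTORE_PASS=${KEYSTORE_PASS:-changeit}
TRUSTSTORE_PASS=${TRUSTSTORE_PASS:-changeit}

# Import the Knox private key + cert (alias nifi-key) and the CA cert every
# NiFi node trusts (alias nifi-cert). gateway-identity is already in the store.
import_toolkit_material() {
  keytool -importkeystore -noprompt \
    -srckeystore "$TOOLKIT_DIR/keystore.jks" -srcstorepass "$KEYSTORE_PASS" \
    -destkeystore "$GATEWAY_JKS" -deststorepass "$GATEWAY_PASS" &&
  keytool -importkeystore -noprompt \
    -srckeystore "$TOOLKIT_DIR/truststore.jks" -srcstorepass "$TRUSTSTORE_PASS" \
    -destkeystore "$GATEWAY_JKS" -deststorepass "$GATEWAY_PASS"
}

# Reads a `keytool -list` listing on stdin; returns 0 only when all three
# aliases Jeff lists are present, naming any that are missing on stderr.
check_aliases() {
  listing=$(cat); rc=0
  for entry in gateway-identity nifi-key nifi-cert; do
    case "$listing" in
      *"$entry,"*) ;;
      *) echo "missing alias: $entry" >&2; rc=1 ;;
    esac
  done
  return $rc
}

# Returns 0 when nifi.properties ($1) sets both proxy values to a non-empty string.
check_proxy_props() {
  for key in nifi.web.proxy.context.path nifi.web.proxy.host; do
    grep -q "^$key=..*" "$1" || { echo "unset: $key" >&2; return 1; }
  done
}

# Constructed `keytool -list` output for a correctly merged gateway.jks.
SAMPLE_LISTING='Your keystore contains 3 entries

gateway-identity, Mar 8, 2018, PrivateKeyEntry,
nifi-key, Mar 8, 2018, PrivateKeyEntry,
nifi-cert, Mar 8, 2018, trustedCertEntry,'

# Live use (needs keytool on PATH):
#   import_toolkit_material &&
#   keytool -list -keystore "$GATEWAY_JKS" -storepass "$GATEWAY_PASS" | check_aliases
```

If check_aliases reports nifi-cert missing, the PKIX "unable to find valid certification path" error on the Knox side is expected, since Knox then has no trust anchor for the NiFi node certificates.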