Posted to users@nifi.apache.org by Samarendra Sahoo <sa...@gmail.com> on 2020/03/12 15:03:34 UTC

SSL and LDAP set-up in cluster mode

We are enabling LDAP and SSL and have been successful in a one-node cluster.
However, while running this for a 2-node cluster, we are unable to succeed; we
have put the exception below. While we are troubleshooting, we wanted to check
if there are any handy references for this.

2020-03-12 18:54:36,222 WARN [Process Cluster Protocol Request-2] o.a.n.c.p.impl.SocketProtocolListener Failed processing protocol message from bbsr02cloud10.ad.infosys.com due to javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
    at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1983)
    at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:232)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
    at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:931)
    at sun.security.ssl.AppInputStream.read(AppInputStream.java:105)
    at sun.security.ssl.AppInputStream.read(AppInputStream.java:71)
    at org.apache.nifi.stream.io.ByteCountingInputStream.read(ByteCountingInputStream.java:42)
    at java.io.FilterInputStream.read(FilterInputStream.java:83)
    at org.apache.nifi.cluster.protocol.jaxb.JaxbProtocolContext$2.unmarshal(JaxbProtocolContext.java:110)
    at org.apache.nifi.cluster.protocol.impl.SocketProtocolListener.dispatchRequest(SocketProtocolListener.java:149)
    at org.apache.nifi.io.socket.SocketListener$2$1.run(SocketListener.java:136)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)

Re: SSL and LDAP set-up in cluster mode

Posted by Samarendra Sahoo <sa...@gmail.com>.
Hi Bryan,
Yes, those are copied/merged as they got created by running the toolkit
utility.

nifi.security.keyPasswd=DudP4db9WgtTjXz8Z9EhHkAOBmthPvH8btBCD3Iw7hk

On Fri, Mar 13, 2020 at 7:13 PM Bryan Bende <bb...@gmail.com> wrote:

> Hello,
>
> Can you confirm you have set nifi.security.keyPasswd=  in nifi.properties?
>
> Thanks,
>
> Bryan

Re: SSL and LDAP set-up in cluster mode

Posted by Bryan Bende <bb...@gmail.com>.
Hello,

Can you confirm you have set nifi.security.keyPasswd=  in nifi.properties?

Thanks,

Bryan


Re: SSL and LDAP set-up in cluster mode

Posted by Samarendra Sahoo <sa...@gmail.com>.
Hi folks, we have followed the link
https://nifi.apache.org/docs/nifi-docs/html/toolkit-guide.html#standalone and
ran

sh tls-toolkit.sh standalone -n 'IPAdress_Server-1,IPAdress_Server-2' -B 'cert_pwd' -P 'keystore_pwd' -C 'CN=admin_user,OU=NIFI'

After that, we updated nifi properties and replaced keystore.jks and
truststore.jks in the respective conf directories.

We are still getting the exception below:

javax.net.ssl.SSLPeerUnverifiedException: Hostname IPAdress_Server-1 not verified: certificate: sha256/iFuXwuZnOCkARK72ayOHJk1KZywi6niooID9RMpTJ2Q= DN: CN=IPAdress_Server-1, OU=NIFI subjectAltNames: [IPAdress_Server-1]

Please help.

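Added example (not part of the original thread, and not NiFi code): the SSLPeerUnverifiedException above names a host that also appears in subjectAltNames. One condition that produces this symptom is connecting by IP literal to a certificate that carries the address as a dNSName entry rather than an iPAddress entry. The sketch below models that RFC 2818/6125 matching rule over SAN tuples in the format returned by Python's ssl.SSLSocket.getpeercert(); the addresses and host names are constructed, and that this is the cause in the thread is an assumption.

```python
import ipaddress


def _is_ip(value):
    """True if value parses as an IPv4/IPv6 literal."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _dns_match(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    head, _, rest = h.partition(".")   # wildcard covers exactly one label
    return bool(head) and rest == p[2:]


def verify_host(host, san):
    """san: (type, value) tuples as in getpeercert()['subjectAltName']."""
    if _is_ip(host):
        want = ipaddress.ip_address(host)
        # An IP literal is compared against iPAddress entries only.
        return any(kind == "IP Address" and _is_ip(val)
                   and ipaddress.ip_address(val) == want
                   for kind, val in san)
    return any(kind == "DNS" and _dns_match(val, host) for kind, val in san)


def explain(host, san):
    """Short diagnosis for a failed (or passed) check."""
    if verify_host(host, san):
        return "ok"
    if _is_ip(host) and host in [val for _, val in san]:
        return "listed only as dNSName; an IP literal needs an iPAddress SAN"
    return "no SAN entry for this name"


# Constructed sample data (documentation address range, made-up host names).
NODE_IP = "192.0.2.11"
SAN_IP_AS_DNS = (("DNS", "192.0.2.11"),)         # address stored as a DNS name
SAN_IP_AS_IP = (("IP Address", "192.0.2.11"),)   # address stored as iPAddress
SAN_HOSTNAME = (("DNS", "nifi-1.example.test"),)

if __name__ == "__main__":
    for san in (SAN_IP_AS_DNS, SAN_IP_AS_IP, SAN_HOSTNAME):
        print(NODE_IP, san, "->", explain(NODE_IP, san))
```

The same check applies to every address a node is reached by: the cluster protocol, the web API and any load balancer name each need a SAN entry of the matching type.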