Posted to users@nifi.apache.org by Jean-Sebastien Vachon <js...@brizodata.com> on 2022/05/12 01:23:11 UTC

Problem with using SSL certificates to authenticate users

Hi all,

I've been following this guide: https://www.linkedin.com/pulse/configuring-ssltls-authentication-apache-nifi-dhruv-sahu/
to configure Nifi to accept SSL certificates for user authentication.

I created all the components and imported and trusted the user certificate but the browser still complains about the certificate not being valid.



I tailed Nifi's log but there is nothing in there being reported so I figure the issue lies between the browser and the certificate.

If I use keytool to list the server's truststore content, I can see my user with the following DN




Nifi is configured with the same DN


I'm using a FileAuthorizer


Any idea where the problem lies?

Thanks

Jean-Sébastien Vachon
Co-Founder & Architect
Brizo Data, Inc.
www.brizodata.com

Re: Problem with using SSL certificates to authenticate users

Posted by Jean-Sebastien Vachon <js...@brizodata.com>.
I finally got it working by starting over and following this old guide:

https://bryanbende.com/development/2016/08/17/apache-nifi-1-0-0-authorization-and-multi-tenancy


Thanks

Jean-Sébastien Vachon
Co-Founder & Architect
Brizo Data, Inc.
www.brizodata.com

Re: Problem with using SSL certificates to authenticate users

Posted by Jean-Sebastien Vachon <js...@brizodata.com>.
Thanks for the hint. I do have a keystore that includes the certificate. Here are the steps I did...

Create Client certificate:

openssl req -x509 -newkey rsa:2048 -keyout admin-private-key.pem -out admin-cert.pem -days 365 -subj "/CN=admin User/C=CA/L=Quebec" -nodes
openssl pkcs12 -inkey admin-private-key.pem -in admin-cert.pem -export -out admin-user.pfx -passout pass:"somepass"

I then imported the admin-user.pfx file in my browser into the "Personal" tab but then I saw this message when viewing the imported certificate.
"This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store."
So, I imported it into the Trusted Root CA as well.

On the server side, I did the following:

I copied my admin-cert.pem file to the server.

keytool -genkeypair -alias nifiserver -keyalg RSA -keypass somepass -storepass somepass -keystore server_keystore.jks -dname "CN=NiFi Server" -noprompt

keytool -importcert -v -trustcacerts -alias admin -file admin-cert.pem -keystore server_truststore.jks  -storepass somepass -noprompt

I configured Nifi to use the two stores:

nifi.security.keystore=/root/ssl/server_keystore.jks
nifi.security.keystoreType=JKS
nifi.security.keystorePasswd=somepass
nifi.security.keyPasswd=somepass
nifi.security.truststore=/root/ssl/server_truststore.jks
nifi.security.truststoreType=JKS
nifi.security.truststorePasswd=somepass
nifi.security.user.authorizer=file-provider
nifi.security.allow.anonymous.authentication=false
nifi.security.user.login.identity.provider=
nifi.security.user.jws.key.rotation.period=PT1H
nifi.security.ocsp.responder.url=
nifi.security.ocsp.responder.certificate=


I am, obviously, missing something.

Thanks

Jean-Sébastien Vachon
Co-Founder & Architect
Brizo Data, Inc.
www.brizodata.com
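The message above compares the DN that keytool lists for the admin certificate with the identity configured in NiFi. Both keytool and NiFi print Java's rendering of the subject, which lists RDNs in the reverse of the order given to openssl -subj, so an authorizers.xml identity typed straight from the -subj string ("CN=admin User, C=CA, L=Quebec") will not match. The following added example (not from the thread, not NiFi code; parse_openssl_subj, java_style_dn and identity_matches are names chosen here) derives that rendering from an openssl -subj string so the configured identity can be checked before the certificate is issued:

```python
import re
from typing import List, Tuple

# RFC 2253 special characters. Java quotes or escapes these in its output and the
# exact rule is out of scope here, so such values are rejected rather than guessed.
_SPECIAL = ',+"\\<>;'


def parse_openssl_subj(subj: str) -> List[Tuple[str, str]]:
    """Split an openssl '-subj' string such as '/CN=admin User/C=CA/L=Quebec'
    into (type, value) pairs in encoding order. A '\\/' inside a value is a
    literal slash, as openssl treats it."""
    rdns = []
    for part in re.split(r'(?<!\\)/', subj):
        if not part:
            continue
        if '=' not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        typ, val = part.split('=', 1)
        rdns.append((typ.strip().upper(), val.replace('\\/', '/')))
    if not rdns:
        raise ValueError("empty subject")
    return rdns


def java_style_dn(subj: str) -> str:
    """Render the subject as Java's X500Principal.toString() does (and as
    'keytool -list -v' prints it): most specific RDN first, i.e. the reverse
    of the -subj order, joined with ', '."""
    rdns = parse_openssl_subj(subj)
    for _, val in rdns:
        if any(ch in _SPECIAL for ch in val) or val != val.strip():
            raise ValueError(f"value needs RFC 2253 quoting, not handled: {val!r}")
    return ', '.join(f"{typ}={val}" for typ, val in reversed(rdns))


def identity_matches(subj: str, configured_identity: str) -> bool:
    """NiFi's file-based authorizer compares identities as exact, case-sensitive
    strings, so the rendered DN must equal the authorizers.xml entry verbatim."""
    return java_style_dn(subj) == configured_identity


if __name__ == "__main__":
    # Constructed input: the -subj used for the admin certificate in the thread.
    subj = "/CN=admin User/C=CA/L=Quebec"
    print(java_style_dn(subj))                                      # L=Quebec, C=CA, CN=admin User
    print(identity_matches(subj, "CN=admin User, C=CA, L=Quebec"))  # False: typed in -subj order
```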

Re: Problem with using SSL certificates to authenticate users

Posted by Juan Pablo Gardella <ga...@gmail.com>.
You have to use a keystore file including the CA that signed the
certificate to make TLS authentication for one side and then nifi
authorization. Without TLS it will complain. Try importing the certificate
as p12 on Firefox.

Juan
