Posted to users@nifi.apache.org by "Rosso, Roland" <Ro...@AdventHealth.com> on 2021/03/23 13:27:34 UTC

NiFi Registry SSL question

Hi all,
I am moving things around and moving from self-signed certs to corporate certs.
I've installed nifi 1.12 with a new truststore and keystore (use toolkit with external certs) and that seems fine.
I added the cert from the registry server (old self signed) into the new nifi 1.12 truststore and the new server cert (signed with corporate CA) into the nifi registry truststore (again, self signed).
I also added the server 'user' CN=server.domain, OU=NIFI into the registry and made the permission grants (proxy, buckets). I don't get any SSL errors in the logs but cannot add a PG via registry (no available bucket).
Is this setup possible and am I missing something, or do all NiFi nodes and registry need to be signed with the same key? The idea was to setup a new instance (on new server), pull all PGs via registry into the new and retiring the old.

Thanks,
Roland


This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or may constitute as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, notify us immediately by telephone and (i) destroy this message if a facsimile or (ii) delete this message immediately if this is an electronic communication. Thank you.

Re: [EXTERNAL] Re: NiFi Registry SSL question

Posted by Bryan Bende <bb...@gmail.com>.
Also try adding the following to NiFi Registry's logback.xml, then see what is
in the nifi-registry-app log when you make a request from NiFi to start
version control:

<logger name="org.apache.nifi.registry.security" level="DEBUG"/>

On Tue, Mar 30, 2021 at 1:14 PM Bryan Bende <bb...@gmail.com> wrote:

> Not sure if this is related, but in one part it shows the Owner as:
>
> CN= server_name.domain.net, OU=NIFI
>
> There is a space between "CN=" and "server_name", but the identity in NiFi
> Registry does not have a space there.
>
> Also, in the second trustedCertEntry, the Owner is "CN=server.domain.net,
> OU=NIFI" and shows the issuer as localhost, so I assume this is the one
> that came from NiFi Toolkit.
>
> If NiFi is presenting a cert with this DN then you would need a user in
> registry with the identity "CN=server.domain.net, OU=NIFI" which is
> different from "CN=server_domain.net, OU=NIFI"
>
> On Tue, Mar 30, 2021 at 12:35 PM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
>> Bryan, David,
>>
>>
>>
>> Where
>>
>> In NiFi Registry Truststore:
>>
>> Alias name: server_name-nifi-cert
>> Creation date: Mar 29, 2021
>> Entry type: trustedCertEntry
>>
>> Owner: CN= server_name.domain.net, OU=NIFI  <-- exact match to entry above
>> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION,
>> ST=XX, C=US  <-- corporate CA switch
>>
>> This worked fine when we used the self-signed NiFi certs of the type:
>>
>>
>>
>> Alias name: server_name-nifi-cert
>>
>> Creation date: date
>>
>> Entry type: trustedCertEntry
>>
>> Owner: CN=server.domain.net, OU=NIFI
>>
>> Issuer: CN=localhost, OU=NIFI
>>
>>
>>
>> *Roland *
>>
>>
>>
>> *From:* Bryan Bende <bb...@gmail.com>
>> *Sent:* Tuesday, March 30, 2021 8:58 AM
>> *To:* users@nifi.apache.org
>> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>>
>>
>>
>> Since you aren't getting SSL errors and you are just getting no buckets,
>> I don't think it is a problem with certificates. I think it is a problem
>> with the authorization on NiFi Registry side.
>>
>>
>>
>> What version of NiFi Registry? and also, can you show what policies exist
>> for the NiFi server user in NiFi Registry?
>>
>>
>>
>> On Tue, Mar 30, 2021 at 8:12 AM Chris McKeever <cg...@gmail.com>
>> wrote:
>>
>> Hey Roland .. I ran into a bunch of issues with using the toolkit. I just
>> couldn't get it to do what I needed, I wound up just running my own openssl
>> and keytool commands. I found it much more straightforward and then I could
>> know what all was going on. I'm sure after I got these scars, and I
>> understood all the bits, that toolkit would work and be simpler, but I did
>> find rolling my own, especially with the external CA, was easier.
>>
>>
>>
>> also - if you are on slack, there is an active nifi community there that
>> may be helpful as well ..
>>
>>
>>
>> On Tue, Mar 30, 2021 at 6:17 AM Rosso, Roland <
>> Roland.Rosso@adventhealth.com> wrote:
>>
>> David,
>>
>> Thanks for the debug config.
>>
>> Here is an output when I try to connect to the registry from that new
>> server, Import a PG.
>>
>> Since we have a few servers running, it is a very verbose log.
>>
>> I may have missed the useful part of the log. 😊
>>
>>
>>
>> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut ... no IV derived for this protocol
>>
>> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
>> Handshake, length = 85
>>
>> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
>>
>> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut upcoming handshake states: server
>> finished[20]
>>
>> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut upcoming handshake states: client
>> change_cipher_spec[-1]
>>
>> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut upcoming handshake states: client
>> finished[20]
>>
>> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
>> Change Cipher Spec, length = 1
>>
>> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut *** Finished
>>
>> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut verify_data:  { 20, 87, 186, 148, 90, 136,
>> 108, 120, 14, 10, 42, 184 }
>>
>> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut ***
>>
>> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut update handshake state: finished[20]
>>
>> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut upcoming handshake states: client
>> change_cipher_spec[-1]
>>
>> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut upcoming handshake states: client
>> finished[20]
>>
>> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
>> Handshake, length = 96
>>
>> 2021-03-30 06:57:50,223 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2
>> Change Cipher Spec, length = 1
>>
>> 2021-03-30 06:57:50,223 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
>>
>> 2021-03-30 06:57:50,223 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut upcoming handshake states: client
>> finished[20]
>>
>> 2021-03-30 06:57:50,223 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2
>> Handshake, length = 96
>>
>> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut check handshake state: finished[20]
>>
>> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut update handshake state: finished[20]
>>
>> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut *** Finished
>>
>> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut verify_data:  { 155, 211, 15, 169, 135,
>> 208, 90, 115, 111, 50, 85, 164 }
>>
>> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut ***
>>
>> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, READ: TLSv1.2
>> Alert, length = 80
>>
>> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, RECV TLSv1.2
>> ALERT:  warning, close_notify
>>
>> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40,
>> closeInboundInternal()
>>
>> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40,
>> closeOutboundInternal()
>>
>> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, SEND TLSv1.2
>> ALERT:  warning, description = close_notify
>>
>> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, WRITE: TLSv1.2
>> Alert, length = 80
>>
>> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, called
>> closeOutbound()
>>
>> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40,
>> closeOutboundInternal()
>>
>> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2
>> Alert, length = 80
>>
>> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, RECV TLSv1.2
>> ALERT:  warning, close_notify
>>
>> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35,
>> closeInboundInternal()
>>
>> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35,
>> closeOutboundInternal()
>>
>> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, SEND TLSv1.2
>> ALERT:  warning, description = close_notify
>>
>> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
>> Alert, length = 80
>>
>> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, called
>> closeOutbound()
>>
>> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
>> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35,
>> closeOutboundInternal()
>>
>>
>>
>> *Roland *
>>
>>
>>
>> *From:* David Handermann <ex...@gmail.com>
>> *Sent:* Monday, March 29, 2021 11:56 PM
>> *To:* users@nifi.apache.org
>> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>>
>>
>>
>> Hi Roland,
>>
>>
>>
>> Thanks for the reply.  If you are not seeing any warnings or errors in
>> the NiFi Registry logs, you could enable SSL debugging in the NiFi Registry
>> bootstrap.conf.  Adding the following line to bootstrap.conf should enable
>> SSL debug output to the nifi-registry-bootstrap.log:
>>
>>
>>
>> java.arg.20=-Djavax.net.debug=ssl
>>
>>
>>
>> This setting produces a lot of output, but if you watch the log after the
>> initial application startup, you should be able to observe the TLS
>> handshake when NiFi attempts to list buckets from NiFi Registry.  The log
>> output should at least confirm that the certificate exchange is occurring
>> as expected.
>>
>>
>>
>> Regards,
>>
>> David Handermann
>>
>>
>>
>> On Mon, Mar 29, 2021 at 10:34 PM Rosso, Roland <
>> Roland.Rosso@adventhealth.com> wrote:
>>
>> Hi David,
>>
>>
>>
>> I use the nifi-toolkit to create the keystore and truststore to make sure
>> clientAuth and serverAuth is set properly.
>>
>>
>>
>> This is a ‘working’ config.
>>
>> Keystore:
>>
>> Alias name: nifi-key
>>
>> Creation date: date
>>
>> Entry type: PrivateKeyEntry
>>
>>
>>
>> Truststore:
>>
>> Alias name: server_name-nifi-cert
>>
>> Creation date: date
>>
>> Entry type: trustedCertEntry
>>
>>
>>
>> Owner: CN=server.domain.net, OU=NIFI
>>
>> Issuer: CN=localhost, OU=NIFI
>>
>>
>>
>> The issue with the new setup is using external CA, also created via the
>> nifi-toolkit, new NiFi install working fine (from a SSL perspective),
>> Registry connecting but can’t list buckets.
>>
>>
>>
>> Alias name: server_name-nifi-cert
>> Creation date: Mar 29, 2021
>> Entry type: trustedCertEntry
>>
>> Owner: CN= server_name.domain.net, OU=NIFI
>> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION,
>> ST=XX, C=US
>>
>>
>>
>> Thanks,
>> Roland
>>
>>
>>
>> *From:* David Handermann <ex...@gmail.com>
>> *Sent:* Monday, March 29, 2021 9:27 PM
>> *To:* users@nifi.apache.org
>> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>>
>>
>>
>> Hi Roland,
>>
>>
>>
>> Can you provide the commands you are using to create the server
>> keystores?  Listing the keystore contents using "keytool -list -v -keystore
>> <keystoreFile>" should include an Entry Type of "PrivateKeyEntry", so it
>> would be helpful to confirm that the keystore includes a PrivateKeyEntry
>> and not a TrustedCertEntry.
>>
>>
>>
>> Regards,
>>
>> David Handermann
>>
>>
>>
>> On Mon, Mar 29, 2021 at 5:49 PM Rosso, Roland <
>> Roland.Rosso@adventhealth.com> wrote:
>>
>> I've tried this one more time (Nifi 1.12.1 to Registry 0.6.0).
>> Re-signed/Re-imported the certs.
>>
>> The new "server" cert is of the type:
>>
>> Alias name: server_name-nifi-cert
>> Creation date: Mar 29, 2021
>> Entry type: trustedCertEntry
>>
>> Owner: CN= server_name.domain.net, OU=NIFI
>> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION,
>> ST=XX, C=US
>>
>> [blah]
>>
>> I am adding the "server user" 'CN= server_name.domain.net, OU=NIFI' to
>> the registry with all the grants. I don't see any errors in the logs but
>> still cannot properly link it to the existing buckets. Should I add the
>> "server user" in a different manner since the cert issuer is not 'Issuer:
>> CN=localhost, OU=NIFI'?
>> The other servers' certs that are signed with 'Issuer: CN=localhost,
>> OU=NIFI' work just fine (Nifi 1.9.2 to Registry 0.6.0).
>> Is there a way to increase the logs as well?
>>
>> Many thanks,
>> Roland
>>
>> -----Original Message-----
>> From: Rosso, Roland <Ro...@AdventHealth.com>
>> Sent: Thursday, March 25, 2021 2:21 PM
>> To: users@nifi.apache.org
>> Subject: RE: [EXTERNAL] Re: NiFi Registry SSL question
>>
>> Thank you Bryan,
>> I've tried all combinations I could think of.
>> I'll re-sign all the certs with the same key for nifi and registry and try
>> this again.
>>
>> Thanks,
>> Roland
>>
>> -----Original Message-----
>> From: Bryan Bende <bb...@gmail.com>
>> Sent: Tuesday, March 23, 2021 3:48 PM
>> To: users@nifi.apache.org
>> Subject: [EXTERNAL] Re: NiFi Registry SSL question
>>
>> I think the issue might be related to the "server user" in nifi registry.
>> I would double check that the way the identity was entered in registry
>> exactly matches the identity from nifi's certificate, case-sensitive and
>> white-space sensitive. Also make sure this user in registry is granted all
>> of the Proxy permissions, it is broken out into three different actions now
>> (read, write, delete).
>>
>> On Tue, Mar 23, 2021 at 9:28 AM Rosso, Roland <
>> Roland.Rosso@adventhealth.com> wrote:
>> >
>> > Hi all,
>> >
>> > I am moving things around and moving from self-signed certs to
>> corporate certs.
>> >
>> > I’ve installed nifi 1.12 with a new truststore and keystore (use
>> toolkit with external certs) and that seems fine.
>> >
>> > I added the cert from the registry server (old self signed) into the
>> new nifi 1.12 truststore and the new server cert (signed with corporate CA)
>> into the nifi registry truststore (again, self signed).
>> >
>> > I also added the server ‘user’ CN=server.domain, OU=NIFI into the
>> registry and made the permission grants (proxy, buckets). I don’t get any
>> SSL errors in the logs but cannot add a PG via registry (no available
>> bucket).
>> >
>> > Is this setup possible and am I missing something, or do all NiFi nodes
>> and registry need to be signed with the same key? The idea was to setup a
>> new instance (on new server), pull all PGs via registry into the new and
>> retiring the old.
>> >
>> >
>> >
>> > Thanks,
>> >
>> > Roland
>> >
>
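
An added triage script for the javax.net.debug=ssl output David suggested above (example code written for this page, not part of NiFi or NiFi Registry). It reads bootstrap/StdOut lines in the shape Roland posted, unwrapped to one record per line, and reports per server thread whether the connection reached application data, stalled in the handshake, or ended in an alert; the excerpt below is constructed, and thread 61 with its fatal certificate_unknown alert is invented only to show the failure case.

```python
import re
from collections import defaultdict

# Constructed excerpt in the shape of the javax.net.debug=ssl lines above, with each
# record unwrapped onto a single line. Thread 61 and its fatal alert are invented to
# show what a failed certificate exchange looks like; nothing here is from a real host.
SAMPLE_LOG = """\
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Handshake, length = 85
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut *** Finished
2021-03-30 06:57:50,226 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 926
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, READ: TLSv1.2 Alert, length = 80
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, RECV TLSv1.2 ALERT:  warning, close_notify
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, SEND TLSv1.2 ALERT:  warning, description = close_notify
2021-03-30 06:57:55,001 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-61, READ: TLSv1.2 Handshake, length = 512
2021-03-30 06:57:55,003 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-61, RECV TLSv1.2 ALERT:  fatal, certificate_unknown
"""

# Only lines carrying the server thread name can be tied to one connection; the
# untagged "*** Finished" / "update handshake state" lines are skipped on purpose,
# because with several NiFi nodes talking at once they interleave across threads.
THREAD_RE = re.compile(r"(NiFi Registry Web Server-\d+), (?P<rest>.*)$")
RECORD_RE = re.compile(r"(READ|WRITE): TLSv1\.\d (Handshake|Change Cipher Spec|Application Data|Alert)")
ALERT_RE = re.compile(r"(RECV|SEND) TLSv1\.\d ALERT:\s+(\w+), (?:description = )?(\w+)")


def parse_tls_debug(log_text):
    """Per thread: were Handshake records and Application Data seen, and which alerts fired."""
    threads = defaultdict(lambda: {"handshake": False, "app_data": False, "alerts": []})
    for line in log_text.splitlines():
        m = THREAD_RE.search(line)
        if not m:
            continue
        state = threads[m.group(1)]
        rest = m.group("rest")
        rec = RECORD_RE.search(rest)
        if rec and rec.group(2) == "Handshake":
            state["handshake"] = True
        elif rec and rec.group(2) == "Application Data":
            state["app_data"] = True
        alert = ALERT_RE.search(rest)
        if alert:
            state["alerts"].append(alert.groups())  # (direction, level, description)
    return dict(threads)


def verdict(state):
    """Plain-language reading of one connection's state."""
    fatal = [a for a in state["alerts"] if a[1] == "fatal"]
    if fatal:
        return "fatal alert: " + ", ".join(a[2] for a in fatal)
    if state["app_data"]:
        # Application Data only flows after the handshake finished, so the
        # certificate exchange itself succeeded; look at authorization next.
        return "ok: handshake completed, application data exchanged"
    if state["handshake"]:
        return "incomplete: handshake records seen but no application data"
    if state["alerts"] and all(a[2] == "close_notify" for a in state["alerts"]):
        return "closed: only close_notify seen in this excerpt"
    return "unknown: no TLS records attributed to this thread"


def triage(log_text):
    return {thread: verdict(state) for thread, state in parse_tls_debug(log_text).items()}


if __name__ == "__main__":
    for thread, result in sorted(triage(SAMPLE_LOG).items()):
        print(f"{thread}: {result}")
```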

Re: [EXTERNAL] NiFi Registry SSL question

Posted by M Tien <mt...@gmail.com>.
Hi Roland,
I recently had a similar issue where my secured NiFi and Registry instances were able to connect but not list buckets. My problem traced back to my NiFi authorizers.xml in the conf directory, where I didn’t include the server certificate as a User Identity.

If possible, can you show what you have listed for <userGroupProvider> and <accessPolicyProvider> in your authorizers.xml?

Best,
Margot

> On Mar 30, 2021, at 11:08 AM, Bryan Bende <bb...@gmail.com> wrote:
> 
> If the issue is related to the server user, then there would be something like this:
> 
> "Untrusted proxy [%s] for %s operation."
> 
> Where the first parameter would be the identity of the nifi server and the second parameter would be READ/WRITE/DELETE.
> 
> Also search for whatever user identity you are using in nifi since that will be sent as a proxied entity.
> 
> On Tue, Mar 30, 2021 at 1:54 PM Rosso, Roland <Roland.Rosso@adventhealth.com> wrote:
> Bryan,
> 
> Tried the below:
> 
> “Also try adding the following NiFi Registry's logback.xml then see what is in the nifi-registry-app log when you make a request from NiFi to start version control:
> 
> <logger name="org.apache.nifi.registry.security" level="DEBUG"/>”
> 
>  
> 
> I tried to add a flow to version control or pull a new PG. Since we have 5 instances connected to that registry, hard to say which is doing what, but I can find all the instances in nifi-registry-app.log but not the one that’s not connecting right.
> 
> Anything specific you want me to look for in that log?
> 
>  
> 
> Thanks,
> 
> Roland Rosso
> AdventHealth
> Big Data Administrator | Corporate Analytics
> O: 407-805-8532
> 
>  
> 
> From: Rosso, Roland <Ro...@AdventHealth.com> 
> Sent: Tuesday, March 30, 2021 1:28 PM
> To: users@nifi.apache.org
> Subject: RE: [EXTERNAL] Re: NiFi Registry SSL question
> 
>  
> 
> So,
> 
> CN= server_name.domain.net, OU=NIFI
> 
>  
> 
> It decided to hyperlink it so the ‘_’ was hidden
> 
>  
> 
> Both sets of certs were generated with the toolkit, albeit the first one 2 years ago with self-signed certs, and I need to move it to corporate CA.
> 
>  
> 
> New Server Cert:
> 
> Alias name: server_name-nifi-cert
> 
> Creation date: Mar 29, 2021
> 
> Entry type: trustedCertEntry
> 
>  
> 
> Owner: CN= server_name.domain.net, OU=NIFI  <- exact match to entry above
> 
> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US  <- corporate CA switch
> 
> This worked fine when we used the self-signed NiFi certs of the type:
> 
>  
> 
> Old Server Cert: (this was working but I need to use the above now)
> 
> Alias name: server_name-nifi-cert
> 
> Creation date: date
> 
> Entry type: trustedCertEntry
> 
> Owner: CN=server.domain.net, OU=NIFI
> 
> Issuer: CN=localhost, OU=NIFI
> 
>  
> 
> Thanks,
> 
> Roland Rosso
> AdventHealth
> Big Data Administrator | Corporate Analytics
> O: 407-805-8532
> 
>  
> 
> From: Bryan Bende <bbende@gmail.com>
> Sent: Tuesday, March 30, 2021 1:14 PM
> To: users@nifi.apache.org
> Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question
> 
>  
> 
> Not sure if this is related, but in one part it shows the Owner as:
> 
>  
> 
> CN= server_name.domain.net, OU=NIFI
> 
>  
> 
> There is a space between "CN=" and "server_name", but the identity in NiFi Registry does not have a space there.
> 
>  
> 
> Also, in the second trustedCertEntry, the Owner is "CN=server.domain.net, OU=NIFI" and shows the issuer as localhost, so I assume this is the one that came from NiFi Toolkit.
> 
>  
> 
> If NiFi is presenting a cert with this DN then you would need a user in registry with the identity "CN=server.domain.net, OU=NIFI" which is different from "CN=server_domain.net, OU=NIFI"
> 
>  
> 
> On Tue, Mar 30, 2021 at 12:35 PM Rosso, Roland <Roland.Rosso@adventhealth.com> wrote:
> 
> Bryan, David,
> 
>  
> 
> [attached screenshot image001.png not reproduced]
> 
> Where
> 
> In NiFi Registry Truststore:
> 
> Alias name: server_name-nifi-cert
> Creation date: Mar 29, 2021
> Entry type: trustedCertEntry
> 
> Owner: CN= server_name.domain.net, OU=NIFI  <- exact match to entry above
> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US  <- corporate CA switch
> 
> This worked fine when we used the self-signed NiFi certs of the type:
> 
>  
> 
> Alias name: server_name-nifi-cert
> 
> Creation date: date
> 
> Entry type: trustedCertEntry
> 
> Owner: CN=server.domain.net, OU=NIFI
> 
> Issuer: CN=localhost, OU=NIFI
> 
>  
> 
> Roland
> 
>  
> 
> From: Bryan Bende <bbende@gmail.com>
> Sent: Tuesday, March 30, 2021 8:58 AM
> To: users@nifi.apache.org
> Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question
> 
>  
> 
> Since you aren't getting SSL errors and you are just getting no buckets, I don't think it is a problem with certificates. I think it is a problem with the authorization on NiFi Registry side.
> 
>  
> 
> What version of NiFi Registry? and also, can you show what policies exist for the NiFi server user in NiFi Registry?
> 
>  
> 
> On Tue, Mar 30, 2021 at 8:12 AM Chris McKeever <cgmckeever@gmail.com> wrote:
> 
> Hey Roland .. I ran into a bunch of issues with using the toolkit. I just couldn't get it to do what I needed, I wound up just running my own openssl and keytool commands. I found it much more straightforward and then I could know what all was going on. I'm sure after I got these scars, and I understood all the bits that toolkit would work and be simpler, but I did find rolling my own, especially with the external CA was easier.
> 
>  
> 
> also - if you are on slack, there is an active nifi community there that may be helpful as well .. 
> 
>  
> 
> On Tue, Mar 30, 2021 at 6:17 AM Rosso, Roland <Roland.Rosso@adventhealth.com> wrote:
> 
> David,
> 
> Thanks for the debug config.
> 
> Here is an output when I try to connect to the registry from that new server, Import a PG.
> 
> Since we have a few servers running, it is a very verbose log.
> 
> I may have missed the useful part of the log. 😊
> 
>  
> 
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut ... no IV derived for this protocol
> 
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Handshake, length = 85
> 
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
> 
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: server finished[20]
> 
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client change_cipher_spec[-1]
> 
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client finished[20]
> 
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Change Cipher Spec, length = 1
> 
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut *** Finished
> 
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut verify_data:  { 20, 87, 186, 148, 90, 136, 108, 120, 14, 10, 42, 184 }
> 
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut ***
> 
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: finished[20]
> 
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client change_cipher_spec[-1]
> 
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client finished[20]
> 
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Handshake, length = 96
> 
> 2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 Change Cipher Spec, length = 1
> 
> 2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
> 
> 2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client finished[20]
> 
> 2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 Handshake, length = 96
> 
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut check handshake state: finished[20]
> 
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: finished[20]
> 
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut *** Finished
> 
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut verify_data:  { 155, 211, 15, 169, 135, 208, 90, 115, 111, 50, 85, 164 }
> 
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut ***
> 
> 2021-03-30 06:57:50,226 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 926
> 
> 2021-03-30 06:57:50,228 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1100
> 
> 2021-03-30 06:57:50,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1018
> 
> 2021-03-30 06:57:50,231 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1049
> 
> 2021-03-30 06:57:50,233 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1010
> 
> 2021-03-30 06:57:50,234 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 928
> 
> 2021-03-30 06:57:50,236 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 924
> 
> 2021-03-30 06:57:50,237 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
> 
> 2021-03-30 06:57:50,239 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 919
> 
> 2021-03-30 06:57:50,240 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1007
> 
> 2021-03-30 06:57:50,241 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 999
> 
> 2021-03-30 06:57:50,243 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 916
> 
> 2021-03-30 06:57:50,245 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 996
> 
> 2021-03-30 06:57:50,247 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1102
> 
> 2021-03-30 06:57:50,248 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 942
> 
> 2021-03-30 06:57:50,250 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
> 
> 2021-03-30 06:57:50,251 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 919
> 
> 2021-03-30 06:57:50,253 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 938
> 
> 2021-03-30 06:57:50,254 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 942
> 
> 2021-03-30 06:57:50,255 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 923
> 
> 2021-03-30 06:57:50,256 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 944
> 
> 2021-03-30 06:57:50,258 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 946
> 
> 2021-03-30 06:57:50,259 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1006
> 
> 2021-03-30 06:57:50,261 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 932
> 
> 2021-03-30 06:57:50,263 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 912
> 
> 2021-03-30 06:57:50,264 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 943
> 
> 2021-03-30 06:57:50,266 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1026
> 
> 2021-03-30 06:57:50,267 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 975
> 
> 2021-03-30 06:57:50,269 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 915
> 
> 2021-03-30 06:57:50,270 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 914
> 
> 2021-03-30 06:57:50,271 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 931
> 
> 2021-03-30 06:57:50,272 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 929
> 
> 2021-03-30 06:57:50,274 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 910
> 
> 2021-03-30 06:57:50,275 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
> 
> 2021-03-30 06:57:50,276 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 911
> 
> 2021-03-30 06:57:50,277 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 918
> 
> 2021-03-30 06:57:50,279 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 927
> 
> 2021-03-30 06:57:50,280 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 913
> 
> 2021-03-30 06:57:50,281 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 923
> 
> 2021-03-30 06:57:50,282 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 928
> 
> 2021-03-30 06:57:50,284 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 937
> 
> 2021-03-30 06:57:50,285 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1042
> 
> 2021-03-30 06:57:50,286 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 939
> 
> 2021-03-30 06:57:50,287 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 939
> 
> 2021-03-30 06:57:50,289 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 922
> 
> 2021-03-30 06:57:50,290 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 919
> 
> 2021-03-30 06:57:50,291 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 930
> 
> 2021-03-30 06:57:50,292 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 933
> 
> 2021-03-30 06:57:50,293 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 930
> 
> 2021-03-30 06:57:50,295 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 931
> 
> 2021-03-30 06:57:50,296 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 922
> 
> 2021-03-30 06:57:50,297 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 947
> 
> 2021-03-30 06:57:50,298 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 905
> 
> 2021-03-30 06:57:50,300 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1166
> 
> 2021-03-30 06:57:50,301 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 914
> 
> 2021-03-30 06:57:50,302 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 898
> 
> 2021-03-30 06:57:50,303 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 908
> 
> 2021-03-30 06:57:50,304 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 989
> 
> 2021-03-30 06:57:50,306 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 911
> 
> 2021-03-30 06:57:50,307 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
> 
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, READ: TLSv1.2 Alert, length = 80
> 
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, RECV TLSv1.2 ALERT:  warning, close_notify
> 
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, closeInboundInternal()
> 
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, closeOutboundInternal()
> 
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, SEND TLSv1.2 ALERT:  warning, description = close_notify
> 
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, WRITE: TLSv1.2 Alert, length = 80
> 
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, called closeOutbound()
> 
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, closeOutboundInternal()
> 
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 Alert, length = 80
> 
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, RECV TLSv1.2 ALERT:  warning, close_notify
> 
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, closeInboundInternal()
> 
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, closeOutboundInternal()
> 
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, SEND TLSv1.2 ALERT:  warning, description = close_notify
> 
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Alert, length = 80
> 
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, called closeOutbound()
> 
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, closeOutboundInternal()
> 
>  
> 
> Roland
> 
>  
> 
> From: David Handermann <exceptionfactory@gmail.com>
> Sent: Monday, March 29, 2021 11:56 PM
> To: users@nifi.apache.org
> Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question
> 
>  
> 
> Hi Roland,
> 
>  
> 
> Thanks for the reply.  If you are not seeing any warnings or errors in the NiFi Registry logs, you could enable SSL debugging in the NiFi Registry bootstrap.conf.  Adding the following line to bootstrap.conf should enable SSL debug output to the nifi-registry-bootstrap.log:
> 
>  
> 
> java.arg.20=-Djavax.net.debug=ssl
> 
>  
> 
> This setting produces a lot of output, but if you watch the log after the initial application startup, you should be able to observe the TLS handshake when NiFi attempts to list buckets from NiFi Registry.  The log output should at least confirm that the certificate exchange is occurring as expected.
> 
>  
> 
> Regards,
> 
> David Handermann
> 
>  
> 
> On Mon, Mar 29, 2021 at 10:34 PM Rosso, Roland <Roland.Rosso@adventhealth.com> wrote:
> 
> Hi David,
> 
>  
> 
> I use the nifi-toolkit to create the keystore and truststore to make sure clientAuth and serverAuth is set properly.
> 
>  
> 
> This is a ‘working’ config.
> 
> Keystore:
> 
> Alias name: nifi-key
> 
> Creation date: date
> 
> Entry type: PrivateKeyEntry
> 
>  
> 
> Truststore:
> 
> Alias name: server_name-nifi-cert
> 
> Creation date: date
> 
> Entry type: trustedCertEntry
> 
>  
> 
> Owner: CN=server.domain.net, OU=NIFI
> 
> Issuer: CN=localhost, OU=NIFI
> 
>  
> 
> The issue with the new setup is using external CA, also created via the nifi-toolkit, new NiFi install working fine (from a SSL perspective), Registry connecting but can’t list buckets.
> 
>  
> 
> Alias name: server_name-nifi-cert
> Creation date: Mar 29, 2021
> Entry type: trustedCertEntry
> 
> Owner: CN= server_name.domain.net, OU=NIFI
> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US
> 
>  
> 
> Thanks,
> Roland
> 
>  
> 
> From: David Handermann <exceptionfactory@gmail.com>
> Sent: Monday, March 29, 2021 9:27 PM
> To: users@nifi.apache.org
> Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question
> 
>  
> 
> Hi Roland,
> 
>  
> 
> Can you provide the commands you are using to create the server keystores?  Listing the keystore contents using "keytool -list -v -keystore <keystoreFile>" should include an Entry Type of "PrivateKeyEntry", so it would be helpful to confirm that the keystore includes a PrivateKeyEntry and not a TrustedCertEntry.
> 
>  
> 
> Regards,
> 
> David Handermann
> 
>  
> 
> On Mon, Mar 29, 2021 at 5:49 PM Rosso, Roland <Roland.Rosso@adventhealth.com> wrote:
> 
> I've tried this one more time (Nifi 1.12.1 to Registry 0.6.0). Re-signed/Re-imported the certs.
> 
> The new "server" cert is of the type:
> 
> Alias name: server_name-nifi-cert
> Creation date: Mar 29, 2021
> Entry type: trustedCertEntry
> 
> Owner: CN= server_name.domain.net, OU=NIFI
> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US
> 
> [blah]
> 
> I am adding the "server user" 'CN= server_name.domain.net, OU=NIFI' to the registry with all the grants. I don't see any errors in the logs but still cannot properly link it to the existing buckets. Should I add the "server user" in a different manner since the cert issuer is not 'Issuer: CN=localhost, OU=NIFI'?
> The other servers certs that are signed with 'Issuer: CN=localhost, OU=NIFI' work just fine (Nifi 1.9.2 to Registry 0.6.0).
> Is there a way to increase the logs as well?
> 
> Many thanks,
> Roland
> 
> -----Original Message-----
> From: Rosso, Roland <Roland.Rosso@AdventHealth.com>
> Sent: Thursday, March 25, 2021 2:21 PM
> To: users@nifi.apache.org
> Subject: RE: [EXTERNAL] Re: NiFi Registry SSL question
> 
> Thank you Bryan,
> I've tried all combinations I could think off.
> I'll resign all the certs with the same key for nifi and registry and try this again.
> 
> Thanks,
> Roland
> 
> -----Original Message-----
> From: Bryan Bende <bbende@gmail.com>
> Sent: Tuesday, March 23, 2021 3:48 PM
> To: users@nifi.apache.org
> Subject: [EXTERNAL] Re: NiFi Registry SSL question
> 
> I think the issue might be related to the "server user" in nifi registry. I would double check that the way the identity was entered in registry exactly matches the identity from nifi's certificate, case-sensitive and white-space sensitive. Also make sure this user in registry is granted all of the Proxy permissions, it is broken out into three different actions now (read, write, delete).
> 
> On Tue, Mar 23, 2021 at 9:28 AM Rosso, Roland <Roland.Rosso@adventhealth.com> wrote:
> >
> > Hi all,
> >
> > I am moving things around and moving from self-signed certs to corporate certs.
> >
> > I’ve installed nifi 1.12 with a new truststore and keystore (use toolkit with external certs) and that seems fine.
> >
> > I added the cert from the registry server (old self signed) into the new nifi 1.12 truststore and the new server cert (signed with corporate CA) into the nifi registry truststore (again, self signed).
> >
> > I also added the server ‘user’ CN=server.domain, OU=NIFI into the registry and made the permission grants (proxy, buckets). I don’t get any SSL errors in the logs but cannot add a PG via registry (no available bucket).
> >
> > Is this setup possible and am I missing something, or do all NiFi nodes and registry need to be signed with the same key? The idea was to setup a new instance (on new server), pull all PGs via registry into the new and retiring the old.
> >
> >
> >
> > Thanks,
> >
> > Roland
> >
> >
> >
> >
> >


RE: [EXTERNAL] Re: NiFi Registry SSL question

Posted by "Rosso, Roland" <Ro...@AdventHealth.com>.
Bryan,
To ‘close’ this up: we did end up going with option 2, so all nodes are signed with the same External CA and all is working fine.
I did look into bringing the public key (external CA) into the Registry’s truststore (self signed) but could not get this to work.
After getting a little more exposure to the toolkit, it’s really a welcome addition and many thanks to the NiFi team for building this tool.
Roland
From: Bryan Bende <bb...@gmail.com>
Sent: Thursday, April 1, 2021 9:33 AM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

If the "no buckets" issue is what we determined the other day, where NiFi's server cert does not have the clientAuth usage, then it does not make sense why your #2 test works and #3 test does not; they would both fail, since both have the same server cert on the NiFi side.

In general, I think you would normally put the public key of the external CA into registry's truststore, not the specific NiFi server cert. The point of the truststore is to say "trust certificates signed by these authorities".


On Thu, Apr 1, 2021 at 9:10 AM Rosso, Roland <Ro...@adventhealth.com> wrote:
I exported the server cert .cer signed with the external CA and imported that in the registry truststore. That works for 1 and 2, not 3.

Roland Rosso
AdventHealth
Big Data Administrator | Corporate Analytics
O: 407-805-8532

From: Chris McKeever <cg...@gmail.com>
Sent: Wednesday, March 31, 2021 11:40 PM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

did you add the external ca to the truststore of the registry?

On Wed, Mar 31, 2021 at 8:12 PM Rosso, Roland <Ro...@adventhealth.com> wrote:
Thanks Nathan. Very nice visual!

I tested some more today with External CA vs self-signed:

  1.  NiFi Node self signed to Registry self signed: works fine, all self-signed at different dates, but all using ‘localhost’
  2.  NiFi Node External CA signed to Registry External CA signed: works fine, using same nifi-key created via External CA
  3.  NiFi Node External CA signed to Registry self signed: no available buckets


For 3, ideally this would work so it doesn’t force me to re-sign with the External CA all of the nodes running in a separate cluster but connecting to the same registry, and it would allow for a good upgrade path. But I can’t get that one to work.

Thanks to all who helped and advised!
Roland


From: Nathan Gough <th...@gmail.com>
Sent: Wednesday, March 31, 2021 6:59 PM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

Hi Roland,

I believe I have captured the relevant information in this diagram:

https://drive.google.com/file/d/1KMGc7IMLTgJadooZ05H8grg7F6v0iLZ4/view?usp=sharing

If you have set up your configuration as in the diagram and are still having issues, I can perhaps add more detail about what certificate attributes are required where.

The key part for configuring Registry is that the initial Registry admin will have all accesses, and the individual NiFi node/s will need to be added and given "Can proxy user requests", in order to be able to see buckets.

Nathan

On Tue, Mar 30, 2021 at 5:03 PM Rosso, Roland <Ro...@adventhealth.com> wrote:
Thanks again Bryan. It needs to be built into the .pem key.
Unfortunately, our time self-signing certs is coming to an end.

Roland

From: Bryan Bende <bb...@gmail.com>
Sent: Tuesday, March 30, 2021 4:24 PM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

I'm not familiar with using toolkit with an external CA (if that is what's being done), but I regularly use localhost certs from the toolkit generated with a command like:

./bin/tls-toolkit.sh standalone -n 'localhost'

These work fine for me.


On Tue, Mar 30, 2021 at 3:47 PM Rosso, Roland <Ro...@adventhealth.com> wrote:
I did check this when I created the NiFi keystore using the toolkit, but missed it on the second part of the cert, Certificate[2]:
I’ll try the toolkit again, or is it an issue with the corporate keys that were issued?

>keytool -list -v -keystore keystore.jks
Enter keystore password:
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: nifi-key
Creation date: Mar 18, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG, O=ORG_NAME, L=CITY, ST=FL, C=US
Serial number: blah
Valid from: Thu Mar 18 10:28:03 EDT 2021 until: Wed Jun 21 10:28:03 EDT 2023
Certificate fingerprints:
         MD5:  59:
         SHA1: F2:
         SHA256: 41:
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 48
0010: 4C
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  clientAuth
  serverAuth
]

However, comparing it to the self signed ‘old’ cert, I do see it in the second part of the keystore.

Certificate[2]:
Owner: CN=localhost, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: blah
Valid from: Fri Aug 03 11:10:13 EDT 2018 until: Mon Aug 02 11:10:13 EDT 2021
Certificate fingerprints:
         MD5:  3F
         SHA1: B7
         SHA256: 42:
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 97
0010: 8E
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  clientAuth
  serverAuth
]

#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_Encipherment
  Data_Encipherment
  Key_Agreement
  Key_CertSign
  Crl_Sign
]

#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 97
0010: 8E
]
]

In the new keystore.jks created with toolkit 1.12.1:

Certificate[2]:
Owner: CN=nifi_ca.domain.net, OU=ORG, O=ORG_NAME, L=CITY, ST=FL, C=US
Issuer: CN=ORG Sub-CA, DC=domain, DC=net
Serial number: blah
Valid from: Wed Mar 17 13:27:07 EDT 2021 until: Mon Mar 16 13:27:07 EDT 2026
Certificate fingerprints:
         MD5:  8A
         SHA1: C9
         SHA256: 17
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.4.1.311.21.7 Criticality=false
0000: 30
0010: 1E
0020: 29


#2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: ldap:
,
   accessMethod: caIssuers
   accessLocation: URIName:
]
]
MISSING HERE
#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: C5
0010: 4E
]
]

#4: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

#5: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: ldap:
]]

#6: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]

#7: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: nifi_ca.domain.net
]

#8: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 48
0010: 4C
]
]

From: Bryan Bende <bb...@gmail.com>
Sent: Tuesday, March 30, 2021 3:15 PM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

The important lines are most likely:

2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using X509IdentityProvider
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.x.X509CertificateExtractor No client certificate found in request.

Essentially there is no certificate being sent from NiFi -> NiFi Registry, and as a result, registry is treating you as an anonymous user and seeing if there are any public buckets to access, and there aren't, so you see an empty list.

This usually happens when the certificate in NiFi's keystore does not have the clientAuth extended usage. You can see this by performing a keytool listing of NiFi's keystore JKS and looking for:

ExtendedKeyUsages [
  serverAuth
  clientAuth
]

If you don't see clientAuth in there then that is the problem.


On Tue, Mar 30, 2021 at 2:49 PM Rosso, Roland <Ro...@adventhealth.com> wrote:
Bryan,
I can’t seem to find those keywords anywhere following a request made by the ‘new’ server.
This seems to follow an immediate request by this new server:

2021-03-30 14:34:54,666 DEBUG [Listen to Bootstrap] o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests
2021-03-30 14:34:56,667 DEBUG [Listen to Bootstrap] o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using X509IdentityProvider
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.x.X509CertificateExtractor No client certificate found in request.
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using JwtIdentityProvider
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.BearerAuthIdentityProvider HTTP Bearer Auth credentials not present. Not attempting to extract credentials for authentication.
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.AnonymousIdentityFilter Populated SecurityContextHolder with anonymous token: 'anonymous'
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.ResourceAuthorizationFilter Request filter authorization check is not required for this HTTP Method on this resource. Allowing request to proceed. An additional authorization check might be performed downstream of this filter.
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/01b4dd78-fb1a-4910-916e-879ad3ee34c1
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/01b4dd78-fb1a-4910-916e-879ad3ee34c1
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/01b4dd78-fb1a-4910-916e-879ad3ee34c1
[more of those]
2021-03-30 14:34:57,798 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/15d2d1e0-09ba-4373-a000-ea4a1eca3b66
2021-03-30 14:34:57,798 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/15d2d1e0-09ba-4373-a000-ea4a1eca3b66
2021-03-30 14:34:57,798 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/15d2d1e0-09ba-4373-a000-ea4a1eca3b66
2021-03-30 14:34:58,669 DEBUG [Listen to Bootstrap] o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests

Following an immediate request by a working ‘old’ server (still NiFi 1.9.2, using self signed certs):

2021-03-30 14:41:57,057 DEBUG [Listen to Bootstrap] o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests
2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using X509IdentityProvider
2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Adding credentials claim to SecurityContext to be authenticated. Credentials extracted by X509IdentityProvider: AuthenticationRequest{username='CN=working_server.domain.net, OU=NIFI', credentials=[PROTECTED], details=org.apache.nifi.registry.web.security.authentication.x509.X509AuthenticationRequestDetails@7abb2a74}
2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Credentials already extracted for [org.apache.nifi.registry.web.security.authentication.AuthenticationRequestToken$1@6c118a5e], skipping credentials extraction filter using JwtIdentityProvider
2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.AnonymousIdentityFilter SecurityContextHolder not populated with anonymous token, as it already contained: 'AuthenticationRequest{username='CN=working_server.domain.net, OU=NIFI', credentials=[PROTECTED], details=org.apache.nifi.registry.web.security.authentication.x509.X509AuthenticationRequestDetails@7abb2a74}'
2021-03-30 14:41:58,278 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.ResourceAuthorizationFilter Request filter authorization check is not required for this HTTP Method on this resource. Allowing request to proceed. An additional authorization check might be performed downstream of this filter.
2021-03-30 14:41:58,279 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets
2021-03-30 14:41:58,279 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/01b4dd78-fb1a-4910-916e-879ad3ee34c1
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read


Roland Rosso
AdventHealth
Big Data Administrator | Corporate Analytics
O: 407-805-8532

From: Bryan Bende <bb...@gmail.com>
Sent: Tuesday, March 30, 2021 2:09 PM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

If the issue is related to the server user, then there would be something like this:

"Untrusted proxy [%s] for %s operation."

Where the first parameter would be the identity of the nifi server and the second parameter would be READ/WRITE/DELETE.

Also search for whatever user identity you are using in nifi since that will be sent as a proxied entity.

On Tue, Mar 30, 2021 at 1:54 PM Rosso, Roland <Ro...@adventhealth.com> wrote:
Bryan,
Tried the below:
“Also try adding the following NiFi Registry's logback.xml then see what is in the nifi-registry-app log when you make a request from NiFi to start version control:
<logger name="org.apache.nifi.registry.security" level="DEBUG"/>”

I tried to add a flow to version control or pull a new PG. Since we have 5 instances connected to that registry, hard to say which is doing what, but I can find all the instances in nifi-registry-app.log but not the one that’s not connecting right.
Anything specific you want me to look for in that log?

Thanks,
Roland Rosso
AdventHealth
Big Data Administrator | Corporate Analytics
O: 407-805-8532

From: Rosso, Roland <Ro...@AdventHealth.com>
Sent: Tuesday, March 30, 2021 1:28 PM
To: users@nifi.apache.org
Subject: RE: [EXTERNAL] Re: NiFi Registry SSL question

So,
CN= server_name.domain.net, OU=NIFI

It decided to hyperlink it, so the ‘_’ was hidden.

Both sets of certs were generated with the toolkit, albeit the first one 2 years ago with self-signed certs, and I need to move it to corporate CA.

New Server Cert:
Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI  <-- exact match to entry above
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US <-- corporate CA switch
This worked fine when we used the self-signed NiFi certs of the type:

Old Server Cert: (this was working but I need to use the above now)
Alias name: server_name-nifi-cert
Creation date: date
Entry type: trustedCertEntry
Owner: CN=server.domain.net, OU=NIFI
Issuer: CN=localhost, OU=NIFI

Thanks,
Roland Rosso
AdventHealth
Big Data Administrator | Corporate Analytics
O: 407-805-8532

From: Bryan Bende <bb...@gmail.com>
Sent: Tuesday, March 30, 2021 1:14 PM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

Not sure if this is related, but in one part it shows the Owner as:

CN= server_name.domain.net, OU=NIFI

There is a space between "CN=" and "server_name", but the identity in NiFi Registry does not have a space there.

Also, in the second trustedCertEntry, the Owner is "CN=server.domain.net, OU=NIFI" and shows the issuer as localhost, so I assume this is the one that came from NiFi Toolkit.

If NiFi is presenting a cert with this DN then you would need a user in registry with the identity "CN=server.domain.net, OU=NIFI" which is different from "CN=server_domain.net, OU=NIFI"

On Tue, Mar 30, 2021 at 12:35 PM Rosso, Roland <Ro...@adventhealth.com> wrote:
Bryan, David,

[inline image omitted]
Where
In NiFi Registry Truststore:
Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI  <-- exact match to entry above
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US <-- corporate CA switch
This worked fine when we used the self-signed NiFi certs of the type:

Alias name: server_name-nifi-cert
Creation date: date
Entry type: trustedCertEntry
Owner: CN=server.domain.net, OU=NIFI
Issuer: CN=localhost, OU=NIFI

Roland

From: Bryan Bende <bb...@gmail.com>
Sent: Tuesday, March 30, 2021 8:58 AM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

Since you aren't getting SSL errors and you are just getting no buckets, I don't think it is a problem with certificates. I think it is a problem with the authorization on NiFi Registry side.

What version of NiFi Registry? and also, can you show what policies exist for the NiFi server user in NiFi Registry?

On Tue, Mar 30, 2021 at 8:12 AM Chris McKeever <cg...@gmail.com> wrote:
Hey Roland .. I ran into a bunch of issues with using the toolkit. I just couldn't get it to do what I needed, so I wound up just running my own openssl and keytool commands. I found it much more straightforward, and then I could know what all was going on. I'm sure after I got these scars, and I understood all the bits, that the toolkit would work and be simpler, but I did find rolling my own, especially with the external CA, was easier.

Also, if you are on Slack, there is an active NiFi community there that may be helpful as well.

On Tue, Mar 30, 2021 at 6:17 AM Rosso, Roland <Ro...@adventhealth.com> wrote:
David,
Thanks for the debug config.
Here is the output when I try to connect to the registry from that new server and import a PG.
Since we have a few servers running, it is a very verbose log.
I may have missed the useful part of the log. 😊

2021-03-30 06:57:50,261 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 932
2021-03-30 06:57:50,263 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 912
2021-03-30 06:57:50,264 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 943
2021-03-30 06:57:50,266 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1026
2021-03-30 06:57:50,267 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 975
2021-03-30 06:57:50,269 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 915
2021-03-30 06:57:50,270 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 914
2021-03-30 06:57:50,271 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 931
2021-03-30 06:57:50,272 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 929
2021-03-30 06:57:50,274 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 910
2021-03-30 06:57:50,275 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
2021-03-30 06:57:50,276 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 911
2021-03-30 06:57:50,277 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 918
2021-03-30 06:57:50,279 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 927
2021-03-30 06:57:50,280 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 913
2021-03-30 06:57:50,281 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 923
2021-03-30 06:57:50,282 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 928
2021-03-30 06:57:50,284 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 937
2021-03-30 06:57:50,285 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1042
2021-03-30 06:57:50,286 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 939
2021-03-30 06:57:50,287 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 939
2021-03-30 06:57:50,289 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 922
2021-03-30 06:57:50,290 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 919
2021-03-30 06:57:50,291 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 930
2021-03-30 06:57:50,292 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 933
2021-03-30 06:57:50,293 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 930
2021-03-30 06:57:50,295 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 931
2021-03-30 06:57:50,296 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 922
2021-03-30 06:57:50,297 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 947
2021-03-30 06:57:50,298 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 905
2021-03-30 06:57:50,300 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1166
2021-03-30 06:57:50,301 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 914
2021-03-30 06:57:50,302 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 898
2021-03-30 06:57:50,303 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 908
2021-03-30 06:57:50,304 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 989
2021-03-30 06:57:50,306 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 911
2021-03-30 06:57:50,307 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, READ: TLSv1.2 Alert, length = 80
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, RECV TLSv1.2 ALERT:  warning, close_notify
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, closeInboundInternal()
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, closeOutboundInternal()
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, SEND TLSv1.2 ALERT:  warning, description = close_notify
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, WRITE: TLSv1.2 Alert, length = 80
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, called closeOutbound()
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, closeOutboundInternal()
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 Alert, length = 80
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, RECV TLSv1.2 ALERT:  warning, close_notify
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, closeInboundInternal()
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, closeOutboundInternal()
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, SEND TLSv1.2 ALERT:  warning, description = close_notify
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Alert, length = 80
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, called closeOutbound()
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, closeOutboundInternal()

Roland

From: David Handermann <ex...@gmail.com>
Sent: Monday, March 29, 2021 11:56 PM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

Hi Roland,

Thanks for the reply.  If you are not seeing any warnings or errors in the NiFi Registry logs, you could enable SSL debugging in the NiFi Registry bootstrap.conf.  Adding the following line to bootstrap.conf should enable SSL debug output to the nifi-registry-bootstrap.log:

java.arg.20=-Djavax.net.debug=ssl

This setting produces a lot of output, but if you watch the log after the initial application startup, you should be able to observe the TLS handshake when NiFi attempts to list buckets from NiFi Registry.  The log output should at least confirm that the certificate exchange is occurring as expected.

Regards,
David Handermann

On Mon, Mar 29, 2021 at 10:34 PM Rosso, Roland <Ro...@adventhealth.com> wrote:
Hi David,

I use the nifi-toolkit to create the keystore and truststore to make sure clientAuth and serverAuth is set properly.

This is a ‘working’ config.
Keystore:
Alias name: nifi-key
Creation date: date
Entry type: PrivateKeyEntry

Truststore:
Alias name: server_name-nifi-cert
Creation date: date
Entry type: trustedCertEntry

Owner: CN=server.domain.net, OU=NIFI
Issuer: CN=localhost, OU=NIFI

The issue with the new setup is using external CA, also created via the nifi-toolkit, new NiFi install working fine (from a SSL perspective), Registry connecting but can’t list buckets.

Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US

Thanks,
Roland

From: David Handermann <ex...@gmail.com>
Sent: Monday, March 29, 2021 9:27 PM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

Hi Roland,

Can you provide the commands you are using to create the server keystores?  Listing the keystore contents using "keytool -list -v -keystore <keystoreFile>" should include an Entry Type of "PrivateKeyEntry", so it would be helpful to confirm that the keystore includes a PrivateKeyEntry and not a TrustedCertEntry.

Regards,
David Handermann

On Mon, Mar 29, 2021 at 5:49 PM Rosso, Roland <Ro...@adventhealth.com> wrote:
I've tried this one more time (Nifi 1.12.1 to Registry 0.6.0). Re-signed/Re-imported the certs.

The new "server" cert is of the type:

Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US

[blah]

I am adding the "server user" 'CN= server_name.domain.net, OU=NIFI' to the registry with all the grants. I don't see any errors in the logs but still cannot properly link it to the existing buckets. Should I add the "server user" in a different manner since the cert issuer is not 'Issuer: CN=localhost, OU=NIFI'?
The other servers certs that are signed with 'Issuer: CN=localhost, OU=NIFI' work just fine (Nifi 1.9.2 to Registry 0.6.0).
Is there a way to increase the logs as well?

Many thanks,
Roland

-----Original Message-----
From: Rosso, Roland <Ro...@AdventHealth.com>
Sent: Thursday, March 25, 2021 2:21 PM
To: users@nifi.apache.org
Subject: RE: [EXTERNAL] Re: NiFi Registry SSL question

Thank you Bryan,
I've tried all combinations I could think of.
I'll re-sign all the certs with the same key for nifi and registry and try this again.

Thanks,
Roland

-----Original Message-----
From: Bryan Bende <bb...@gmail.com>
Sent: Tuesday, March 23, 2021 3:48 PM
To: users@nifi.apache.org
Subject: [EXTERNAL] Re: NiFi Registry SSL question

I think the issue might be related to the "server user" in nifi registry. I would double check that the way the identity was entered in registry exactly matches the identity from nifi's certificate, case-sensitive and white-space sensitive. Also make sure this user in registry is granted all of the Proxy permissions, it is broken out into three different actions now (read, write, delete).

On Tue, Mar 23, 2021 at 9:28 AM Rosso, Roland <Ro...@adventhealth.com> wrote:
>
> Hi all,
>
> I am moving things around and moving from self-signed certs to corporate certs.
>
> I’ve installed nifi 1.12 with a new truststore and keystore (use toolkit with external certs) and that seems fine.
>
> I added the cert from the registry server (old self signed) into the new nifi 1.12 truststore and the new server cert (signed with corporate CA) into the nifi registry truststore (again, self signed).
>
> I also added the server ‘user’ CN=server.domain, OU=NIFI into the registry and made the permission grants (proxy, buckets). I don’t get any SSL errors in the logs but cannot add a PG via registry (no available bucket).
>
> Is this setup possible and am I missing something, or do all NiFi nodes and registry need to be signed with the same key? The idea was to setup a new instance (on new server), pull all PGs via registry into the new and retiring the old.
>
>
>
> Thanks,
>
> Roland
>
>
>
>
>
> This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or may constitute as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, notify us immediately by telephone and (i) destroy this message if a facsimile or (ii) delete this message immediately if this is an electronic communication. Thank you.
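
An added check for the keystore conditions raised in this thread: David's point that the keystore entry must be a PrivateKeyEntry, the clientAuth/serverAuth extended key usage on the node's own certificate, and Bryan's note that the identity entered in Registry must match the certificate DN exactly, whitespace included. This is example code written for this page, not NiFi or toolkit code; it parses the text output of `keytool -list -v`, and the two sample listings are constructed from the entries Roland posted, with values trimmed.

```python
"""Check a `keytool -list -v` listing for the NiFi -> NiFi Registry client-cert
requirements discussed in the thread (example code, not part of NiFi)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class Cert:
    owner: str = ""
    issuer: str = ""
    ekus: set = field(default_factory=set)  # ExtendedKeyUsages values
    ca: bool = False                          # BasicConstraints CA flag


@dataclass
class Entry:
    alias: str = ""
    entry_type: str = ""
    chain: list = field(default_factory=list)  # Certificate[1] first


def parse_keytool_listing(text: str) -> list[Entry]:
    """Parse the human-readable listing into entries and their cert chains."""
    entries: list[Entry] = []
    entry = None
    cert = None
    in_eku = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            entry = Entry(alias=line.split(":", 1)[1].strip())
            entries.append(entry)
            cert = None
        elif line.startswith("Entry type:") and entry:
            entry.entry_type = line.split(":", 1)[1].strip()
        elif re.match(r"Certificate\[\d+\]:", line) and entry:
            cert = Cert()
            entry.chain.append(cert)
        elif line.startswith("Owner:") and entry:
            # a trustedCertEntry prints Owner/Issuer without a Certificate[n] header
            if cert is None:
                cert = Cert()
                entry.chain.append(cert)
            cert.owner = line.split(":", 1)[1].strip()
        elif line.startswith("Issuer:") and cert:
            cert.issuer = line.split(":", 1)[1].strip()
        elif line.startswith("ExtendedKeyUsages") and cert:
            in_eku = True
        elif in_eku:
            if line == "]":
                in_eku = False
            elif line:
                cert.ekus.add(line)
        elif line.startswith("CA:") and cert:
            cert.ca = line.endswith("true")
    return entries


def check_client_identity(entry: Entry) -> dict:
    """Report why this entry could fail as a TLS client identity towards Registry."""
    findings = []
    if entry.entry_type != "PrivateKeyEntry":
        findings.append(f"{entry.alias}: entry type is {entry.entry_type}, not PrivateKeyEntry")
    if not entry.chain:
        findings.append(f"{entry.alias}: no certificate found")
        return {"identity": None, "findings": findings, "ok": False}
    leaf = entry.chain[0]  # Certificate[1] is the node's own certificate
    for usage in ("clientAuth", "serverAuth"):
        if usage not in leaf.ekus:
            findings.append(f"{entry.alias}: Certificate[1] lacks {usage} in ExtendedKeyUsages")
    # Registry compares the identity string literally, so a space after '=' or a
    # trailing space means the user entered as 'CN=host, OU=NIFI' will not match.
    if re.search(r"=\s|\s,|\s$|^\s", leaf.owner):
        findings.append(f"{entry.alias}: Owner DN contains stray whitespace: {leaf.owner!r}")
    return {"identity": leaf.owner, "findings": findings, "ok": not findings}


# Constructed sample modelled on the working keystore listing in the thread (trimmed).
SAMPLE_KEYSTORE = """\
Alias name: nifi-key
Creation date: Mar 18, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG, O=ORG_NAME, L=CITY, ST=FL, C=US
BasicConstraints:[
  CA:false
]
ExtendedKeyUsages [
  clientAuth
  serverAuth
]
Certificate[2]:
Owner: CN=nifi_ca.domain.net, OU=ORG, O=ORG_NAME, L=CITY, ST=FL, C=US
Issuer: CN=ORG Sub-CA, DC=domain, DC=net
BasicConstraints:[
  CA:true
]
"""

# Constructed sample of the trusted-cert entry from the thread, including the
# stray space after 'CN=' that a literal identity comparison would trip on.
SAMPLE_TRUSTED_ENTRY = """\
Alias name: server_name-nifi-cert
Entry type: trustedCertEntry
Owner: CN= server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US
"""

if __name__ == "__main__":
    for listing in (SAMPLE_KEYSTORE, SAMPLE_TRUSTED_ENTRY):
        for e in parse_keytool_listing(listing):
            print(check_client_identity(e))
```

Run it against a real listing with `keytool -list -v -keystore keystore.jks | python3 check.py` after replacing the samples with `sys.stdin.read()`; the `identity` value is the exact string to enter as the Registry user.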

Re: [EXTERNAL] Re: NiFi Registry SSL question

Posted by Bryan Bende <bb...@gmail.com>.
If the "no buckets" issue is what we determined the other day where NiFi's
server cert does not have the clientAuth usage, then it does not make sense
why your #2 test works and #3 test does not, they would both fail since
both have the same server cert on NiFi side.

In general, I think you would normally put the public key of the external
CA into registry's truststore, not the specific NiFi server cert. The point
of the truststore is to say "trust certificates signed by these
authorities".


On Thu, Apr 1, 2021 at 9:10 AM Rosso, Roland <Ro...@adventhealth.com>
wrote:

> I exported the server cert .cer signed with the external CA and imported
> that in the registry truststore. That works for 1 and 2, not 3.
>
>
>
> *Roland Rosso*
> AdventHealth
> Big Data Administrator | Corporate Analytics
> O: 407-805-8532
>
>
>
> *From:* Chris McKeever <cg...@gmail.com>
> *Sent:* Wednesday, March 31, 2021 11:40 PM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> did you add the external ca to the truststore of the registry?
>
>
>
> On Wed, Mar 31, 2021 at 8:12 PM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> Thanks Nathan. Very nice visual!
>
>
>
> I tested some more today with External CA vs self-signed:
>
>    1. NiFi Node self signed to Registry self signed: works fine, all
>    self-signed at different dates, but all using ‘localhost’
>    2. NiFi Node External CA signed to Registry External CA signed: works
>    fine, using same nifi-key created via External CA
>    3. NiFi Node External CA signed to Registry self signed: no available
>    buckets
>
>
>
> For 3., ideally this would work so it doesn’t force me to re-sign with
> External CA  all of the nodes running in a separate cluster but connecting
> to the same registry, and allow for a good upgrade path…. But, can’t get
> that one to work.
>
>
>
> Thanks to all who helped and advised!
>
> Roland
>
>
>
>
>
> *From:* Nathan Gough <th...@gmail.com>
> *Sent:* Wednesday, March 31, 2021 6:59 PM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> Hi Roland,
>
>
>
> I believe I have captured the relevant information in this diagram:
>
>
> https://drive.google.com/file/d/1KMGc7IMLTgJadooZ05H8grg7F6v0iLZ4/view?usp=sharing
>
>
>
> If you have set up your configuration as in the diagram and are still
> having issues, I can perhaps add more detail about what certificate
> attributes are required where.
>
>
>
> The key part for configuring Registry is that the initial Registry admin
> will have all accesses, and the individual NiFi node/s will need to be
> added and given "Can proxy user requests", in order to be able to see
> buckets.
>
>
>
> Nathan
>
>
>
> On Tue, Mar 30, 2021 at 5:03 PM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> Thanks again Bryan. It needs to be built into the .pem key.
>
> Unfortunately, our time self-signing certs is coming to an end.
>
>
>
> *Roland *
>
>
>
> *From:* Bryan Bende <bb...@gmail.com>
> *Sent:* Tuesday, March 30, 2021 4:24 PM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> I'm not familiar with using toolkit with an external CA (if that is what's
> being done), but I regularly use localhost certs from the toolkit generated
> with a command like:
>
>
>
> ./bin/tls-toolkit.sh standalone -n 'localhost'
>
>
>
> These work fine for me.
>
>
>
>
>
> On Tue, Mar 30, 2021 at 3:47 PM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> I did check this when I created the NiFi keystore using the toolkit but
> missed it on the second part of the cert. Certificate[2]:
>
> I’ll try the toolkit again or is it an issue with the corporate keys that
> were issued?
>
>
>
> >keytool -list -v -keystore keystore.jks
>
> Enter keystore password:
>
> Keystore type: jks
>
> Keystore provider: SUN
>
>
>
> Your keystore contains 1 entry
>
>
>
> Alias name: nifi-key
>
> Creation date: Mar 18, 2021
>
> Entry type: PrivateKeyEntry
>
> Certificate chain length: 2
>
> Certificate[1]:
>
> Owner: CN=server_name.domain.net, OU=NIFI
>
> Issuer: CN=nifi_ca.domain.net, OU=ORG, O=ORG_NAME, L=CITY, ST=FL, C=US
>
> Serial number: blah
>
> Valid from: Thu Mar 18 10:28:03 EDT 2021 until: Wed Jun 21 10:28:03 EDT
> 2023
>
> Certificate fingerprints:
>
>          MD5:  59:
>
>          SHA1: F2:
>
>          SHA256: 41:
>
> Signature algorithm name: SHA256withRSA
>
> Subject Public Key Algorithm: 2048-bit RSA key
>
> Version: 3
>
>
>
> Extensions:
>
>
>
> #1: ObjectId: 2.5.29.35 Criticality=false
>
> AuthorityKeyIdentifier [
>
> KeyIdentifier [
>
> 0000: 48
>
> 0010: 4C
>
> ]
>
> ]
>
>
>
> #2: ObjectId: 2.5.29.19 Criticality=false
>
> BasicConstraints:[
>
>   CA:false
>
>   PathLen: undefined
>
> ]
>
>
>
> #3: ObjectId: 2.5.29.37 Criticality=false
>
> ExtendedKeyUsages [
>
>   clientAuth
>
>   serverAuth
>
> ]
>
>
>
> However, comparing it to the self signed ‘old’ cert, I do it in the second
> part of the keystore.
>
>
>
> Certificate[2]:
>
> Owner: CN=localhost, OU=NIFI
>
> Issuer: CN=localhost, OU=NIFI
>
> Serial number: blah
>
> Valid from: Fri Aug 03 11:10:13 EDT 2018 until: Mon Aug 02 11:10:13 EDT
> 2021
>
> Certificate fingerprints:
>
>          MD5:  3F
>
>          SHA1: B7
>
>          SHA256: 42:
>
> Signature algorithm name: SHA256withRSA
>
> Subject Public Key Algorithm: 2048-bit RSA key
>
> Version: 3
>
>
>
> Extensions:
>
>
>
> #1: ObjectId: 2.5.29.35 Criticality=false
>
> AuthorityKeyIdentifier [
>
> KeyIdentifier [
>
> 0000: 97
>
> 0010: 8E
>
> ]
>
> ]
>
>
>
> #2: ObjectId: 2.5.29.19 Criticality=false
>
> BasicConstraints:[
>
>   CA:true
>
>   PathLen:2147483647
>
> ]
>
>
>
> #3: ObjectId: 2.5.29.37 Criticality=false
>
> ExtendedKeyUsages [
>
>   clientAuth
>
>   serverAuth
>
> ]
>
>
>
> #4: ObjectId: 2.5.29.15 Criticality=true
>
> KeyUsage [
>
>   DigitalSignature
>
>   Non_repudiation
>
>   Key_Encipherment
>
>   Data_Encipherment
>
>   Key_Agreement
>
>   Key_CertSign
>
>   Crl_Sign
>
> ]
>
>
>
> #5: ObjectId: 2.5.29.14 Criticality=false
>
> SubjectKeyIdentifier [
>
> KeyIdentifier [
>
> 0000: 97
>
> 0010: 8E
>
> ]
>
> ]
>
>
>
> In the new keystore.jks created with toolkit 1.12.1:
>
>
>
> Certificate[2]:
>
> Owner: CN=nifi_ca.domain.net, OU=ORG, O=ORG_NAME, L=CITY, ST=FL, C=US
>
> Issuer: CN=ORG Sub-CA, DC=domain, DC=net
>
> Serial number: blah
>
> Valid from: Wed Mar 17 13:27:07 EDT 2021 until: Mon Mar 16 13:27:07 EDT
> 2026
>
> Certificate fingerprints:
>
>          MD5:  8A
>
>          SHA1: C9
>
>          SHA256: 17
>
> Signature algorithm name: SHA256withRSA
>
> Subject Public Key Algorithm: 2048-bit RSA key
>
> Version: 3
>
>
>
> Extensions:
>
>
>
> #1: ObjectId: 1.3.6.1.4.1.311.21.7 Criticality=false
>
> 0000: 30
>
> 0010: 1E
>
> 0020: 29
>
>
>
>
>
> #2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
>
> AuthorityInfoAccess [
>
>   [
>
>    accessMethod: caIssuers
>
>    accessLocation: URIName: ldap:
>
> ,
>
>    accessMethod: caIssuers
>
>    accessLocation: URIName:
>
> ]
>
> ]
>
> MISSING HERE
>
> #3: ObjectId: 2.5.29.35 Criticality=false
>
> AuthorityKeyIdentifier [
>
> KeyIdentifier [
>
> 0000: C5
>
> 0010: 4E
>
> ]
>
> ]
>
>
>
> #4: ObjectId: 2.5.29.19 Criticality=true
>
> BasicConstraints:[
>
>   CA:true
>
>   PathLen:0
>
> ]
>
>
>
> #5: ObjectId: 2.5.29.31 Criticality=false
>
> CRLDistributionPoints [
>
>   [DistributionPoint:
>
>      [URIName: ldap:
>
> ]]
>
>
>
> #6: ObjectId: 2.5.29.15 Criticality=false
>
> KeyUsage [
>
>   DigitalSignature
>
>   Key_CertSign
>
>   Crl_Sign
>
> ]
>
>
>
> #7: ObjectId: 2.5.29.17 Criticality=false
>
> SubjectAlternativeName [
>
>   DNSName: nifi_ca.domain.net
>
> ]
>
>
>
> #8: ObjectId: 2.5.29.14 Criticality=false
>
> SubjectKeyIdentifier [
>
> KeyIdentifier [
>
> 0000: 48
>
> 0010: 4C
>
> ]
>
> ]
>
>
>
> *From:* Bryan Bende <bb...@gmail.com>
> *Sent:* Tuesday, March 30, 2021 3:15 PM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> The important lines are most likely:
>
>
>
> 2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using
> X509IdentityProvider
>
> 2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.x.X509CertificateExtractor No client certificate found in
> request.
>
>
>
> Essentially there is no certificate being sent from NiFi -> NiFi Registry,
> and as a result, registry is treating you as an anonymous user and seeing
> if there are any public buckets to access, and there aren't, so you see an
> empty list.
>
>
>
> This usually happens when the certificate in NiFi's keystore does not have
> the clientAuth extended usage, you can see this by performing a keytool
> listing of NiFI's keystore JKS and looking for:
>
> ExtendedKeyUsages [
>   serverAuth
>   clientAuth
> ]
>
> If you don't see clientAuth in there then that is the problem.
>
>
>
>
>
> On Tue, Mar 30, 2021 at 2:49 PM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> Bryan,
>
> I can’t seem to find those keywords anywhere following a request made by
> the ‘new’ server
>
> This seems to follow an immediate request by this new server:
>
>
>
> 2021-03-30 14:34:54,666 DEBUG [Listen to Bootstrap]
> o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests
>
> 2021-03-30 14:34:56,667 DEBUG [Listen to Bootstrap]
> o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests
>
> 2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using
> X509IdentityProvider
>
> 2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.x.X509CertificateExtractor No client certificate found in
> request.
>
> 2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using
> JwtIdentityProvider
>
> 2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.BearerAuthIdentityProvider HTTP Bearer Auth credentials not
> present. Not attempting to extract credentials for authentication.
>
> 2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.AnonymousIdentityFilter Populated SecurityContextHolder with
> anonymous token: 'anonymous'
>
> 2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.ResourceAuthorizationFilter Request filter authorization
> check is not required for this HTTP Method on this resource. Allowing
> request to proceed. An additional authorization check might be performed
> downstream of this filter.
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/01b4dd78-fb1a-4910-916e-879ad3ee34c1
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/01b4dd78-fb1a-4910-916e-879ad3ee34c1
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/01b4dd78-fb1a-4910-916e-879ad3ee34c1
>
> [more of those]
>
> 2021-03-30 14:34:57,798 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/15d2d1e0-09ba-4373-a000-ea4a1eca3b66
>
> 2021-03-30 14:34:57,798 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/15d2d1e0-09ba-4373-a000-ea4a1eca3b66
>
> 2021-03-30 14:34:57,798 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/15d2d1e0-09ba-4373-a000-ea4a1eca3b66
>
> 2021-03-30 14:34:58,669 DEBUG [Listen to Bootstrap]
> o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests
>
>
>
> Following an immediate request by a working ‘old’ server (still NiFi
> 1.9.2, using self signed certs):
>
>
>
> 2021-03-30 14:41:57,057 DEBUG [Listen to Bootstrap]
> o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests
>
> 2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using
> X509IdentityProvider
>
> 2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.IdentityFilter Adding credentials claim to SecurityContext to
> be authenticated. Credentials extracted by X509IdentityProvider:
> AuthenticationRequest{username='CN=working_server.domain.net, OU=NIFI',
> credentials=[PROTECTED],
> details=org.apache.nifi.registry.web.security.authentication.x509.X509AuthenticationRequestDetails@7abb2a74
> }
>
> 2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.IdentityFilter Credentials already extracted for
> [org.apache.nifi.registry.web.security.authentication.AuthenticationRequestToken$1@6c118a5e],
> skipping credentials extraction filter using JwtIdentityProvider
>
> 2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.AnonymousIdentityFilter SecurityContextHolder not populated
> with anonymous token, as it already contained:
> 'AuthenticationRequest{username='CN=working_server.domain.net, OU=NIFI',
> credentials=[PROTECTED],
> details=org.apache.nifi.registry.web.security.authentication.x509.X509AuthenticationRequestDetails@7abb2a74
> }'
>
> 2021-03-30 14:41:58,278 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.ResourceAuthorizationFilter Request filter authorization
> check is not required for this HTTP Method on this resource. Allowing
> request to proceed. An additional authorization check might be performed
> downstream of this filter.
>
> 2021-03-30 14:41:58,279 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets
>
> 2021-03-30 14:41:58,279 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=
> working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=
> working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=
> working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=
> working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=
> working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=
> working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/01b4dd78-fb1a-4910-916e-879ad3ee34c1
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=
> working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
>
>
>
>
>
> *Roland Rosso*
> AdventHealth
> Big Data Administrator | Corporate Analytics
> O: 407-805-8532
>
>
>
> *From:* Bryan Bende <bb...@gmail.com>
> *Sent:* Tuesday, March 30, 2021 2:09 PM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> If the issue is related to the server user, then there would be something
> like this:
>
>
>
> "Untrusted proxy [%s] for %s operation."
>
>
>
> Where the first parameter would be the identity of the nifi server and the
> second parameter would be READ/WRITE/DELETE.
>
>
>
> Also search for whatever user identity you are using in nifi since that
> will be sent as a proxied entity.
>
>
>
> On Tue, Mar 30, 2021 at 1:54 PM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> Bryan,
>
> Tried the below:
>
> “Also try adding the following NiFi Registry's logback.xml then see what
> is in the nifi-registry-app log when you make a request from NiFi to start
> version control:
>
> <logger name="org.apache.nifi.registry.security" level="DEBUG"/>”
>
>
>
> I tried to add a flow to version control or pull a new PG. Since we have 5
> instances connected to that registry, hard to say which is doing what, but
> I can find all the instances in nifi-registry-app.log but not the one
> that’s not connecting right.
>
> Anything specific you want me to look for in that log?
>
>
>
> Thanks,
>
> *Roland Rosso*
> AdventHealth
> Big Data Administrator | Corporate Analytics
> O: 407-805-8532
>
>
>
> *From:* Rosso, Roland <Ro...@AdventHealth.com>
> *Sent:* Tuesday, March 30, 2021 1:28 PM
> *To:* users@nifi.apache.org
> *Subject:* RE: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> So,
>
> CN= server_name.domain.net, OU=NIFI
>
>
>
> It decided to hyperlink it so the ‘_’ was hidden
>
>
>
> Both sets of certs were generated with the toolkit, albeit the first one 2
> years ago with self-signed certs, and I need to move it to corporate CA.
>
>
>
> *New Server Cert:*
>
> Alias name: server_name-nifi-cert
>
> Creation date: Mar 29, 2021
>
> Entry type: trustedCertEntry
>
>
>
> Owner: CN= server_name.domain.net, OU=NIFI  *← exact match to entry above*
>
> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION,
> ST=XX, C=US ← corporate CA switch
>
> This worked fine when we used the self-signed NiFi certs of the type:
>
>
>
> *Old Server Cert: (this was working but I need to use the above now)*
>
> Alias name: server_name-nifi-cert
>
> Creation date: date
>
> Entry type: trustedCertEntry
>
> Owner: CN=server.domain.net, OU=NIFI
>
> Issuer: CN=localhost, OU=NIFI
>
>
>
> Thanks,
>
> *Roland Rosso*
> AdventHealth
> Big Data Administrator | Corporate Analytics
> O: 407-805-8532
>
>
>
> *From:* Bryan Bende <bb...@gmail.com>
> *Sent:* Tuesday, March 30, 2021 1:14 PM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> Not sure if this is related, but in one part it shows the Owner as:
>
>
>
> CN= server_name.domain.net, OU=NIFI
>
>
>
> There is a space between "CN=" and "server_name", but the identity in NiFi
> Registry does not have a space there.
>
>
>
> Also, in the second trustedCertEntry, the Owner is "CN=server.domain.net,
> OU=NIFI" and shows the issuer as localhost, so I assume this is the one
> that came from NiFI Toolkit.
>
>
>
> If NiFI is presenting a cert with this DN then you would need a user in
> registry with the identity "CN=server.domain.net, OU=NIFI" which is
> different from "CN=server_domain.net, OU=NIFI"
>
>
>
> On Tue, Mar 30, 2021 at 12:35 PM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> Bryan, David,
>
>
>
> Where
>
> In NiFi Registry Truststore:
>
> Alias name: server_name-nifi-cert
> Creation date: Mar 29, 2021
> Entry type: trustedCertEntry
>
> Owner: CN= server_name.domain.net, OU=NIFI  ← exact match to entry above
> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION,
> ST=XX, C=US ← corporate CA switch
>
> This worked fine when we used the self-signed NiFi certs of the type:
>
>
>
> Alias name: server_name-nifi-cert
>
> Creation date: date
>
> Entry type: trustedCertEntry
>
> Owner: CN=server.domain.net, OU=NIFI
>
> Issuer: CN=localhost, OU=NIFI
>
>
>
> *Roland *
>
>
>
> *From:* Bryan Bende <bb...@gmail.com>
> *Sent:* Tuesday, March 30, 2021 8:58 AM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> Since you aren't getting SSL errors and you are just getting no buckets, I
> don't think it is a problem with certificates. I think it is a problem with
> the authorization on NiFi Registry side.
>
>
>
> What version of NiFi Registry? and also, can you show what policies exist
> for the NiFi server user in NiFi Registry?
>
>
>
> On Tue, Mar 30, 2021 at 8:12 AM Chris McKeever <cg...@gmail.com>
> wrote:
>
> Hey Roland .. I ran into a bunch of issues with using the toolkit. I just
> couldn't get it to do what I needed, I wound up just running my own openssl
> and keytool commands. I found it much more straightforward and then I could
> know what all was going on. I'm sure after I got these scars, and I
> understood all the bits, that toolkit would work and be simpler, but I did
> find rolling my own, especially with the external CA, was easier.
>
>
>
> also - if you are on slack, there is an active nifi community there that
> may be helpful as well ..
>
>
>
> On Tue, Mar 30, 2021 at 6:17 AM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> David,
>
> Thanks for the debug config.
>
> Here is an output when I try to connect to the registry from that new
> server, Import a PG.
>
> Since we have a few servers running, it is a very verbose log.
>
> I may have missed the useful part of the log. 😊
>
>
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut ... no IV derived for this protocol
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Handshake, length = 85
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut upcoming handshake states: server
> finished[20]
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut upcoming handshake states: client
> change_cipher_spec[-1]
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut upcoming handshake states: client
> finished[20]
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Change Cipher Spec, length = 1
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut *** Finished
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut verify_data:  { 20, 87, 186, 148, 90, 136,
> 108, 120, 14, 10, 42, 184 }
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut ***
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut update handshake state: finished[20]
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut upcoming handshake states: client
> change_cipher_spec[-1]
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut upcoming handshake states: client
> finished[20]
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Handshake, length = 96
>
> 2021-03-30 06:57:50,223 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2
> Change Cipher Spec, length = 1
>
> 2021-03-30 06:57:50,223 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
>
> 2021-03-30 06:57:50,223 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut upcoming handshake states: client
> finished[20]
>
> 2021-03-30 06:57:50,223 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2
> Handshake, length = 96
>
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut check handshake state: finished[20]
>
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut update handshake state: finished[20]
>
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut *** Finished
>
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut verify_data:  { 155, 211, 15, 169, 135,
> 208, 90, 115, 111, 50, 85, 164 }
>
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut ***
>
> 2021-03-30 06:57:50,226 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 926
>
> 2021-03-30 06:57:50,228 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 1100
>
> 2021-03-30 06:57:50,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 1018
>
> 2021-03-30 06:57:50,231 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 1049
>
> 2021-03-30 06:57:50,233 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 1010
>
> 2021-03-30 06:57:50,234 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 928
>
> 2021-03-30 06:57:50,236 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 924
>
> 2021-03-30 06:57:50,237 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 920
>
> 2021-03-30 06:57:50,239 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 919
>
> 2021-03-30 06:57:50,240 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 1007
>
> 2021-03-30 06:57:50,241 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 999
>
> 2021-03-30 06:57:50,243 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 916
>
> 2021-03-30 06:57:50,245 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 996
>
> 2021-03-30 06:57:50,247 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 1102
>
> 2021-03-30 06:57:50,248 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 942
>
> 2021-03-30 06:57:50,250 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 920
>
> 2021-03-30 06:57:50,251 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 919
>
> 2021-03-30 06:57:50,253 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 938
>
> 2021-03-30 06:57:50,254 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 942
>
> 2021-03-30 06:57:50,255 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 923
>
> 2021-03-30 06:57:50,256 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 944
>
> 2021-03-30 06:57:50,258 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 946
>
> 2021-03-30 06:57:50,259 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 1006
>
> 2021-03-30 06:57:50,261 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 932
>
> 2021-03-30 06:57:50,263 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 912
>
> 2021-03-30 06:57:50,264 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 943
>
> 2021-03-30 06:57:50,266 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 1026
>
> 2021-03-30 06:57:50,267 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 975
>
> 2021-03-30 06:57:50,269 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 915
>
> 2021-03-30 06:57:50,270 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 914
>
> 2021-03-30 06:57:50,271 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 931
>
> 2021-03-30 06:57:50,272 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 929
>
> 2021-03-30 06:57:50,274 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 910
>
> 2021-03-30 06:57:50,275 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 920
>
> 2021-03-30 06:57:50,276 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 911
>
> 2021-03-30 06:57:50,277 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 918
>
> 2021-03-30 06:57:50,279 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 927
>
> 2021-03-30 06:57:50,280 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 913
>
> 2021-03-30 06:57:50,281 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 923
>
> 2021-03-30 06:57:50,282 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 928
>
> 2021-03-30 06:57:50,284 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 937
>
> 2021-03-30 06:57:50,285 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 1042
>
> 2021-03-30 06:57:50,286 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 939
>
> 2021-03-30 06:57:50,287 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 939
>
> 2021-03-30 06:57:50,289 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 922
>
> 2021-03-30 06:57:50,290 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 919
>
> 2021-03-30 06:57:50,291 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 930
>
> 2021-03-30 06:57:50,292 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 933
>
> 2021-03-30 06:57:50,293 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 930
>
> 2021-03-30 06:57:50,295 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 931
>
> 2021-03-30 06:57:50,296 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 922
>
> 2021-03-30 06:57:50,297 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 947
>
> 2021-03-30 06:57:50,298 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 905
>
> 2021-03-30 06:57:50,300 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 1166
>
> 2021-03-30 06:57:50,301 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 914
>
> 2021-03-30 06:57:50,302 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 898
>
> 2021-03-30 06:57:50,303 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 908
>
> 2021-03-30 06:57:50,304 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 989
>
> 2021-03-30 06:57:50,306 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 911
>
> 2021-03-30 06:57:50,307 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 920
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, READ: TLSv1.2
> Alert, length = 80
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, RECV TLSv1.2
> ALERT:  warning, close_notify
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40,
> closeInboundInternal()
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40,
> closeOutboundInternal()
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, SEND TLSv1.2
> ALERT:  warning, description = close_notify
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, WRITE: TLSv1.2
> Alert, length = 80
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, called
> closeOutbound()
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40,
> closeOutboundInternal()
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2
> Alert, length = 80
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, RECV TLSv1.2
> ALERT:  warning, close_notify
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35,
> closeInboundInternal()
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35,
> closeOutboundInternal()
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, SEND TLSv1.2
> ALERT:  warning, description = close_notify
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Alert, length = 80
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, called
> closeOutbound()
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35,
> closeOutboundInternal()
>
>
>
> *Roland *
>
>
>
> *From:* David Handermann <ex...@gmail.com>
> *Sent:* Monday, March 29, 2021 11:56 PM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> Hi Roland,
>
>
>
> Thanks for the reply.  If you are not seeing any warnings or errors in the
> NiFi Registry logs, you could enable SSL debugging in the NiFi Registry
> bootstrap.conf.  Adding the following line to bootstrap.conf should enable
> SSL debug output to the nifi-registry-bootstrap.log:
>
>
>
> java.arg.20=-Djavax.net.debug=ssl
>
>
>
> This setting produces a lot of output, but if you watch the log after the
> initial application startup, you should be able to observe the TLS
> handshake when NiFi attempts to list buckets from NiFi Registry.  The log
> output should at least confirm that the certificate exchange is occurring
> as expected.
>
>
>
> Regards,
>
> David Handermann
>
>
>
> On Mon, Mar 29, 2021 at 10:34 PM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> Hi David,
>
>
>
> I use the nifi-toolkit to create the keystore and truststore to make sure
> clientAuth and serverAuth are set properly.
>
>
>
> This is a ‘working’ config.
>
> Keystore:
>
> Alias name: nifi-key
>
> Creation date: date
>
> Entry type: PrivateKeyEntry
>
>
>
> Truststore:
>
> Alias name: server_name-nifi-cert
>
> Creation date: date
>
> Entry type: trustedCertEntry
>
>
>
> Owner: CN=server.domain.net, OU=NIFI
>
> Issuer: CN=localhost, OU=NIFI
>
>
>
> The issue with the new setup is using external CA, also created via the
> nifi-toolkit, new NiFi install working fine (from a SSL perspective),
> Registry connecting but can’t list buckets.
>
>
>
> Alias name: server_name-nifi-cert
> Creation date: Mar 29, 2021
> Entry type: trustedCertEntry
>
> Owner: CN= server_name.domain.net, OU=NIFI
> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION,
> ST=XX, C=US
>
>
>
> Thanks,
> Roland
>
>
>
> *From:* David Handermann <ex...@gmail.com>
> *Sent:* Monday, March 29, 2021 9:27 PM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> Hi Roland,
>
>
>
> Can you provide the commands you are using to create the server
> keystores?  Listing the keystore contents using "keytool -list -v -keystore
> <keystoreFile>" should include an Entry Type of "PrivateKeyEntry", so it
> would be helpful to confirm that the keystore includes a PrivateKeyEntry
> and not a TrustedCertEntry.
>
>
>
> Regards,
>
> David Handermann
>
>
>
> On Mon, Mar 29, 2021 at 5:49 PM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> I've tried this one more time (Nifi 1.12.1 to Registry 0.6.0).
> Re-signed/Re-imported the certs.
>
> The new "server" cert is of the type:
>
> Alias name: server_name-nifi-cert
> Creation date: Mar 29, 2021
> Entry type: trustedCertEntry
>
> Owner: CN= server_name.domain.net, OU=NIFI
> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION,
> ST=XX, C=US
>
> [blah]
>
> I am adding the "server user" 'CN= server_name.domain.net, OU=NIFI' to
> the registry with all the grants. I don't see any errors in the logs but
> still cannot properly link it to the existing buckets. Should I add the
> "server user" in a different manner since the cert issuer is not 'Issuer:
> CN=localhost, OU=NIFI'?
> The other servers certs that are signed with 'Issuer: CN=localhost,
> OU=NIFI' work just fine (Nifi 1.9.2 to Registry 0.6.0).
> Is there a way to increase the logs as well?
>
> Many thanks,
> Roland
>
> -----Original Message-----
> From: Rosso, Roland <Ro...@AdventHealth.com>
> Sent: Thursday, March 25, 2021 2:21 PM
> To: users@nifi.apache.org
> Subject: RE: [EXTERNAL] Re: NiFi Registry SSL question
>
> Thank you Bryan,
> I've tried all combinations I could think of.
> I'll re-sign all the certs with the same key for nifi and registry and try
> this again.
>
> Thanks,
> Roland
>
> -----Original Message-----
> From: Bryan Bende <bb...@gmail.com>
> Sent: Tuesday, March 23, 2021 3:48 PM
> To: users@nifi.apache.org
> Subject: [EXTERNAL] Re: NiFi Registry SSL question
>
> I think the issue might be related to the "server user" in nifi registry.
> I would double check that the way the identity was entered in registry
> exactly matches the identity from nifi's certificate, case-sensitive and
> white-space sensitive. Also make sure this user in registry is granted all
> of the Proxy permissions, it is broken out into three different actions now
> (read, write, delete).
>
> On Tue, Mar 23, 2021 at 9:28 AM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
> >
> > Hi all,
> >
> > I am moving things around and moving from self-signed certs to corporate
> certs.
> >
> > I’ve installed nifi 1.12 with a new truststore and keystore (use toolkit
> with external certs) and that seems fine.
> >
> > I added the cert from the registry server (old self signed) into the new
> nifi 1.12 truststore and the new server cert (signed with corporate CA)
> into the nifi registry truststore (again, self signed).
> >
> > I also added the server ‘user’ CN=server.domain, OU=NIFI into the
> registry and made the permission grants (proxy, buckets). I don’t get any
> SSL errors in the logs but cannot add a PG via registry (no available
> bucket).
> >
> > Is this setup possible and am I missing something, or do all NiFi nodes
> and registry need to be signed with the same key? The idea was to setup a
> new instance (on new server), pull all PGs via registry into the new and
> retiring the old.
> >
> >
> >
> > Thanks,
> >
> > Roland
> >
> >
> >
> >
> >
> > This message (including any attachments) is intended only for the use of
> the individual or entity to which it is addressed and may contain
> information that is non-public, proprietary, privileged, confidential, and
> exempt from disclosure under applicable law or may constitute as attorney
> work product. If you are not the intended recipient, you are hereby
> notified that any use, dissemination, distribution, or copying of this
> communication is strictly prohibited. If you have received this
> communication in error, notify us immediately by telephone and (i) destroy
> this message if a facsimile or (ii) delete this message immediately if this
> is an electronic communication. Thank you.
>
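
The checks this thread keeps coming back to (whether the NiFi keystore alias is a PrivateKeyEntry rather than a trustedCertEntry, whether the leaf certificate carries the clientAuth extended key usage, whether the identity string entered in Registry matches the certificate subject exactly, and whether the Registry truststore holds the issuing CA) can all be read off `keytool -list -v` output, so they can be scripted. The Python below is an added example written for this page; it is not code from the thread participants or from the NiFi project. The three listings it parses are constructed to mirror the ones quoted in the thread (the aliases `nifi-key`, `localhost-nifi-cert` and `nifi-ca`, and all hostnames and DNs, are sample values), the stray space after `CN=` in the sample subject is deliberate so the whitespace-sensitive identity comparison has something to catch, and trust is judged by subject-name match against the truststore rather than by verifying signatures, which is an approximation of what the Java PKIX validator does.

```python
"""Check a NiFi keystore against a NiFi Registry truststore from `keytool -list -v` output."""
import re

# Constructed sample listings in the layout `keytool -list -v` prints, trimmed to the
# lines this check reads. Names mirror the thread; the space after "CN=" is deliberate.
NIFI_KEYSTORE = """\
Alias name: nifi-key
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN= server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG, O=ORG_NAME, L=CITY, ST=FL, C=US
ExtendedKeyUsages [
  clientAuth
  serverAuth
]
Certificate[2]:
Owner: CN=nifi_ca.domain.net, OU=ORG, O=ORG_NAME, L=CITY, ST=FL, C=US
Issuer: CN=ORG Sub-CA, DC=domain, DC=net
"""
# Registry truststore that still holds only the old self-signed toolkit certificate.
REGISTRY_TRUSTSTORE = """\
Alias name: localhost-nifi-cert
Entry type: trustedCertEntry

Owner: CN=localhost, OU=NIFI
Issuer: CN=localhost, OU=NIFI
"""
# The issuing CA certificate as it would appear once imported into that truststore.
CA_TRUST_ENTRY = """
Alias name: nifi-ca
Entry type: trustedCertEntry

Owner: CN=nifi_ca.domain.net, OU=ORG, O=ORG_NAME, L=CITY, ST=FL, C=US
Issuer: CN=ORG Sub-CA, DC=domain, DC=net
"""


def parse_keytool_listing(text):
    """Parse keytool -list -v text into [{alias, type, chain: [{owner, issuer, ekus}]}].
    Handles PrivateKeyEntry chains (Certificate[n] headers) and trustedCertEntry (none)."""
    entries, entry, cert, in_eku = [], None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            entry = {"alias": line.split(":", 1)[1].strip(), "type": "", "chain": []}
            entries.append(entry)
            cert = None
        elif entry is None:
            continue  # "Keystore type:" and other header lines before the first alias
        elif line.startswith("Entry type:"):
            entry["type"] = line.split(":", 1)[1].strip()
        elif re.fullmatch(r"Certificate\[\d+\]:", line) or (line.startswith("Owner:") and cert is None):
            cert = {"owner": "", "issuer": "", "ekus": []}
            entry["chain"].append(cert)
        if cert is not None and line.startswith("Owner:"):
            cert["owner"] = line[len("Owner:"):].strip()
        elif cert is not None and line.startswith("Issuer:"):
            cert["issuer"] = line[len("Issuer:"):].strip()
        elif line.startswith("ExtendedKeyUsages"):
            in_eku = True
        elif in_eku:
            in_eku = line != "]"  # the closing bracket ends the usage list
            if in_eku and cert is not None:
                cert["ekus"].append(line)
    return entries


def trusted_subjects(truststore_entries):
    """Subject names the Registry truststore accepts as trust anchors."""
    return {c["owner"] for e in truststore_entries if e["type"] == "trustedCertEntry" for c in e["chain"]}


def check_nifi_client_cert(keystore_entries, alias, registry_identity, anchors):
    """Findings that would stop Registry from authenticating NiFi; an empty list means OK.
    Trust is judged by subject-name match only; no signatures are verified here."""
    entry = next((e for e in keystore_entries if e["alias"] == alias), None)
    if entry is None or not entry["chain"]:
        return [f"no certificate under alias {alias!r}"]
    findings, chain = [], entry["chain"]
    if entry["type"] != "PrivateKeyEntry":
        findings.append(f"{alias!r} is a {entry['type']}, not a PrivateKeyEntry: no private key to authenticate with")
    for usage in ("clientAuth", "serverAuth"):
        if usage not in chain[0]["ekus"]:
            findings.append(f"leaf certificate lacks the {usage} extended key usage")
    if chain[0]["owner"] != registry_identity:
        findings.append(f"subject {chain[0]['owner']!r} != Registry user {registry_identity!r} (case- and whitespace-sensitive)")
    for lower, upper in zip(chain, chain[1:]):
        if lower["issuer"] != upper["owner"]:
            findings.append(f"chain break between {lower['owner']!r} and {upper['owner']!r}")
    if not ({c["owner"] for c in chain} | {chain[-1]["issuer"]}) & anchors:
        findings.append("neither the chain nor its top issuer is a trusted entry in the Registry truststore")
    return findings


if __name__ == "__main__":
    ks = parse_keytool_listing(NIFI_KEYSTORE)
    identity = "CN=server_name.domain.net, OU=NIFI"  # the user as entered in Registry
    for label, text in (("self-signed only", REGISTRY_TRUSTSTORE), ("with CA", REGISTRY_TRUSTSTORE + CA_TRUST_ENTRY)):
        anchors = trusted_subjects(parse_keytool_listing(text))
        for finding in check_nifi_client_cert(ks, "nifi-key", identity, anchors) or ["OK"]:
            print(f"[{label}] {finding}")
```

Run against the sample data, the "self-signed only" truststore produces two findings (the identity mismatch caused by the space after `CN=`, and the missing trust anchor), and importing the CA leaves only the identity mismatch; entering the Registry user with the exact subject string clears that too. On a real system, feed it the saved output of `keytool -list -v -keystore <file>` for both stores instead of the constructed strings.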

RE: [EXTERNAL] Re: NiFi Registry SSL question

Posted by "Rosso, Roland" <Ro...@AdventHealth.com>.
I exported the server cert .cer signed with the external CA and imported that in the registry truststore. That works for 1 and 2, not 3.

Roland Rosso
AdventHealth
Big Data Administrator | Corporate Analytics
O: 407-805-8532

From: Chris McKeever <cg...@gmail.com>
Sent: Wednesday, March 31, 2021 11:40 PM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

did you add the external ca to the truststore of the registry?

On Wed, Mar 31, 2021 at 8:12 PM Rosso, Roland <Ro...@adventhealth.com> wrote:
Thanks Nathan. Very nice visual!

I tested some more today with External CA vs self-signed:

  1.  NiFi Node self signed to Registry self signed: works fine, all self-signed at different dates, but all using ‘localhost’
  2.  NiFI Node External CA signed to Registry External CA signed: works fine, using same nifi-key created via External CA
  3.  NiFi Node External CA signed to Registry self signed: no available buckets


For 3. , ideally this would work so it doesn’t force me to re-sign with External CA  all of the nodes running in a separate cluster but connecting to the same registry, and allow for a good upgrade path…. But, can’t get that one to work.

Thanks to all who helped and advised!
Roland


From: Nathan Gough <th...@gmail.com>
Sent: Wednesday, March 31, 2021 6:59 PM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

Hi Roland,

I believe I have captured the relevant information in this diagram:

https://drive.google.com/file/d/1KMGc7IMLTgJadooZ05H8grg7F6v0iLZ4/view?usp=sharing

If you have set up your configuration as in the diagram and are still having issues, I can perhaps add more detail about what certificate attributes are required where.

The key part for configuring Registry is that the initial Registry admin will have all accesses, and the individual NiFi node/s will need to be added and given "Can proxy user requests", in order to be able to see buckets.

Nathan

On Tue, Mar 30, 2021 at 5:03 PM Rosso, Roland <Ro...@adventhealth.com> wrote:
Thanks again Bryan. It needs to be built into the .pem key.
Unfortunately, our time self-signing certs is coming to an end.

Roland

From: Bryan Bende <bb...@gmail.com>
Sent: Tuesday, March 30, 2021 4:24 PM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

I'm not familiar with using toolkit with an external CA (if that is what's being done), but I regularly use localhost certs from the toolkit generated with a command like:

./bin/tls-toolkit.sh standalone -n 'localhost'

These work fine for me.


On Tue, Mar 30, 2021 at 3:47 PM Rosso, Roland <Ro...@adventhealth.com> wrote:
I did check this when I created the NiFi keystore using the toolkit but missed it on the second part of the cert. Certificate[2]:
I’ll try the toolkit again or is it an issue with the corporate keys that were issued?

>keytool -list -v -keystore keystore.jks
Enter keystore password:
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: nifi-key
Creation date: Mar 18, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG, O=ORG_NAME, L=CITY, ST=FL, C=US
Serial number: blah
Valid from: Thu Mar 18 10:28:03 EDT 2021 until: Wed Jun 21 10:28:03 EDT 2023
Certificate fingerprints:
         MD5:  59:
         SHA1: F2:
         SHA256: 41:
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 48
0010: 4C
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  clientAuth
  serverAuth
]

However, comparing it to the self signed ‘old’ cert, I do it in the second part of the keystore.

Certificate[2]:
Owner: CN=localhost, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: blah
Valid from: Fri Aug 03 11:10:13 EDT 2018 until: Mon Aug 02 11:10:13 EDT 2021
Certificate fingerprints:
         MD5:  3F
         SHA1: B7
         SHA256: 42:
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 97
0010: 8E
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  clientAuth
  serverAuth
]

#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_Encipherment
  Data_Encipherment
  Key_Agreement
  Key_CertSign
  Crl_Sign
]

#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 97
0010: 8E
]
]

In the new keystore.jks created with toolkit 1.12.1:

Certificate[2]:
Owner: CN=nifi_ca.domain.net, OU=ORG, O=ORG_NAME, L=CITY, ST=FL, C=US
Issuer: CN=ORG Sub-CA, DC=domain, DC=net
Serial number: blah
Valid from: Wed Mar 17 13:27:07 EDT 2021 until: Mon Mar 16 13:27:07 EDT 2026
Certificate fingerprints:
         MD5:  8A
         SHA1: C9
         SHA256: 17
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.4.1.311.21.7 Criticality=false
0000: 30
0010: 1E
0020: 29


#2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: ldap:
,
   accessMethod: caIssuers
   accessLocation: URIName:
]
]
MISSING HERE
#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: C5
0010: 4E
]
]

#4: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

#5: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: ldap:
]]

#6: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]

#7: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: nifi_ca.domain.net
]

#8: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 48
0010: 4C
]
]

From: Bryan Bende <bb...@gmail.com>
Sent: Tuesday, March 30, 2021 3:15 PM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

The important lines are most likely:

2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using X509IdentityProvider
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.x.X509CertificateExtractor No client certificate found in request.

Essentially there is no certificate being sent from NiFi -> NiFi Registry, and as a result, registry is treating you as an anonymous user and seeing if there are any public buckets to access, and there aren't, so you see an empty list.

This usually happens when the certificate in NiFi's keystore does not have the clientAuth extended usage; you can see this by performing a keytool listing of NiFi's keystore JKS and looking for:

ExtendedKeyUsages [
  serverAuth
  clientAuth
]
If you don't see clientAuth in there then that is the problem.


On Tue, Mar 30, 2021 at 2:49 PM Rosso, Roland <Ro...@adventhealth.com> wrote:
Bryan,
I can’t seem to find those keywords anywhere following a request made by the ‘new’ server
This seems to follow an immediate request by this new server:

2021-03-30 14:34:54,666 DEBUG [Listen to Bootstrap] o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests
2021-03-30 14:34:56,667 DEBUG [Listen to Bootstrap] o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using X509IdentityProvider
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.x.X509CertificateExtractor No client certificate found in request.
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using JwtIdentityProvider
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.BearerAuthIdentityProvider HTTP Bearer Auth credentials not present. Not attempting to extract credentials for authentication.
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.AnonymousIdentityFilter Populated SecurityContextHolder with anonymous token: 'anonymous'
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.ResourceAuthorizationFilter Request filter authorization check is not required for this HTTP Method on this resource. Allowing request to proceed. An additional authorization check might be performed downstream of this filter.
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/01b4dd78-fb1a-4910-916e-879ad3ee34c1
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/01b4dd78-fb1a-4910-916e-879ad3ee34c1
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/01b4dd78-fb1a-4910-916e-879ad3ee34c1
[more of those]
2021-03-30 14:34:57,798 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/15d2d1e0-09ba-4373-a000-ea4a1eca3b66
2021-03-30 14:34:57,798 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/15d2d1e0-09ba-4373-a000-ea4a1eca3b66
2021-03-30 14:34:57,798 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/15d2d1e0-09ba-4373-a000-ea4a1eca3b66
2021-03-30 14:34:58,669 DEBUG [Listen to Bootstrap] o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests

Following an immediate request by a working ‘old’ server (still NiFi 1.9.2, using self signed certs):

2021-03-30 14:41:57,057 DEBUG [Listen to Bootstrap] o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests
2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using X509IdentityProvider
2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Adding credentials claim to SecurityContext to be authenticated. Credentials extracted by X509IdentityProvider: AuthenticationRequest{username='CN=working_server.domain.net, OU=NIFI', credentials=[PROTECTED], details=org.apache.nifi.registry.web.security.authentication.x509.X509AuthenticationRequestDetails@7abb2a74}
2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Credentials already extracted for [org.apache.nifi.registry.web.security.authentication.AuthenticationRequestToken$1@6c118a5e], skipping credentials extraction filter using JwtIdentityProvider
2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.AnonymousIdentityFilter SecurityContextHolder not populated with anonymous token, as it already contained: 'AuthenticationRequest{username='CN=working_server.domain.net, OU=NIFI', credentials=[PROTECTED], details=org.apache.nifi.registry.web.security.authentication.x509.X509AuthenticationRequestDetails@7abb2a74}'
2021-03-30 14:41:58,278 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.ResourceAuthorizationFilter Request filter authorization check is not required for this HTTP Method on this resource. Allowing request to proceed. An additional authorization check might be performed downstream of this filter.
2021-03-30 14:41:58,279 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets
2021-03-30 14:41:58,279 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/01b4dd78-fb1a-4910-916e-879ad3ee34c1
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read


Roland Rosso
AdventHealth
Big Data Administrator | Corporate Analytics
O: 407-805-8532

From: Bryan Bende <bb...@gmail.com>
Sent: Tuesday, March 30, 2021 2:09 PM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

If the issue is related to the server user, then there would be something like this:

"Untrusted proxy [%s] for %s operation."

Where the first parameter would be the identity of the nifi server and the second parameter would be READ/WRITE/DELETE.

Also search for whatever user identity you are using in nifi since that will be sent as a proxied entity.

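The check Bryan describes above (an exact, case- and whitespace-sensitive match between the identity NiFi presents and a user in NiFi Registry, plus the "Untrusted proxy [%s] for %s operation." message), as an added Python example. This is not code from the thread or from the NiFi project; the users.xml fragment, the log lines and the DN values are constructed samples, and the users.xml layout is assumed to follow the file-based user/group provider's format (one `<user>` element with an `identity` attribute per user).

```python
"""Diagnose a NiFi -> NiFi Registry proxy-identity mismatch.

Added example (not from the thread or the NiFi project). It checks the DN that
NiFi presents against the identities in NiFi Registry's users.xml and scans
nifi-registry-app.log lines for the two authorization messages discussed above.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the Owner DN as keytool printed it in the thread,
# including the stray space after "CN=".
PRESENTED_DN = "CN= server_name.domain.net, OU=NIFI"

# Constructed users.xml fragment, modelled on the file-based user/group provider
# layout (one <user> element per identity). Assumption, not a real deployment file.
USERS_XML = """<tenants>
  <groups/>
  <users>
    <user identifier="u-1" identity="CN=server_name.domain.net, OU=NIFI"/>
    <user identifier="u-2" identity="CN=working_server.domain.net, OU=NIFI"/>
  </users>
</tenants>"""

# Constructed log lines in the format of the ProxyChainAuthorizable messages
# quoted in the thread; the second uses the "Untrusted proxy" message format.
LOG_LINES = [
    "2021-03-30 14:41:58,279 DEBUG [NiFi Registry Web Server-46] "
    "o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy "
    "[identity[CN=working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read",
    "2021-03-30 14:42:03,101 WARN [NiFi Registry Web Server-47] "
    "o.a.n.r.s.a.r.ProxyChainAuthorizable Untrusted proxy "
    "[CN= server_name.domain.net, OU=NIFI] for READ operation.",
]

AUTHORIZED_RE = re.compile(
    r"Authorizing proxy \[identity\[(?P<identity>[^\]]*)\], groups\[[^\]]*\]\] for (?P<op>\w+)")
UNTRUSTED_RE = re.compile(
    r"Untrusted proxy \[(?P<identity>[^\]]*)\] for (?P<op>\w+) operation\.")


def canonical_dn(dn):
    """Collapse whitespace and case so near-misses can be reported.

    NiFi Registry itself compares identities as exact, case- and
    whitespace-sensitive strings; this canonical form is only for reporting,
    never for granting access. Escaped commas are not handled (assumption:
    the DNs here contain none).
    """
    parts = []
    for rdn in dn.split(","):
        key, _, value = rdn.partition("=")
        parts.append(f"{key.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def registry_identities(users_xml):
    """Return the identity attribute of every <user> in a users.xml document."""
    root = ET.fromstring(users_xml)
    return [user.get("identity") for user in root.iter("user")]


def classify_identity(presented_dn, identities):
    """Return ("exact", identity), ("near", identity) or ("missing", None).

    "near" means a registry user differs from the presented DN only by
    whitespace or letter case, which is exactly the mismatch Registry rejects.
    """
    if presented_dn in identities:
        return ("exact", presented_dn)
    wanted = canonical_dn(presented_dn)
    for identity in identities:
        if canonical_dn(identity) == wanted:
            return ("near", identity)
    return ("missing", None)


def scan_log(lines):
    """Split proxy authorization log lines into accepted and rejected proxies."""
    authorized, untrusted = [], []
    for line in lines:
        m = AUTHORIZED_RE.search(line)
        if m:
            authorized.append((m.group("identity"), m.group("op")))
            continue
        m = UNTRUSTED_RE.search(line)
        if m:
            untrusted.append((m.group("identity"), m.group("op")))
    return {"authorized": authorized, "untrusted": untrusted}


def diagnose(presented_dn, users_xml, log_lines):
    """Combine both checks into a short list of findings for the operator."""
    findings = []
    status, match = classify_identity(presented_dn, registry_identities(users_xml))
    if status == "near":
        findings.append(f"registry user {match!r} differs from presented DN "
                        f"{presented_dn!r} only by whitespace/case")
    elif status == "missing":
        findings.append(f"no registry user for presented DN {presented_dn!r}")
    for identity, op in scan_log(log_lines)["untrusted"]:
        findings.append(f"registry rejected proxy {identity!r} for {op}: "
                        f"check that user's Proxy {op.lower()} policy")
    return findings


if __name__ == "__main__":
    for finding in diagnose(PRESENTED_DN, USERS_XML, LOG_LINES):
        print(finding)
```

On a real system the DN comes from `keytool -list -v` (the `Owner:` line) or from the `username='...'` field in the IdentityFilter debug lines, and the identities from the registry's users.xml; the canonical comparison only tells you where the strings differ, the fix is still to make the registry identity byte-for-byte equal to what the certificate presents.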
On Tue, Mar 30, 2021 at 1:54 PM Rosso, Roland <Ro...@adventhealth.com> wrote:
Bryan,
Tried the below:
“Also try adding the following NiFi Registry's logback.xml then see what is in the nifi-registry-app log when you make a request from NiFi to start version control:
<logger name="org.apache.nifi.registry.security" level="DEBUG"/>”

I tried to add a flow to version control or pull a new PG. Since we have 5 instances connected to that registry, hard to say which is doing what, but I can find all the instances in nifi-registry-app.log but not the one that’s not connecting right.
Anything specific you want me to look for in that log?

Thanks,
Roland Rosso

From: Rosso, Roland <Ro...@AdventHealth.com>
Sent: Tuesday, March 30, 2021 1:28 PM
To: users@nifi.apache.org
Subject: RE: [EXTERNAL] Re: NiFi Registry SSL question

So,
CN= server_name.domain.net, OU=NIFI

It decided to hyperlink it so the ‘_’ was hidden

Both sets of certs were generated with the toolkit, albeit the first one 2 years ago with self-signed certs, and I need to move it to corporate CA.

New Server Cert:
Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI  <-- exact match to entry above
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US  <-- corporate CA switch
This worked fine when we used the self-signed NiFi certs of the type:

Old Server Cert: (this was working but I need to use the above now)
Alias name: server_name-nifi-cert
Creation date: date
Entry type: trustedCertEntry
Owner: CN=server.domain.net, OU=NIFI
Issuer: CN=localhost, OU=NIFI

Thanks,
Roland Rosso

From: Bryan Bende <bb...@gmail.com>
Sent: Tuesday, March 30, 2021 1:14 PM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

Not sure if this is related, but in one part it shows the Owner as:

CN= server_name.domain.net, OU=NIFI

There is a space between "CN=" and "server_name", but the identity in NiFi Registry does not have a space there.

Also, in the second trustedCertEntry, the Owner is "CN=server.domain.net, OU=NIFI" and shows the issuer as localhost, so I assume this is the one that came from NiFi Toolkit.

If NiFi is presenting a cert with this DN then you would need a user in registry with the identity "CN=server.domain.net, OU=NIFI" which is different from "CN=server_domain.net, OU=NIFI"

On Tue, Mar 30, 2021 at 12:35 PM Rosso, Roland <Ro...@adventhealth.com> wrote:
Bryan, David,

[inline image omitted]
Where
In NiFi Registry Truststore:
Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI  <-- exact match to entry above
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US  <-- corporate CA switch
This worked fine when we used the self-signed NiFi certs of the type:

Alias name: server_name-nifi-cert
Creation date: date
Entry type: trustedCertEntry
Owner: CN=server.domain.net, OU=NIFI
Issuer: CN=localhost, OU=NIFI

Roland

From: Bryan Bende <bb...@gmail.com>
Sent: Tuesday, March 30, 2021 8:58 AM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

Since you aren't getting SSL errors and you are just getting no buckets, I don't think it is a problem with certificates. I think it is a problem with the authorization on the NiFi Registry side.

What version of NiFi Registry? And also, can you show what policies exist for the NiFi server user in NiFi Registry?

On Tue, Mar 30, 2021 at 8:12 AM Chris McKeever <cg...@gmail.com> wrote:
Hey Roland .. I ran into a bunch of issues with using the toolkit. I just couldn't get it to do what I needed, I wound up just running my own openssl and keytool commands. I found it much more straightforward and then I could know what all was going on. I'm sure after I got these scars, and I understood all the bits, that toolkit would work and be simpler, but I did find rolling my own, especially with the external CA, was easier.

Also, if you are on Slack, there is an active NiFi community there that may be helpful as well.

On Tue, Mar 30, 2021 at 6:17 AM Rosso, Roland <Ro...@adventhealth.com> wrote:
David,
Thanks for the debug config.
Here is the output when I try to connect to the registry from that new server and import a PG.
Since we have a few servers running, it is a very verbose log.
I may have missed the useful part of the log. 😊

2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut ... no IV derived for this protocol
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Handshake, length = 85
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: server finished[20]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client change_cipher_spec[-1]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client finished[20]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Change Cipher Spec, length = 1
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut *** Finished
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut verify_data:  { 20, 87, 186, 148, 90, 136, 108, 120, 14, 10, 42, 184 }
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut ***
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: finished[20]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client change_cipher_spec[-1]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client finished[20]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Handshake, length = 96
2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 Change Cipher Spec, length = 1
2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client finished[20]
2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 Handshake, length = 96
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut check handshake state: finished[20]
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: finished[20]
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut *** Finished
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut verify_data:  { 155, 211, 15, 169, 135, 208, 90, 115, 111, 50, 85, 164 }
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut ***
2021-03-30 06:57:50,226 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 926
2021-03-30 06:57:50,228 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1100
2021-03-30 06:57:50,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1018
2021-03-30 06:57:50,231 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1049
2021-03-30 06:57:50,233 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1010
2021-03-30 06:57:50,234 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 928
2021-03-30 06:57:50,236 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 924
2021-03-30 06:57:50,237 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
2021-03-30 06:57:50,239 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 919
2021-03-30 06:57:50,240 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1007
2021-03-30 06:57:50,241 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 999
2021-03-30 06:57:50,243 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 916
2021-03-30 06:57:50,245 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 996
2021-03-30 06:57:50,247 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1102
2021-03-30 06:57:50,248 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 942
2021-03-30 06:57:50,250 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
2021-03-30 06:57:50,251 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 919
2021-03-30 06:57:50,253 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 938
2021-03-30 06:57:50,254 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 942
2021-03-30 06:57:50,255 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 923
2021-03-30 06:57:50,256 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 944
2021-03-30 06:57:50,258 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 946
2021-03-30 06:57:50,259 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1006
2021-03-30 06:57:50,261 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 932
2021-03-30 06:57:50,263 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 912
2021-03-30 06:57:50,264 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 943
2021-03-30 06:57:50,266 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1026
2021-03-30 06:57:50,267 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 975
2021-03-30 06:57:50,269 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 915
2021-03-30 06:57:50,270 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 914
2021-03-30 06:57:50,271 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 931
2021-03-30 06:57:50,272 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 929
2021-03-30 06:57:50,274 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 910
2021-03-30 06:57:50,275 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
2021-03-30 06:57:50,276 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 911
2021-03-30 06:57:50,277 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 918
2021-03-30 06:57:50,279 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 927
2021-03-30 06:57:50,280 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 913
2021-03-30 06:57:50,281 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 923
2021-03-30 06:57:50,282 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 928
2021-03-30 06:57:50,284 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 937
2021-03-30 06:57:50,285 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1042
2021-03-30 06:57:50,286 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 939
2021-03-30 06:57:50,287 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 939
2021-03-30 06:57:50,289 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 922
2021-03-30 06:57:50,290 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 919
2021-03-30 06:57:50,291 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 930
2021-03-30 06:57:50,292 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 933
2021-03-30 06:57:50,293 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 930
2021-03-30 06:57:50,295 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 931
2021-03-30 06:57:50,296 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 922
2021-03-30 06:57:50,297 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 947
2021-03-30 06:57:50,298 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 905
2021-03-30 06:57:50,300 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1166
2021-03-30 06:57:50,301 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 914
2021-03-30 06:57:50,302 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 898
2021-03-30 06:57:50,303 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 908
2021-03-30 06:57:50,304 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 989
2021-03-30 06:57:50,306 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 911
2021-03-30 06:57:50,307 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, READ: TLSv1.2 Alert, length = 80
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, RECV TLSv1.2 ALERT:  warning, close_notify
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, closeInboundInternal()
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, closeOutboundInternal()
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, SEND TLSv1.2 ALERT:  warning, description = close_notify
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, WRITE: TLSv1.2 Alert, length = 80
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, called closeOutbound()
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, closeOutboundInternal()
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 Alert, length = 80
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, RECV TLSv1.2 ALERT:  warning, close_notify
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, closeInboundInternal()
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, closeOutboundInternal()
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, SEND TLSv1.2 ALERT:  warning, description = close_notify
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Alert, length = 80
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, called closeOutbound()
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, closeOutboundInternal()

Roland

From: David Handermann <ex...@gmail.com>
Sent: Monday, March 29, 2021 11:56 PM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

Hi Roland,

Thanks for the reply.  If you are not seeing any warnings or errors in the NiFi Registry logs, you could enable SSL debugging in the NiFi Registry bootstrap.conf.  Adding the following line to bootstrap.conf should enable SSL debug output to the nifi-registry-bootstrap.log:

java.arg.20=-Djavax.net.debug=ssl

This setting produces a lot of output, but if you watch the log after the initial application startup, you should be able to observe the TLS handshake when NiFi attempts to list buckets from NiFi Registry.  The log output should at least confirm that the certificate exchange is occurring as expected.

Regards,
David Handermann

On Mon, Mar 29, 2021 at 10:34 PM Rosso, Roland <Ro...@adventhealth.com> wrote:
Hi David,

I use the nifi-toolkit to create the keystore and truststore to make sure clientAuth and serverAuth is set properly.

This is a ‘working’ config.
Keystore:
Alias name: nifi-key
Creation date: date
Entry type: PrivateKeyEntry

Truststore:
Alias name: server_name-nifi-cert
Creation date: date
Entry type: trustedCertEntry

Owner: CN=server.domain.net, OU=NIFI
Issuer: CN=localhost, OU=NIFI

The issue with the new setup is using external CA, also created via the nifi-toolkit, new NiFi install working fine (from a SSL perspective), Registry connecting but can’t list buckets.

Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US

Thanks,
Roland

From: David Handermann <ex...@gmail.com>
Sent: Monday, March 29, 2021 9:27 PM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

Hi Roland,

Can you provide the commands you are using to create the server keystores?  Listing the keystore contents using "keytool -list -v -keystore <keystoreFile>" should include an Entry Type of "PrivateKeyEntry", so it would be helpful to confirm that the keystore includes a PrivateKeyEntry and not a TrustedCertEntry.

Regards,
David Handermann

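The keytool check David asks for above, as an added Python example that is not code from the thread or from the NiFi project: it parses `keytool -list -v` output into entries and reports a keystore that holds only a trustedCertEntry (no PrivateKeyEntry), or a truststore that holds a private key. Both listings are constructed samples in keytool's output format; the aliases and DNs are placeholders, not values from a real deployment.

```python
"""Parse `keytool -list -v` output and confirm a keystore holds a private key.

Added example (not from the thread or the NiFi project). The listings below are
constructed in the format keytool prints; aliases and DNs are placeholders.
"""
import re

# Constructed listing: a "keystore" that only holds the server certificate as a
# trustedCertEntry, which is the mistake check_store() is meant to catch.
SAMPLE_BAD_KEYSTORE_LISTING = """Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN=server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US
Serial number: 1
Valid from: Mon Mar 29 00:00:00 UTC 2021 until: Tue Mar 29 00:00:00 UTC 2022


*******************************************
*******************************************
"""

# Constructed listing of a correctly built keystore: one PrivateKeyEntry whose
# chain is the server certificate followed by the issuing CA.
SAMPLE_GOOD_KEYSTORE_LISTING = """Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: nifi-key
Creation date: Mar 29, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US
Certificate[2]:
Owner: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US
"""

# The only keytool fields this check needs; everything else is skipped.
FIELD_RE = re.compile(r"^(Alias name|Entry type|Owner|Issuer): (.*)$")


def parse_keytool_listing(text):
    """Return one dict per entry: alias, entry_type, owner, issuer.

    owner/issuer are taken from the first certificate after the alias, which
    for a PrivateKeyEntry is the leaf (Certificate[1]), not the CA.
    """
    entries = []
    current = None
    for raw in text.splitlines():
        m = FIELD_RE.match(raw.strip())
        if not m:
            continue
        field, value = m.group(1), m.group(2).strip()
        if field == "Alias name":
            current = {"alias": value, "entry_type": None, "owner": None, "issuer": None}
            entries.append(current)
        elif current is None:
            continue
        elif field == "Entry type":
            current["entry_type"] = value
        elif field == "Owner" and current["owner"] is None:
            current["owner"] = value
        elif field == "Issuer" and current["issuer"] is None:
            current["issuer"] = value
    return entries


def check_store(entries, role):
    """Return findings for a NiFi keystore (role="keystore") or truststore ("truststore")."""
    findings = []
    private = [e for e in entries if e["entry_type"] == "PrivateKeyEntry"]
    trusted = [e for e in entries if e["entry_type"] == "trustedCertEntry"]
    if role == "keystore":
        if not private:
            findings.append("keystore has no PrivateKeyEntry: the server holds no key "
                            "for any certificate and cannot complete a TLS handshake as itself")
        elif len(private) > 1:
            findings.append(f"keystore has {len(private)} PrivateKeyEntry aliases; NiFi expects one")
    elif role == "truststore":
        if not trusted:
            findings.append("truststore holds no trustedCertEntry")
        if private:
            findings.append("truststore holds a private key; it should contain only trusted certificates")
    else:
        raise ValueError(f"unknown role {role!r}")
    return findings


if __name__ == "__main__":
    for name, listing in (("bad", SAMPLE_BAD_KEYSTORE_LISTING),
                          ("good", SAMPLE_GOOD_KEYSTORE_LISTING)):
        entries = parse_keytool_listing(listing)
        print(name, [(e["alias"], e["entry_type"]) for e in entries],
              check_store(entries, "keystore"))
```

Feed it the saved output of `keytool -list -v -keystore <file>` for each store; the leaf `owner` it extracts from the PrivateKeyEntry is also the DN string that has to be registered, character for character, as the server user in NiFi Registry.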
On Mon, Mar 29, 2021 at 5:49 PM Rosso, Roland <Ro...@adventhealth.com> wrote:
I've tried this one more time (NiFi 1.12.1 to Registry 0.6.0). Re-signed/re-imported the certs.

The new "server" cert is of the type:

Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US

[blah]

I am adding the "server user" 'CN= server_name.domain.net, OU=NIFI' to the registry with all the grants. I don't see any errors in the logs but still cannot properly link it to the existing buckets. Should I add the "server user" in a different manner since the cert issuer is not 'Issuer: CN=localhost, OU=NIFI'?
The other servers' certs that are signed with 'Issuer: CN=localhost, OU=NIFI' work just fine (NiFi 1.9.2 to Registry 0.6.0).
Is there a way to increase the logs as well?

Many thanks,
Roland

-----Original Message-----
From: Rosso, Roland <Ro...@AdventHealth.com>
Sent: Thursday, March 25, 2021 2:21 PM
To: users@nifi.apache.org
Subject: RE: [EXTERNAL] Re: NiFi Registry SSL question

Thank you Bryan,
I've tried all combinations I could think of.
I'll re-sign all the certs with the same key for nifi and registry and try this again.

Thanks,
Roland

-----Original Message-----
From: Bryan Bende <bb...@gmail.com>
Sent: Tuesday, March 23, 2021 3:48 PM
To: users@nifi.apache.org
Subject: [EXTERNAL] Re: NiFi Registry SSL question

I think the issue might be related to the "server user" in nifi registry. I would double check that the way the identity was entered in registry exactly matches the identity from nifi's certificate, case-sensitive and white-space sensitive. Also make sure this user in registry is granted all of the Proxy permissions; it is broken out into three different actions now (read, write, delete).

On Tue, Mar 23, 2021 at 9:28 AM Rosso, Roland <Ro...@adventhealth.com> wrote:
>
> Hi all,
>
> I am moving things around and moving from self-signed certs to corporate certs.
>
> I’ve installed nifi 1.12 with a new truststore and keystore (use toolkit with external certs) and that seems fine.
>
> I added the cert from the registry server (old self signed) into the new nifi 1.12 truststore and the new server cert (signed with corporate CA) into the nifi registry truststore (again, self signed).
>
> I also added the server ‘user’ CN=server.domain, OU=NIFI into the registry and made the permission grants (proxy, buckets). I don’t get any SSL errors in the logs but cannot add a PG via registry (no available bucket).
>
> Is this setup possible and am I missing something, or do all NiFi nodes and registry need to be signed with the same key? The idea was to setup a new instance (on new server), pull all PGs via registry into the new and retiring the old.
>
>
>
> Thanks,
>
> Roland
>
>
>
>
>
> This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or may constitute as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, notify us immediately by telephone and (i) destroy this message if a facsimile or (ii) delete this message immediately if this is an electronic communication. Thank you.
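As an added example (not code from anyone in this thread), a small Python script that performs the two checks raised in the discussion: whether the "server user" identity entered in Registry matches the certificate Owner DN exactly (case- and whitespace-sensitive, including a stray space after `CN=`), and whether Certificate[1] in a `keytool -list -v` keystore listing carries the clientAuth extended key usage, which Bryan later identifies as the usual reason Registry sees no client certificate. The embedded listing is a constructed sample modelled on the ones posted in this thread, with serials, fingerprints and dates left out.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample of `keytool -list -v -keystore keystore.jks` output, modelled
# on the listings posted in this thread (serials, fingerprints, dates left out).
SAMPLE_LISTING = """\
Alias name: nifi-key
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG, O=ORG_NAME, L=CITY, ST=FL, C=US
Extensions:
#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  clientAuth
  serverAuth
]
Certificate[2]:
Owner: CN=nifi_ca.domain.net, OU=ORG, O=ORG_NAME, L=CITY, ST=FL, C=US
Issuer: CN=ORG Sub-CA, DC=domain, DC=net
Extensions:
#4: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]
"""


@dataclass
class CertInfo:
    owner: str = ""
    issuer: str = ""
    eku: List[str] = field(default_factory=list)  # ExtendedKeyUsages names


def parse_keytool_listing(text: str) -> List[CertInfo]:
    """Collect Owner, Issuer and ExtendedKeyUsages for each certificate. A new
    certificate starts at 'Certificate[n]:' (PrivateKeyEntry chains) or at
    'Entry type: trustedCertEntry' (truststore entries)."""
    certs: List[CertInfo] = []
    current: Optional[CertInfo] = None
    in_eku = False
    for raw in text.splitlines():
        line = raw.strip()  # outer whitespace only; a space after "CN=" survives
        if re.fullmatch(r"Certificate\[\d+\]:", line) or line == "Entry type: trustedCertEntry":
            current = CertInfo()
            certs.append(current)
            in_eku = False
        elif current is None:
            continue
        elif line.startswith("Owner: "):
            current.owner = line[len("Owner: "):]
        elif line.startswith("Issuer: "):
            current.issuer = line[len("Issuer: "):]
        elif line.startswith("ExtendedKeyUsages ["):
            in_eku = True
        elif in_eku:
            if line == "]":
                in_eku = False
            elif line:
                current.eku.append(line)
    return certs


def leaf_has_client_auth(certs: List[CertInfo]) -> bool:
    """Bryan's diagnosis: without clientAuth on the leaf (Certificate[1]) NiFi
    presents no client certificate, Registry logs 'No client certificate found
    in request' and treats the caller as anonymous, so no buckets are listed."""
    return bool(certs) and "clientAuth" in certs[0].eku


def identity_mismatch(registry_identity: str, cert_owner: str) -> Optional[str]:
    """Registry compares the entered user identity with the certificate DN
    exactly. Returns None on a match, else 'case', 'whitespace' or 'text'."""
    if registry_identity == cert_owner:
        return None
    if registry_identity.lower() == cert_owner.lower():
        return "case"
    if "".join(registry_identity.split()) == "".join(cert_owner.split()):
        return "whitespace"
    return "text"


def diagnose(listing: str, registry_identity: str) -> List[str]:
    """Run both checks over a keystore listing; an empty list means all good."""
    certs = parse_keytool_listing(listing)
    if not certs:
        return ["no certificate entries found in listing"]
    findings = []
    if not leaf_has_client_auth(certs):
        findings.append("leaf certificate lacks clientAuth EKU; NiFi sends no client cert")
    kind = identity_mismatch(registry_identity, certs[0].owner)
    if kind is not None:
        findings.append(f"registry identity {registry_identity!r} != Owner {certs[0].owner!r} ({kind})")
    return findings
```

Run `diagnose()` over the real `keytool -list -v` output of the NiFi keystore and the exact identity string entered in Registry; the trustedCertEntry listings shown elsewhere in this thread parse the same way.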

Re: [EXTERNAL] Re: NiFi Registry SSL question

Posted by Chris McKeever <cg...@gmail.com>.
did you add the external ca to the truststore of the registry?

On Wed, Mar 31, 2021 at 8:12 PM Rosso, Roland <Ro...@adventhealth.com>
wrote:

> Thanks Nathan. Very nice visual!
>
>
>
> I tested some more today with External CA vs self-signed:
>
>    1. NiFi Node self signed to Registry self signed: works fine, all
>    self-signed at different dates, but all using ‘localhost’
>    2. NiFI Node External CA signed to Registry External CA signed: works
>    fine, using same nifi-key created via External CA
>    3. NiFi Node External CA signed to Registry self signed: no available
>    buckets
>
>
>
> For 3., ideally this would work so it doesn’t force me to re-sign with
> External CA all of the nodes running in a separate cluster but connecting
> to the same registry, and allow for a good upgrade path…. But, can’t get
> that one to work.
>
>
>
> Thanks to all who helped and advised!
>
> Roland
>
>
>
>
>
> *From:* Nathan Gough <th...@gmail.com>
> *Sent:* Wednesday, March 31, 2021 6:59 PM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> Hi Roland,
>
>
>
> I believe I have captured the relevant information in this diagram:
>
>
> https://drive.google.com/file/d/1KMGc7IMLTgJadooZ05H8grg7F6v0iLZ4/view?usp=sharing
>
>
>
> If you have set up your configuration as in the diagram and are still
> having issues, I can perhaps add more detail about what certificate
> attributes are required where.
>
>
>
> The key part for configuring Registry is that the initial Registry admin
> will have all accesses, and the individual NiFi node/s will need to be
> added and given "Can proxy user requests", in order to be able to see
> buckets.
>
>
>
> Nathan
>
>
>
> On Tue, Mar 30, 2021 at 5:03 PM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> Thanks again Bryan. It needs to be built into the .pem key.
>
> Unfortunately, our time self-signing certs is coming to an end.
>
>
>
> *Roland *
>
>
>
> *From:* Bryan Bende <bb...@gmail.com>
> *Sent:* Tuesday, March 30, 2021 4:24 PM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> I'm not familiar with using toolkit with an external CA (if that is what's
> being done), but I regularly use localhost certs from the toolkit generated
> with a command like:
>
>
>
> ./bin/tls-toolkit.sh standalone -n 'localhost'
>
>
>
> These work fine for me.
>
>
>
>
>
> On Tue, Mar 30, 2021 at 3:47 PM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> I did check this when I created the NiFi keystore using the toolkit but
> missed it on the second part of the cert. Certificate[2]:
>
> I’ll try the toolkit again or is it an issue with the corporate keys that
> were issued?
>
>
>
> >keytool -list -v -keystore keystore.jks
>
> Enter keystore password:
>
> Keystore type: jks
>
> Keystore provider: SUN
>
>
>
> Your keystore contains 1 entry
>
>
>
> Alias name: nifi-key
>
> Creation date: Mar 18, 2021
>
> Entry type: PrivateKeyEntry
>
> Certificate chain length: 2
>
> Certificate[1]:
>
> Owner: CN=server_name.domain.net, OU=NIFI
>
> Issuer: CN=nifi_ca.domain.net, OU=ORG, O=ORG_NAME, L=CITY, ST=FL, C=US
>
> Serial number: blah
>
> Valid from: Thu Mar 18 10:28:03 EDT 2021 until: Wed Jun 21 10:28:03 EDT
> 2023
>
> Certificate fingerprints:
>
>          MD5:  59:
>
>          SHA1: F2:
>
>          SHA256: 41:
>
> Signature algorithm name: SHA256withRSA
>
> Subject Public Key Algorithm: 2048-bit RSA key
>
> Version: 3
>
>
>
> Extensions:
>
>
>
> #1: ObjectId: 2.5.29.35 Criticality=false
>
> AuthorityKeyIdentifier [
>
> KeyIdentifier [
>
> 0000: 48
>
> 0010: 4C
>
> ]
>
> ]
>
>
>
> #2: ObjectId: 2.5.29.19 Criticality=false
>
> BasicConstraints:[
>
>   CA:false
>
>   PathLen: undefined
>
> ]
>
>
>
> #3: ObjectId: 2.5.29.37 Criticality=false
>
> ExtendedKeyUsages [
>
>   clientAuth
>
>   serverAuth
>
> ]
>
>
>
> However, comparing it to the self signed ‘old’ cert, I do it in the second
> part of the keystore.
>
>
>
> Certificate[2]:
>
> Owner: CN=localhost, OU=NIFI
>
> Issuer: CN=localhost, OU=NIFI
>
> Serial number: blah
>
> Valid from: Fri Aug 03 11:10:13 EDT 2018 until: Mon Aug 02 11:10:13 EDT
> 2021
>
> Certificate fingerprints:
>
>          MD5:  3F
>
>          SHA1: B7
>
>          SHA256: 42:
>
> Signature algorithm name: SHA256withRSA
>
> Subject Public Key Algorithm: 2048-bit RSA key
>
> Version: 3
>
>
>
> Extensions:
>
>
>
> #1: ObjectId: 2.5.29.35 Criticality=false
>
> AuthorityKeyIdentifier [
>
> KeyIdentifier [
>
> 0000: 97
>
> 0010: 8E
>
> ]
>
> ]
>
>
>
> #2: ObjectId: 2.5.29.19 Criticality=false
>
> BasicConstraints:[
>
>   CA:true
>
>   PathLen:2147483647
>
> ]
>
>
>
> #3: ObjectId: 2.5.29.37 Criticality=false
>
> ExtendedKeyUsages [
>
>   clientAuth
>
>   serverAuth
>
> ]
>
>
>
> #4: ObjectId: 2.5.29.15 Criticality=true
>
> KeyUsage [
>
>   DigitalSignature
>
>   Non_repudiation
>
>   Key_Encipherment
>
>   Data_Encipherment
>
>   Key_Agreement
>
>   Key_CertSign
>
>   Crl_Sign
>
> ]
>
>
>
> #5: ObjectId: 2.5.29.14 Criticality=false
>
> SubjectKeyIdentifier [
>
> KeyIdentifier [
>
> 0000: 97
>
> 0010: 8E
>
> ]
>
> ]
>
>
>
> In the new keystore.jks created with toolkit 1.12.1:
>
>
>
> Certificate[2]:
>
> Owner: CN=nifi_ca.domain.net, OU=ORG, O=ORG_NAME, L=CITY, ST=FL, C=US
>
> Issuer: CN=ORG Sub-CA, DC=domain, DC=net
>
> Serial number: blah
>
> Valid from: Wed Mar 17 13:27:07 EDT 2021 until: Mon Mar 16 13:27:07 EDT
> 2026
>
> Certificate fingerprints:
>
>          MD5:  8A
>
>          SHA1: C9
>
>          SHA256: 17
>
> Signature algorithm name: SHA256withRSA
>
> Subject Public Key Algorithm: 2048-bit RSA key
>
> Version: 3
>
>
>
> Extensions:
>
>
>
> #1: ObjectId: 1.3.6.1.4.1.311.21.7 Criticality=false
>
> 0000: 30
>
> 0010: 1E
>
> 0020: 29
>
>
>
>
>
> #2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
>
> AuthorityInfoAccess [
>
>   [
>
>    accessMethod: caIssuers
>
>    accessLocation: URIName: ldap:
>
> ,
>
>    accessMethod: caIssuers
>
>    accessLocation: URIName:
>
> ]
>
> ]
>
> MISSING HERE
>
> #3: ObjectId: 2.5.29.35 Criticality=false
>
> AuthorityKeyIdentifier [
>
> KeyIdentifier [
>
> 0000: C5
>
> 0010: 4E
>
> ]
>
> ]
>
>
>
> #4: ObjectId: 2.5.29.19 Criticality=true
>
> BasicConstraints:[
>
>   CA:true
>
>   PathLen:0
>
> ]
>
>
>
> #5: ObjectId: 2.5.29.31 Criticality=false
>
> CRLDistributionPoints [
>
>   [DistributionPoint:
>
>      [URIName: ldap:
>
> ]]
>
>
>
> #6: ObjectId: 2.5.29.15 Criticality=false
>
> KeyUsage [
>
>   DigitalSignature
>
>   Key_CertSign
>
>   Crl_Sign
>
> ]
>
>
>
> #7: ObjectId: 2.5.29.17 Criticality=false
>
> SubjectAlternativeName [
>
>   DNSName: nifi_ca.domain.net
>
> ]
>
>
>
> #8: ObjectId: 2.5.29.14 Criticality=false
>
> SubjectKeyIdentifier [
>
> KeyIdentifier [
>
> 0000: 48
>
> 0010: 4C
>
> ]
>
> ]
>
>
>
> *From:* Bryan Bende <bb...@gmail.com>
> *Sent:* Tuesday, March 30, 2021 3:15 PM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> The important lines are most likely:
>
>
>
> 2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using
> X509IdentityProvider
>
> 2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.x.X509CertificateExtractor No client certificate found in
> request.
>
>
>
> Essentially there is no certificate being sent from NiFi -> NiFi Registry,
> and as a result, registry is treating you as an anonymous user and seeing
> if there are any public buckets to access, and there aren't, so you see an
> empty list.
>
>
>
> This usually happens when the certificate in NiFi's keystore does not have
> the clientAuth extended usage, you can see this by performing a keytool
> listing of NiFI's keystore JKS and looking for:
>
> ExtendedKeyUsages [
>   serverAuth
>   clientAuth
> ]
>
> If you don't see clientAuth in there then that is the problem.
>
>
>
>
>
> On Tue, Mar 30, 2021 at 2:49 PM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> Bryan,
>
> I can’t seem to find those keywords anywhere following a request made by
> the ‘new’ server
>
> This seems to follow an immediate request by this new server:
>
>
>
> 2021-03-30 14:34:54,666 DEBUG [Listen to Bootstrap]
> o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests
>
> 2021-03-30 14:34:56,667 DEBUG [Listen to Bootstrap]
> o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests
>
> 2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using
> X509IdentityProvider
>
> 2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.x.X509CertificateExtractor No client certificate found in
> request.
>
> 2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using
> JwtIdentityProvider
>
> 2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.BearerAuthIdentityProvider HTTP Bearer Auth credentials not
> present. Not attempting to extract credentials for authentication.
>
> 2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.AnonymousIdentityFilter Populated SecurityContextHolder with
> anonymous token: 'anonymous'
>
> 2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.ResourceAuthorizationFilter Request filter authorization
> check is not required for this HTTP Method on this resource. Allowing
> request to proceed. An additional authorization check might be performed
> downstream of this filter.
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/01b4dd78-fb1a-4910-916e-879ad3ee34c1
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/01b4dd78-fb1a-4910-916e-879ad3ee34c1
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/01b4dd78-fb1a-4910-916e-879ad3ee34c1
>
> [more of those]
>
> 2021-03-30 14:34:57,798 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/15d2d1e0-09ba-4373-a000-ea4a1eca3b66
>
> 2021-03-30 14:34:57,798 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/15d2d1e0-09ba-4373-a000-ea4a1eca3b66
>
> 2021-03-30 14:34:57,798 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/15d2d1e0-09ba-4373-a000-ea4a1eca3b66
>
> 2021-03-30 14:34:58,669 DEBUG [Listen to Bootstrap]
> o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests
>
>
>
> Following an immediate request by a working ‘old’ server (still NiFi
> 1.9.2, using self signed certs):
>
>
>
> 2021-03-30 14:41:57,057 DEBUG [Listen to Bootstrap]
> o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests
>
> 2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using
> X509IdentityProvider
>
> 2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.IdentityFilter Adding credentials claim to SecurityContext to
> be authenticated. Credentials extracted by X509IdentityProvider:
> AuthenticationRequest{username='CN=working_server.domain.net, OU=NIFI',
> credentials=[PROTECTED],
> details=org.apache.nifi.registry.web.security.authentication.x509.X509AuthenticationRequestDetails@7abb2a74
> }
>
> 2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.IdentityFilter Credentials already extracted for
> [org.apache.nifi.registry.web.security.authentication.AuthenticationRequestToken$1@6c118a5e],
> skipping credentials extraction filter using JwtIdentityProvider
>
> 2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.AnonymousIdentityFilter SecurityContextHolder not populated
> with anonymous token, as it already contained:
> 'AuthenticationRequest{username='CN=working_server.domain.net, OU=NIFI',
> credentials=[PROTECTED],
> details=org.apache.nifi.registry.web.security.authentication.x509.X509AuthenticationRequestDetails@7abb2a74
> }'
>
> 2021-03-30 14:41:58,278 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.ResourceAuthorizationFilter Request filter authorization
> check is not required for this HTTP Method on this resource. Allowing
> request to proceed. An additional authorization check might be performed
> downstream of this filter.
>
> 2021-03-30 14:41:58,279 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets
>
> 2021-03-30 14:41:58,279 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=
> working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=
> working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=
> working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=
> working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=
> working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=
> working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/01b4dd78-fb1a-4910-916e-879ad3ee34c1
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=
> working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
>
>
>
>
>
> *Roland Rosso*
> AdventHealth
> Big Data Administrator | Corporate Analytics
> O: 407-805-8532
>
>
>
> *From:* Bryan Bende <bb...@gmail.com>
> *Sent:* Tuesday, March 30, 2021 2:09 PM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> If the issue is related to the server user, then there would be something
> like this:
>
>
>
> "Untrusted proxy [%s] for %s operation."
>
>
>
> Where the first parameter would be the identity of the nifi server and the
> second parameter would be READ/WRITE/DELETE.
>
>
>
> Also search for whatever user identity you are using in nifi since that
> will be sent as a proxied entity.
>
>
>
> On Tue, Mar 30, 2021 at 1:54 PM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> Bryan,
>
> Tried the below:
>
> “Also try adding the following NiFi Registry's logback.xml then see what
> is in the nifi-registry-app log when you make a request from NiFi to start
> version control:
>
> <logger name="org.apache.nifi.registry.security" level="DEBUG"/>”
>
>
>
> I tried to add a flow to version control or pull a new PG. Since we have 5
> instances connected to that registry, hard to say which is doing what, but
> I can find all the instances in nifi-registry-app.log but not the one
> that’s not connecting right.
>
> Anything specific you want me to look for in that log?
>
>
>
> Thanks,
>
> *Roland Rosso*
> AdventHealth
> Big Data Administrator | Corporate Analytics
> O: 407-805-8532
>
>
>
> *From:* Rosso, Roland <Ro...@AdventHealth.com>
> *Sent:* Tuesday, March 30, 2021 1:28 PM
> *To:* users@nifi.apache.org
> *Subject:* RE: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> So,
>
> CN= server_name.domain.net, OU=NIFI
>
>
>
> It decided to hyperlink it so the ‘_’ was hidden
>
>
>
> Both sets of certs were generated with the toolkit, albeit the first one 2
> years ago with self-signed certs, and I need to move it to corporate CA.
>
>
>
> *New Server Cert:*
>
> Alias name: server_name-nifi-cert
>
> Creation date: Mar 29, 2021
>
> Entry type: trustedCertEntry
>
>
>
> Owner: CN= server_name.domain.net, OU=NIFI  *<-- exact match to entry above*
>
> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION,
> ST=XX, C=US <-- corporate CA switch
>
> This worked fine when we used the self-signed NiFi certs of the type:
>
>
>
> *Old Server Cert: (this was working but I need to use the above now)*
>
> Alias name: server_name-nifi-cert
>
> Creation date: date
>
> Entry type: trustedCertEntry
>
> Owner: CN=server.domain.net, OU=NIFI
>
> Issuer: CN=localhost, OU=NIFI
>
>
>
> Thanks,
>
> *Roland Rosso*
> AdventHealth
> Big Data Administrator | Corporate Analytics
> O: 407-805-8532
>
>
>
> *From:* Bryan Bende <bb...@gmail.com>
> *Sent:* Tuesday, March 30, 2021 1:14 PM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> Not sure if this is related, but in one part it shows the Owner as:
>
>
>
> CN= server_name.domain.net, OU=NIFI
>
>
>
> There is a space between "CN=" and "server_name", but the identity in NiFi
> Registry does not have a space there.
>
>
>
> Also, in the second trustedCertEntry, the Owner is "CN=server.domain.net,
> OU=NIFI" and shows the issuer as localhost, so I assume this is the one
> that came from NiFI Toolkit.
>
>
>
> If NiFi is presenting a cert with this DN then you would need a user in
> registry with the identity "CN=server.domain.net, OU=NIFI" which is
> different from "CN=server_domain.net, OU=NIFI"
>
>
>
> On Tue, Mar 30, 2021 at 12:35 PM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> Bryan, David,
>
>
>
> Where
>
> In NiFi Registry Truststore:
>
> Alias name: server_name-nifi-cert
> Creation date: Mar 29, 2021
> Entry type: trustedCertEntry
>
> Owner: CN= server_name.domain.net, OU=NIFI  <- exact match to entry above
> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION,
> ST=XX, C=US <- corporate CA switch
>
> This worked fine when we used the self-signed NiFi certs of the type:
>
>
>
> Alias name: server_name-nifi-cert
>
> Creation date: date
>
> Entry type: trustedCertEntry
>
> Owner: CN=server.domain.net, OU=NIFI
>
> Issuer: CN=localhost, OU=NIFI
>
>
>
> *Roland *
>
>
>
> *From:* Bryan Bende <bb...@gmail.com>
> *Sent:* Tuesday, March 30, 2021 8:58 AM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> Since you aren't getting SSL errors and you are just getting no buckets, I
> don't think it is a problem with certificates. I think it is a problem with
> the authorization on NiFi Registry side.
>
>
>
> What version of NiFi Registry? and also, can you show what policies exist
> for the NiFi server user in NiFi Registry?
>
>
>
> On Tue, Mar 30, 2021 at 8:12 AM Chris McKeever <cg...@gmail.com>
> wrote:
>
> Hey Roland .. I ran into a bunch of issues with using the toolkit. I just
> couldn't get it to do what I needed, so I wound up just running my own openssl
> and keytool commands. I found it much more straightforward and then I could
> know what all was going on. I'm sure after I got these scars, and I
> understood all the bits, that toolkit would work and be simpler, but I did
> find rolling my own, especially with the external CA, was easier.
>
>
>
> also - if you are on slack, there is an active nifi community there that
> may be helpful as well ..
>
>
>
> On Tue, Mar 30, 2021 at 6:17 AM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> David,
>
> Thanks for the debug config.
>
> Here is the output when I try to connect to the registry from that new
> server and import a PG.
>
> Since we have a few servers running, it is a very verbose log.
>
> I may have missed the useful part of the log. 😊
>
>
>
>
> *Roland *
>
>
>
> *From:* David Handermann <ex...@gmail.com>
> *Sent:* Monday, March 29, 2021 11:56 PM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> Hi Roland,
>
>
>
> Thanks for the reply.  If you are not seeing any warnings or errors in the
> NiFi Registry logs, you could enable SSL debugging in the NiFi Registry
> bootstrap.conf.  Adding the following line to bootstrap.conf should enable
> SSL debug output to the nifi-registry-bootstrap.log:
>
>
>
> java.arg.20=-Djavax.net.debug=ssl
>
>
>
> This setting produces a lot of output, but if you watch the log after the
> initial application startup, you should be able to observe the TLS
> handshake when NiFi attempts to list buckets from NiFi Registry.  The log
> output should at least confirm that the certificate exchange is occurring
> as expected.
>
>
>
> Regards,
>
> David Handermann
>
>
>
> On Mon, Mar 29, 2021 at 10:34 PM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> Hi David,
>
>
>
> I use the nifi-toolkit to create the keystore and truststore to make sure
> clientAuth and serverAuth are set properly.
>
>
>
> This is a ‘working’ config.
>
> Keystore:
>
> Alias name: nifi-key
>
> Creation date: date
>
> Entry type: PrivateKeyEntry
>
>
>
> Truststore:
>
> Alias name: server_name-nifi-cert
>
> Creation date: date
>
> Entry type: trustedCertEntry
>
>
>
> Owner: CN=server.domain.net, OU=NIFI
>
> Issuer: CN=localhost, OU=NIFI
>
>
>
> The issue is with the new setup using an external CA, also created via the
> nifi-toolkit: the new NiFi install is working fine (from an SSL perspective),
> and it connects to Registry but can’t list buckets.
>
>
>
> Alias name: server_name-nifi-cert
> Creation date: Mar 29, 2021
> Entry type: trustedCertEntry
>
> Owner: CN= server_name.domain.net, OU=NIFI
> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION,
> ST=XX, C=US
>
>
>
> Thanks,
> Roland
>
>
>
> *From:* David Handermann <ex...@gmail.com>
> *Sent:* Monday, March 29, 2021 9:27 PM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> Hi Roland,
>
>
>
> Can you provide the commands you are using to create the server
> keystores?  Listing the keystore contents using "keytool -list -v -keystore
> <keystoreFile>" should include an Entry Type of "PrivateKeyEntry", so it
> would be helpful to confirm that the keystore includes a PrivateKeyEntry
> and not a TrustedCertEntry.
>
>
>
> Regards,
>
> David Handermann
>
>
>
> On Mon, Mar 29, 2021 at 5:49 PM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> I've tried this one more time (Nifi 1.12.1 to Registry 0.6.0).
> Re-signed/Re-imported the certs.
>
> The new "server" cert is of the type:
>
> Alias name: server_name-nifi-cert
> Creation date: Mar 29, 2021
> Entry type: trustedCertEntry
>
> Owner: CN= server_name.domain.net, OU=NIFI
> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION,
> ST=XX, C=US
>
> [blah]
>
> I am adding the "server user" 'CN= server_name.domain.net, OU=NIFI' to
> the registry with all the grants. I don't see any errors in the logs but
> still cannot properly link it to the existing buckets. Should I add the
> "server user" in a different manner since the cert issuer is not 'Issuer:
> CN=localhost, OU=NIFI'?
> The other servers' certs that are signed with 'Issuer: CN=localhost,
> OU=NIFI' work just fine (Nifi 1.9.2 to Registry 0.6.0).
> Is there a way to increase the logs as well?
>
> Many thanks,
> Roland
>
> -----Original Message-----
> From: Rosso, Roland <Ro...@AdventHealth.com>
> Sent: Thursday, March 25, 2021 2:21 PM
> To: users@nifi.apache.org
> Subject: RE: [EXTERNAL] Re: NiFi Registry SSL question
>
> Thank you Bryan,
> I've tried all combinations I could think of.
> I'll re-sign all the certs with the same key for nifi and registry and try
> this again.
>
> Thanks,
> Roland
>
> -----Original Message-----
> From: Bryan Bende <bb...@gmail.com>
> Sent: Tuesday, March 23, 2021 3:48 PM
> To: users@nifi.apache.org
> Subject: [EXTERNAL] Re: NiFi Registry SSL question
>
> I think the issue might be related to the "server user" in nifi registry.
> I would double check that the way the identity was entered in registry
> exactly matches the identity from nifi's certificate, case-sensitive and
> white-space sensitive. Also make sure this user in registry is granted all
> of the Proxy permissions; it is broken out into three different actions now
> (read, write, delete).
>
> On Tue, Mar 23, 2021 at 9:28 AM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
> >
> > Hi all,
> >
> > I am moving things around and moving from self-signed certs to corporate
> certs.
> >
> > I’ve installed nifi 1.12 with a new truststore and keystore (use toolkit
> with external certs) and that seems fine.
> >
> > I added the cert from the registry server (old self signed) into the new
> nifi 1.12 truststore and the new server cert (signed with corporate CA)
> into the nifi registry truststore (again, self signed).
> >
> > I also added the server ‘user’ CN=server.domain, OU=NIFI into the
> registry and made the permission grants (proxy, buckets). I don’t get any
> SSL errors in the logs but cannot add a PG via registry (no available
> bucket).
> >
> > Is this setup possible and am I missing something, or do all NiFi nodes
> and registry need to be signed with the same key? The idea was to setup a
> new instance (on new server), pull all PGs via registry into the new and
> retiring the old.
> >
> >
> >
> > Thanks,
> >
> > Roland
> >
> >
> >
> >
> >
> > This message (including any attachments) is intended only for the use of
> the individual or entity to which it is addressed and may contain
> information that is non-public, proprietary, privileged, confidential, and
> exempt from disclosure under applicable law or may constitute as attorney
> work product. If you are not the intended recipient, you are hereby
> notified that any use, dissemination, distribution, or copying of this
> communication is strictly prohibited. If you have received this
> communication in error, notify us immediately by telephone and (i) destroy
> this message if a facsimile or (ii) delete this message immediately if this
> is an electronic communication. Thank you.
>

RE: [EXTERNAL] Re: NiFi Registry SSL question

Posted by "Rosso, Roland" <Ro...@AdventHealth.com>.
Thanks Nathan. Very nice visual!

I tested some more today with External CA vs self-signed:

  1.  NiFi Node self signed to Registry self signed: works fine, all self-signed at different dates, but all using ‘localhost’
  2.  NiFi Node External CA signed to Registry External CA signed: works fine, using same nifi-key created via External CA
  3.  NiFi Node External CA signed to Registry self signed: no available buckets


For 3., ideally this would work so it doesn’t force me to re-sign with External CA all of the nodes running in a separate cluster but connecting to the same registry, and allow for a good upgrade path…. But, can’t get that one to work.

Thanks to all who helped and advised!
Roland


From: Nathan Gough <th...@gmail.com>
Sent: Wednesday, March 31, 2021 6:59 PM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

Hi Roland,

I believe I have captured the relevant information in this diagram:

https://drive.google.com/file/d/1KMGc7IMLTgJadooZ05H8grg7F6v0iLZ4/view?usp=sharing

If you have set up your configuration as in the diagram and are still having issues, I can perhaps add more detail about what certificate attributes are required where.

The key part for configuring Registry is that the initial Registry admin will have all accesses, and the individual NiFi node/s will need to be added and given "Can proxy user requests", in order to be able to see buckets.

Nathan

On Tue, Mar 30, 2021 at 5:03 PM Rosso, Roland <Ro...@adventhealth.com> wrote:
Thanks again Bryan. It needs to be built into the .pem key.
Unfortunately, our time self-signing certs is coming to an end.

Roland

From: Bryan Bende <bb...@gmail.com>
Sent: Tuesday, March 30, 2021 4:24 PM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

I'm not familiar with using toolkit with an external CA (if that is what's being done), but I regularly use localhost certs from the toolkit generated with a command like:

./bin/tls-toolkit.sh standalone -n 'localhost'

These work fine for me.


On Tue, Mar 30, 2021 at 3:47 PM Rosso, Roland <Ro...@adventhealth.com> wrote:
I did check this when I created the NiFi keystore using the toolkit but missed it on the second part of the cert. Certificate[2]:
I’ll try the toolkit again or is it an issue with the corporate keys that were issued?

>keytool -list -v -keystore keystore.jks
Enter keystore password:
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: nifi-key
Creation date: Mar 18, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG, O=ORG_NAME, L=CITY, ST=FL, C=US
Serial number: blah
Valid from: Thu Mar 18 10:28:03 EDT 2021 until: Wed Jun 21 10:28:03 EDT 2023
Certificate fingerprints:
         MD5:  59:
         SHA1: F2:
         SHA256: 41:
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 48
0010: 4C
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  clientAuth
  serverAuth
]

However, comparing it to the self signed ‘old’ cert, I do see it in the second part of the keystore.

Certificate[2]:
Owner: CN=localhost, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: blah
Valid from: Fri Aug 03 11:10:13 EDT 2018 until: Mon Aug 02 11:10:13 EDT 2021
Certificate fingerprints:
         MD5:  3F
         SHA1: B7
         SHA256: 42:
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 97
0010: 8E
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  clientAuth
  serverAuth
]

#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_Encipherment
  Data_Encipherment
  Key_Agreement
  Key_CertSign
  Crl_Sign
]

#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 97
0010: 8E
]
]

In the new keystore.jks created with toolkit 1.12.1:

Certificate[2]:
Owner: CN=nifi_ca.domain.net, OU=ORG, O=ORG_NAME, L=CITY, ST=FL, C=US
Issuer: CN=ORG Sub-CA, DC=domain, DC=net
Serial number: blah
Valid from: Wed Mar 17 13:27:07 EDT 2021 until: Mon Mar 16 13:27:07 EDT 2026
Certificate fingerprints:
         MD5:  8A
         SHA1: C9
         SHA256: 17
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.4.1.311.21.7 Criticality=false
0000: 30
0010: 1E
0020: 29


#2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: ldap:
,
   accessMethod: caIssuers
   accessLocation: URIName:
]
]
MISSING HERE
#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: C5
0010: 4E
]
]

#4: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

#5: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: ldap:
]]

#6: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]

#7: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: nifi_ca.domain.net
]

#8: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 48
0010: 4C
]
]

From: Bryan Bende <bb...@gmail.com>
Sent: Tuesday, March 30, 2021 3:15 PM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

The important lines are most likely:

2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using X509IdentityProvider
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.x.X509CertificateExtractor No client certificate found in request.

Essentially there is no certificate being sent from NiFi -> NiFi Registry, and as a result, registry is treating you as an anonymous user and seeing if there are any public buckets to access, and there aren't, so you see an empty list.

This usually happens when the certificate in NiFi's keystore does not have the clientAuth extended usage. You can see this by performing a keytool listing of NiFi's keystore JKS and looking for:

ExtendedKeyUsages [
  serverAuth
  clientAuth
]
If you don't see clientAuth in there then that is the problem.
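
A way to read the nifi-registry-app.log DEBUG output that Bryan is interpreting here, as an added Python example (not code from NiFi Registry): it correlates the org.apache.nifi.registry.security lines by web-server thread, starting a new request at each X509IdentityProvider attempt, and reports whether that request ended as anonymous (no client certificate, so only public buckets are listed), as an identity that was then authorized as a proxy, or as an untrusted proxy. The embedded log lines are constructed from the formats quoted in this thread; the logger name and level on the `Untrusted proxy` line are assumptions, since only its message format is quoted elsewhere in the thread.

```python
"""Added example, not NiFi Registry code: turn the per-request DEBUG lines
from org.apache.nifi.registry.security into one verdict per request."""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>\w+) "
    r"\[(?P<thread>[^\]]+)\] (?P<logger>\S+) (?P<msg>.*)$")
X509_START = "Attempting to extract user credentials using X509IdentityProvider"
NO_CERT = "No client certificate found in request."
CREDS_RE = re.compile(r"Credentials extracted by X509IdentityProvider: "
                      r"AuthenticationRequest\{username='(?P<id>[^']*)'")
UNTRUSTED_RE = re.compile(r"Untrusted proxy \[(?P<id>[^\]]*)\] for (?P<op>\w+) operation")
AUTHZ_RE = re.compile(r"Authorizing proxy \[identity\[(?P<id>[^\]]*)\]")

# Constructed sample in the thread's log format: an anonymous request, a
# working proxied request, and an untrusted-proxy request. The logger/level
# on the 'Untrusted proxy' line are assumptions; only its message is quoted.
SAMPLE_LOG = """\
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using X509IdentityProvider
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.x.X509CertificateExtractor No client certificate found in request.
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.AnonymousIdentityFilter Populated SecurityContextHolder with anonymous token: 'anonymous'
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets
2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using X509IdentityProvider
2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Adding credentials claim to SecurityContext to be authenticated. Credentials extracted by X509IdentityProvider: AuthenticationRequest{username='CN=working_server.domain.net, OU=NIFI', credentials=[PROTECTED], details=[...]}
2021-03-30 14:41:58,279 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets
2021-03-30 14:41:58,279 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
2021-03-30 14:50:01,100 DEBUG [NiFi Registry Web Server-12] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using X509IdentityProvider
2021-03-30 14:50:01,100 DEBUG [NiFi Registry Web Server-12] o.a.n.r.w.s.a.IdentityFilter Adding credentials claim to SecurityContext to be authenticated. Credentials extracted by X509IdentityProvider: AuthenticationRequest{username='CN=new_server.domain.net, OU=NIFI', credentials=[PROTECTED], details=[...]}
2021-03-30 14:50:01,102 WARN [NiFi Registry Web Server-12] o.a.n.r.s.a.r.ProxyChainAuthorizable Untrusted proxy [CN=new_server.domain.net, OU=NIFI] for READ operation.
"""


def summarize_requests(log_text):
    """One dict per X509 extraction attempt, in log order:
    {'thread', 'started', 'identity', 'verdict'}; verdict is one of
    'anonymous-no-client-cert', 'identity-extracted', 'authorized-proxy',
    'untrusted-proxy'. Lines are correlated by the web-server thread name."""
    traces, open_by_thread = [], {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        thread, msg = m["thread"], m["msg"]
        if X509_START in msg:  # a new request is being authenticated on this thread
            t = {"thread": thread, "started": m["ts"], "identity": None, "verdict": None}
            traces.append(t)
            open_by_thread[thread] = t
            continue
        t = open_by_thread.get(thread)
        if t is None:
            continue
        creds = CREDS_RE.search(msg)
        untrusted = UNTRUSTED_RE.search(msg)
        if NO_CERT in msg:
            # No cert: Registry falls back to anonymous, so only public buckets are listed
            t["verdict"] = "anonymous-no-client-cert"
        elif creds:
            t["identity"] = creds["id"]
            t["verdict"] = "identity-extracted"
        elif untrusted:
            t["identity"] = t["identity"] or untrusted["id"]
            t["verdict"] = "untrusted-proxy"
        elif AUTHZ_RE.search(msg) and t["verdict"] == "identity-extracted":
            t["verdict"] = "authorized-proxy"
    return traces


def report(traces):
    """One line per request, handy for grepping a very verbose log."""
    return [f"{t['started']} [{t['thread']}] {t['identity'] or '<no cert>'}: {t['verdict']}"
            for t in traces]


if __name__ == "__main__":
    print("\n".join(report(summarize_requests(SAMPLE_LOG))))
```

Run it against a real nifi-registry-app.log by reading the file into `summarize_requests`; a request whose verdict is `anonymous-no-client-cert` is the "no client certificate" case, while `untrusted-proxy` means the certificate arrived but the identity has no proxy policy in Registry, which is the other check Bryan mentions.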


On Tue, Mar 30, 2021 at 2:49 PM Rosso, Roland <Ro...@adventhealth.com> wrote:
Bryan,
I can’t seem to find those keywords anywhere following a request made by the ‘new’ server.
This seems to follow an immediate request by this new server:

2021-03-30 14:34:54,666 DEBUG [Listen to Bootstrap] o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests
2021-03-30 14:34:56,667 DEBUG [Listen to Bootstrap] o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using X509IdentityProvider
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.x.X509CertificateExtractor No client certificate found in request.
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using JwtIdentityProvider
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.BearerAuthIdentityProvider HTTP Bearer Auth credentials not present. Not attempting to extract credentials for authentication.
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.AnonymousIdentityFilter Populated SecurityContextHolder with anonymous token: 'anonymous'
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.ResourceAuthorizationFilter Request filter authorization check is not required for this HTTP Method on this resource. Allowing request to proceed. An additional authorization check might be performed downstream of this filter.
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/01b4dd78-fb1a-4910-916e-879ad3ee34c1
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/01b4dd78-fb1a-4910-916e-879ad3ee34c1
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/01b4dd78-fb1a-4910-916e-879ad3ee34c1
[more of those]
2021-03-30 14:34:57,798 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/15d2d1e0-09ba-4373-a000-ea4a1eca3b66
2021-03-30 14:34:57,798 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/15d2d1e0-09ba-4373-a000-ea4a1eca3b66
2021-03-30 14:34:57,798 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/15d2d1e0-09ba-4373-a000-ea4a1eca3b66
2021-03-30 14:34:58,669 DEBUG [Listen to Bootstrap] o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests

Following an immediate request by a working ‘old’ server (still NiFi 1.9.2, using self signed certs):

2021-03-30 14:41:57,057 DEBUG [Listen to Bootstrap] o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests
2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using X509IdentityProvider
2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Adding credentials claim to SecurityContext to be authenticated. Credentials extracted by X509IdentityProvider: AuthenticationRequest{username='CN=working_server.domain.net, OU=NIFI', credentials=[PROTECTED], details=org.apache.nifi.registry.web.security.authentication.x509.X509AuthenticationRequestDetails@7abb2a74}
2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Credentials already extracted for [org.apache.nifi.registry.web.security.authentication.AuthenticationRequestToken$1@6c118a5e], skipping credentials extraction filter using JwtIdentityProvider
2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.AnonymousIdentityFilter SecurityContextHolder not populated with anonymous token, as it already contained: 'AuthenticationRequest{username='CN=working_server.domain.net, OU=NIFI', credentials=[PROTECTED], details=org.apache.nifi.registry.web.security.authentication.x509.X509AuthenticationRequestDetails@7abb2a74}'
2021-03-30 14:41:58,278 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.ResourceAuthorizationFilter Request filter authorization check is not required for this HTTP Method on this resource. Allowing request to proceed. An additional authorization check might be performed downstream of this filter.
2021-03-30 14:41:58,279 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets
2021-03-30 14:41:58,279 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/01b4dd78-fb1a-4910-916e-879ad3ee34c1
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read


Roland Rosso
AdventHealth
Big Data Administrator | Corporate Analytics
O: 407-805-8532

From: Bryan Bende <bb...@gmail.com>
Sent: Tuesday, March 30, 2021 2:09 PM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

If the issue is related to the server user, then there would be something like this:

"Untrusted proxy [%s] for %s operation."

Where the first parameter would be the identity of the nifi server and the second parameter would be READ/WRITE/DELETE.

Also search for whatever user identity you are using in nifi since that will be sent as a proxied entity.

On Tue, Mar 30, 2021 at 1:54 PM Rosso, Roland <Ro...@adventhealth.com> wrote:
Bryan,
Tried the below:
“Also try adding the following NiFi Registry's logback.xml then see what is in the nifi-registry-app log when you make a request from NiFi to start version control:
<logger name="org.apache.nifi.registry.security" level="DEBUG"/>”

I tried to add a flow to version control or pull a new PG. Since we have 5 instances connected to that registry, hard to say which is doing what, but I can find all the instances in nifi-registry-app.log but not the one that’s not connecting right.
Anything specific you want me to look for in that log?

Thanks,
Roland Rosso

From: Rosso, Roland <Ro...@AdventHealth.com>
Sent: Tuesday, March 30, 2021 1:28 PM
To: users@nifi.apache.org
Subject: RE: [EXTERNAL] Re: NiFi Registry SSL question

So,
CN= server_name.domain.net, OU=NIFI

It decided to hyperlink it so the ‘_’ was hidden

Both sets of certs were generated with the toolkit, albeit the first one 2 years ago with self-signed certs, and I need to move it to corporate CA.

New Server Cert:
Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI  <--exact match to entry above
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US <--corporate CA switch
This worked fine when we used the self-signed NiFi certs of the type:

Old Server Cert: (this was working but I need to use the above now)
Alias name: server_name-nifi-cert
Creation date: date
Entry type: trustedCertEntry
Owner: CN=server.domain.net, OU=NIFI
Issuer: CN=localhost, OU=NIFI

Thanks,
Roland Rosso

From: Bryan Bende <bb...@gmail.com>
Sent: Tuesday, March 30, 2021 1:14 PM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

Not sure if this is related, but in one part it shows the Owner as:

CN= server_name.domain.net, OU=NIFI

There is a space between "CN=" and "server_name", but the identity in NiFi Registry does not have a space there.

Also, in the second trustedCertEntry, the Owner is "CN=server.domain.net, OU=NIFI" and shows the issuer as localhost, so I assume this is the one that came from NiFi Toolkit.

If NiFi is presenting a cert with this DN then you would need a user in registry with the identity "CN=server.domain.net, OU=NIFI" which is different from "CN=server_domain.net, OU=NIFI"
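
The two checks Bryan describes in this thread, the clientAuth extended key usage on the leaf certificate in NiFi's keystore and the character-for-character comparison of the certificate DN with the identity configured in NiFi Registry (the stray space after `CN=` above), as an added Python example that is not part of NiFi, NiFi Registry or the Toolkit. It parses the text that `keytool -list -v` prints, so it can be pointed at saved output from any keystore; the listing embedded below is constructed, and its hostnames and the `web-only-key` alias exist only for this illustration.

```python
"""Added example, not NiFi/Toolkit code: parse `keytool -list -v` output,
flag key entries whose leaf certificate lacks clientAuth, and compare the
certificate DN with the identity configured in NiFi Registry."""
import re

# Constructed listing, trimmed to the fields the checks use. Two key entries:
# one with clientAuth+serverAuth (what NiFi needs), one with serverAuth only.
# Hostnames and the 'web-only-key' alias exist only for this illustration.
SAMPLE_LISTING = """\
Alias name: nifi-key
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG, O=ORG_NAME, L=CITY, ST=FL, C=US
#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  clientAuth
  serverAuth
]
Certificate[2]:
Owner: CN=nifi_ca.domain.net, OU=ORG, O=ORG_NAME, L=CITY, ST=FL, C=US
Issuer: CN=ORG Sub-CA, DC=domain, DC=net

Alias name: web-only-key
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=web_only.domain.net, OU=NIFI
Issuer: CN=ORG Sub-CA, DC=domain, DC=net
#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
]
"""


def parse_keytool_listing(text):
    """Return [{'alias', 'type', 'certs': [{'owner', 'issuer', 'eku'}]}];
    certs[0] is the leaf, since keytool prints the chain leaf first."""
    entries, entry, cert, in_eku = [], None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            entry = {"alias": line.split(":", 1)[1].strip(), "type": "", "certs": []}
            entries.append(entry)
            cert = None
        elif entry is None:
            continue
        elif line.startswith("Entry type:"):
            entry["type"] = line.split(":", 1)[1].strip()
        elif re.match(r"Certificate\[\d+\]:", line):
            cert = {"owner": "", "issuer": "", "eku": []}
            entry["certs"].append(cert)
        elif line.startswith("Owner:"):
            if cert is None:  # a trustedCertEntry has no Certificate[n] header
                cert = {"owner": "", "issuer": "", "eku": []}
                entry["certs"].append(cert)
            cert["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("Issuer:") and cert is not None:
            cert["issuer"] = line.split(":", 1)[1].strip()
        elif line.startswith("ExtendedKeyUsages ["):
            in_eku = True
        elif in_eku and line == "]":
            in_eku = False
        elif in_eku and cert is not None and line:
            cert["eku"].append(line)
    return entries


def check_client_auth(entries):
    """Bryan's check: the key entry NiFi presents must carry clientAuth, or
    Registry sees no client certificate and treats NiFi as anonymous.
    Returns [(alias, problem)]; an empty list means every key entry passes."""
    findings = []
    for e in entries:
        if e["type"] != "PrivateKeyEntry":
            continue
        if not e["certs"]:
            findings.append((e["alias"], "no certificate parsed"))
            continue
        for needed in ("clientAuth", "serverAuth"):
            if needed not in e["certs"][0]["eku"]:
                findings.append((e["alias"], f"leaf certificate lacks {needed} EKU"))
    return findings


def normalize_dn(dn):
    """Collapse whitespace around '=' and ',' so 'CN= x, OU=Y' equals 'CN=x, OU=Y'."""
    return ", ".join(re.sub(r"\s*=\s*", "=", p.strip()) for p in dn.split(","))


def compare_identity(cert_dn, registry_identity):
    """'exact' when the strings match character for character (what the
    Registry identity needs, as Bryan describes it), 'whitespace-only' when
    only spacing differs (the 'CN= server_name' case), else 'mismatch'."""
    if cert_dn == registry_identity:
        return "exact"
    if normalize_dn(cert_dn) == normalize_dn(registry_identity):
        return "whitespace-only"
    return "mismatch"


if __name__ == "__main__":
    for alias, problem in check_client_auth(parse_keytool_listing(SAMPLE_LISTING)):
        print(f"{alias}: {problem}")
    print(compare_identity("CN= server_name.domain.net, OU=NIFI",
                           "CN=server_name.domain.net, OU=NIFI"))
```

A `whitespace-only` result is the symptom to look for when copying a DN out of a mail client or a hyperlinked field, as happened above; the fix is to make the Registry identity match the certificate's subject exactly, not to strip whitespace on the Registry side.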

On Tue, Mar 30, 2021 at 12:35 PM Rosso, Roland <Ro...@adventhealth.com> wrote:
Bryan, David,

[inline image image001.png not preserved in the archive]
Where
In NiFi Registry Truststore:
Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI  <-- exact match to entry above
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US <--corporate CA switch
This worked fine when we used the self-signed NiFi certs of the type:

Alias name: server_name-nifi-cert
Creation date: date
Entry type: trustedCertEntry
Owner: CN=server.domain.net, OU=NIFI
Issuer: CN=localhost, OU=NIFI

Roland

From: Bryan Bende <bb...@gmail.com>
Sent: Tuesday, March 30, 2021 8:58 AM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

Since you aren't getting SSL errors and you are just getting no buckets, I don't think it is a problem with certificates. I think it is a problem with the authorization on NiFi Registry side.

What version of NiFi Registry? And also, can you show what policies exist for the NiFi server user in NiFi Registry?

On Tue, Mar 30, 2021 at 8:12 AM Chris McKeever <cg...@gmail.com> wrote:
Hey Roland .. I ran into a bunch of issues with using the toolkit. I just couldn't get it to do what I needed, I wound up just running my own openssl and keytool commands. I found it much more straightforward and then I could know what all was going on. I'm sure after I got these scars, and I understood all the bits, that toolkit would work and be simpler, but I did find rolling my own, especially with the external CA, was easier.

also - if you are on slack, there is an active nifi community there that may be helpful as well ..

On Tue, Mar 30, 2021 at 6:17 AM Rosso, Roland <Ro...@adventhealth.com> wrote:
David,
Thanks for the debug config.
Here is the output when I try to connect to the registry from that new server and import a PG.
Since we have a few servers running, it is a very verbose log.
I may have missed the useful part of the log. 😊

2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut ... no IV derived for this protocol
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Handshake, length = 85
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: server finished[20]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client change_cipher_spec[-1]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client finished[20]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Change Cipher Spec, length = 1
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut *** Finished
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut verify_data:  { 20, 87, 186, 148, 90, 136, 108, 120, 14, 10, 42, 184 }
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut ***
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: finished[20]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client change_cipher_spec[-1]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client finished[20]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Handshake, length = 96
2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 Change Cipher Spec, length = 1
2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client finished[20]
2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 Handshake, length = 96
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut check handshake state: finished[20]
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: finished[20]
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut *** Finished
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut verify_data:  { 155, 211, 15, 169, 135, 208, 90, 115, 111, 50, 85, 164 }
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut ***
2021-03-30 06:57:50,226 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 926
2021-03-30 06:57:50,228 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1100
2021-03-30 06:57:50,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1018
2021-03-30 06:57:50,231 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1049
2021-03-30 06:57:50,233 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1010
2021-03-30 06:57:50,234 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 928
2021-03-30 06:57:50,236 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 924
2021-03-30 06:57:50,237 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
2021-03-30 06:57:50,239 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 919
2021-03-30 06:57:50,240 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1007
2021-03-30 06:57:50,241 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 999
2021-03-30 06:57:50,243 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 916
2021-03-30 06:57:50,245 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 996
2021-03-30 06:57:50,247 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1102
2021-03-30 06:57:50,248 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 942
2021-03-30 06:57:50,250 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
2021-03-30 06:57:50,251 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 919
2021-03-30 06:57:50,253 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 938
2021-03-30 06:57:50,254 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 942
2021-03-30 06:57:50,255 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 923
2021-03-30 06:57:50,256 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 944
2021-03-30 06:57:50,258 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 946
2021-03-30 06:57:50,259 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1006
2021-03-30 06:57:50,261 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 932
2021-03-30 06:57:50,263 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 912
2021-03-30 06:57:50,264 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 943
2021-03-30 06:57:50,266 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1026
2021-03-30 06:57:50,267 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 975
2021-03-30 06:57:50,269 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 915
2021-03-30 06:57:50,270 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 914
2021-03-30 06:57:50,271 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 931
2021-03-30 06:57:50,272 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 929
2021-03-30 06:57:50,274 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 910
2021-03-30 06:57:50,275 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
2021-03-30 06:57:50,276 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 911
2021-03-30 06:57:50,277 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 918
2021-03-30 06:57:50,279 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 927
2021-03-30 06:57:50,280 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 913
2021-03-30 06:57:50,281 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 923
2021-03-30 06:57:50,282 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 928
2021-03-30 06:57:50,284 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 937
2021-03-30 06:57:50,285 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1042
2021-03-30 06:57:50,286 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 939
2021-03-30 06:57:50,287 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 939
2021-03-30 06:57:50,289 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 922
2021-03-30 06:57:50,290 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 919
2021-03-30 06:57:50,291 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 930
2021-03-30 06:57:50,292 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 933
2021-03-30 06:57:50,293 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 930
2021-03-30 06:57:50,295 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 931
2021-03-30 06:57:50,296 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 922
2021-03-30 06:57:50,297 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 947
2021-03-30 06:57:50,298 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 905
2021-03-30 06:57:50,300 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1166
2021-03-30 06:57:50,301 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 914
2021-03-30 06:57:50,302 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 898
2021-03-30 06:57:50,303 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 908
2021-03-30 06:57:50,304 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 989
2021-03-30 06:57:50,306 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 911
2021-03-30 06:57:50,307 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, READ: TLSv1.2 Alert, length = 80
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, RECV TLSv1.2 ALERT:  warning, close_notify
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, closeInboundInternal()
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, closeOutboundInternal()
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, SEND TLSv1.2 ALERT:  warning, description = close_notify
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, WRITE: TLSv1.2 Alert, length = 80
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, called closeOutbound()
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, closeOutboundInternal()
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 Alert, length = 80
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, RECV TLSv1.2 ALERT:  warning, close_notify
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, closeInboundInternal()
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, closeOutboundInternal()
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, SEND TLSv1.2 ALERT:  warning, description = close_notify
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Alert, length = 80
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, called closeOutbound()
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, closeOutboundInternal()

Roland

From: David Handermann <ex...@gmail.com>
Sent: Monday, March 29, 2021 11:56 PM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

Hi Roland,

Thanks for the reply.  If you are not seeing any warnings or errors in the NiFi Registry logs, you could enable SSL debugging in the NiFi Registry bootstrap.conf.  Adding the following line to bootstrap.conf should enable SSL debug output to the nifi-registry-bootstrap.log:

java.arg.20=-Djavax.net.debug=ssl

This setting produces a lot of output, but if you watch the log after the initial application startup, you should be able to observe the TLS handshake when NiFi attempts to list buckets from NiFi Registry.  The log output should at least confirm that the certificate exchange is occurring as expected.

Regards,
David Handermann

On Mon, Mar 29, 2021 at 10:34 PM Rosso, Roland <Ro...@adventhealth.com> wrote:
Hi David,

I use the nifi-toolkit to create the keystore and truststore to make sure clientAuth and serverAuth is set properly.

This is a ‘working’ config.
Keystore:
Alias name: nifi-key
Creation date: date
Entry type: PrivateKeyEntry

Truststore:
Alias name: server_name-nifi-cert
Creation date: date
Entry type: trustedCertEntry

Owner: CN=server.domain.net, OU=NIFI
Issuer: CN=localhost, OU=NIFI

The issue with the new setup is using an external CA, also created via the nifi-toolkit; the new NiFi install is working fine (from an SSL perspective), and Registry is connecting but can't list buckets.

Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US

Thanks,
Roland

From: David Handermann <ex...@gmail.com>
Sent: Monday, March 29, 2021 9:27 PM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

Hi Roland,

Can you provide the commands you are using to create the server keystores?  Listing the keystore contents using "keytool -list -v -keystore <keystoreFile>" should include an Entry Type of "PrivateKeyEntry", so it would be helpful to confirm that the keystore includes a PrivateKeyEntry and not a TrustedCertEntry.

Regards,
David Handermann

On Mon, Mar 29, 2021 at 5:49 PM Rosso, Roland <Ro...@adventhealth.com> wrote:
I've tried this one more time (Nifi 1.12.1 to Registry 0.6.0). Re-signed/Re-imported the certs.

The new "server" cert is of the type:

Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US

[blah]

I am adding the "server user" 'CN= server_name.domain.net, OU=NIFI' to the registry with all the grants. I don't see any errors in the logs but still cannot properly link it to the existing buckets. Should I add the "server user" in a different manner since the cert issuer is not 'Issuer: CN=localhost, OU=NIFI'?
The other servers' certs that are signed with 'Issuer: CN=localhost, OU=NIFI' work just fine (Nifi 1.9.2 to Registry 0.6.0).
Is there a way to increase the logs as well?

Many thanks,
Roland

-----Original Message-----
From: Rosso, Roland <Ro...@AdventHealth.com>
Sent: Thursday, March 25, 2021 2:21 PM
To: users@nifi.apache.org
Subject: RE: [EXTERNAL] Re: NiFi Registry SSL question

Thank you Bryan,
I've tried all combinations I could think of.
I'll re-sign all the certs with the same key for nifi and registry and try this again.

Thanks,
Roland

-----Original Message-----
From: Bryan Bende <bb...@gmail.com>
Sent: Tuesday, March 23, 2021 3:48 PM
To: users@nifi.apache.org
Subject: [EXTERNAL] Re: NiFi Registry SSL question

I think the issue might be related to the "server user" in nifi registry. I would double check that the way the identity was entered in registry exactly matches the identity from nifi's certificate, case-sensitive and white-space sensitive. Also make sure this user in registry is granted all of the Proxy permissions, it is broken out into three different actions now (read, write, delete).

On Tue, Mar 23, 2021 at 9:28 AM Rosso, Roland <Ro...@adventhealth.com> wrote:
>
> Hi all,
>
> I am moving things around and moving from self-signed certs to corporate certs.
>
> I’ve installed nifi 1.12 with a new truststore and keystore (use toolkit with external certs) and that seems fine.
>
> I added the cert from the registry server (old self signed) into the new nifi 1.12 truststore and the new server cert (signed with corporate CA) into the nifi registry truststore (again, self signed).
>
> I also added the server ‘user’ CN=server.domain, OU=NIFI into the registry and made the permission grants (proxy, buckets). I don’t get any SSL errors in the logs but cannot add a PG via registry (no available bucket).
>
> Is this setup possible and am I missing something, or do all NiFi nodes and registry need to be signed with the same key? The idea was to setup a new instance (on new server), pull all PGs via registry into the new and retiring the old.
>
>
>
> Thanks,
>
> Roland
>
>
>
>
>
> This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or may constitute as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, notify us immediately by telephone and (i) destroy this message if a facsimile or (ii) delete this message immediately if this is an electronic communication. Thank you.
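The thread above asks Roland to verify three things by hand: that the keystore holds a PrivateKeyEntry rather than a trustedCertEntry (David's keytool advice), that the node's certificate carries clientAuth as well as serverAuth, and that the "server user" identity entered in Registry matches the certificate's Owner DN exactly, case- and whitespace-sensitive (Bryan's advice). The following is an added example in Python that automates those checks; it is not code from this thread or from the NiFi project. It parses the text that `keytool -list -v -keystore <file>` prints, in the layout quoted in the thread, and the two listings embedded in it are constructed with placeholder values, not listings from anyone's keystore.

```python
"""Check the NiFi keystore points raised in this thread from the text printed by
`keytool -list -v -keystore <file>`: a PrivateKeyEntry is present, Certificate[1]
lists clientAuth and serverAuth under ExtendedKeyUsages, and its Owner DN matches
the NiFi Registry identity exactly (case- and whitespace-sensitive).
Added example, not code from the thread or from the NiFi project."""
import re

# CONSTRUCTED sample in keytool's layout with placeholder values, not a real listing.
SAMPLE_KEYTOOL_OUTPUT = """\
Keystore type: jks
Your keystore contains 1 entry

Alias name: nifi-key
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG, O=ORG_NAME, L=CITY, ST=FL, C=US
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
]
#2: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  clientAuth
  serverAuth
]
Certificate[2]:
Owner: CN=nifi_ca.domain.net, OU=ORG, O=ORG_NAME, L=CITY, ST=FL, C=US
Issuer: CN=ORG Sub-CA, DC=domain, DC=net
"""

# CONSTRUCTED: a keystore holding only a trusted certificate, no private key.
TRUSTED_ONLY_OUTPUT = """\
Alias name: server_name-nifi-cert
Entry type: trustedCertEntry

Owner: CN=server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG, O=ORG_NAME, L=CITY, ST=FL, C=US
"""


def parse_keytool_listing(text):
    """Return [{alias, entry_type, certs: [{owner, issuer, ekus}]}] from keytool output."""
    entries, entry, cert, in_eku = [], None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        value = line.split(":", 1)[1].strip() if ":" in line else ""
        if line.startswith("Alias name:"):
            entry = {"alias": value, "entry_type": "", "certs": []}
            entries.append(entry)
            cert = None
        elif entry is None:
            continue  # keystore header lines before the first alias
        elif line.startswith("Entry type:"):
            entry["entry_type"] = value
        elif re.match(r"Certificate\[\d+\]:", line):
            cert = {"owner": "", "issuer": "", "ekus": []}
            entry["certs"].append(cert)
        elif line.startswith("Owner:"):
            if cert is None:  # trustedCertEntry prints no Certificate[n] header
                cert = {"owner": "", "issuer": "", "ekus": []}
                entry["certs"].append(cert)
            cert["owner"] = value
        elif line.startswith("Issuer:") and cert is not None:
            cert["issuer"] = value
        elif line.startswith("ExtendedKeyUsages"):
            in_eku = True
        elif in_eku:
            if line == "]":
                in_eku = False
            elif line and cert is not None:
                cert["ekus"].append(line)
    return entries


def normalize_dn(dn):
    """Fold case and whitespace so near-miss identities can be reported as such."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn).strip().lower()


def check_nifi_keystore(listing, registry_identity):
    """Return findings as strings; an empty list means every check passed."""
    key_entries = [e for e in parse_keytool_listing(listing)
                   if e["entry_type"] == "PrivateKeyEntry"]
    if not key_entries:
        return ["no PrivateKeyEntry: without a private key NiFi cannot present a client certificate"]
    entry = key_entries[0]
    leaf = entry["certs"][0]  # Certificate[1], the end-entity certificate NiFi presents
    findings = [f"Certificate[1] of alias '{entry['alias']}' lacks ExtendedKeyUsage {eku}"
                for eku in ("clientAuth", "serverAuth") if eku not in leaf["ekus"]]
    if leaf["owner"] != registry_identity:
        near = normalize_dn(leaf["owner"]) == normalize_dn(registry_identity)
        findings.append(f"Registry identity '{registry_identity}' does not match certificate "
                        f"Owner '{leaf['owner']}'" + (" (differs only in case/whitespace)" if near else ""))
    return findings
```

Run it as `check_nifi_keystore(open("listing.txt").read(), "CN=server_name.domain.net, OU=NIFI")` on a saved keytool listing. The near-miss report is the point of the `normalize_dn` helper: an identity typed as `CN= server_name.domain.net, OU=NIFI` (with the stray space that appears in one of the messages above) is a different string to Registry, so it falls through to the anonymous user and an empty bucket list, exactly the symptom the thread describes.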

Re: [EXTERNAL] Re: NiFi Registry SSL question

Posted by Nathan Gough <th...@gmail.com>.
Hi Roland,

I believe I have captured the relevant information in this diagram:

https://drive.google.com/file/d/1KMGc7IMLTgJadooZ05H8grg7F6v0iLZ4/view?usp=sharing

If you have set up your configuration as in the diagram and are still
having issues, I can perhaps add more detail about what certificate
attributes are required where.

The key part for configuring Registry is that the initial Registry admin
will have all accesses, and the individual NiFi node/s will need to be
added and given "Can proxy user requests", in order to be able to see
buckets.

Nathan

On Tue, Mar 30, 2021 at 5:03 PM Rosso, Roland <Ro...@adventhealth.com>
wrote:

> Thanks again Bryan. It needs to be built into the .pem key.
>
> Unfortunately, our time self-signing certs is coming to an end.
>
>
>
> *Roland *
>
>
>
> *From:* Bryan Bende <bb...@gmail.com>
> *Sent:* Tuesday, March 30, 2021 4:24 PM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> I'm not familiar with using toolkit with an external CA (if that is what's
> being done), but I regularly use localhost certs from the toolkit generated
> with a command like:
>
>
>
> ./bin/tls-toolkit.sh standalone -n 'localhost'
>
>
>
> These work fine for me.
>
>
>
>
>
> On Tue, Mar 30, 2021 at 3:47 PM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> I did check this when I created the NiFi keystore using the toolkit but
> missed it on the second part of the cert. Certificate[2]:
>
> I’ll try the toolkit again or is it an issue with the corporate keys that
> were issued?
>
>
>
> >keytool -list -v -keystore keystore.jks
>
> Enter keystore password:
>
> Keystore type: jks
>
> Keystore provider: SUN
>
>
>
> Your keystore contains 1 entry
>
>
>
> Alias name: nifi-key
>
> Creation date: Mar 18, 2021
>
> Entry type: PrivateKeyEntry
>
> Certificate chain length: 2
>
> Certificate[1]:
>
> Owner: CN=server_name.domain.net, OU=NIFI
>
> Issuer: CN=nifi_ca.domain.net, OU=ORG, O=ORG_NAME, L=CITY, ST=FL, C=US
>
> Serial number: blah
>
> Valid from: Thu Mar 18 10:28:03 EDT 2021 until: Wed Jun 21 10:28:03 EDT
> 2023
>
> Certificate fingerprints:
>
>          MD5:  59:
>
>          SHA1: F2:
>
>          SHA256: 41:
>
> Signature algorithm name: SHA256withRSA
>
> Subject Public Key Algorithm: 2048-bit RSA key
>
> Version: 3
>
>
>
> Extensions:
>
>
>
> #1: ObjectId: 2.5.29.35 Criticality=false
>
> AuthorityKeyIdentifier [
>
> KeyIdentifier [
>
> 0000: 48
>
> 0010: 4C
>
> ]
>
> ]
>
>
>
> #2: ObjectId: 2.5.29.19 Criticality=false
>
> BasicConstraints:[
>
>   CA:false
>
>   PathLen: undefined
>
> ]
>
>
>
> #3: ObjectId: 2.5.29.37 Criticality=false
>
> ExtendedKeyUsages [
>
>   clientAuth
>
>   serverAuth
>
> ]
>
>
>
> However, comparing it to the self signed ‘old’ cert, I do it in the second
> part of the keystore.
>
>
>
> Certificate[2]:
>
> Owner: CN=localhost, OU=NIFI
>
> Issuer: CN=localhost, OU=NIFI
>
> Serial number: blah
>
> Valid from: Fri Aug 03 11:10:13 EDT 2018 until: Mon Aug 02 11:10:13 EDT
> 2021
>
> Certificate fingerprints:
>
>          MD5:  3F
>
>          SHA1: B7
>
>          SHA256: 42:
>
> Signature algorithm name: SHA256withRSA
>
> Subject Public Key Algorithm: 2048-bit RSA key
>
> Version: 3
>
>
>
> Extensions:
>
>
>
> #1: ObjectId: 2.5.29.35 Criticality=false
>
> AuthorityKeyIdentifier [
>
> KeyIdentifier [
>
> 0000: 97
>
> 0010: 8E
>
> ]
>
> ]
>
>
>
> #2: ObjectId: 2.5.29.19 Criticality=false
>
> BasicConstraints:[
>
>   CA:true
>
>   PathLen:2147483647
>
> ]
>
>
>
> #3: ObjectId: 2.5.29.37 Criticality=false
>
> ExtendedKeyUsages [
>
>   clientAuth
>
>   serverAuth
>
> ]
>
>
>
> #4: ObjectId: 2.5.29.15 Criticality=true
>
> KeyUsage [
>
>   DigitalSignature
>
>   Non_repudiation
>
>   Key_Encipherment
>
>   Data_Encipherment
>
>   Key_Agreement
>
>   Key_CertSign
>
>   Crl_Sign
>
> ]
>
>
>
> #5: ObjectId: 2.5.29.14 Criticality=false
>
> SubjectKeyIdentifier [
>
> KeyIdentifier [
>
> 0000: 97
>
> 0010: 8E
>
> ]
>
> ]
>
>
>
> In the new keystore.jks created with toolkit 1.12.1:
>
>
>
> Certificate[2]:
>
> Owner: CN=nifi_ca.domain.net, OU=ORG, O=ORG_NAME, L=CITY, ST=FL, C=US
>
> Issuer: CN=ORG Sub-CA, DC=domain, DC=net
>
> Serial number: blah
>
> Valid from: Wed Mar 17 13:27:07 EDT 2021 until: Mon Mar 16 13:27:07 EDT
> 2026
>
> Certificate fingerprints:
>
>          MD5:  8A
>
>          SHA1: C9
>
>          SHA256: 17
>
> Signature algorithm name: SHA256withRSA
>
> Subject Public Key Algorithm: 2048-bit RSA key
>
> Version: 3
>
>
>
> Extensions:
>
>
>
> #1: ObjectId: 1.3.6.1.4.1.311.21.7 Criticality=false
>
> 0000: 30
>
> 0010: 1E
>
> 0020: 29
>
>
>
>
>
> #2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
>
> AuthorityInfoAccess [
>
>   [
>
>    accessMethod: caIssuers
>
>    accessLocation: URIName: ldap:
>
> ,
>
>    accessMethod: caIssuers
>
>    accessLocation: URIName:
>
> ]
>
> ]
>
> MISSING HERE
>
> #3: ObjectId: 2.5.29.35 Criticality=false
>
> AuthorityKeyIdentifier [
>
> KeyIdentifier [
>
> 0000: C5
>
> 0010: 4E
>
> ]
>
> ]
>
>
>
> #4: ObjectId: 2.5.29.19 Criticality=true
>
> BasicConstraints:[
>
>   CA:true
>
>   PathLen:0
>
> ]
>
>
>
> #5: ObjectId: 2.5.29.31 Criticality=false
>
> CRLDistributionPoints [
>
>   [DistributionPoint:
>
>      [URIName: ldap:
>
> ]]
>
>
>
> #6: ObjectId: 2.5.29.15 Criticality=false
>
> KeyUsage [
>
>   DigitalSignature
>
>   Key_CertSign
>
>   Crl_Sign
>
> ]
>
>
>
> #7: ObjectId: 2.5.29.17 Criticality=false
>
> SubjectAlternativeName [
>
>   DNSName: nifi_ca.domain.net
>
> ]
>
>
>
> #8: ObjectId: 2.5.29.14 Criticality=false
>
> SubjectKeyIdentifier [
>
> KeyIdentifier [
>
> 0000: 48
>
> 0010: 4C
>
> ]
>
> ]
>
>
>
> *From:* Bryan Bende <bb...@gmail.com>
> *Sent:* Tuesday, March 30, 2021 3:15 PM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> The important lines are most likely:
>
>
>
> 2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using
> X509IdentityProvider
>
> 2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.x.X509CertificateExtractor No client certificate found in
> request.
>
>
>
> Essentially there is no certificate being sent from NiFi -> NiFi Registry,
> and as a result, registry is treating you as an anonymous user and seeing
> if there are any public buckets to access, and there aren't, so you see an
> empty list.
>
>
>
> This usually happens when the certificate in NiFi's keystore does not have
> the clientAuth extended usage, you can see this by performing a keytool
> listing of NiFI's keystore JKS and looking for:
>
> ExtendedKeyUsages [
>   serverAuth
>   clientAuth
> ]
>
> If you don't see clientAuth in there then that is the problem.
>
>
>
>
>
> On Tue, Mar 30, 2021 at 2:49 PM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> Bryan,
>
> I can’t seem to find those keywords anywhere following a request made by
> the ‘new’ server
>
> This seems to follow an immediate request by this new server:
>
>
>
> 2021-03-30 14:34:54,666 DEBUG [Listen to Bootstrap]
> o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests
>
> 2021-03-30 14:34:56,667 DEBUG [Listen to Bootstrap]
> o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests
>
> 2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using
> X509IdentityProvider
>
> 2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.x.X509CertificateExtractor No client certificate found in
> request.
>
> 2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using
> JwtIdentityProvider
>
> 2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.BearerAuthIdentityProvider HTTP Bearer Auth credentials not
> present. Not attempting to extract credentials for authentication.
>
> 2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.AnonymousIdentityFilter Populated SecurityContextHolder with
> anonymous token: 'anonymous'
>
> 2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.ResourceAuthorizationFilter Request filter authorization
> check is not required for this HTTP Method on this resource. Allowing
> request to proceed. An additional authorization check might be performed
> downstream of this filter.
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/01b4dd78-fb1a-4910-916e-879ad3ee34c1
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/01b4dd78-fb1a-4910-916e-879ad3ee34c1
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/01b4dd78-fb1a-4910-916e-879ad3ee34c1
>
> [more of those]
>
> 2021-03-30 14:34:57,798 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/15d2d1e0-09ba-4373-a000-ea4a1eca3b66
>
> 2021-03-30 14:34:57,798 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/15d2d1e0-09ba-4373-a000-ea4a1eca3b66
>
> 2021-03-30 14:34:57,798 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/15d2d1e0-09ba-4373-a000-ea4a1eca3b66
>
> 2021-03-30 14:34:58,669 DEBUG [Listen to Bootstrap]
> o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests
>
>
>
> Following an immediate request by a working ‘old’ server (still NiFi
> 1.9.2, using self signed certs):
>
>
>
> 2021-03-30 14:41:57,057 DEBUG [Listen to Bootstrap]
> o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests
>
> 2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using
> X509IdentityProvider
>
> 2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.IdentityFilter Adding credentials claim to SecurityContext to
> be authenticated. Credentials extracted by X509IdentityProvider:
> AuthenticationRequest{username='CN=working_server.domain.net, OU=NIFI',
> credentials=[PROTECTED],
> details=org.apache.nifi.registry.web.security.authentication.x509.X509AuthenticationRequestDetails@7abb2a74
> }
>
> 2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.IdentityFilter Credentials already extracted for
> [org.apache.nifi.registry.web.security.authentication.AuthenticationRequestToken$1@6c118a5e],
> skipping credentials extraction filter using JwtIdentityProvider
>
> 2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.AnonymousIdentityFilter SecurityContextHolder not populated
> with anonymous token, as it already contained:
> 'AuthenticationRequest{username='CN=working_server.domain.net, OU=NIFI',
> credentials=[PROTECTED],
> details=org.apache.nifi.registry.web.security.authentication.x509.X509AuthenticationRequestDetails@7abb2a74
> }'
>
> 2021-03-30 14:41:58,278 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.ResourceAuthorizationFilter Request filter authorization
> check is not required for this HTTP Method on this resource. Allowing
> request to proceed. An additional authorization check might be performed
> downstream of this filter.
>
> 2021-03-30 14:41:58,279 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets
>
> 2021-03-30 14:41:58,279 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=
> working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=
> working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=
> working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=
> working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=
> working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=
> working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/01b4dd78-fb1a-4910-916e-879ad3ee34c1
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=
> working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
>
>
>
>
>
> *Roland Rosso*
> AdventHealth
> Big Data Administrator | Corporate Analytics
> O: 407-805-8532
>
>
>
> *From:* Bryan Bende <bb...@gmail.com>
> *Sent:* Tuesday, March 30, 2021 2:09 PM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> If the issue is related to the server user, then there would be something
> like this:
>
>
>
> "Untrusted proxy [%s] for %s operation."
>
>
>
> Where the first parameter would be the identity of the nifi server and the
> second parameter would be READ/WRITE/DELETE.
>
>
>
> Also search for whatever user identity you are using in nifi since that
> will be sent as a proxied entity.
>
>
>
> On Tue, Mar 30, 2021 at 1:54 PM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> Bryan,
>
> Tried the below:
>
> “Also try adding the following NiFi Registry's logback.xml then see what
> is in the nifi-registry-app log when you make a request from NiFi to start
> version control:
>
> <logger name="org.apache.nifi.registry.security" level="DEBUG"/>”
>
>
>
> I tried to add a flow to version control or pull a new PG. Since we have 5
> instances connected to that registry, hard to say which is doing what, but
> I can find all the instances in nifi-registry-app.log but not the one
> that’s not connecting right.
>
> Anything specific you want me to look for in that log?
>
>
>
> Thanks,
>
> *Roland Rosso*
> AdventHealth
> Big Data Administrator | Corporate Analytics
> O: 407-805-8532
>
>
>
> *From:* Rosso, Roland <Ro...@AdventHealth.com>
> *Sent:* Tuesday, March 30, 2021 1:28 PM
> *To:* users@nifi.apache.org
> *Subject:* RE: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> So,
>
> CN= server_name.domain.net, OU=NIFI
>
>
>
> It decided to hyperlink it so the ‘_’ was hidden
>
>
>
> Both sets of certs were generated with the toolkit, albeit the first one 2
> years ago with self-signed certs, and I need to move it to corporate CA.
>
>
>
> *New Server Cert:*
>
> Alias name: server_name-nifi-cert
>
> Creation date: Mar 29, 2021
>
> Entry type: trustedCertEntry
>
>
>
> Owner: CN= server_name.domain.net, OU=NIFI  *<- exact match to entry above*
>
> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION,
> ST=XX, C=US <- corporate CA switch
>
> This worked fine when we used the self-signed NiFi certs of the type:
>
>
>
> *Old Server Cert: (this was working but I need to use the above now)*
>
> Alias name: server_name-nifi-cert
>
> Creation date: date
>
> Entry type: trustedCertEntry
>
> Owner: CN=server.domain.net, OU=NIFI
>
> Issuer: CN=localhost, OU=NIFI
>
>
>
> Thanks,
>
> *Roland Rosso*
> AdventHealth
> Big Data Administrator | Corporate Analytics
> O: 407-805-8532
>
>
>
> *From:* Bryan Bende <bb...@gmail.com>
> *Sent:* Tuesday, March 30, 2021 1:14 PM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> Not sure if this is related, but in one part it shows the Owner as:
>
>
>
> CN= server_name.domain.net, OU=NIFI
>
>
>
> There is a space between "CN=" and "server_name", but the identity in NiFi
> Registry does not have a space there.
>
>
>
> Also, in the second trustedCertEntry, the Owner is "CN=server.domain.net,
> OU=NIFI" and shows the issuer as localhost, so I assume this is the one
> that came from NiFi Toolkit.
>
>
>
> If NiFi is presenting a cert with this DN then you would need a user in
> registry with the identity "CN=server.domain.net, OU=NIFI" which is
> different from "CN=server_domain.net, OU=NIFI"
>
>
>
> On Tue, Mar 30, 2021 at 12:35 PM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> Bryan, David,
>
>
>
> Where
>
> In NiFi Registry Truststore:
>
> Alias name: server_name-nifi-cert
> Creation date: Mar 29, 2021
> Entry type: trustedCertEntry
>
> Owner: CN= server_name.domain.net, OU=NIFI  <- exact match to entry above
> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION,
> ST=XX, C=US <- corporate CA switch
>
> This worked fine when we used the self-signed NiFi certs of the type:
>
>
>
> Alias name: server_name-nifi-cert
>
> Creation date: date
>
> Entry type: trustedCertEntry
>
> Owner: CN=server.domain.net, OU=NIFI
>
> Issuer: CN=localhost, OU=NIFI
>
>
>
> *Roland *
>
>
>
> *From:* Bryan Bende <bb...@gmail.com>
> *Sent:* Tuesday, March 30, 2021 8:58 AM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> Since you aren't getting SSL errors and you are just getting no buckets, I
> don't think it is a problem with certificates. I think it is a problem with
> the authorization on NiFi Registry side.
>
>
>
> What version of NiFi Registry? and also, can you show what policies exist
> for the NiFi server user in NiFi Registry?
>
>
>
> On Tue, Mar 30, 2021 at 8:12 AM Chris McKeever <cg...@gmail.com>
> wrote:
>
> Hey Roland .. I ran into a bunch of issues with using the toolkit. I just
> couldn't get it to do what I needed, I wound up just running my own openssl
> and keytool commands. I found it much more straightforward and then I could
> know what all was going on. I'm sure after I got these scars, and I
> understood all the bits, that toolkit would work and be simpler, but I did
> find rolling my own, especially with the external CA, was easier.
>
>
>
> also - if you are on slack, there is an active nifi community there that
> may be helpful as well ..
>
>
>
> On Tue, Mar 30, 2021 at 6:17 AM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> David,
>
> Thanks for the debug config.
>
> Here is the output when I try to connect to the registry from that new
> server and import a PG.
>
> Since we have a few servers running, it is a very verbose log.
>
> I may have missed the useful part of the log. 😊
>
>
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut ... no IV derived for this protocol
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Handshake, length = 85
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut upcoming handshake states: server
> finished[20]
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut upcoming handshake states: client
> change_cipher_spec[-1]
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut upcoming handshake states: client
> finished[20]
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Change Cipher Spec, length = 1
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut *** Finished
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut verify_data:  { 20, 87, 186, 148, 90, 136,
> 108, 120, 14, 10, 42, 184 }
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut ***
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut update handshake state: finished[20]
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut upcoming handshake states: client
> change_cipher_spec[-1]
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut upcoming handshake states: client
> finished[20]
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Handshake, length = 96
>
> 2021-03-30 06:57:50,223 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2
> Change Cipher Spec, length = 1
>
> 2021-03-30 06:57:50,223 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
>
> 2021-03-30 06:57:50,223 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut upcoming handshake states: client
> finished[20]
>
> 2021-03-30 06:57:50,223 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2
> Handshake, length = 96
>
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut check handshake state: finished[20]
>
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut update handshake state: finished[20]
>
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut *** Finished
>
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut verify_data:  { 155, 211, 15, 169, 135,
> 208, 90, 115, 111, 50, 85, 164 }
>
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut ***
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, READ: TLSv1.2
> Alert, length = 80
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, RECV TLSv1.2
> ALERT:  warning, close_notify
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40,
> closeInboundInternal()
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40,
> closeOutboundInternal()
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, SEND TLSv1.2
> ALERT:  warning, description = close_notify
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, WRITE: TLSv1.2
> Alert, length = 80
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, called
> closeOutbound()
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40,
> closeOutboundInternal()
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2
> Alert, length = 80
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, RECV TLSv1.2
> ALERT:  warning, close_notify
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35,
> closeInboundInternal()
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35,
> closeOutboundInternal()
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, SEND TLSv1.2
> ALERT:  warning, description = close_notify
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Alert, length = 80
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, called
> closeOutbound()
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35,
> closeOutboundInternal()
>
>
>
> *Roland *
>
>
>
> *From:* David Handermann <ex...@gmail.com>
> *Sent:* Monday, March 29, 2021 11:56 PM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> Hi Roland,
>
>
>
> Thanks for the reply.  If you are not seeing any warnings or errors in the
> NiFi Registry logs, you could enable SSL debugging in the NiFi Registry
> bootstrap.conf.  Adding the following line to bootstrap.conf should enable
> SSL debug output to the nifi-registry-bootstrap.log:
>
>
>
> java.arg.20=-Djavax.net.debug=ssl
>
>
>
> This setting produces a lot of output, but if you watch the log after the
> initial application startup, you should be able to observe the TLS
> handshake when NiFi attempts to list buckets from NiFi Registry.  The log
> output should at least confirm that the certificate exchange is occurring
> as expected.
>
>
>
> Regards,
>
> David Handermann
>
>
>
> On Mon, Mar 29, 2021 at 10:34 PM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> Hi David,
>
>
>
> I use the nifi-toolkit to create the keystore and truststore to make sure
> clientAuth and serverAuth are set properly.
>
>
>
> This is a ‘working’ config.
>
> Keystore:
>
> Alias name: nifi-key
>
> Creation date: date
>
> Entry type: PrivateKeyEntry
>
>
>
> Truststore:
>
> Alias name: server_name-nifi-cert
>
> Creation date: date
>
> Entry type: trustedCertEntry
>
>
>
> Owner: CN=server.domain.net, OU=NIFI
>
> Issuer: CN=localhost, OU=NIFI
>
>
>
> The issue with the new setup is using external CA, also created via the
> nifi-toolkit, new NiFi install working fine (from a SSL perspective),
> Registry connecting but can’t list buckets.
>
>
>
> Alias name: server_name-nifi-cert
> Creation date: Mar 29, 2021
> Entry type: trustedCertEntry
>
> Owner: CN= server_name.domain.net, OU=NIFI
> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION,
> ST=XX, C=US
>
>
>
> Thanks,
> Roland
>
>
>
> *From:* David Handermann <ex...@gmail.com>
> *Sent:* Monday, March 29, 2021 9:27 PM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> Hi Roland,
>
>
>
> Can you provide the commands you are using to create the server
> keystores?  Listing the keystore contents using "keytool -list -v -keystore
> <keystoreFile>" should include an Entry Type of "PrivateKeyEntry", so it
> would be helpful to confirm that the keystore includes a PrivateKeyEntry
> and not a TrustedCertEntry.
>
>
>
> Regards,
>
> David Handermann
>
>
>
> On Mon, Mar 29, 2021 at 5:49 PM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> I've tried this one more time (Nifi 1.12.1 to Registry 0.6.0).
> Re-signed/Re-imported the certs.
>
> The new "server" cert is of the type:
>
> Alias name: server_name-nifi-cert
> Creation date: Mar 29, 2021
> Entry type: trustedCertEntry
>
> Owner: CN= server_name.domain.net, OU=NIFI
> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION,
> ST=XX, C=US
>
> [blah]
>
> I am adding the "server user" 'CN= server_name.domain.net, OU=NIFI' to
> the registry with all the grants. I don't see any errors in the logs but
> still cannot properly link it to the existing buckets. Should I add the
> "server user" in a different manner since the cert issuer is not 'Issuer:
> CN=localhost, OU=NIFI'?
> The other servers certs that are signed with 'Issuer: CN=localhost,
> OU=NIFI' work just fine (Nifi 1.9.2 to Registry 0.6.0).
> Is there a way to increase the logs as well?
>
> Many thanks,
> Roland
>
> -----Original Message-----
> From: Rosso, Roland <Ro...@AdventHealth.com>
> Sent: Thursday, March 25, 2021 2:21 PM
> To: users@nifi.apache.org
> Subject: RE: [EXTERNAL] Re: NiFi Registry SSL question
>
> Thank you Bryan,
> I've tried all combinations I could think of.
> I'll resign all the certs with the same key for nifi and registry and try
> this again.
>
> Thanks,
> Roland
>
> -----Original Message-----
> From: Bryan Bende <bb...@gmail.com>
> Sent: Tuesday, March 23, 2021 3:48 PM
> To: users@nifi.apache.org
> Subject: [EXTERNAL] Re: NiFi Registry SSL question
>
> I think the issue might be related to the "server user" in nifi registry.
> I would double check that the way the identity was entered in registry
> exactly matches the identity from nifi's certificate, case-sensitive and
> white-space sensitive. Also make sure this user in registry is granted all
> of the Proxy permissions, it is broken out into three different actions now
> (read, write, delete).
>
> On Tue, Mar 23, 2021 at 9:28 AM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
> >
> > Hi all,
> >
> > I am moving things around and moving from self-signed certs to corporate
> certs.
> >
> > I’ve installed nifi 1.12 with a new truststore and keystore (use toolkit
> with external certs) and that seems fine.
> >
> > I added the cert from the registry server (old self signed) into the new
> nifi 1.12 truststore and the new server cert (signed with corporate CA)
> into the nifi registry truststore (again, self signed).
> >
> > I also added the server ‘user’ CN=server.domain, OU=NIFI into the
> registry and made the permission grants (proxy, buckets). I don’t get any
> SSL errors in the logs but cannot add a PG via registry (no available
> bucket).
> >
> > Is this setup possible and am I missing something, or do all NiFi nodes
> and registry need to be signed with the same key? The idea was to setup a
> new instance (on new server), pull all PGs via registry into the new and
> retiring the old.
> >
> >
> >
> > Thanks,
> >
> > Roland
> >
> >
> >
> >
> >
> > This message (including any attachments) is intended only for the use of
> the individual or entity to which it is addressed and may contain
> information that is non-public, proprietary, privileged, confidential, and
> exempt from disclosure under applicable law or may constitute as attorney
> work product. If you are not the intended recipient, you are hereby
> notified that any use, dissemination, distribution, or copying of this
> communication is strictly prohibited. If you have received this
> communication in error, notify us immediately by telephone and (i) destroy
> this message if a facsimile or (ii) delete this message immediately if this
> is an electronic communication. Thank you.
>
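
The three checks the thread converges on (a PrivateKeyEntry in NiFi's keystore, clientAuth in the leaf certificate's ExtendedKeyUsages, and a registry user identity that matches the certificate DN literally, whitespace and case included) can be run mechanically against "keytool -list -v" output. The script below is an added example, not NiFi or NiFi Registry code; the listing it parses is a constructed sample modelled on the output quoted in this thread, and normalize_dn is a helper introduced here only to label a mismatch.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the "keytool -list -v" output quoted in this
# thread (DNs are the thread's placeholders; fingerprints and dates omitted).
SAMPLE_KEYTOOL_OUTPUT = """\
Keystore type: jks

Alias name: nifi-key
Creation date: Mar 18, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN= server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG, O=ORG_NAME, L=CITY, ST=FL, C=US

#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  clientAuth
  serverAuth
]

Certificate[2]:
Owner: CN=nifi_ca.domain.net, OU=ORG, O=ORG_NAME, L=CITY, ST=FL, C=US
Issuer: CN=ORG Sub-CA, DC=domain, DC=net
"""


@dataclass
class CertInfo:
    owner: str = ""
    issuer: str = ""
    extended_key_usages: list = field(default_factory=list)


@dataclass
class KeystoreEntry:
    alias: str = ""
    entry_type: str = ""
    certs: list = field(default_factory=list)


def parse_keytool_listing(text):
    """Parse 'keytool -list -v' output into KeystoreEntry records."""
    entries, entry, cert, in_eku = [], None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            entry = KeystoreEntry(alias=line.split(":", 1)[1].strip())
            entries.append(entry)
            cert, in_eku = None, False
        elif entry is None:
            continue  # header lines before the first alias
        elif line.startswith("Entry type:"):
            entry.entry_type = line.split(":", 1)[1].strip()
        elif re.match(r"Certificate\[\d+\]:", line):
            cert = CertInfo()
            entry.certs.append(cert)
        elif line.startswith("Owner:"):
            if cert is None:  # trustedCertEntry has no Certificate[N] header
                cert = CertInfo()
                entry.certs.append(cert)
            cert.owner = line.split(":", 1)[1].strip()
        elif line.startswith("Issuer:") and cert is not None:
            cert.issuer = line.split(":", 1)[1].strip()
        elif line.startswith("ExtendedKeyUsages"):
            in_eku = True
        elif in_eku:
            if line == "]":
                in_eku = False
            elif line and cert is not None:
                cert.extended_key_usages.append(line)
    return entries


def normalize_dn(dn):
    """Helper introduced here: drop whitespace around '=' and ',' and fold case.
    Used only to label a mismatch; NiFi Registry compares identities literally."""
    return re.sub(r"\s*([=,])\s*", r"\1", dn).lower()


def check_nifi_client_identity(entries, registry_identity):
    """Return findings that explain why NiFi Registry would treat the NiFi node
    as anonymous; an empty list means all three checks from the thread pass."""
    findings = []
    key_entries = [e for e in entries if e.entry_type == "PrivateKeyEntry"]
    if not key_entries or not key_entries[0].certs:
        return ["keystore has no PrivateKeyEntry, so NiFi has no client certificate to present"]
    leaf = key_entries[0].certs[0]  # Certificate[1] is the node's own cert
    if "clientAuth" not in leaf.extended_key_usages:
        findings.append("leaf certificate lacks clientAuth in ExtendedKeyUsages")
    if leaf.owner != registry_identity:
        kind = ("differs only by whitespace/case" if normalize_dn(leaf.owner)
                == normalize_dn(registry_identity) else "does not match")
        findings.append(f"identity {kind}: certificate presents '{leaf.owner}', "
                        f"registry user is '{registry_identity}'")
    return findings
```

Against a real keystore, feed the captured listing to parse_keytool_listing and pass the identity exactly as it was typed into NiFi Registry; on the sample above the only finding is the stray space after "CN=".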

RE: [EXTERNAL] Re: NiFi Registry SSL question

Posted by "Rosso, Roland" <Ro...@AdventHealth.com>.
Thanks again Bryan. It needs to be built into the .pem key.
Unfortunately, our time self-signing certs is coming to an end.

Roland

From: Bryan Bende <bb...@gmail.com>
Sent: Tuesday, March 30, 2021 4:24 PM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

I'm not familiar with using toolkit with an external CA (if that is what's being done), but I regularly use localhost certs from the toolkit generated with a command like:

./bin/tls-toolkit.sh standalone -n 'localhost'

These work fine for me.


On Tue, Mar 30, 2021 at 3:47 PM Rosso, Roland <Ro...@adventhealth.com>> wrote:
I did check this when I created the NiFi keystore using the toolkit but missed it on the second part of the cert. Certificate[2]:
I’ll try the toolkit again or is it an issue with the corporate keys that were issued?

>keytool -list -v -keystore keystore.jks
Enter keystore password:
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: nifi-key
Creation date: Mar 18, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=server_name.domain.net<http://server_name.domain.net>, OU=NIFI
Issuer: CN=nifi_ca.domain.net<http://nifi_ca.domain.net>, OU=ORG, O=ORG_NAME, L=CITY, ST=FL, C=US
Serial number: blah
Valid from: Thu Mar 18 10:28:03 EDT 2021 until: Wed Jun 21 10:28:03 EDT 2023
Certificate fingerprints:
         MD5:  59:
         SHA1: F2:
         SHA256: 41:
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 48
0010: 4C
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  clientAuth
  serverAuth
]

However, comparing it to the self signed ‘old’ cert, I do it in the second part of the keystore.

Certificate[2]:
Owner: CN=localhost, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: blah
Valid from: Fri Aug 03 11:10:13 EDT 2018 until: Mon Aug 02 11:10:13 EDT 2021
Certificate fingerprints:
         MD5:  3F
         SHA1: B7
         SHA256: 42:
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 97
0010: 8E
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  clientAuth
  serverAuth
]

#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_Encipherment
  Data_Encipherment
  Key_Agreement
  Key_CertSign
  Crl_Sign
]

#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 97
0010: 8E
]
]

In the new keystore.jks created with toolkit 1.12.1:

Certificate[2]:
Owner: CN=nifi_ca.domain.net<http://nifi_ca.domain.net>, OU=ORG, O=ORG_NAME, L=CITY, ST=FL, C=US
Issuer: CN=ORG Sub-CA, DC=domain, DC=net
Serial number: blah
Valid from: Wed Mar 17 13:27:07 EDT 2021 until: Mon Mar 16 13:27:07 EDT 2026
Certificate fingerprints:
         MD5:  8A
         SHA1: C9
         SHA256: 17
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.4.1.311.21.7 Criticality=false
0000: 30
0010: 1E
0020: 29


#2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: ldap:
,
   accessMethod: caIssuers
   accessLocation: URIName:
]
]
MISSING HERE
#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: C5
0010: 4E
]
]

#4: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

#5: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: ldap:
]]

#6: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]

#7: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: nifi_ca.domain.net<http://nifi_ca.domain.net>
]

#8: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 48
0010: 4C
]
]

From: Bryan Bende <bb...@gmail.com>>
Sent: Tuesday, March 30, 2021 3:15 PM
To: users@nifi.apache.org<ma...@nifi.apache.org>
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

The important lines are most likely:

2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using X509IdentityProvider
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.x.X509CertificateExtractor No client certificate found in request.

Essentially there is no certificate being sent from NiFi -> NiFi Registry, and as a result, registry is treating you as an anonymous user and seeing if there are any public buckets to access, and there aren't, so you see an empty list.

This usually happens when the certificate in NiFi's keystore does not have the clientAuth extended usage; you can see this by performing a keytool listing of NiFi's keystore JKS and looking for:

ExtendedKeyUsages [
  serverAuth
  clientAuth
]
If you don't see clientAuth in there then that is the problem.


On Tue, Mar 30, 2021 at 2:49 PM Rosso, Roland <Ro...@adventhealth.com>> wrote:
Bryan,
I can’t seem to find those keywords anywhere following a request made by the ‘new’ server.
This seems to follow an immediate request by this new server:

2021-03-30 14:34:54,666 DEBUG [Listen to Bootstrap] o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests
2021-03-30 14:34:56,667 DEBUG [Listen to Bootstrap] o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using X509IdentityProvider
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.x.X509CertificateExtractor No client certificate found in request.
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using JwtIdentityProvider
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.BearerAuthIdentityProvider HTTP Bearer Auth credentials not present. Not attempting to extract credentials for authentication.
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.AnonymousIdentityFilter Populated SecurityContextHolder with anonymous token: 'anonymous'
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.ResourceAuthorizationFilter Request filter authorization check is not required for this HTTP Method on this resource. Allowing request to proceed. An additional authorization check might be performed downstream of this filter.
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/01b4dd78-fb1a-4910-916e-879ad3ee34c1
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/01b4dd78-fb1a-4910-916e-879ad3ee34c1
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/01b4dd78-fb1a-4910-916e-879ad3ee34c1
[more of those]
2021-03-30 14:34:57,798 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/15d2d1e0-09ba-4373-a000-ea4a1eca3b66
2021-03-30 14:34:57,798 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/15d2d1e0-09ba-4373-a000-ea4a1eca3b66
2021-03-30 14:34:57,798 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/15d2d1e0-09ba-4373-a000-ea4a1eca3b66
2021-03-30 14:34:58,669 DEBUG [Listen to Bootstrap] o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests

Following an immediate request by a working ‘old’ server (still NiFi 1.9.2, using self signed certs):

2021-03-30 14:41:57,057 DEBUG [Listen to Bootstrap] o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests
2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using X509IdentityProvider
2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Adding credentials claim to SecurityContext to be authenticated. Credentials extracted by X509IdentityProvider: AuthenticationRequest{username='CN=working_server.domain.net<http://working_server.domain.net>, OU=NIFI', credentials=[PROTECTED], details=org.apache.nifi.registry.web.security.authentication.x509.X509AuthenticationRequestDetails@7abb2a74<ma...@7abb2a74>}
2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Credentials already extracted for [org.apache.nifi.registry.web.security.authentication.AuthenticationRequestToken$1@6c118a5e], skipping credentials extraction filter using JwtIdentityProvider
2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.AnonymousIdentityFilter SecurityContextHolder not populated with anonymous token, as it already contained: 'AuthenticationRequest{username='CN=working_server.domain.net<http://working_server.domain.net>, OU=NIFI', credentials=[PROTECTED], details=org.apache.nifi.registry.web.security.authentication.x509.X509AuthenticationRequestDetails@7abb2a74<ma...@7abb2a74>}'
2021-03-30 14:41:58,278 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.ResourceAuthorizationFilter Request filter authorization check is not required for this HTTP Method on this resource. Allowing request to proceed. An additional authorization check might be performed downstream of this filter.
2021-03-30 14:41:58,279 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets
2021-03-30 14:41:58,279 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net<http://working_server.domain.net>, OU=NIFI], groups[nifi-admin]] for read
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net<http://working_server.domain.net>, OU=NIFI], groups[nifi-admin]] for read
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net<http://working_server.domain.net>, OU=NIFI], groups[nifi-admin]] for read
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net<http://working_server.domain.net>, OU=NIFI], groups[nifi-admin]] for read
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net<http://working_server.domain.net>, OU=NIFI], groups[nifi-admin]] for read
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net<http://working_server.domain.net>, OU=NIFI], groups[nifi-admin]] for read
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/01b4dd78-fb1a-4910-916e-879ad3ee34c1
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net<http://working_server.domain.net>, OU=NIFI], groups[nifi-admin]] for read


Roland Rosso
AdventHealth
Big Data Administrator | Corporate Analytics
O: 407-805-8532

From: Bryan Bende <bb...@gmail.com>>
Sent: Tuesday, March 30, 2021 2:09 PM
To: users@nifi.apache.org<ma...@nifi.apache.org>
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

If the issue is related to the server user, then there would be something like this:

"Untrusted proxy [%s] for %s operation."

Where the first parameter would be the identity of the nifi server and the second parameter would be READ/WRITE/DELETE.

Also search for whatever user identity you are using in nifi since that will be sent as a proxied entity.

On Tue, Mar 30, 2021 at 1:54 PM Rosso, Roland <Ro...@adventhealth.com>> wrote:
Bryan,
Tried the below:
“Also try adding the following NiFi Registry's logback.xml then see what is in the nifi-registry-app log when you make a request from NiFi to start version control:
<logger name="org.apache.nifi.registry.security" level="DEBUG"/>”

I tried to add a flow to version control or pull a new PG. Since we have 5 instances connected to that registry, hard to say which is doing what, but I can find all the instances in nifi-registry-app.log but not the one that’s not connecting right.
Anything specific you want me to look for in that log?

Thanks,
Roland Rosso
AdventHealth
Big Data Administrator | Corporate Analytics
O: 407-805-8532

From: Rosso, Roland <Ro...@AdventHealth.com>>
Sent: Tuesday, March 30, 2021 1:28 PM
To: users@nifi.apache.org<ma...@nifi.apache.org>
Subject: RE: [EXTERNAL] Re: NiFi Registry SSL question

So,
CN= server_name.domain.net, OU=NIFI

It decided to hyperlink it so the ‘_’ was hidden

Both sets of certs were generated with the toolkit, albeit the first one 2 years ago with self-signed certs, and I need to move it to corporate CA.

New Server Cert:
Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI  <-- exact match to entry above
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US <-- corporate CA switch
This worked fine when we used the self-signed NiFi certs of the type:

Old Server Cert: (this was working but I need to use the above now)
Alias name: server_name-nifi-cert
Creation date: date
Entry type: trustedCertEntry
Owner: CN=server.domain.net, OU=NIFI
Issuer: CN=localhost, OU=NIFI

Thanks,
Roland Rosso
AdventHealth
Big Data Administrator | Corporate Analytics
O: 407-805-8532

From: Bryan Bende <bb...@gmail.com>>
Sent: Tuesday, March 30, 2021 1:14 PM
To: users@nifi.apache.org<ma...@nifi.apache.org>
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

Not sure if this is related, but in one part it shows the Owner as:

CN= server_name.domain.net, OU=NIFI

There is a space between "CN=" and "server_name", but the identity in NiFi Registry does not have a space there.

Also, in the second trustedCertEntry, the Owner is "CN=server.domain.net, OU=NIFI" and shows the issuer as localhost, so I assume this is the one that came from NiFI Toolkit.

If NiFI is presenting a cert with this DN then you would need a user in registry with the identity "CN=server.domain.net, OU=NIFI" which is different from "CN=server_domain.net, OU=NIFI"

On Tue, Mar 30, 2021 at 12:35 PM Rosso, Roland <Ro...@adventhealth.com>> wrote:
Bryan, David,

Where
In NiFi Registry Truststore:
Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI  <-- exact match to entry above
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US <-- corporate CA switch
This worked fine when we used the self-signed NiFi certs of the type:

Alias name: server_name-nifi-cert
Creation date: date
Entry type: trustedCertEntry
Owner: CN=server.domain.net, OU=NIFI
Issuer: CN=localhost, OU=NIFI

Roland

From: Bryan Bende <bb...@gmail.com>>
Sent: Tuesday, March 30, 2021 8:58 AM
To: users@nifi.apache.org<ma...@nifi.apache.org>
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

Since you aren't getting SSL errors and you are just getting no buckets, I don't think it is a problem with certificates. I think it is a problem with the authorization on NiFi Registry side.

What version of NiFi Registry? and also, can you show what policies exist for the NiFi server user in NiFi Registry?

On Tue, Mar 30, 2021 at 8:12 AM Chris McKeever <cg...@gmail.com>> wrote:
Hey Roland .. I ran into a bunch of issues with using the toolkit. I just couldn't get it to do what I needed, I wound up just running my own openssl and keytool commands. I found it much more straightforward and then I could know what all was going on. I'm sure after I got these scars, and I understood all the bits, that toolkit would work and be simpler, but I did find rolling my own, especially with the external CA, was easier.

also - if you are on slack, there is an active nifi community there that may be helpful as well ..

On Tue, Mar 30, 2021 at 6:17 AM Rosso, Roland <Ro...@adventhealth.com>> wrote:
David,
Thanks for the debug config.
Here is an output when I try to connect to the registry from that new server, Import a PG.
Since we have a few servers running, it is a very verbose log.
I may have missed the useful part of the log. 😊

2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut ... no IV derived for this protocol
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Handshake, length = 85
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: server finished[20]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client change_cipher_spec[-1]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client finished[20]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Change Cipher Spec, length = 1
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut *** Finished
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut verify_data:  { 20, 87, 186, 148, 90, 136, 108, 120, 14, 10, 42, 184 }
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut ***
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: finished[20]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client change_cipher_spec[-1]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client finished[20]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Handshake, length = 96
2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 Change Cipher Spec, length = 1
2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client finished[20]
2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 Handshake, length = 96
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut check handshake state: finished[20]
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: finished[20]
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut *** Finished
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut verify_data:  { 155, 211, 15, 169, 135, 208, 90, 115, 111, 50, 85, 164 }
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut ***
2021-03-30 06:57:50,226 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 926
2021-03-30 06:57:50,228 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1100
2021-03-30 06:57:50,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1018
2021-03-30 06:57:50,231 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1049
2021-03-30 06:57:50,233 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1010
2021-03-30 06:57:50,234 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 928
2021-03-30 06:57:50,236 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 924
2021-03-30 06:57:50,237 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
2021-03-30 06:57:50,239 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 919
2021-03-30 06:57:50,240 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1007
2021-03-30 06:57:50,241 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 999
2021-03-30 06:57:50,243 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 916
2021-03-30 06:57:50,245 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 996
2021-03-30 06:57:50,247 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1102
2021-03-30 06:57:50,248 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 942
2021-03-30 06:57:50,250 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
2021-03-30 06:57:50,251 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 919
2021-03-30 06:57:50,253 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 938
2021-03-30 06:57:50,254 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 942
2021-03-30 06:57:50,255 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 923
2021-03-30 06:57:50,256 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 944
2021-03-30 06:57:50,258 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 946
2021-03-30 06:57:50,259 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1006
2021-03-30 06:57:50,261 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 932
2021-03-30 06:57:50,263 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 912
2021-03-30 06:57:50,264 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 943
2021-03-30 06:57:50,266 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1026
2021-03-30 06:57:50,267 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 975
2021-03-30 06:57:50,269 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 915
2021-03-30 06:57:50,270 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 914
2021-03-30 06:57:50,271 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 931
2021-03-30 06:57:50,272 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 929
2021-03-30 06:57:50,274 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 910
2021-03-30 06:57:50,275 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
2021-03-30 06:57:50,276 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 911
2021-03-30 06:57:50,277 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 918
2021-03-30 06:57:50,279 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 927
2021-03-30 06:57:50,280 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 913
2021-03-30 06:57:50,281 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 923
2021-03-30 06:57:50,282 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 928
2021-03-30 06:57:50,284 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 937
2021-03-30 06:57:50,285 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1042
2021-03-30 06:57:50,286 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 939
2021-03-30 06:57:50,287 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 939
2021-03-30 06:57:50,289 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 922
2021-03-30 06:57:50,290 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 919
2021-03-30 06:57:50,291 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 930
2021-03-30 06:57:50,292 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 933
2021-03-30 06:57:50,293 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 930
2021-03-30 06:57:50,295 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 931
2021-03-30 06:57:50,296 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 922
2021-03-30 06:57:50,297 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 947
2021-03-30 06:57:50,298 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 905
2021-03-30 06:57:50,300 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1166
2021-03-30 06:57:50,301 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 914
2021-03-30 06:57:50,302 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 898
2021-03-30 06:57:50,303 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 908
2021-03-30 06:57:50,304 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 989
2021-03-30 06:57:50,306 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 911
2021-03-30 06:57:50,307 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, READ: TLSv1.2 Alert, length = 80
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, RECV TLSv1.2 ALERT:  warning, close_notify
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, closeInboundInternal()
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, closeOutboundInternal()
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, SEND TLSv1.2 ALERT:  warning, description = close_notify
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, WRITE: TLSv1.2 Alert, length = 80
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, called closeOutbound()
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, closeOutboundInternal()
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 Alert, length = 80
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, RECV TLSv1.2 ALERT:  warning, close_notify
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, closeInboundInternal()
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, closeOutboundInternal()
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, SEND TLSv1.2 ALERT:  warning, description = close_notify
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Alert, length = 80
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, called closeOutbound()
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, closeOutboundInternal()

Roland

From: David Handermann <ex...@gmail.com>>
Sent: Monday, March 29, 2021 11:56 PM
To: users@nifi.apache.org<ma...@nifi.apache.org>
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

Hi Roland,

Thanks for the reply.  If you are not seeing any warnings or errors in the NiFi Registry logs, you could enable SSL debugging in the NiFi Registry bootstrap.conf.  Adding the following line to bootstrap.conf should enable SSL debug output to the nifi-registry-bootstrap.log:

java.arg.20=-Djavax.net.debug=ssl

This setting produces a lot of output, but if you watch the log after the initial application startup, you should be able to observe the TLS handshake when NiFi attempts to list buckets from NiFi Registry.  The log output should at least confirm that the certificate exchange is occurring as expected.

Regards,
David Handermann

On Mon, Mar 29, 2021 at 10:34 PM Rosso, Roland <Ro...@adventhealth.com>> wrote:
Hi David,

I use the nifi-toolkit to create the keystore and truststore to make sure clientAuth and serverAuth is set properly.

This is a ‘working’ config.
Keystore:
Alias name: nifi-key
Creation date: date
Entry type: PrivateKeyEntry

Truststore:
Alias name: server_name-nifi-cert
Creation date: date
Entry type: trustedCertEntry

Owner: CN=server.domain.net, OU=NIFI
Issuer: CN=localhost, OU=NIFI

The issue with the new setup is using external CA, also created via the nifi-toolkit, new NiFi install working fine (from a SSL perspective), Registry connecting but can’t list buckets.

Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US

Thanks,
Roland

From: David Handermann <ex...@gmail.com>>
Sent: Monday, March 29, 2021 9:27 PM
To: users@nifi.apache.org<ma...@nifi.apache.org>
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

Hi Roland,

Can you provide the commands you are using to create the server keystores?  Listing the keystore contents using "keytool -list -v -keystore <keystoreFile>" should include an Entry Type of "PrivateKeyEntry", so it would be helpful to confirm that the keystore includes a PrivateKeyEntry and not a TrustedCertEntry.

Regards,
David Handermann

On Mon, Mar 29, 2021 at 5:49 PM Rosso, Roland <Ro...@adventhealth.com>> wrote:
I've tried this one more time (Nifi 1.12.1 to Registry 0.6.0). Re-signed/Re-imported the certs.

The new "server" cert is of the type:

Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US

[blah]

I am adding the "server user" 'CN= server_name.domain.net, OU=NIFI' to the registry with all the grants. I don't see any errors in the logs but still cannot properly link it to the existing buckets. Should I add the "server user" in a different manner since the cert issuer is not 'Issuer: CN=localhost, OU=NIFI'?
The other servers certs that are signed with 'Issuer: CN=localhost, OU=NIFI' work just fine (Nifi 1.9.2 to Registry 0.6.0).
Is there a way to increase the logs as well?

Many thanks,
Roland

-----Original Message-----
From: Rosso, Roland <Ro...@AdventHealth.com>>
Sent: Thursday, March 25, 2021 2:21 PM
To: users@nifi.apache.org<ma...@nifi.apache.org>
Subject: RE: [EXTERNAL] Re: NiFi Registry SSL question

Thank you Bryan,
I've tried all combinations I could think off.
I'll resign all the certs with the same key for nifi and registry and try this again.

Thanks,
Roland

-----Original Message-----
From: Bryan Bende <bb...@gmail.com>>
Sent: Tuesday, March 23, 2021 3:48 PM
To: users@nifi.apache.org<ma...@nifi.apache.org>
Subject: [EXTERNAL] Re: NiFi Registry SSL question

I think the issue might be related to the "server user" in nifi registry. I would double check that the way the identity was entered in registry exactly matches the identity from nifi's certificate, case-sensitive and white-space sensitive. Also make sure this user in registry is granted all of the Proxy permissions, it is broken out into three different actions now (read, write, delete).

On Tue, Mar 23, 2021 at 9:28 AM Rosso, Roland <Ro...@adventhealth.com>> wrote:
>
> Hi all,
>
> I am moving things around and moving from self-signed certs to corporate certs.
>
> I’ve installed nifi 1.12 with a new truststore and keystore (use toolkit with external certs) and that seems fine.
>
> I added the cert from the registry server (old self signed) into the new nifi 1.12 truststore and the new server cert (signed with corporate CA) into the nifi registry truststore (again, self signed).
>
> I also added the server ‘user’ CN=server.domain, OU=NIFI into the registry and made the permission grants (proxy, buckets). I don’t get any SSL errors in the logs but cannot add a PG via registry (no available bucket).
>
> Is this setup possible and am I missing something, or do all NiFi nodes and registry need to be signed with the same key? The idea was to setup a new instance (on new server), pull all PGs via registry into the new and retiring the old.
>
>
>
> Thanks,
>
> Roland
>
>
>
>
>
> This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or may constitute as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, notify us immediately by telephone and (i) destroy this message if a facsimile or (ii) delete this message immediately if this is an electronic communication. Thank you.
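Two checks come up repeatedly in the thread above: David's advice to confirm with `keytool -list -v` that the NiFi keystore holds a PrivateKeyEntry rather than only a trustedCertEntry, and Bryan's point that the proxy identity entered in NiFi Registry must match the certificate's subject DN exactly, including case and whitespace (a stray space after "CN=" makes a different identity). The script below is an added example written for this page, not code from the thread or from the NiFi project. It parses constructed `keytool -list -v` output shaped like the listing Roland posted, pulls out the leaf certificate's Owner DN, and explains why a configured identity does or does not match it. Hostnames such as `server_name.domain.net` are placeholders, and the helper names (`parse_keytool_list`, `explain_mismatch`, `check_keystore`) are mine.

```python
"""Added example: keystore entry-type and identity-match checks for a NiFi -> NiFi Registry setup.

NiFi Registry compares the proxy identity by exact string match, so this helper
does the same and then reports the kind of difference (whitespace, case, content)
so the operator knows what to correct in the Registry user entry.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of `keytool -list -v -keystore keystore.jks`
# output. Hostnames and issuer fields are placeholders, not real systems.
SAMPLE_KEYTOOL_OUTPUT = """\
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: nifi-key
Creation date: Mar 18, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG, O=ORG_NAME, L=CITY, ST=FL, C=US
Certificate[2]:
Owner: CN=nifi_ca.domain.net, OU=ORG, O=ORG_NAME, L=CITY, ST=FL, C=US
Issuer: CN=nifi_ca.domain.net, OU=ORG, O=ORG_NAME, L=CITY, ST=FL, C=US
"""


@dataclass
class KeystoreEntry:
    alias: str
    entry_type: str = ""
    owners: list = field(default_factory=list)  # Owner DN of each cert in the chain, leaf first


def parse_keytool_list(text):
    """Return one KeystoreEntry per 'Alias name:' block in keytool -list -v output."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            current = KeystoreEntry(alias=line.split(":", 1)[1].strip())
            entries.append(current)
        elif current is not None and line.startswith("Entry type:"):
            current.entry_type = line.split(":", 1)[1].strip()
        elif current is not None and line.startswith("Owner:"):
            current.owners.append(line.split(":", 1)[1].strip())
    return entries


def leaf_identity(entry):
    """Certificate[1] is the leaf; its Owner DN is what NiFi presents as its identity."""
    return entry.owners[0] if entry.owners else None


def _strip_dn_whitespace(dn):
    # Remove whitespace around '=' and ',' so "CN= host, OU=X" and "CN=host,OU=X" compare equal.
    return re.sub(r"\s*([=,])\s*", r"\1", dn)


def explain_mismatch(cert_dn, registry_identity):
    """Exact comparison, as NiFi Registry does it; returns [] on a match or a list of reasons."""
    if cert_dn == registry_identity:
        return []
    a, b = _strip_dn_whitespace(cert_dn), _strip_dn_whitespace(registry_identity)
    if a == b:
        return ["identities differ only in whitespace around '=' or ','"]
    if a.lower() == b.lower():
        return ["identities differ only in letter case"]
    return ["identities differ in RDN values or order"]


def check_keystore(keytool_output, registry_identity):
    """Run both checks from the thread: a PrivateKeyEntry must exist, and its leaf DN
    must match the identity configured for the proxy user in NiFi Registry."""
    entries = parse_keytool_list(keytool_output)
    key_entries = [e for e in entries if e.entry_type == "PrivateKeyEntry"]
    result = {"has_private_key": bool(key_entries), "leaf_dn": None,
              "identity_matches": False, "reasons": []}
    if not key_entries:
        # Only trustedCertEntry items means this file is a truststore, not a keystore.
        result["reasons"].append("keystore has no PrivateKeyEntry; NiFi cannot present a client cert")
        return result
    dn = leaf_identity(key_entries[0])
    result["leaf_dn"] = dn
    result["reasons"] = explain_mismatch(dn, registry_identity)
    result["identity_matches"] = not result["reasons"]
    return result


if __name__ == "__main__":
    # The identity with a space after "CN=" is the form that appeared in the thread.
    for configured in ("CN= server_name.domain.net, OU=NIFI", "CN=server_name.domain.net, OU=NIFI"):
        print(configured, "->", check_keystore(SAMPLE_KEYTOOL_OUTPUT, configured))
```

Feed it the real `keytool -list -v` output and the identity string copied from the Registry user entry; when `identity_matches` is false, the reason tells you whether to fix whitespace, case or the DN itself rather than re-signing certificates.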

Re: [EXTERNAL] Re: NiFi Registry SSL question

Posted by Bryan Bende <bb...@gmail.com>.
I'm not familiar with using toolkit with an external CA (if that is what's
being done), but I regularly use localhost certs from the toolkit generated
with a command like:

./bin/tls-toolkit.sh standalone -n 'localhost'

These work fine for me.


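A check for the two conditions this thread settles on further down (the NiFi keystore's end-entity certificate missing the clientAuth extended key usage, and a registry identity that differs from the certificate DN only by a stray space), written here as an added example by the editor; it is not part of Bryan's reply and not code from the NiFi project. It is a stdlib-only Python parser for `keytool -list -v` text. The sample listing inside it is constructed in the shape of the listings quoted below, and the function names (`parse_keytool_listing`, `check_client_auth`, `identity_matches`) are my own. It also handles the trustedCertEntry form of listing (a bare `Owner:` line with no `Certificate[n]:` header), which goes beyond the PrivateKeyEntry output quoted in the thread.

```python
"""Added example: check a `keytool -list -v` listing for the two problems
raised in this thread: a leaf certificate without the clientAuth extended
key usage, and a DN that differs from the registry identity by whitespace."""
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the thread's listings; this leaf
# certificate deliberately carries only serverAuth.
SAMPLE_LISTING = """\
Alias name: nifi-key
Certificate[1]:
Owner: CN=server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG, O=ORG_NAME, L=CITY, ST=FL, C=US
#1: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
]
#2: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
]
Certificate[2]:
Owner: CN=nifi_ca.domain.net, OU=ORG, O=ORG_NAME, L=CITY, ST=FL, C=US
Issuer: CN=ORG Sub-CA, DC=domain, DC=net
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
]
"""

@dataclass
class CertInfo:
    index: int
    owner: str = ""
    issuer: str = ""
    is_ca: bool = False
    ekus: list = field(default_factory=list)

def parse_keytool_listing(text):
    """One CertInfo per certificate. Handles PrivateKeyEntry chains
    (Certificate[n]: headers) and trustedCertEntry listings (bare Owner:)."""
    certs, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"Certificate\[(\d+)\]:", line)
        if header:
            current = CertInfo(int(header.group(1)))
            certs.append(current)
            section = None
        elif line.startswith("Alias name:"):
            current = None  # a new keystore entry starts here
        elif line.startswith("Owner:"):
            if current is None:  # trustedCertEntry has no Certificate[n] header
                current = CertInfo(1)
                certs.append(current)
            current.owner = line[len("Owner:"):].strip()
        elif current is None:
            continue
        elif line.startswith("Issuer:"):
            current.issuer = line[len("Issuer:"):].strip()
        elif line.startswith("ExtendedKeyUsages"):
            section = "eku"
        elif line.startswith("BasicConstraints"):
            section = "bc"
        elif line == "]":
            section = None
        elif section == "eku" and line:
            current.ekus.append(line)
        elif section == "bc" and line.startswith("CA:"):
            current.is_ca = line == "CA:true"
    return certs

def normalize_dn(dn):
    """Strip whitespace around '=' and ',' so "CN= host, OU=NIFI" compares
    equal to "CN=host,OU=NIFI". NiFi Registry matches identities literally,
    so a mismatch found only this way must be fixed in the registry user."""
    return ",".join(re.sub(r"\s*=\s*", "=", p.strip()) for p in dn.split(","))

def check_client_auth(certs):
    """(ok, reason) for the end-entity certificate of the listing."""
    leaves = [c for c in certs if not c.is_ca]
    if not leaves:
        return False, "no end-entity certificate found"
    leaf = min(leaves, key=lambda c: c.index)
    if "clientAuth" not in leaf.ekus:
        return False, f"{leaf.owner} lacks clientAuth (EKUs: {leaf.ekus or 'none'})"
    return True, f"{leaf.owner} has clientAuth"

def identity_matches(cert_owner, registry_identity):
    """(exact, normalized): exact False with normalized True means the DNs
    differ only by whitespace, the symptom discussed in this thread."""
    return (cert_owner == registry_identity,
            normalize_dn(cert_owner) == normalize_dn(registry_identity))

if __name__ == "__main__":
    chain = parse_keytool_listing(SAMPLE_LISTING)
    print(check_client_auth(chain))
    print(identity_matches(chain[0].owner, "CN= server_name.domain.net, OU=NIFI"))
```

Run it as a script to see the report for the constructed sample; to check a real keystore, feed the text of `keytool -list -v -keystore keystore.jks` into `parse_keytool_listing`. A `(False, True)` pair from `identity_matches` means the registry user's identity string has to be edited to match the certificate DN character for character, since the registry compares identities as plain strings unless an identity mapping is configured.
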
On Tue, Mar 30, 2021 at 3:47 PM Rosso, Roland <Ro...@adventhealth.com>
wrote:

> I did check this when I created the NiFi keystore using the toolkit but
> missed it on the second part of the cert. Certificate[2]:
>
> I’ll try the toolkit again or is it an issue with the corporate keys that
> were issued?
>
>
>
> >keytool -list -v -keystore keystore.jks
>
> Enter keystore password:
>
> Keystore type: jks
>
> Keystore provider: SUN
>
>
>
> Your keystore contains 1 entry
>
>
>
> Alias name: nifi-key
>
> Creation date: Mar 18, 2021
>
> Entry type: PrivateKeyEntry
>
> Certificate chain length: 2
>
> Certificate[1]:
>
> Owner: CN=server_name.domain.net, OU=NIFI
>
> Issuer: CN=nifi_ca.domain.net, OU=ORG, O=ORG_NAME, L=CITY, ST=FL, C=US
>
> Serial number: blah
>
> Valid from: Thu Mar 18 10:28:03 EDT 2021 until: Wed Jun 21 10:28:03 EDT
> 2023
>
> Certificate fingerprints:
>
>          MD5:  59:
>
>          SHA1: F2:
>
>          SHA256: 41:
>
> Signature algorithm name: SHA256withRSA
>
> Subject Public Key Algorithm: 2048-bit RSA key
>
> Version: 3
>
>
>
> Extensions:
>
>
>
> #1: ObjectId: 2.5.29.35 Criticality=false
>
> AuthorityKeyIdentifier [
>
> KeyIdentifier [
>
> 0000: 48
>
> 0010: 4C
>
> ]
>
> ]
>
>
>
> #2: ObjectId: 2.5.29.19 Criticality=false
>
> BasicConstraints:[
>
>   CA:false
>
>   PathLen: undefined
>
> ]
>
>
>
> #3: ObjectId: 2.5.29.37 Criticality=false
>
> ExtendedKeyUsages [
>
>   clientAuth
>
>   serverAuth
>
> ]
>
>
>
> However, comparing it to the self signed ‘old’ cert, I do it in the second
> part of the keystore.
>
>
>
> Certificate[2]:
>
> Owner: CN=localhost, OU=NIFI
>
> Issuer: CN=localhost, OU=NIFI
>
> Serial number: blah
>
> Valid from: Fri Aug 03 11:10:13 EDT 2018 until: Mon Aug 02 11:10:13 EDT
> 2021
>
> Certificate fingerprints:
>
>          MD5:  3F
>
>          SHA1: B7
>
>          SHA256: 42:
>
> Signature algorithm name: SHA256withRSA
>
> Subject Public Key Algorithm: 2048-bit RSA key
>
> Version: 3
>
>
>
> Extensions:
>
>
>
> #1: ObjectId: 2.5.29.35 Criticality=false
>
> AuthorityKeyIdentifier [
>
> KeyIdentifier [
>
> 0000: 97
>
> 0010: 8E
>
> ]
>
> ]
>
>
>
> #2: ObjectId: 2.5.29.19 Criticality=false
>
> BasicConstraints:[
>
>   CA:true
>
>   PathLen:2147483647
>
> ]
>
>
>
> #3: ObjectId: 2.5.29.37 Criticality=false
>
> ExtendedKeyUsages [
>
>   clientAuth
>
>   serverAuth
>
> ]
>
>
>
> #4: ObjectId: 2.5.29.15 Criticality=true
>
> KeyUsage [
>
>   DigitalSignature
>
>   Non_repudiation
>
>   Key_Encipherment
>
>   Data_Encipherment
>
>   Key_Agreement
>
>   Key_CertSign
>
>   Crl_Sign
>
> ]
>
>
>
> #5: ObjectId: 2.5.29.14 Criticality=false
>
> SubjectKeyIdentifier [
>
> KeyIdentifier [
>
> 0000: 97
>
> 0010: 8E
>
> ]
>
> ]
>
>
>
> In the new keystore.jks created with toolkit 1.12.1:
>
>
>
> Certificate[2]:
>
> Owner: CN=nifi_ca.domain.net, OU=ORG, O=ORG_NAME, L=CITY, ST=FL, C=US
>
> Issuer: CN=ORG Sub-CA, DC=domain, DC=net
>
> Serial number: blah
>
> Valid from: Wed Mar 17 13:27:07 EDT 2021 until: Mon Mar 16 13:27:07 EDT
> 2026
>
> Certificate fingerprints:
>
>          MD5:  8A
>
>          SHA1: C9
>
>          SHA256: 17
>
> Signature algorithm name: SHA256withRSA
>
> Subject Public Key Algorithm: 2048-bit RSA key
>
> Version: 3
>
>
>
> Extensions:
>
>
>
> #1: ObjectId: 1.3.6.1.4.1.311.21.7 Criticality=false
>
> 0000: 30
>
> 0010: 1E
>
> 0020: 29
>
>
>
>
>
> #2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
>
> AuthorityInfoAccess [
>
>   [
>
>    accessMethod: caIssuers
>
>    accessLocation: URIName: ldap:
>
> ,
>
>    accessMethod: caIssuers
>
>    accessLocation: URIName:
>
> ]
>
> ]
>
> MISSING HERE
>
> #3: ObjectId: 2.5.29.35 Criticality=false
>
> AuthorityKeyIdentifier [
>
> KeyIdentifier [
>
> 0000: C5
>
> 0010: 4E
>
> ]
>
> ]
>
>
>
> #4: ObjectId: 2.5.29.19 Criticality=true
>
> BasicConstraints:[
>
>   CA:true
>
>   PathLen:0
>
> ]
>
>
>
> #5: ObjectId: 2.5.29.31 Criticality=false
>
> CRLDistributionPoints [
>
>   [DistributionPoint:
>
>      [URIName: ldap:
>
> ]]
>
>
>
> #6: ObjectId: 2.5.29.15 Criticality=false
>
> KeyUsage [
>
>   DigitalSignature
>
>   Key_CertSign
>
>   Crl_Sign
>
> ]
>
>
>
> #7: ObjectId: 2.5.29.17 Criticality=false
>
> SubjectAlternativeName [
>
>   DNSName: nifi_ca.domain.net
>
> ]
>
>
>
> #8: ObjectId: 2.5.29.14 Criticality=false
>
> SubjectKeyIdentifier [
>
> KeyIdentifier [
>
> 0000: 48
>
> 0010: 4C
>
> ]
>
> ]
>
>
>
> *From:* Bryan Bende <bb...@gmail.com>
> *Sent:* Tuesday, March 30, 2021 3:15 PM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> The important lines are most likely:
>
>
>
> 2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using
> X509IdentityProvider
>
> 2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.x.X509CertificateExtractor No client certificate found in
> request.
>
>
>
> Essentially there is no certificate being sent from NiFi -> NiFi Registry,
> and as a result, registry is treating you as an anonymous user and seeing
> if there are any public buckets to access, and there aren't, so you see an
> empty list.
>
>
>
> This usually happens when the certificate in NiFi's keystore does not have
> the clientAuth extended usage, you can see this by performing a keytool
> listing of NiFI's keystore JKS and looking for:
>
> ExtendedKeyUsages [
>   serverAuth
>   clientAuth
> ]
>
> If you don't see clientAuth in there then that is the problem.
>
>
>
>
>
> On Tue, Mar 30, 2021 at 2:49 PM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> Bryan,
>
> I can’t seem to find those keywords anywhere following a request made by
> the ‘new’ server
>
> This seems to follow an immediate request by this new server:
>
>
>
> 2021-03-30 14:34:54,666 DEBUG [Listen to Bootstrap]
> o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests
>
> 2021-03-30 14:34:56,667 DEBUG [Listen to Bootstrap]
> o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests
>
> 2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using
> X509IdentityProvider
>
> 2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.x.X509CertificateExtractor No client certificate found in
> request.
>
> 2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using
> JwtIdentityProvider
>
> 2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.BearerAuthIdentityProvider HTTP Bearer Auth credentials not
> present. Not attempting to extract credentials for authentication.
>
> 2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.AnonymousIdentityFilter Populated SecurityContextHolder with
> anonymous token: 'anonymous'
>
> 2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.ResourceAuthorizationFilter Request filter authorization
> check is not required for this HTTP Method on this resource. Allowing
> request to proceed. An additional authorization check might be performed
> downstream of this filter.
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/01b4dd78-fb1a-4910-916e-879ad3ee34c1
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/01b4dd78-fb1a-4910-916e-879ad3ee34c1
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/01b4dd78-fb1a-4910-916e-879ad3ee34c1
>
> [more of those]
>
> 2021-03-30 14:34:57,798 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/15d2d1e0-09ba-4373-a000-ea4a1eca3b66
>
> 2021-03-30 14:34:57,798 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/15d2d1e0-09ba-4373-a000-ea4a1eca3b66
>
> 2021-03-30 14:34:57,798 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/15d2d1e0-09ba-4373-a000-ea4a1eca3b66
>
> 2021-03-30 14:34:58,669 DEBUG [Listen to Bootstrap]
> o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests
>
>
>
> Following an immediate request by a working ‘old’ server (still NiFi
> 1.9.2, using self signed certs):
>
>
>
> 2021-03-30 14:41:57,057 DEBUG [Listen to Bootstrap]
> o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests
>
> 2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using
> X509IdentityProvider
>
> 2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.IdentityFilter Adding credentials claim to SecurityContext to
> be authenticated. Credentials extracted by X509IdentityProvider:
> AuthenticationRequest{username='CN=working_server.domain.net, OU=NIFI',
> credentials=[PROTECTED],
> details=org.apache.nifi.registry.web.security.authentication.x509.X509AuthenticationRequestDetails@7abb2a74
> }
>
> 2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.IdentityFilter Credentials already extracted for
> [org.apache.nifi.registry.web.security.authentication.AuthenticationRequestToken$1@6c118a5e],
> skipping credentials extraction filter using JwtIdentityProvider
>
> 2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.AnonymousIdentityFilter SecurityContextHolder not populated
> with anonymous token, as it already contained:
> 'AuthenticationRequest{username='CN=working_server.domain.net, OU=NIFI',
> credentials=[PROTECTED],
> details=org.apache.nifi.registry.web.security.authentication.x509.X509AuthenticationRequestDetails@7abb2a74
> }'
>
> 2021-03-30 14:41:58,278 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.ResourceAuthorizationFilter Request filter authorization
> check is not required for this HTTP Method on this resource. Allowing
> request to proceed. An additional authorization check might be performed
> downstream of this filter.
>
> 2021-03-30 14:41:58,279 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets
>
> 2021-03-30 14:41:58,279 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=
> working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=
> working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=
> working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=
> working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=
> working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=
> working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/01b4dd78-fb1a-4910-916e-879ad3ee34c1
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=
> working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
>
>
>
>
>
> *Roland Rosso*
> AdventHealth
> Big Data Administrator | Corporate Analytics
> O: 407-805-8532
>
>
>
> *From:* Bryan Bende <bb...@gmail.com>
> *Sent:* Tuesday, March 30, 2021 2:09 PM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> If the issue is related to the server user, then there would be something
> like this:
>
>
>
> "Untrusted proxy [%s] for %s operation."
>
>
>
> Where the first parameter would be the identity of the nifi server and the
> second parameter would be READ/WRITE/DELETE.
>
>
>
> Also search for whatever user identity you are using in nifi since that
> will be sent as a proxied entity.
>
>
>
> On Tue, Mar 30, 2021 at 1:54 PM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> Bryan,
>
> Tried the below:
>
> “Also try adding the following NiFi Registry's logback.xml then see what
> is in the nifi-registry-app log when you make a request from NiFi to start
> version control:
>
> <logger name="org.apache.nifi.registry.security" level="DEBUG"/>”
>
>
>
> I tried to add a flow to version control or pull a new PG. Since we have 5
> instances connected to that registry, hard to say which is doing what, but
> I can find all the instances in nifi-registry-app.log but not the one
> that’s not connecting right.
>
> Anything specific you want me to look for in that log?
>
>
>
> Thanks,
>
> *Roland Rosso*
> AdventHealth
> Big Data Administrator | Corporate Analytics
> O: 407-805-8532
>
>
>
> *From:* Rosso, Roland <Ro...@AdventHealth.com>
> *Sent:* Tuesday, March 30, 2021 1:28 PM
> *To:* users@nifi.apache.org
> *Subject:* RE: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> So,
>
> CN= server_name.domain.net, OU=NIFI
>
>
>
> It decided to hyperlink it so the ‘_’ was hidden
>
>
>
> Both sets of certs were generated with the toolkit, albeit the first one 2
> years ago with self-signed certs, and I need to move it to corporate CA.
>
>
>
> *New Server Cert:*
>
> Alias name: server_name-nifi-cert
>
> Creation date: Mar 29, 2021
>
> Entry type: trustedCertEntry
>
>
>
> Owner: CN= server_name.domain.net, OU=NIFI  *<- exact match to entry above*
>
> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION,
> ST=XX, C=US <- corporate CA switch
>
> This worked fine when we used the self-signed NiFi certs of the type:
>
>
>
> *Old Server Cert: (this was working but I need to use the above now)*
>
> Alias name: server_name-nifi-cert
>
> Creation date: date
>
> Entry type: trustedCertEntry
>
> Owner: CN=server.domain.net, OU=NIFI
>
> Issuer: CN=localhost, OU=NIFI
>
>
>
> Thanks,
>
> *Roland Rosso*
> AdventHealth
> Big Data Administrator | Corporate Analytics
> O: 407-805-8532
>
>
>
> *From:* Bryan Bende <bb...@gmail.com>
> *Sent:* Tuesday, March 30, 2021 1:14 PM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> Not sure if this is related, but in one part it shows the Owner as:
>
>
>
> CN= server_name.domain.net, OU=NIFI
>
>
>
> There is a space between "CN=" and "server_name", but the identity in NiFi
> Registry does not have a space there.
>
>
>
> Also, in the second trustedCertEntry, the Owner is "CN=server.domain.net,
> OU=NIFI" and shows the issuer as localhost, so I assume this is the one
> that came from NiFI Toolkit.
>
>
>
> If NiFI is a presenting a cert with this DN then you would need a user in
> registry with the identity "CN=server.domain.net, OU=NIFI" which is
> different from "CN=server_domain.net, OU=NIFI"
>
>
>
> On Tue, Mar 30, 2021 at 12:35 PM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> Bryan, David,
>
>
>
> Where
>
> In NiFi Registry Truststore:
>
> Alias name: server_name-nifi-cert
> Creation date: Mar 29, 2021
> Entry type: trustedCertEntry
>
> Owner: CN= server_name.domain.net, OU=NIFI  <- exact match to entry above
> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION,
> ST=XX, C=US <- corporate CA switch
>
> This worked fine when we used the self-signed NiFi certs of the type:
>
>
>
> Alias name: server_name-nifi-cert
>
> Creation date: date
>
> Entry type: trustedCertEntry
>
> Owner: CN=server.domain.net, OU=NIFI
>
> Issuer: CN=localhost, OU=NIFI
>
>
>
> *Roland *
>
>
>
> *From:* Bryan Bende <bb...@gmail.com>
> *Sent:* Tuesday, March 30, 2021 8:58 AM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> Since you aren't getting SSL errors and you are just getting no buckets, I
> don't think it is a problem with certificates. I think it is a problem with
> the authorization on NiFi Registry side.
>
>
>
> What version of NiFi Registry? and also, can you show what policies exist
> for the NiFi server user in NiFi Registry?
>
>
>
> On Tue, Mar 30, 2021 at 8:12 AM Chris McKeever <cg...@gmail.com>
> wrote:
>
> Hey Roland .. I ran into a bunch of issues with using the toolkit. I just
> couldnt get it to do what I needed, I wound up just running my own openssl
> and keytool commands. I found it much more straightforward and then I could
> know what all was going on. Im sure after i got these scars, and I
> understood all the bits that toolkit would work and be simpler, but I did
> find rolling my own, especially with the external CA was easier.
>
>
>
> also - if you are on slack, there is an active nifi community there that
> may be helpful as well ..
>
>
>
> On Tue, Mar 30, 2021 at 6:17 AM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> David,
>
> Thanks for the debug config.
>
> Here is an output when I try to connect to the registry from that new
> server, Import a PG.
>
> Since we have a few servers running, it is a very verbose log.
>
> I may have missed the useful part of the log. 😊
>
>
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut ... no IV derived for this protocol
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Handshake, length = 85
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut upcoming handshake states: server
> finished[20]
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut upcoming handshake states: client
> change_cipher_spec[-1]
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut upcoming handshake states: client
> finished[20]
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Change Cipher Spec, length = 1
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut *** Finished
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut verify_data:  { 20, 87, 186, 148, 90, 136,
> 108, 120, 14, 10, 42, 184 }
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut ***
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut update handshake state: finished[20]
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut upcoming handshake states: client
> change_cipher_spec[-1]
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut upcoming handshake states: client
> finished[20]
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Handshake, length = 96
>
> 2021-03-30 06:57:50,223 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2
> Change Cipher Spec, length = 1
>
> 2021-03-30 06:57:50,223 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
>
> 2021-03-30 06:57:50,223 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut upcoming handshake states: client
> finished[20]
>
> 2021-03-30 06:57:50,223 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2
> Handshake, length = 96
>
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut check handshake state: finished[20]
>
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut update handshake state: finished[20]
>
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut *** Finished
>
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut verify_data:  { 155, 211, 15, 169, 135,
> 208, 90, 115, 111, 50, 85, 164 }
>
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut ***
>
> 2021-03-30 06:57:50,226 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 926
>
> 2021-03-30 06:57:50,228 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 1100
>
> 2021-03-30 06:57:50,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 1018
>
> 2021-03-30 06:57:50,231 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 1049
>
> 2021-03-30 06:57:50,233 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 1010
>
> 2021-03-30 06:57:50,234 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 928
>
> 2021-03-30 06:57:50,236 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 924
>
> 2021-03-30 06:57:50,237 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 920
>
> 2021-03-30 06:57:50,239 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 919
>
> 2021-03-30 06:57:50,240 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 1007
>
> 2021-03-30 06:57:50,241 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 999
>
> 2021-03-30 06:57:50,243 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 916
>
> 2021-03-30 06:57:50,245 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 996
>
> 2021-03-30 06:57:50,247 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 1102
>
> 2021-03-30 06:57:50,248 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 942
>
> 2021-03-30 06:57:50,250 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 920
>
>
>
> *Roland *
>
>
>
> *From:* David Handermann <ex...@gmail.com>
> *Sent:* Monday, March 29, 2021 11:56 PM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> Hi Roland,
>
>
>
> Thanks for the reply.  If you are not seeing any warnings or errors in the
> NiFi Registry logs, you could enable SSL debugging in the NiFi Registry
> bootstrap.conf.  Adding the following line to bootstrap.conf should enable
> SSL debug output to the nifi-registry-bootstrap.log:
>
>
>
> java.arg.20=-Djavax.net.debug=ssl
>
>
>
> This setting produces a lot of output, but if you watch the log after the
> initial application startup, you should be able to observe the TLS
> handshake when NiFi attempts to list buckets from NiFi Registry.  The log
> output should at least confirm that the certificate exchange is occurring
> as expected.
>
>
>
> Regards,
>
> David Handermann
>
>
>
> On Mon, Mar 29, 2021 at 10:34 PM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> Hi David,
>
>
>
> I use the nifi-toolkit to create the keystore and truststore to make sure
> clientAuth and serverAuth is set properly.
>
>
>
> This is a ‘working’ config.
>
> Keystore:
>
> Alias name: nifi-key
>
> Creation date: date
>
> Entry type: PrivateKeyEntry
>
>
>
> Truststore:
>
> Alias name: server_name-nifi-cert
>
> Creation date: date
>
> Entry type: trustedCertEntry
>
>
>
> Owner: CN=server.domain.net, OU=NIFI
>
> Issuer: CN=localhost, OU=NIFI
>
>
>
> The issue with the new setup is using external CA, also created via the
> nifi-toolkit, new NiFi install working fine (from a SSL perspective),
> Registry connecting but can’t list buckets.
>
>
>
> Alias name: server_name-nifi-cert
> Creation date: Mar 29, 2021
> Entry type: trustedCertEntry
>
> Owner: CN= server_name.domain.net, OU=NIFI
> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION,
> ST=XX, C=US
>
>
>
> Thanks,
> Roland
>
>
>
> *From:* David Handermann <ex...@gmail.com>
> *Sent:* Monday, March 29, 2021 9:27 PM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> Hi Roland,
>
>
>
> Can you provide the commands you are using to create the server
> keystores?  Listing the keystore contents using "keytool -list -v -keystore
> <keystoreFile>" should include an Entry Type of "PrivateKeyEntry", so it
> would be helpful to confirm that the keystore includes a PrivateKeyEntry
> and not a TrustedCertEntry.
>
>
>
> Regards,
>
> David Handermann
>
>
>
> On Mon, Mar 29, 2021 at 5:49 PM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> I've tried this one more time (Nifi 1.12.1 to Registry 0.6.0).
> Re-signed/Re-imported the certs.
>
> The new "server" cert is of the type:
>
> Alias name: server_name-nifi-cert
> Creation date: Mar 29, 2021
> Entry type: trustedCertEntry
>
> Owner: CN= server_name.domain.net, OU=NIFI
> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION,
> ST=XX, C=US
>
> [blah]
>
> I am adding the "server user" 'CN= server_name.domain.net, OU=NIFI' to
> the registry with all the grants. I don't see any errors in the logs but
> still cannot properly link it to the existing buckets. Should I add the
> "server user" in a different manner since the cert issuer is not 'Issuer:
> CN=localhost, OU=NIFI'?
> The other servers certs that are signed with 'Issuer: CN=localhost,
> OU=NIFI' work just fine (Nifi 1.9.2 to Registry 0.6.0).
> Is there a way to increase the logs as well?
>
> Many thanks,
> Roland
>
> -----Original Message-----
> From: Rosso, Roland <Ro...@AdventHealth.com>
> Sent: Thursday, March 25, 2021 2:21 PM
> To: users@nifi.apache.org
> Subject: RE: [EXTERNAL] Re: NiFi Registry SSL question
>
> Thank you Bryan,
> I've tried all combinations I could think off.
> I'll resign all the certs with the same key for nifi and registry and try
> this again.
>
> Thanks,
> Roland
>
> -----Original Message-----
> From: Bryan Bende <bb...@gmail.com>
> Sent: Tuesday, March 23, 2021 3:48 PM
> To: users@nifi.apache.org
> Subject: [EXTERNAL] Re: NiFi Registry SSL question
>
> I think the issue might be related to the "server user" in nifi registry.
> I would double check that the way the identity was entered in registry
> exactly matches the identity from nifi's certificate, case-sensitive and
> white-space sensitive. Also make sure this user in registry is granted all
> of the Proxy permissions, it is broken out into three different actions now
> (read, write, delete).
>
> On Tue, Mar 23, 2021 at 9:28 AM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
> >
> > Hi all,
> >
> > I am moving things around and moving from self-signed certs to corporate
> certs.
> >
> > I’ve installed nifi 1.12 with a new truststore and keystore (use toolkit
> with external certs) and that seems fine.
> >
> > I added the cert from the registry server (old self signed) into the new
> nifi 1.12 truststore and the new server cert (signed with corporate CA)
> into the nifi registry truststore (again, self signed).
> >
> > I also added the server ‘user’ CN=server.domain, OU=NIFI into the
> registry and made the permission grants (proxy, buckets). I don’t get any
> SSL errors in the logs but cannot add a PG via registry (no available
> bucket).
> >
> > Is this setup possible and am I missing something, or do all NiFi nodes
> and registry need to be signed with the same key? The idea was to setup a
> new instance (on new server), pull all PGs via registry into the new and
> retiring the old.
> >
> >
> >
> > Thanks,
> >
> > Roland
> >
> >
> >
> >
> >
>
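Once the DEBUG logging above is on, nifi-registry-app.log shows the IdentityFilter, X509CertificateExtractor and AnonymousIdentityFilter lines that are quoted further down this thread. The following is an added example, not code from the NiFi project or from anyone in this thread: it walks those log lines and reports, per request, whether the registry extracted an identity from a client certificate or fell through to the anonymous user, which is the case that yields an empty bucket list with no TLS error anywhere. The sample log is constructed from the lines quoted later in the thread.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# One logback line: "<timestamp> <LEVEL> [<thread>] <logger> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>[A-Z]+) "
    r"\[(?P<thread>[^\]]+)\] (?P<logger>\S+) (?P<msg>.*)$"
)
# DN reported by X509IdentityProvider once a client certificate was accepted.
X509_DN_RE = re.compile(
    r"Credentials extracted by X509IdentityProvider: "
    r"AuthenticationRequest\{username='(?P<dn>[^']*)'"
)
RESOURCE_RE = re.compile(r"Requested resource is (?P<res>\S+)")

START_MARKER = "Attempting to extract user credentials using X509IdentityProvider"
NO_CERT_MARKER = "No client certificate found in request."
ANON_MARKER = "Populated SecurityContextHolder with anonymous token"


@dataclass
class RequestAuth:
    """Authentication outcome of one request as seen by the registry filter chain."""
    thread: str
    started: str
    client_cert_presented: Optional[bool] = None  # None: extractor never reported
    identity: Optional[str] = None                # DN taken from the client cert
    anonymous: bool = False
    resources: List[str] = field(default_factory=list)

    @property
    def outcome(self) -> str:
        if self.identity:
            return "x509"
        if self.anonymous:
            return "anonymous"
        return "unknown"


def classify_requests(lines: Iterable[str]) -> List[RequestAuth]:
    """Build one RequestAuth per request, walking the log in order.

    Jetty reuses thread names (Web Server-46 serves both the failing and the
    working request in this thread), so a request boundary is the IdentityFilter
    start marker, not a change of thread name.
    """
    open_requests: dict = {}
    finished: List[RequestAuth] = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line, wrapped continuation or a "[more of those]" placeholder
        thread, msg = m.group("thread"), m.group("msg")
        if START_MARKER in msg:
            if thread in open_requests:
                finished.append(open_requests.pop(thread))
            open_requests[thread] = RequestAuth(thread=thread, started=m.group("ts"))
            continue
        req = open_requests.get(thread)
        if req is None:
            continue  # e.g. the BootstrapListener heartbeat thread
        if NO_CERT_MARKER in msg:
            req.client_cert_presented = False
        dn = X509_DN_RE.search(msg)
        if dn:
            req.client_cert_presented = True
            req.identity = dn.group("dn")
        if ANON_MARKER in msg:
            req.anonymous = True
        res = RESOURCE_RE.search(msg)
        if res and res.group("res") not in req.resources:
            req.resources.append(res.group("res"))
    finished.extend(open_requests.values())
    finished.sort(key=lambda r: r.started)
    return finished


def anonymous_bucket_listings(requests: List[RequestAuth]) -> List[RequestAuth]:
    """Requests that reached /buckets with no client identity: the silent failure
    in this thread (no TLS error in either log, just an empty bucket list)."""
    return [r for r in requests if r.outcome == "anonymous" and "/buckets" in r.resources]


# Constructed sample, adapted from the nifi-registry-app.log lines quoted in this thread.
SAMPLE_LOG = """\
2021-03-30 14:34:56,667 DEBUG [Listen to Bootstrap] o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using X509IdentityProvider
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.x.X509CertificateExtractor No client certificate found in request.
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using JwtIdentityProvider
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.AnonymousIdentityFilter Populated SecurityContextHolder with anonymous token: 'anonymous'
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using X509IdentityProvider
2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Adding credentials claim to SecurityContext to be authenticated. Credentials extracted by X509IdentityProvider: AuthenticationRequest{username='CN=working_server.domain.net, OU=NIFI', credentials=[PROTECTED], details=org.apache.nifi.registry.web.security.authentication.x509.X509AuthenticationRequestDetails@7abb2a74}
2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.AnonymousIdentityFilter SecurityContextHolder not populated with anonymous token, as it already contained: 'AuthenticationRequest{username='CN=working_server.domain.net, OU=NIFI', credentials=[PROTECTED], details=org.apache.nifi.registry.web.security.authentication.x509.X509AuthenticationRequestDetails@7abb2a74}'
2021-03-30 14:41:58,279 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets
2021-03-30 14:41:58,279 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
"""

if __name__ == "__main__":
    requests = classify_requests(SAMPLE_LOG.splitlines())
    for r in requests:
        who = r.identity or "anonymous"
        print(f"{r.started} {r.thread}: {r.outcome:9s} {who} -> {', '.join(r.resources)}")
    for r in anonymous_bucket_listings(requests):
        print(f"WARNING: bucket listing served to anonymous at {r.started}; no client cert presented")
```

Run it against a real nifi-registry-app.log with the DEBUG logger enabled; a request that is flagged while the NiFi side shows no TLS error points at the client side never presenting a certificate rather than at registry policy.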

RE: [EXTERNAL] Re: NiFi Registry SSL question

Posted by "Rosso, Roland" <Ro...@AdventHealth.com>.
I did check this when I created the NiFi keystore using the toolkit but missed it on the second part of the cert. Certificate[2]:
I’ll try the toolkit again or is it an issue with the corporate keys that were issued?

>keytool -list -v -keystore keystore.jks
Enter keystore password:
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: nifi-key
Creation date: Mar 18, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG, O=ORG_NAME, L=CITY, ST=FL, C=US
Serial number: blah
Valid from: Thu Mar 18 10:28:03 EDT 2021 until: Wed Jun 21 10:28:03 EDT 2023
Certificate fingerprints:
         MD5:  59:
         SHA1: F2:
         SHA256: 41:
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 48
0010: 4C
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  clientAuth
  serverAuth
]

However, comparing it to the self signed ‘old’ cert, I do see it in the second part of the keystore.

Certificate[2]:
Owner: CN=localhost, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: blah
Valid from: Fri Aug 03 11:10:13 EDT 2018 until: Mon Aug 02 11:10:13 EDT 2021
Certificate fingerprints:
         MD5:  3F
         SHA1: B7
         SHA256: 42:
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 97
0010: 8E
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  clientAuth
  serverAuth
]

#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_Encipherment
  Data_Encipherment
  Key_Agreement
  Key_CertSign
  Crl_Sign
]

#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 97
0010: 8E
]
]

In the new keystore.jks created with toolkit 1.12.1:

Certificate[2]:
Owner: CN=nifi_ca.domain.net, OU=ORG, O=ORG_NAME, L=CITY, ST=FL, C=US
Issuer: CN=ORG Sub-CA, DC=domain, DC=net
Serial number: blah
Valid from: Wed Mar 17 13:27:07 EDT 2021 until: Mon Mar 16 13:27:07 EDT 2026
Certificate fingerprints:
         MD5:  8A
         SHA1: C9
         SHA256: 17
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.4.1.311.21.7 Criticality=false
0000: 30
0010: 1E
0020: 29


#2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: ldap:
,
   accessMethod: caIssuers
   accessLocation: URIName:
]
]
MISSING HERE
#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: C5
0010: 4E
]
]

#4: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

#5: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: ldap:
]]

#6: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]

#7: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: nifi_ca.domain.net
]

#8: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 48
0010: 4C
]
]

From: Bryan Bende <bb...@gmail.com>
Sent: Tuesday, March 30, 2021 3:15 PM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

The important lines are most likely:

2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using X509IdentityProvider
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.x.X509CertificateExtractor No client certificate found in request.

Essentially there is no certificate being sent from NiFi -> NiFi Registry, and as a result, registry is treating you as an anonymous user and seeing if there are any public buckets to access, and there aren't, so you see an empty list.

This usually happens when the certificate in NiFi's keystore does not have the clientAuth extended usage; you can see this by performing a keytool listing of NiFi's keystore JKS and looking for:

ExtendedKeyUsages [
  serverAuth
  clientAuth
]
If you don't see clientAuth in there then that is the problem.


On Tue, Mar 30, 2021 at 2:49 PM Rosso, Roland <Ro...@adventhealth.com> wrote:
Bryan,
I can’t seem to find those keywords anywhere following a request made by the ‘new’ server
This seems to follow an immediate request by this new server:

2021-03-30 14:34:54,666 DEBUG [Listen to Bootstrap] o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests
2021-03-30 14:34:56,667 DEBUG [Listen to Bootstrap] o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using X509IdentityProvider
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.x.X509CertificateExtractor No client certificate found in request.
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using JwtIdentityProvider
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.BearerAuthIdentityProvider HTTP Bearer Auth credentials not present. Not attempting to extract credentials for authentication.
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.AnonymousIdentityFilter Populated SecurityContextHolder with anonymous token: 'anonymous'
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.ResourceAuthorizationFilter Request filter authorization check is not required for this HTTP Method on this resource. Allowing request to proceed. An additional authorization check might be performed downstream of this filter.
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/01b4dd78-fb1a-4910-916e-879ad3ee34c1
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/01b4dd78-fb1a-4910-916e-879ad3ee34c1
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/01b4dd78-fb1a-4910-916e-879ad3ee34c1
[more of those]
2021-03-30 14:34:57,798 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/15d2d1e0-09ba-4373-a000-ea4a1eca3b66
2021-03-30 14:34:57,798 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/15d2d1e0-09ba-4373-a000-ea4a1eca3b66
2021-03-30 14:34:57,798 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/15d2d1e0-09ba-4373-a000-ea4a1eca3b66
2021-03-30 14:34:58,669 DEBUG [Listen to Bootstrap] o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests

Following an immediate request by a working ‘old’ server (still NiFi 1.9.2, using self signed certs):

2021-03-30 14:41:57,057 DEBUG [Listen to Bootstrap] o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests
2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using X509IdentityProvider
2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Adding credentials claim to SecurityContext to be authenticated. Credentials extracted by X509IdentityProvider: AuthenticationRequest{username='CN=working_server.domain.net, OU=NIFI', credentials=[PROTECTED], details=org.apache.nifi.registry.web.security.authentication.x509.X509AuthenticationRequestDetails@7abb2a74}
2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Credentials already extracted for [org.apache.nifi.registry.web.security.authentication.AuthenticationRequestToken$1@6c118a5e], skipping credentials extraction filter using JwtIdentityProvider
2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.AnonymousIdentityFilter SecurityContextHolder not populated with anonymous token, as it already contained: 'AuthenticationRequest{username='CN=working_server.domain.net, OU=NIFI', credentials=[PROTECTED], details=org.apache.nifi.registry.web.security.authentication.x509.X509AuthenticationRequestDetails@7abb2a74}'
2021-03-30 14:41:58,278 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.ResourceAuthorizationFilter Request filter authorization check is not required for this HTTP Method on this resource. Allowing request to proceed. An additional authorization check might be performed downstream of this filter.
2021-03-30 14:41:58,279 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets
2021-03-30 14:41:58,279 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/01b4dd78-fb1a-4910-916e-879ad3ee34c1
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read


Roland Rosso
AdventHealth
Big Data Administrator | Corporate Analytics
O: 407-805-8532

From: Bryan Bende <bb...@gmail.com>
Sent: Tuesday, March 30, 2021 2:09 PM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

If the issue is related to the server user, then there would be something like this:

"Untrusted proxy [%s] for %s operation."

Where the first parameter would be the identity of the nifi server and the second parameter would be READ/WRITE/DELETE.

Also search for whatever user identity you are using in nifi since that will be sent as a proxied entity.

On Tue, Mar 30, 2021 at 1:54 PM Rosso, Roland <Ro...@adventhealth.com> wrote:
Bryan,
Tried the below:
“Also try adding the following NiFi Registry's logback.xml then see what is in the nifi-registry-app log when you make a request from NiFi to start version control:
<logger name="org.apache.nifi.registry.security" level="DEBUG"/>”

I tried to add a flow to version control or pull a new PG. Since we have 5 instances connected to that registry, hard to say which is doing what, but I can find all the instances in nifi-registry-app.log but not the one that’s not connecting right.
Anything specific you want me to look for in that log?

Thanks,
Roland Rosso
AdventHealth
Big Data Administrator | Corporate Analytics
O: 407-805-8532

From: Rosso, Roland <Ro...@AdventHealth.com>
Sent: Tuesday, March 30, 2021 1:28 PM
To: users@nifi.apache.org
Subject: RE: [EXTERNAL] Re: NiFi Registry SSL question

So,
CN= server_name.domain.net, OU=NIFI

It decided to hyperlink it so the ‘_’ was hidden

Both sets of certs were generated with the toolkit, albeit the first one 2 years ago with self-signed certs, and I need to move it to corporate CA.

New Server Cert:
Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI  <-- exact match to entry above
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US  <-- corporate CA switch
This worked fine when we used the self-signed NiFi certs of the type:

Old Server Cert: (this was working but I need to use the above now)
Alias name: server_name-nifi-cert
Creation date: date
Entry type: trustedCertEntry
Owner: CN=server.domain.net, OU=NIFI
Issuer: CN=localhost, OU=NIFI

Thanks,
Roland Rosso
AdventHealth
Big Data Administrator | Corporate Analytics
O: 407-805-8532

From: Bryan Bende <bb...@gmail.com>
Sent: Tuesday, March 30, 2021 1:14 PM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

Not sure if this is related, but in one part it shows the Owner as:

CN= server_name.domain.net, OU=NIFI

There is a space between "CN=" and "server_name", but the identity in NiFi Registry does not have a space there.

Also, in the second trustedCertEntry, the Owner is "CN=server.domain.net, OU=NIFI" and shows the issuer as localhost, so I assume this is the one that came from NiFi Toolkit.

If NiFi is presenting a cert with this DN then you would need a user in registry with the identity "CN=server.domain.net, OU=NIFI" which is different from "CN=server_domain.net, OU=NIFI".

On Tue, Mar 30, 2021 at 12:35 PM Rosso, Roland <Ro...@adventhealth.com> wrote:
Bryan, David,

[inline image: image001.png]
Where
In NiFi Registry Truststore:
Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI  <-- exact match to entry above
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US  <-- corporate CA switch
This worked fine when we used the self-signed NiFi certs of the type:

Alias name: server_name-nifi-cert
Creation date: date
Entry type: trustedCertEntry
Owner: CN=server.domain.net, OU=NIFI
Issuer: CN=localhost, OU=NIFI

Roland

From: Bryan Bende <bb...@gmail.com>
Sent: Tuesday, March 30, 2021 8:58 AM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

Since you aren't getting SSL errors and you are just getting no buckets, I don't think it is a problem with certificates. I think it is a problem with the authorization on NiFi Registry side.

What version of NiFi Registry? and also, can you show what policies exist for the NiFi server user in NiFi Registry?

On Tue, Mar 30, 2021 at 8:12 AM Chris McKeever <cg...@gmail.com> wrote:
Hey Roland .. I ran into a bunch of issues with using the toolkit. I just couldn't get it to do what I needed, so I wound up just running my own openssl and keytool commands. I found it much more straightforward and then I could know what all was going on. I'm sure after I got these scars, and I understood all the bits, that toolkit would work and be simpler, but I did find rolling my own, especially with the external CA, was easier.

also - if you are on slack, there is an active nifi community there that may be helpful as well ..

On Tue, Mar 30, 2021 at 6:17 AM Rosso, Roland <Ro...@adventhealth.com> wrote:
David,
Thanks for the debug config.
Here is the output when I try to connect to the registry from that new server (import a PG).
Since we have a few servers running, it is a very verbose log.
I may have missed the useful part of the log. 😊

2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut ... no IV derived for this protocol
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Handshake, length = 85
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: server finished[20]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client change_cipher_spec[-1]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client finished[20]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Change Cipher Spec, length = 1
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut *** Finished
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut verify_data:  { 20, 87, 186, 148, 90, 136, 108, 120, 14, 10, 42, 184 }
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut ***
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: finished[20]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client change_cipher_spec[-1]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client finished[20]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Handshake, length = 96
2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 Change Cipher Spec, length = 1
2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client finished[20]
2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 Handshake, length = 96
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut check handshake state: finished[20]
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: finished[20]
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut *** Finished
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut verify_data:  { 155, 211, 15, 169, 135, 208, 90, 115, 111, 50, 85, 164 }
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut ***
2021-03-30 06:57:50,226 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 926
2021-03-30 06:57:50,228 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1100
2021-03-30 06:57:50,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1018
2021-03-30 06:57:50,231 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1049
2021-03-30 06:57:50,233 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1010
2021-03-30 06:57:50,234 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 928
2021-03-30 06:57:50,236 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 924
2021-03-30 06:57:50,237 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
2021-03-30 06:57:50,239 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 919
2021-03-30 06:57:50,240 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1007
2021-03-30 06:57:50,241 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 999
2021-03-30 06:57:50,243 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 916
2021-03-30 06:57:50,245 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 996
2021-03-30 06:57:50,247 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1102
2021-03-30 06:57:50,248 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 942
2021-03-30 06:57:50,250 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
2021-03-30 06:57:50,251 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 919
2021-03-30 06:57:50,253 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 938
2021-03-30 06:57:50,254 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 942
2021-03-30 06:57:50,255 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 923
2021-03-30 06:57:50,256 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 944
2021-03-30 06:57:50,258 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 946
2021-03-30 06:57:50,259 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1006
2021-03-30 06:57:50,261 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 932
2021-03-30 06:57:50,263 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 912
2021-03-30 06:57:50,264 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 943
2021-03-30 06:57:50,266 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1026
2021-03-30 06:57:50,267 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 975
2021-03-30 06:57:50,269 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 915
2021-03-30 06:57:50,270 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 914
2021-03-30 06:57:50,271 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 931
2021-03-30 06:57:50,272 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 929
2021-03-30 06:57:50,274 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 910
2021-03-30 06:57:50,275 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
2021-03-30 06:57:50,276 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 911
2021-03-30 06:57:50,277 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 918
2021-03-30 06:57:50,279 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 927
2021-03-30 06:57:50,280 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 913
2021-03-30 06:57:50,281 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 923
2021-03-30 06:57:50,282 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 928
2021-03-30 06:57:50,284 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 937
2021-03-30 06:57:50,285 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1042
2021-03-30 06:57:50,286 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 939
2021-03-30 06:57:50,287 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 939
2021-03-30 06:57:50,289 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 922
2021-03-30 06:57:50,290 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 919
2021-03-30 06:57:50,291 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 930
2021-03-30 06:57:50,292 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 933
2021-03-30 06:57:50,293 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 930
2021-03-30 06:57:50,295 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 931
2021-03-30 06:57:50,296 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 922
2021-03-30 06:57:50,297 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 947
2021-03-30 06:57:50,298 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 905
2021-03-30 06:57:50,300 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1166
2021-03-30 06:57:50,301 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 914
2021-03-30 06:57:50,302 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 898
2021-03-30 06:57:50,303 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 908
2021-03-30 06:57:50,304 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 989
2021-03-30 06:57:50,306 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 911
2021-03-30 06:57:50,307 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, READ: TLSv1.2 Alert, length = 80
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, RECV TLSv1.2 ALERT:  warning, close_notify
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, closeInboundInternal()
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, closeOutboundInternal()
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, SEND TLSv1.2 ALERT:  warning, description = close_notify
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, WRITE: TLSv1.2 Alert, length = 80
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, called closeOutbound()
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, closeOutboundInternal()
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 Alert, length = 80
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, RECV TLSv1.2 ALERT:  warning, close_notify
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, closeInboundInternal()
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, closeOutboundInternal()
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, SEND TLSv1.2 ALERT:  warning, description = close_notify
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Alert, length = 80
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, called closeOutbound()
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, closeOutboundInternal()

Roland

From: David Handermann <ex...@gmail.com>
Sent: Monday, March 29, 2021 11:56 PM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

Hi Roland,

Thanks for the reply.  If you are not seeing any warnings or errors in the NiFi Registry logs, you could enable SSL debugging in the NiFi Registry bootstrap.conf.  Adding the following line to bootstrap.conf should enable SSL debug output to the nifi-registry-bootstrap.log:

java.arg.20=-Djavax.net.debug=ssl

This setting produces a lot of output, but if you watch the log after the initial application startup, you should be able to observe the TLS handshake when NiFi attempts to list buckets from NiFi Registry.  The log output should at least confirm that the certificate exchange is occurring as expected.

Regards,
David Handermann

On Mon, Mar 29, 2021 at 10:34 PM Rosso, Roland <Ro...@adventhealth.com> wrote:
Hi David,

I use the nifi-toolkit to create the keystore and truststore to make sure clientAuth and serverAuth is set properly.

This is a ‘working’ config.
Keystore:
Alias name: nifi-key
Creation date: date
Entry type: PrivateKeyEntry

Truststore:
Alias name: server_name-nifi-cert
Creation date: date
Entry type: trustedCertEntry

Owner: CN=server.domain.net, OU=NIFI
Issuer: CN=localhost, OU=NIFI

The issue with the new setup is using an external CA, also created via the nifi-toolkit; the new NiFi install is working fine (from an SSL perspective), Registry connecting but can’t list buckets.

Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US

Thanks,
Roland

From: David Handermann <ex...@gmail.com>
Sent: Monday, March 29, 2021 9:27 PM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

Hi Roland,

Can you provide the commands you are using to create the server keystores?  Listing the keystore contents using "keytool -list -v -keystore <keystoreFile>" should include an Entry Type of "PrivateKeyEntry", so it would be helpful to confirm that the keystore includes a PrivateKeyEntry and not a TrustedCertEntry.

Regards,
David Handermann

On Mon, Mar 29, 2021 at 5:49 PM Rosso, Roland <Ro...@adventhealth.com> wrote:
I've tried this one more time (Nifi 1.12.1 to Registry 0.6.0). Re-signed/Re-imported the certs.

The new "server" cert is of the type:

Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US

[blah]

I am adding the "server user" 'CN= server_name.domain.net, OU=NIFI' to the registry with all the grants. I don't see any errors in the logs but still cannot properly link it to the existing buckets. Should I add the "server user" in a different manner since the cert issuer is not 'Issuer: CN=localhost, OU=NIFI'?
The other servers’ certs that are signed with 'Issuer: CN=localhost, OU=NIFI' work just fine (Nifi 1.9.2 to Registry 0.6.0).
Is there a way to increase the logs as well?

Many thanks,
Roland

-----Original Message-----
From: Rosso, Roland <Ro...@AdventHealth.com>
Sent: Thursday, March 25, 2021 2:21 PM
To: users@nifi.apache.org
Subject: RE: [EXTERNAL] Re: NiFi Registry SSL question

Thank you Bryan,
I've tried all combinations I could think of.
I'll re-sign all the certs with the same key for nifi and registry and try this again.

Thanks,
Roland

-----Original Message-----
From: Bryan Bende <bb...@gmail.com>
Sent: Tuesday, March 23, 2021 3:48 PM
To: users@nifi.apache.org
Subject: [EXTERNAL] Re: NiFi Registry SSL question

I think the issue might be related to the "server user" in nifi registry. I would double check that the way the identity was entered in registry exactly matches the identity from nifi's certificate, case-sensitive and white-space sensitive. Also make sure this user in registry is granted all of the Proxy permissions, it is broken out into three different actions now (read, write, delete).
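As an added example (not code from the thread or from the NiFi project): a small Python check that parses `keytool -list -v` output and the `org.apache.nifi.registry.security` DEBUG lines shown earlier in this thread, then compares each DN NiFi presents with the identities typed into NiFi Registry and flags the whitespace and case differences Bryan describes, along with any "Untrusted proxy" lines. The keystore listing, log lines and registry user list are constructed samples; the logger name on the "Untrusted proxy" line is an assumption.

```python
"""Cross-check the DN NiFi presents to NiFi Registry against the Registry user identity."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of `keytool -list -v` output, shaped like the entries quoted in the
# thread: one trusted cert with a stray space after "CN=", one PrivateKeyEntry.
KEYTOOL_OUTPUT = """\
Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US

Alias name: nifi-key
Creation date: Mar 29, 2021
Entry type: PrivateKeyEntry
Owner: CN=server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US
"""

# Constructed log lines in the format of the DEBUG output quoted in the thread. The
# "Untrusted proxy" line follows the message template Bryan quotes; its logger name is
# an assumption, not taken from NiFi Registry source.
LOG_LINES = [
    "2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter "
    "Adding credentials claim to SecurityContext to be authenticated. Credentials extracted by "
    "X509IdentityProvider: AuthenticationRequest{username='CN=working_server.domain.net, OU=NIFI', "
    "credentials=[PROTECTED], details=X509AuthenticationRequestDetails@7abb2a74}",
    "2021-03-30 14:41:58,279 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable "
    "Authorizing proxy [identity[CN=working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read",
    "2021-03-30 14:42:10,101 DEBUG [NiFi Registry Web Server-47] o.a.n.r.w.s.a.IdentityFilter "
    "Adding credentials claim to SecurityContext to be authenticated. Credentials extracted by "
    "X509IdentityProvider: AuthenticationRequest{username='CN= server_name.domain.net, OU=NIFI', "
    "credentials=[PROTECTED], details=X509AuthenticationRequestDetails@1a2b3c4d}",
    "2021-03-30 14:42:10,102 DEBUG [NiFi Registry Web Server-47] o.a.n.r.s.a.r.ProxyChainAuthorizable "
    "Untrusted proxy [CN= server_name.domain.net, OU=NIFI] for READ operation.",
]

# Constructed: identities exactly as typed into NiFi Registry's user list.
REGISTRY_USERS = ["CN=working_server.domain.net, OU=NIFI", "CN=server_name.domain.net, OU=NIFI"]


@dataclass
class KeystoreEntry:
    alias: str
    entry_type: str = ""
    owner: Optional[str] = None
    issuer: Optional[str] = None


def parse_keytool_list(text: str) -> List[KeystoreEntry]:
    """Parse verbose keytool output into entries; Owner/Issuer are kept byte-for-byte."""
    entries: List[KeystoreEntry] = []
    current: Optional[KeystoreEntry] = None
    for line in text.splitlines():
        if line.startswith("Alias name:"):
            current = KeystoreEntry(line.split(":", 1)[1].strip())
            entries.append(current)
        elif current is None:
            continue
        elif line.startswith("Entry type:"):
            current.entry_type = line.split(":", 1)[1].strip()
        elif line.startswith("Owner:"):
            current.owner = line.split(":", 1)[1].strip()
        elif line.startswith("Issuer:"):
            current.issuer = line.split(":", 1)[1].strip()
    return entries


def has_private_key(entries: List[KeystoreEntry]) -> bool:
    """A NiFi keystore must hold a PrivateKeyEntry, not only trustedCertEntry items."""
    return any(e.entry_type == "PrivateKeyEntry" for e in entries)


X509_RE = re.compile(r"X509IdentityProvider: AuthenticationRequest\{username='([^']*)'")
UNTRUSTED_RE = re.compile(r"Untrusted proxy \[(.*?)\] for (READ|WRITE|DELETE) operation")


def identities_from_log(lines: List[str]) -> List[str]:
    """Distinct DNs the X509IdentityProvider extracted from client certificates."""
    seen: List[str] = []
    for line in lines:
        m = X509_RE.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def untrusted_proxies(lines: List[str]) -> List[Tuple[str, str]]:
    """(identity, operation) pairs from 'Untrusted proxy' messages."""
    found = []
    for line in lines:
        m = UNTRUSTED_RE.search(line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def canonical(dn: str) -> str:
    """Collapse whitespace around '=' and ',' and fold case. Diagnosis only: NiFi
    Registry compares the raw strings, which is why near-matches still fail."""
    return re.sub(r"\s*([=,])\s*", r"\1", dn.strip()).lower()


def diagnose(presented: str, registry_users: List[str]) -> str:
    if presented in registry_users:
        return "exact"
    for u in registry_users:
        if canonical(u) == canonical(presented):
            return f"near-match: registry has {u!r}, NiFi presents {presented!r} (whitespace/case differs)"
    return "missing"


def run_check(keytool_text=KEYTOOL_OUTPUT, log_lines=LOG_LINES, registry_users=REGISTRY_USERS) -> Dict:
    """One verdict per DN seen in the log, plus keystore and proxy-rejection findings."""
    return {
        "keystore_has_private_key": has_private_key(parse_keytool_list(keytool_text)),
        "verdicts": {dn: diagnose(dn, registry_users) for dn in identities_from_log(log_lines)},
        "untrusted": untrusted_proxies(log_lines),
    }


if __name__ == "__main__":
    for key, value in run_check().items():
        print(key, value)
```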

On Tue, Mar 23, 2021 at 9:28 AM Rosso, Roland <Ro...@adventhealth.com> wrote:
>
> Hi all,
>
> I am moving things around and moving from self-signed certs to corporate certs.
>
> I’ve installed nifi 1.12 with a new truststore and keystore (use toolkit with external certs) and that seems fine.
>
> I added the cert from the registry server (old self signed) into the new nifi 1.12 truststore and the new server cert (signed with corporate CA) into the nifi registry truststore (again, self signed).
>
> I also added the server ‘user’ CN=server.domain, OU=NIFI into the registry and made the permission grants (proxy, buckets). I don’t get any SSL errors in the logs but cannot add a PG via registry (no available bucket).
>
> Is this setup possible and am I missing something, or do all NiFi nodes and registry need to be signed with the same key? The idea was to setup a new instance (on new server), pull all PGs via registry into the new and retiring the old.
>
>
>
> Thanks,
>
> Roland
>
>
>
>
>
> This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or may constitute as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, notify us immediately by telephone and (i) destroy this message if a facsimile or (ii) delete this message immediately if this is an electronic communication. Thank you.

Re: [EXTERNAL] Re: NiFi Registry SSL question

Posted by Bryan Bende <bb...@gmail.com>.
The important lines are most likely:

2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46]
o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using
X509IdentityProvider

2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46]
o.a.n.r.w.s.a.x.X509CertificateExtractor No client certificate found in
request.


Essentially there is no certificate being sent from NiFi -> NiFi Registry,
and as a result, registry is treating you as an anonymous user and seeing
if there are any public buckets to access, and there aren't, so you see an
empty list.


This usually happens when the certificate in NiFi's keystore does not have
the clientAuth extended usage; you can see this by performing a keytool
listing of NiFi's keystore JKS and looking for:

ExtendedKeyUsages [
  serverAuth
  clientAuth
]

If you don't see clientAuth in there then that is the problem.


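As an added example (not part of the thread and not NiFi or NiFi Registry code), here is a small Python script that applies the two checks above to constructed input: it classifies one request's nifi-registry-app.log DEBUG lines as X509-authenticated or anonymous, and inspects a `keytool -list -v` listing for the clientAuth EKU and for an Owner DN that matches the registry user identity exactly (including the stray space after "CN=" discussed later in the thread). The sample log lines and listings are constructed from the output quoted in the thread; the PrivateKeyEntry type and the extension layout in the listing are assumptions.

```python
"""Added example: two checks for a NiFi -> NiFi Registry "no buckets" problem.

1. classify_registry_request(): did the registry extract an X509 identity
   from the request, or did it fall through to the anonymous user?
   (nifi-registry-app.log with org.apache.nifi.registry.security at DEBUG)
2. check_client_cert(): does NiFi's keystore certificate carry the
   clientAuth EKU, and does its Owner DN match the registry user exactly?
   (text of `keytool -list -v -keystore keystore.jks`)
Sample inputs below are constructed, modelled on the thread's output.
"""
import re

NO_CLIENT_CERT = "X509CertificateExtractor No client certificate found in request."
X509_EXTRACTED = "Credentials extracted by X509IdentityProvider:"
ANON_TOKEN = "Populated SecurityContextHolder with anonymous token"


def classify_registry_request(lines):
    """Return ("x509", identity) or ("anonymous", None) for one request.

    `lines` are the DEBUG lines for a single request; in the real log they
    share one "[NiFi Registry Web Server-NN]" thread name.
    """
    text = "\n".join(lines)
    ident = re.search(r"username='([^']+)'", text)
    if X509_EXTRACTED in text and ident:
        return "x509", ident.group(1)
    if NO_CLIENT_CERT in text or ANON_TOKEN in text:
        return "anonymous", None
    return "unknown", None


def parse_keytool_entry(listing):
    """Pull the Owner DN and the ExtendedKeyUsages list out of keytool -v text."""
    owner = re.search(r"^Owner:\s*(.+)$", listing, re.M)
    eku = re.search(r"ExtendedKeyUsages\s*\[(.*?)\]", listing, re.S)
    ekus = [e.strip() for e in eku.group(1).splitlines() if e.strip()] if eku else []
    return (owner.group(1).strip() if owner else None), ekus


def normalize_dn(dn):
    """Collapse whitespace around '=' and ','. Used only to *detect* a
    whitespace-only difference; NiFi Registry itself compares the strings as-is."""
    parts = [p.strip() for p in dn.split(",")]
    return ", ".join(re.sub(r"\s*=\s*", "=", p) for p in parts)


def check_client_cert(listing, registry_identity):
    """Return a list of findings; an empty list means the cert looks usable."""
    owner, ekus = parse_keytool_entry(listing)
    findings = []
    if "clientAuth" not in ekus:
        findings.append("missing clientAuth EKU: NiFi cannot use this cert as a TLS client")
    if owner != registry_identity:
        if owner and normalize_dn(owner) == normalize_dn(registry_identity):
            findings.append("Owner DN differs from registry identity only in whitespace")
        else:
            findings.append(f"Owner DN {owner!r} != registry identity {registry_identity!r}")
    return findings


# Constructed samples (single-line versions of the thread's wrapped log lines).
BROKEN_REQUEST_LOG = [
    "2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using X509IdentityProvider",
    "2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.x.X509CertificateExtractor No client certificate found in request.",
    "2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.AnonymousIdentityFilter Populated SecurityContextHolder with anonymous token: 'anonymous'",
]
WORKING_REQUEST_LOG = [
    "2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using X509IdentityProvider",
    "2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Adding credentials claim to SecurityContext to be authenticated. Credentials extracted by X509IdentityProvider: AuthenticationRequest{username='CN=working_server.domain.net, OU=NIFI', credentials=[PROTECTED], details=...}",
]
# Constructed keytool -v excerpts; PrivateKeyEntry and the extension layout are assumed.
GOOD_LISTING = """\
Alias name: server_name-nifi-key
Entry type: PrivateKeyEntry
Owner: CN=server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US
Extensions:
#1: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]
"""
# Same entry, but without clientAuth and with the stray space after "CN=".
BAD_LISTING = GOOD_LISTING.replace("  clientAuth\n", "").replace("CN=server_name", "CN= server_name")
REGISTRY_IDENTITY = "CN=server_name.domain.net, OU=NIFI"

if __name__ == "__main__":
    print(classify_registry_request(BROKEN_REQUEST_LOG))     # ('anonymous', None)
    print(classify_registry_request(WORKING_REQUEST_LOG))    # ('x509', 'CN=working_server.domain.net, OU=NIFI')
    print(check_client_cert(GOOD_LISTING, REGISTRY_IDENTITY))  # []
    for finding in check_client_cert(BAD_LISTING, REGISTRY_IDENTITY):
        print("FINDING:", finding)
```

To use it on a real system, feed the output of `keytool -list -v` for the NiFi keystore to check_client_cert and the lines for one registry request thread to classify_registry_request.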

On Tue, Mar 30, 2021 at 2:49 PM Rosso, Roland <Ro...@adventhealth.com>
wrote:

> Bryan,
>
> I can’t seem to find those keywords anywhere following a request made by
> the ‘new’ server
>
> This seems to follow an immediate request by this new server:
>
>
>
> 2021-03-30 14:34:54,666 DEBUG [Listen to Bootstrap]
> o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests
>
> 2021-03-30 14:34:56,667 DEBUG [Listen to Bootstrap]
> o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests
>
> 2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using
> X509IdentityProvider
>
> 2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.x.X509CertificateExtractor No client certificate found in
> request.
>
> 2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using
> JwtIdentityProvider
>
> 2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.BearerAuthIdentityProvider HTTP Bearer Auth credentials not
> present. Not attempting to extract credentials for authentication.
>
> 2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.AnonymousIdentityFilter Populated SecurityContextHolder with
> anonymous token: 'anonymous'
>
> 2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.ResourceAuthorizationFilter Request filter authorization
> check is not required for this HTTP Method on this resource. Allowing
> request to proceed. An additional authorization check might be performed
> downstream of this filter.
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/01b4dd78-fb1a-4910-916e-879ad3ee34c1
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/01b4dd78-fb1a-4910-916e-879ad3ee34c1
>
> 2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/01b4dd78-fb1a-4910-916e-879ad3ee34c1
>
> [more of those]
>
> 2021-03-30 14:34:57,798 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/15d2d1e0-09ba-4373-a000-ea4a1eca3b66
>
> 2021-03-30 14:34:57,798 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/15d2d1e0-09ba-4373-a000-ea4a1eca3b66
>
> 2021-03-30 14:34:57,798 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/15d2d1e0-09ba-4373-a000-ea4a1eca3b66
>
> 2021-03-30 14:34:58,669 DEBUG [Listen to Bootstrap]
> o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests
>
>
>
> Following an immediate request by a working ‘old’ server (still NiFi
> 1.9.2, using self signed certs):
>
>
>
> 2021-03-30 14:41:57,057 DEBUG [Listen to Bootstrap]
> o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests
>
> 2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using
> X509IdentityProvider
>
> 2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.IdentityFilter Adding credentials claim to SecurityContext to
> be authenticated. Credentials extracted by X509IdentityProvider:
> AuthenticationRequest{username='CN=working_server.domain.net, OU=NIFI',
> credentials=[PROTECTED],
> details=org.apache.nifi.registry.web.security.authentication.x509.X509AuthenticationRequestDetails@7abb2a74
> }
>
> 2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.IdentityFilter Credentials already extracted for
> [org.apache.nifi.registry.web.security.authentication.AuthenticationRequestToken$1@6c118a5e],
> skipping credentials extraction filter using JwtIdentityProvider
>
> 2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.AnonymousIdentityFilter SecurityContextHolder not populated
> with anonymous token, as it already contained:
> 'AuthenticationRequest{username='CN=working_server.domain.net, OU=NIFI',
> credentials=[PROTECTED],
> details=org.apache.nifi.registry.web.security.authentication.x509.X509AuthenticationRequestDetails@7abb2a74
> }'
>
> 2021-03-30 14:41:58,278 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.w.s.a.ResourceAuthorizationFilter Request filter authorization
> check is not required for this HTTP Method on this resource. Allowing
> request to proceed. An additional authorization check might be performed
> downstream of this filter.
>
> 2021-03-30 14:41:58,279 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets
>
> 2021-03-30 14:41:58,279 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=
> working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=
> working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=
> working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=
> working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
>
> 2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=
> working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=
> working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is
> /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting
> authorizable for /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is
> /buckets/01b4dd78-fb1a-4910-916e-879ad3ee34c1
>
> 2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46]
> o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=
> working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
>
>
>
>
>
> *Roland Rosso*
> AdventHealth
> Big Data Administrator | Corporate Analytics
> O: 407-805-8532
>
>
>
> *From:* Bryan Bende <bb...@gmail.com>
> *Sent:* Tuesday, March 30, 2021 2:09 PM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> If the issue is related to the server user, then there would be something
> like this:
>
>
>
> "Untrusted proxy [%s] for %s operation."
>
>
>
> Where the first parameter would be the identity of the nifi server and the
> second parameter would be READ/WRITE/DELETE.
>
>
>
> Also search for whatever user identity you are using in nifi since that
> will be sent as a proxied entity.
>
>
>
> On Tue, Mar 30, 2021 at 1:54 PM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> Bryan,
>
> Tried the below:
>
> “Also try adding the following NiFi Registry's logback.xml then see what
> is in the nifi-registry-app log when you make a request from NiFi to start
> version control:
>
> <logger name="org.apache.nifi.registry.security" level="DEBUG"/>”
>
>
>
> I tried to add a flow to version control or pull a new PG. Since we have 5
> instances connected to that registry, hard to say which is doing what, but
> I can find all the instances in nifi-registry-app.log but not the one
> that’s not connecting right.
>
> Anything specific you want me to look for in that log?
>
>
>
> Thanks,
>
> *Roland Rosso*
> AdventHealth
> Big Data Administrator | Corporate Analytics
> O: 407-805-8532
>
>
>
> *From:* Rosso, Roland <Ro...@AdventHealth.com>
> *Sent:* Tuesday, March 30, 2021 1:28 PM
> *To:* users@nifi.apache.org
> *Subject:* RE: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> So,
>
> CN= server_name.domain.net, OU=NIFI
>
>
>
> It decided to hyperlink it so the ‘_’ was hidden
>
>
>
> Both sets of certs were generated with the toolkit, albeit the first one 2
> years ago with self-signed certs, and I need to move it to corporate CA.
>
>
>
> *New Server Cert:*
>
> Alias name: server_name-nifi-cert
>
> Creation date: Mar 29, 2021
>
> Entry type: trustedCertEntry
>
>
>
> Owner: CN= server_name.domain.net, OU=NIFI  *← exact match to entry above*
>
> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION,
> ST=XX, C=US ← corporate CA switch
>
> This worked fine when we used the self-signed NiFi certs of the type:
>
>
>
> *Old Server Cert: (this was working but I need to use the above now)*
>
> Alias name: server_name-nifi-cert
>
> Creation date: date
>
> Entry type: trustedCertEntry
>
> Owner: CN=server.domain.net, OU=NIFI
>
> Issuer: CN=localhost, OU=NIFI
>
>
>
> Thanks,
>
> *Roland Rosso*
> AdventHealth
> Big Data Administrator | Corporate Analytics
> O: 407-805-8532
>
>
>
> *From:* Bryan Bende <bb...@gmail.com>
> *Sent:* Tuesday, March 30, 2021 1:14 PM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> Not sure if this is related, but in one part it shows the Owner as:
>
>
>
> CN= server_name.domain.net, OU=NIFI
>
>
>
> There is a space between "CN=" and "server_name", but the identity in NiFi
> Registry does not have a space there.
>
>
>
> Also, in the second trustedCertEntry, the Owner is "CN=server.domain.net,
> OU=NIFI" and shows the issuer as localhost, so I assume this is the one
> that came from NiFi Toolkit.
>
>
>
> If NiFi is presenting a cert with this DN then you would need a user in
> registry with the identity "CN=server.domain.net, OU=NIFI" which is
> different from "CN=server_domain.net, OU=NIFI"
>
>
>
> On Tue, Mar 30, 2021 at 12:35 PM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> Bryan, David,
>
>
>
> Where
>
> In NiFi Registry Truststore:
>
> Alias name: server_name-nifi-cert
> Creation date: Mar 29, 2021
> Entry type: trustedCertEntry
>
> Owner: CN= server_name.domain.net, OU=NIFI  ← exact match to entry above
> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION,
> ST=XX, C=US ← corporate CA switch
>
> This worked fine when we used the self-signed NiFi certs of the type:
>
>
>
> Alias name: server_name-nifi-cert
>
> Creation date: date
>
> Entry type: trustedCertEntry
>
> Owner: CN=server.domain.net, OU=NIFI
>
> Issuer: CN=localhost, OU=NIFI
>
>
>
> *Roland *
>
>
>
> *From:* Bryan Bende <bb...@gmail.com>
> *Sent:* Tuesday, March 30, 2021 8:58 AM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> Since you aren't getting SSL errors and you are just getting no buckets, I
> don't think it is a problem with certificates. I think it is a problem with
> the authorization on NiFi Registry side.
>
>
>
> What version of NiFi Registry? and also, can you show what policies exist
> for the NiFi server user in NiFi Registry?
>
>
>
> On Tue, Mar 30, 2021 at 8:12 AM Chris McKeever <cg...@gmail.com>
> wrote:
>
> Hey Roland .. I ran into a bunch of issues with using the toolkit. I just
> couldn't get it to do what I needed, I wound up just running my own openssl
> and keytool commands. I found it much more straightforward and then I could
> know what all was going on. I'm sure after I got these scars, and I
> understood all the bits, that toolkit would work and be simpler, but I did
> find rolling my own, especially with the external CA, was easier.
>
>
>
> also - if you are on slack, there is an active nifi community there that
> may be helpful as well ..
>
>
>
> On Tue, Mar 30, 2021 at 6:17 AM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> David,
>
> Thanks for the debug config.
>
> Here is an output when I try to connect to the registry from that new
> server, Import a PG.
>
> Since we have a few servers running, it is a very verbose log.
>
> I may have missed the useful part of the log. 😊
>
>
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut ... no IV derived for this protocol
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Handshake, length = 85
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut upcoming handshake states: server
> finished[20]
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut upcoming handshake states: client
> change_cipher_spec[-1]
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut upcoming handshake states: client
> finished[20]
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Change Cipher Spec, length = 1
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut *** Finished
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut verify_data:  { 20, 87, 186, 148, 90, 136,
> 108, 120, 14, 10, 42, 184 }
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut ***
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut update handshake state: finished[20]
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut upcoming handshake states: client
> change_cipher_spec[-1]
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut upcoming handshake states: client
> finished[20]
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Handshake, length = 96
>
> 2021-03-30 06:57:50,223 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2
> Change Cipher Spec, length = 1
>
> 2021-03-30 06:57:50,223 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
>
> 2021-03-30 06:57:50,223 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut upcoming handshake states: client
> finished[20]
>
> 2021-03-30 06:57:50,223 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2
> Handshake, length = 96
>
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut check handshake state: finished[20]
>
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut update handshake state: finished[20]
>
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut *** Finished
>
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut verify_data:  { 155, 211, 15, 169, 135,
> 208, 90, 115, 111, 50, 85, 164 }
>
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut ***
>
> 2021-03-30 06:57:50,226 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 926
>
> 2021-03-30 06:57:50,228 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 1100
>
> 2021-03-30 06:57:50,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 1018
>
> 2021-03-30 06:57:50,231 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 1049
>
> 2021-03-30 06:57:50,233 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 1010
>
> 2021-03-30 06:57:50,234 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 928
>
> 2021-03-30 06:57:50,236 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 924
>
> 2021-03-30 06:57:50,237 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 920
>
> 2021-03-30 06:57:50,239 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 919
>
> 2021-03-30 06:57:50,240 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 1007
>
> 2021-03-30 06:57:50,241 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 999
>
> 2021-03-30 06:57:50,243 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 916
>
> 2021-03-30 06:57:50,245 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 996
>
> 2021-03-30 06:57:50,247 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 1102
>
> 2021-03-30 06:57:50,248 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 942
>
> 2021-03-30 06:57:50,250 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 920
>
> 2021-03-30 06:57:50,251 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 919
>
> 2021-03-30 06:57:50,253 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 938
>
> 2021-03-30 06:57:50,254 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 942
>
> 2021-03-30 06:57:50,255 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 923
>
> 2021-03-30 06:57:50,256 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 944
>
> 2021-03-30 06:57:50,258 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 946
>
> 2021-03-30 06:57:50,259 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 1006
>
> 2021-03-30 06:57:50,261 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 932
>
> 2021-03-30 06:57:50,263 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 912
>
> 2021-03-30 06:57:50,264 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 943
>
> 2021-03-30 06:57:50,266 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 1026
>
> 2021-03-30 06:57:50,267 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 975
>
> 2021-03-30 06:57:50,269 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 915
>
> 2021-03-30 06:57:50,270 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 914
>
> 2021-03-30 06:57:50,271 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 931
>
> 2021-03-30 06:57:50,272 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 929
>
> 2021-03-30 06:57:50,274 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 910
>
> 2021-03-30 06:57:50,275 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 920
>
> 2021-03-30 06:57:50,276 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 911
>
> 2021-03-30 06:57:50,277 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 918
>
> 2021-03-30 06:57:50,279 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 927
>
> 2021-03-30 06:57:50,280 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 913
>
> 2021-03-30 06:57:50,281 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 923
>
> 2021-03-30 06:57:50,282 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 928
>
> 2021-03-30 06:57:50,284 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 937
>
> 2021-03-30 06:57:50,285 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 1042
>
> 2021-03-30 06:57:50,286 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 939
>
> 2021-03-30 06:57:50,287 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 939
>
> 2021-03-30 06:57:50,289 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 922
>
> 2021-03-30 06:57:50,290 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 919
>
> 2021-03-30 06:57:50,291 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 930
>
> 2021-03-30 06:57:50,292 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 933
>
> 2021-03-30 06:57:50,293 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 930
>
> 2021-03-30 06:57:50,295 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 931
>
> 2021-03-30 06:57:50,296 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 922
>
> 2021-03-30 06:57:50,297 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 947
>
> 2021-03-30 06:57:50,298 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 905
>
> 2021-03-30 06:57:50,300 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 1166
>
> 2021-03-30 06:57:50,301 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 914
>
> 2021-03-30 06:57:50,302 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 898
>
> 2021-03-30 06:57:50,303 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 908
>
> 2021-03-30 06:57:50,304 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 989
>
> 2021-03-30 06:57:50,306 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 911
>
> 2021-03-30 06:57:50,307 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 920
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, READ: TLSv1.2
> Alert, length = 80
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, RECV TLSv1.2
> ALERT:  warning, close_notify
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40,
> closeInboundInternal()
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40,
> closeOutboundInternal()
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, SEND TLSv1.2
> ALERT:  warning, description = close_notify
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, WRITE: TLSv1.2
> Alert, length = 80
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, called
> closeOutbound()
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40,
> closeOutboundInternal()
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2
> Alert, length = 80
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, RECV TLSv1.2
> ALERT:  warning, close_notify
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35,
> closeInboundInternal()
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35,
> closeOutboundInternal()
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, SEND TLSv1.2
> ALERT:  warning, description = close_notify
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Alert, length = 80
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, called
> closeOutbound()
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35,
> closeOutboundInternal()
>
>
>
> *Roland *
>
>
>
> *From:* David Handermann <ex...@gmail.com>
> *Sent:* Monday, March 29, 2021 11:56 PM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> Hi Roland,
>
>
>
> Thanks for the reply.  If you are not seeing any warnings or errors in the
> NiFi Registry logs, you could enable SSL debugging in the NiFi Registry
> bootstrap.conf.  Adding the following line to bootstrap.conf should enable
> SSL debug output to the nifi-registry-bootstrap.log:
>
>
>
> java.arg.20=-Djavax.net.debug=ssl
>
>
>
> This setting produces a lot of output, but if you watch the log after the
> initial application startup, you should be able to observe the TLS
> handshake when NiFi attempts to list buckets from NiFi Registry.  The log
> output should at least confirm that the certificate exchange is occurring
> as expected.
>
>
>
> Regards,
>
> David Handermann
>
>
>
> On Mon, Mar 29, 2021 at 10:34 PM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> Hi David,
>
>
>
> I use the nifi-toolkit to create the keystore and truststore to make sure
> clientAuth and serverAuth is set properly.
>
>
>
> This is a ‘working’ config.
>
> Keystore:
>
> Alias name: nifi-key
>
> Creation date: date
>
> Entry type: PrivateKeyEntry
>
>
>
> Truststore:
>
> Alias name: server_name-nifi-cert
>
> Creation date: date
>
> Entry type: trustedCertEntry
>
>
>
> Owner: CN=server.domain.net, OU=NIFI
>
> Issuer: CN=localhost, OU=NIFI
>
>
>
> The issue with the new setup is using external CA, also created via the
> nifi-toolkit, new NiFi install working fine (from a SSL perspective),
> Registry connecting but can’t list buckets.
>
>
>
> Alias name: server_name-nifi-cert
> Creation date: Mar 29, 2021
> Entry type: trustedCertEntry
>
> Owner: CN= server_name.domain.net, OU=NIFI
> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION,
> ST=XX, C=US
>
>
>
> Thanks,
> Roland
>
>
>
> *From:* David Handermann <ex...@gmail.com>
> *Sent:* Monday, March 29, 2021 9:27 PM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> Hi Roland,
>
>
>
> Can you provide the commands you are using to create the server
> keystores?  Listing the keystore contents using "keytool -list -v -keystore
> <keystoreFile>" should include an Entry Type of "PrivateKeyEntry", so it
> would be helpful to confirm that the keystore includes a PrivateKeyEntry
> and not a TrustedCertEntry.
>
>
>
> Regards,
>
> David Handermann
>
>
>
> On Mon, Mar 29, 2021 at 5:49 PM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> I've tried this one more time (Nifi 1.12.1 to Registry 0.6.0).
> Re-signed/Re-imported the certs.
>
> The new "server" cert is of the type:
>
> Alias name: server_name-nifi-cert
> Creation date: Mar 29, 2021
> Entry type: trustedCertEntry
>
> Owner: CN= server_name.domain.net, OU=NIFI
> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION,
> ST=XX, C=US
>
> [blah]
>
> I am adding the "server user" 'CN= server_name.domain.net, OU=NIFI' to
> the registry with all the grants. I don't see any errors in the logs but
> still cannot properly link it to the existing buckets. Should I add the
> "server user" in a different manner since the cert issuer is not 'Issuer:
> CN=localhost, OU=NIFI'?
> The other servers certs that are signed with 'Issuer: CN=localhost,
> OU=NIFI' work just fine (Nifi 1.9.2 to Registry 0.6.0).
> Is there a way to increase the logs as well?
>
> Many thanks,
> Roland
>
> -----Original Message-----
> From: Rosso, Roland <Ro...@AdventHealth.com>
> Sent: Thursday, March 25, 2021 2:21 PM
> To: users@nifi.apache.org
> Subject: RE: [EXTERNAL] Re: NiFi Registry SSL question
>
> Thank you Bryan,
> I've tried all combinations I could think of.
> I'll resign all the certs with the same key for nifi and registry and try
> this again.
>
> Thanks,
> Roland
>
> -----Original Message-----
> From: Bryan Bende <bb...@gmail.com>
> Sent: Tuesday, March 23, 2021 3:48 PM
> To: users@nifi.apache.org
> Subject: [EXTERNAL] Re: NiFi Registry SSL question
>
> I think the issue might be related to the "server user" in nifi registry.
> I would double check that the way the identity was entered in registry
> exactly matches the identity from nifi's certificate, case-sensitive and
> white-space sensitive. Also make sure this user in registry is granted all
> of the Proxy permissions, it is broken out into three different actions now
> (read, write, delete).
>
> On Tue, Mar 23, 2021 at 9:28 AM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
> >
> > Hi all,
> >
> > I am moving things around and moving from self-signed certs to corporate
> certs.
> >
> > I’ve installed nifi 1.12 with a new truststore and keystore (use toolkit
> with external certs) and that seems fine.
> >
> > I added the cert from the registry server (old self signed) into the new
> nifi 1.12 truststore and the new server cert (signed with corporate CA)
> into the nifi registry truststore (again, self signed).
> >
> > I also added the server ‘user’ CN=server.domain, OU=NIFI into the
> registry and made the permission grants (proxy, buckets). I don’t get any
> SSL errors in the logs but cannot add a PG via registry (no available
> bucket).
> >
> > Is this setup possible and am I missing something, or do all NiFi nodes
> and registry need to be signed with the same key? The idea was to setup a
> new instance (on new server), pull all PGs via registry into the new and
> retiring the old.
> >
> >
> >
> > Thanks,
> >
> > Roland
> >
> >
> >
> >
> >
>
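
As an added example, not part of this thread and not NiFi Registry's own code: a small Python triage over nifi-registry-app.log DEBUG lines of the kind the `org.apache.nifi.registry.security` logger Bryan suggests enabling will produce. It groups lines by web-server thread, flags requests where X509CertificateExtractor found no client certificate (the registry then populates the security context with the anonymous token, so none of the proxy grants for the server user can apply), pulls out the DN that X509IdentityProvider extracted, and compares it character for character against the identities configured in the registry, reporting near misses that differ only in whitespace or case, which is the exact-match point from Bryan's earlier reply quoted above. The sample log lines, thread ids, the `new_server.domain.net` identity and the `REGISTRY_USERS` list are constructed for the example.

```python
"""Triage NiFi Registry security DEBUG lines per web-server thread: was a client
certificate presented, which identity was extracted, and does it match a
configured registry user exactly (not just ignoring whitespace and case)?"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input, modelled on nifi-registry-app.log DEBUG output.
# Thread ids, timestamps and the new_server identity are hypothetical.
SAMPLE_LOG = """\
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using X509IdentityProvider
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.x.X509CertificateExtractor No client certificate found in request.
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.AnonymousIdentityFilter Populated SecurityContextHolder with anonymous token: 'anonymous'
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets
2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-47] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using X509IdentityProvider
2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-47] o.a.n.r.w.s.a.IdentityFilter Adding credentials claim to SecurityContext to be authenticated. Credentials extracted by X509IdentityProvider: AuthenticationRequest{username='CN=working_server.domain.net, OU=NIFI', credentials=[PROTECTED], details=...}
2021-03-30 14:41:58,279 DEBUG [NiFi Registry Web Server-47] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets
2021-03-30 14:41:58,279 DEBUG [NiFi Registry Web Server-47] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
2021-03-30 14:50:01,100 DEBUG [NiFi Registry Web Server-48] o.a.n.r.w.s.a.IdentityFilter Adding credentials claim to SecurityContext to be authenticated. Credentials extracted by X509IdentityProvider: AuthenticationRequest{username='CN=new_server.domain.net, OU=NIFI', credentials=[PROTECTED], details=...}
"""

# Hypothetical user identities as typed into the registry. The second carries a
# stray space after "CN=", the kind of near miss an exact-match check rejects.
REGISTRY_USERS = [
    "CN=working_server.domain.net, OU=NIFI",
    "CN= new_server.domain.net, OU=NIFI",
]

LINE_RE = re.compile(r"^\S+ \S+ DEBUG \[(?P<thread>[^\]]+)\] (?P<logger>\S+) (?P<msg>.*)$")
IDENTITY_RE = re.compile(r"Credentials extracted by X509IdentityProvider: "
                         r"AuthenticationRequest\{username='(?P<dn>[^']*)'")


@dataclass
class ThreadAuth:
    identity: Optional[str] = None      # DN extracted from the client certificate
    no_client_cert: bool = False        # X509CertificateExtractor found none
    anonymous: bool = False             # request proceeded with the anonymous token
    resources: List[str] = field(default_factory=list)


def parse_registry_log(text: str) -> Dict[str, ThreadAuth]:
    """Group the security DEBUG lines by web-server thread."""
    threads: Dict[str, ThreadAuth] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t = threads.setdefault(m["thread"], ThreadAuth())
        logger, msg = m["logger"], m["msg"]
        ident = IDENTITY_RE.search(msg)
        if logger.endswith("X509CertificateExtractor") and "No client certificate" in msg:
            t.no_client_cert = True
        elif ident:
            t.identity = ident["dn"]
        elif logger.endswith("AnonymousIdentityFilter") and msg.startswith("Populated"):
            t.anonymous = True
        elif logger.endswith("ProxyChainAuthorizable") and msg.startswith("Requested resource is "):
            t.resources.append(msg[len("Requested resource is "):])
    return threads


def normalize_dn(dn: str) -> str:
    """Loose form used only to spot near misses. The registry compares the raw
    string, so a match here but not on the raw string is the misconfiguration."""
    return re.sub(r"\s*([=,])\s*", r"\1", dn).strip().lower()


def diagnose(threads: Dict[str, ThreadAuth],
             registry_users: List[str]) -> Dict[str, Tuple[str, str]]:
    """Per thread: (code, detail). Codes: no_client_cert, no_identity, ok,
    near_miss (differs only in whitespace/case), unknown_identity."""
    exact = set(registry_users)
    loose = {normalize_dn(u): u for u in registry_users}
    out: Dict[str, Tuple[str, str]] = {}
    for thread, auth in threads.items():
        if auth.no_client_cert:
            out[thread] = ("no_client_cert", "no client cert in the TLS handshake; anonymous="
                           f"{auth.anonymous}; check which CAs each side's truststore holds")
        elif auth.identity is None:
            out[thread] = ("no_identity", "no X509 identity extracted")
        elif auth.identity in exact:
            out[thread] = ("ok", auth.identity)
        elif normalize_dn(auth.identity) in loose:
            out[thread] = ("near_miss", f"cert DN {auth.identity!r} vs registry user "
                           f"{loose[normalize_dn(auth.identity)]!r}")
        else:
            out[thread] = ("unknown_identity", auth.identity)
    return out


if __name__ == "__main__":
    for thread, (code, detail) in diagnose(parse_registry_log(SAMPLE_LOG), REGISTRY_USERS).items():
        print(f"{thread}: {code} ({detail})")
```

Run against a real nifi-registry-app.log, a `no_client_cert` verdict on the thread handling the new server's request points at the TLS layer (the registry's truststore must contain the CA that signed the NiFi keystore's PrivateKeyEntry, and NiFi's truststore the registry's) rather than at the user grants; a `near_miss` verdict points at the identity string typed into the registry.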

RE: [EXTERNAL] Re: NiFi Registry SSL question

Posted by "Rosso, Roland" <Ro...@AdventHealth.com>.
Bryan,
I can’t seem to find those keywords anywhere following a request made by the ‘new’ server
This seems to follow an immediate request by this new server:

2021-03-30 14:34:54,666 DEBUG [Listen to Bootstrap] o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests
2021-03-30 14:34:56,667 DEBUG [Listen to Bootstrap] o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using X509IdentityProvider
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.x.X509CertificateExtractor No client certificate found in request.
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using JwtIdentityProvider
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.BearerAuthIdentityProvider HTTP Bearer Auth credentials not present. Not attempting to extract credentials for authentication.
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.AnonymousIdentityFilter Populated SecurityContextHolder with anonymous token: 'anonymous'
2021-03-30 14:34:57,794 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.ResourceAuthorizationFilter Request filter authorization check is not required for this HTTP Method on this resource. Allowing request to proceed. An additional authorization check might be performed downstream of this filter.
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/01b4dd78-fb1a-4910-916e-879ad3ee34c1
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/01b4dd78-fb1a-4910-916e-879ad3ee34c1
2021-03-30 14:34:57,795 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/01b4dd78-fb1a-4910-916e-879ad3ee34c1
[more of those]
2021-03-30 14:34:57,798 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/15d2d1e0-09ba-4373-a000-ea4a1eca3b66
2021-03-30 14:34:57,798 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/15d2d1e0-09ba-4373-a000-ea4a1eca3b66
2021-03-30 14:34:57,798 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/15d2d1e0-09ba-4373-a000-ea4a1eca3b66
2021-03-30 14:34:58,669 DEBUG [Listen to Bootstrap] o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests

Following an immediate request by a working ‘old’ server (still NiFi 1.9.2, using self signed certs):

2021-03-30 14:41:57,057 DEBUG [Listen to Bootstrap] o.apache.nifi.registry.BootstrapListener Listening for Bootstrap Requests
2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Attempting to extract user credentials using X509IdentityProvider
2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Adding credentials claim to SecurityContext to be authenticated. Credentials extracted by X509IdentityProvider: AuthenticationRequest{username='CN=working_server.domain.net, OU=NIFI', credentials=[PROTECTED], details=org.apache.nifi.registry.web.security.authentication.x509.X509AuthenticationRequestDetails@7abb2a74}
2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.IdentityFilter Credentials already extracted for [org.apache.nifi.registry.web.security.authentication.AuthenticationRequestToken$1@6c118a5e], skipping credentials extraction filter using JwtIdentityProvider
2021-03-30 14:41:58,276 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.AnonymousIdentityFilter SecurityContextHolder not populated with anonymous token, as it already contained: 'AuthenticationRequest{username='CN=working_server.domain.net, OU=NIFI', credentials=[PROTECTED], details=org.apache.nifi.registry.web.security.authentication.x509.X509AuthenticationRequestDetails@7abb2a74}'
2021-03-30 14:41:58,278 DEBUG [NiFi Registry Web Server-46] o.a.n.r.w.s.a.ResourceAuthorizationFilter Request filter authorization check is not required for this HTTP Method on this resource. Allowing request to proceed. An additional authorization check might be performed downstream of this filter.
2021-03-30 14:41:58,279 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets
2021-03-30 14:41:58,279 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/700a1989-864e-45af-a6b2-d7f4a937e7fd
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/38633449-ea50-46eb-ad99-f0ffd7c4524e
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
2021-03-30 14:41:58,281 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/02c4a32a-8e15-4bc8-872d-c325ea82a886
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/5094aad9-30b6-4c94-829c-685ba96fa78c
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Requested resource is /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.PublicCheckingAuthorizable Delegating to inheriting authorizable for /buckets/a6ceb1c5-fed6-4f59-a0b1-24c87eb27186
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Requested resource is /buckets/01b4dd78-fb1a-4910-916e-879ad3ee34c1
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read


Roland Rosso
AdventHealth
Big Data Administrator | Corporate Analytics
O: 407-805-8532

From: Bryan Bende <bb...@gmail.com>
Sent: Tuesday, March 30, 2021 2:09 PM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

If the issue is related to the server user, then there would be something like this:

"Untrusted proxy [%s] for %s operation."

Where the first parameter would be the identity of the nifi server and the second parameter would be READ/WRITE/DELETE.

Also search for whatever user identity you are using in nifi since that will be sent as a proxied entity.

On Tue, Mar 30, 2021 at 1:54 PM Rosso, Roland <Ro...@adventhealth.com> wrote:
Bryan,
Tried the below:
“Also try adding the following NiFi Registry's logback.xml then see what is in the nifi-registry-app log when you make a request from NiFi to start version control:
<logger name="org.apache.nifi.registry.security" level="DEBUG"/>”

I tried to add a flow to version control or pull a new PG. Since we have 5 instances connected to that registry, hard to say which is doing what, but I can find all the instances in nifi-registry-app.log but not the one that’s not connecting right.
Anything specific you want me to look for in that log?

Thanks,
Roland Rosso
AdventHealth
Big Data Administrator | Corporate Analytics
O: 407-805-8532

From: Rosso, Roland <Ro...@AdventHealth.com>
Sent: Tuesday, March 30, 2021 1:28 PM
To: users@nifi.apache.org
Subject: RE: [EXTERNAL] Re: NiFi Registry SSL question

So,
CN= server_name.domain.net, OU=NIFI

It decided to hyperlink it so the ‘_’ was hidden

Both sets of certs were generated with the toolkit, albeit the first one 2 years ago with self-signed certs, and I need to move it to corporate CA.

New Server Cert:
Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI  <-- exact match to entry above
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US <-- corporate CA switch
This worked fine when we used the self-signed NiFi certs of the type:

Old Server Cert: (this was working but I need to use the above now)
Alias name: server_name-nifi-cert
Creation date: date
Entry type: trustedCertEntry
Owner: CN=server.domain.net, OU=NIFI
Issuer: CN=localhost, OU=NIFI

Thanks,
Roland Rosso
AdventHealth
Big Data Administrator | Corporate Analytics
O: 407-805-8532

From: Bryan Bende <bb...@gmail.com>
Sent: Tuesday, March 30, 2021 1:14 PM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

Not sure if this is related, but in one part it shows the Owner as:

CN= server_name.domain.net, OU=NIFI

There is a space between "CN=" and "server_name", but the identity in NiFi Registry does not have a space there.

Also, in the second trustedCertEntry, the Owner is "CN=server.domain.net, OU=NIFI" and shows the issuer as localhost, so I assume this is the one that came from NiFi Toolkit.

If NiFi is presenting a cert with this DN then you would need a user in registry with the identity "CN=server.domain.net, OU=NIFI" which is different from "CN=server_domain.net, OU=NIFI"
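The two checks Bryan describes in this thread, the whitespace- and case-sensitive identity match and the "Untrusted proxy [...] for ... operation." line in the registry DEBUG log, as an added Python example that is not part of this thread or of NiFi Registry; the keytool output and log lines are constructed, and the configured identity is an assumed value.

```python
"""Two checks from this thread, as an added example (not NiFi Registry code).

1. The NiFi "server user" identity configured in NiFi Registry must equal the
   Owner DN of the certificate NiFi presents, character for character:
   "CN= server_name.domain.net" (stray space) and "CN=server_name.domain.net"
   are two different users.
2. With org.apache.nifi.registry.security at DEBUG, nifi-registry-app.log
   shows "Authorizing proxy [identity[...]]" for a trusted node and
   "Untrusted proxy [...] for ... operation." for a rejected one.

All input below is constructed; the configured identity is an assumed value.
"""
import re

# Constructed excerpt of `keytool -list -v` output, reproducing the stray
# space after "CN=" that the thread spotted.
KEYTOOL_OUTPUT = """\
Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US
"""

# Assumed value: the identity an admin typed into NiFi Registry (no space).
CONFIGURED_IDENTITY = "CN=server_name.domain.net, OU=NIFI"

# Constructed nifi-registry-app.log lines: the first in the format shown in
# the thread, the second in the "Untrusted proxy" format Bryan quoted.
REGISTRY_LOG = """\
2021-03-30 14:41:58,282 DEBUG [NiFi Registry Web Server-46] o.a.n.r.s.a.r.ProxyChainAuthorizable Authorizing proxy [identity[CN=working_server.domain.net, OU=NIFI], groups[nifi-admin]] for read
2021-03-30 14:42:03,117 DEBUG [NiFi Registry Web Server-47] o.a.n.r.s.a.r.ProxyChainAuthorizable Untrusted proxy [CN= server_name.domain.net, OU=NIFI] for READ operation.
"""

OWNER_RE = re.compile(r"^Owner:\s*(.+?)\s*$", re.MULTILINE)
AUTHORIZED_RE = re.compile(r"Authorizing proxy \[identity\[(.+?)\], groups\[.*\]\] for (\w+)")
UNTRUSTED_RE = re.compile(r"Untrusted proxy \[(.+?)\] for (\w+) operation\.")


def owner_dns(keytool_text):
    """Return the Owner DN of every entry in keytool -list -v output."""
    return OWNER_RE.findall(keytool_text)


def rdn_whitespace_problems(dn):
    """Return RDNs whose value has leading or trailing whitespace.

    The comma-space between RDNs is normal keytool formatting and is ignored;
    whitespace right after '=' or before the comma is the problem.
    """
    problems = []
    for rdn in dn.split(","):
        rdn = rdn.strip()
        _attr, _sep, value = rdn.partition("=")
        if value != value.strip():
            problems.append(rdn)
    return problems


def identity_matches(configured, cert_dn):
    """Compare the way NiFi Registry does (exact string), with a hint when the
    only difference is whitespace or case."""
    if configured == cert_dn:
        return True, "exact match"

    def squash(s):
        return re.sub(r"\s+", "", s).lower()

    if squash(configured) == squash(cert_dn):
        return False, "differs only in whitespace or case"
    return False, "different identity"


def proxy_events(log_text):
    """Extract (identity, action, trusted) from registry security DEBUG lines."""
    events = []
    for line in log_text.splitlines():
        m = AUTHORIZED_RE.search(line)
        if m:
            events.append((m.group(1), m.group(2).upper(), True))
            continue
        m = UNTRUSTED_RE.search(line)
        if m:
            events.append((m.group(1), m.group(2).upper(), False))
    return events


def check(keytool_text, configured, log_text):
    """Run both checks; returns a dict of findings for the caller to act on."""
    findings = {"whitespace": [], "identity": [], "untrusted": []}
    for dn in owner_dns(keytool_text):
        findings["whitespace"].extend(rdn_whitespace_problems(dn))
        ok, why = identity_matches(configured, dn)
        findings["identity"].append((dn, ok, why))
    findings["untrusted"] = [(i, a) for i, a, ok in proxy_events(log_text) if not ok]
    return findings


if __name__ == "__main__":
    for key, items in check(KEYTOOL_OUTPUT, CONFIGURED_IDENTITY, REGISTRY_LOG).items():
        print(key, items)
```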

On Tue, Mar 30, 2021 at 12:35 PM Rosso, Roland <Ro...@adventhealth.com> wrote:
Bryan, David,

[inline screenshot omitted]
Where
In NiFi Registry Truststore:
Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI  <-- exact match to entry above
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US <-- corporate CA switch
This worked fine when we used the self-signed NiFi certs of the type:

Alias name: server_name-nifi-cert
Creation date: date
Entry type: trustedCertEntry
Owner: CN=server.domain.net, OU=NIFI
Issuer: CN=localhost, OU=NIFI

Roland

From: Bryan Bende <bb...@gmail.com>
Sent: Tuesday, March 30, 2021 8:58 AM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

Since you aren't getting SSL errors and you are just getting no buckets, I don't think it is a problem with certificates. I think it is a problem with the authorization on NiFi Registry side.

What version of NiFi Registry? And also, can you show what policies exist for the NiFi server user in NiFi Registry?

On Tue, Mar 30, 2021 at 8:12 AM Chris McKeever <cg...@gmail.com> wrote:
Hey Roland .. I ran into a bunch of issues with using the toolkit. I just couldn't get it to do what I needed, I wound up just running my own openssl and keytool commands. I found it much more straightforward and then I could know what all was going on. I'm sure after I got these scars, and I understood all the bits, that toolkit would work and be simpler, but I did find rolling my own, especially with the external CA, was easier.

also - if you are on slack, there is an active nifi community there that may be helpful as well ..

On Tue, Mar 30, 2021 at 6:17 AM Rosso, Roland <Ro...@adventhealth.com> wrote:
David,
Thanks for the debug config.
Here is an output when I try to connect to the registry from that new server, Import a PG.
Since we have a few servers running, it is a very verbose log.
I may have missed the useful part of the log. 😊

2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut ... no IV derived for this protocol
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Handshake, length = 85
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: server finished[20]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client change_cipher_spec[-1]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client finished[20]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Change Cipher Spec, length = 1
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut *** Finished
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut verify_data:  { 20, 87, 186, 148, 90, 136, 108, 120, 14, 10, 42, 184 }
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut ***
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: finished[20]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client change_cipher_spec[-1]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client finished[20]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Handshake, length = 96
2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 Change Cipher Spec, length = 1
2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client finished[20]
2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 Handshake, length = 96
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut check handshake state: finished[20]
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: finished[20]
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut *** Finished
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut verify_data:  { 155, 211, 15, 169, 135, 208, 90, 115, 111, 50, 85, 164 }
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut ***
2021-03-30 06:57:50,226 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 926
2021-03-30 06:57:50,228 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1100
2021-03-30 06:57:50,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1018
2021-03-30 06:57:50,231 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1049
2021-03-30 06:57:50,233 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1010
2021-03-30 06:57:50,234 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 928
2021-03-30 06:57:50,236 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 924
2021-03-30 06:57:50,237 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
2021-03-30 06:57:50,239 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 919
2021-03-30 06:57:50,240 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1007
2021-03-30 06:57:50,241 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 999
2021-03-30 06:57:50,243 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 916
2021-03-30 06:57:50,245 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 996
2021-03-30 06:57:50,247 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1102
2021-03-30 06:57:50,248 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 942
2021-03-30 06:57:50,250 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
2021-03-30 06:57:50,251 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 919
2021-03-30 06:57:50,253 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 938
2021-03-30 06:57:50,254 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 942
2021-03-30 06:57:50,255 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 923
2021-03-30 06:57:50,256 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 944
2021-03-30 06:57:50,258 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 946
2021-03-30 06:57:50,259 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1006
2021-03-30 06:57:50,261 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 932
2021-03-30 06:57:50,263 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 912
2021-03-30 06:57:50,264 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 943
2021-03-30 06:57:50,266 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1026
2021-03-30 06:57:50,267 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 975
2021-03-30 06:57:50,269 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 915
2021-03-30 06:57:50,270 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 914
2021-03-30 06:57:50,271 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 931
2021-03-30 06:57:50,272 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 929
2021-03-30 06:57:50,274 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 910
2021-03-30 06:57:50,275 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
2021-03-30 06:57:50,276 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 911
2021-03-30 06:57:50,277 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 918
2021-03-30 06:57:50,279 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 927
2021-03-30 06:57:50,280 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 913
2021-03-30 06:57:50,281 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 923
2021-03-30 06:57:50,282 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 928
2021-03-30 06:57:50,284 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 937
2021-03-30 06:57:50,285 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1042
2021-03-30 06:57:50,286 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 939
2021-03-30 06:57:50,287 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 939
2021-03-30 06:57:50,289 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 922
2021-03-30 06:57:50,290 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 919
2021-03-30 06:57:50,291 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 930
2021-03-30 06:57:50,292 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 933
2021-03-30 06:57:50,293 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 930
2021-03-30 06:57:50,295 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 931
2021-03-30 06:57:50,296 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 922
2021-03-30 06:57:50,297 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 947
2021-03-30 06:57:50,298 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 905
2021-03-30 06:57:50,300 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1166
2021-03-30 06:57:50,301 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 914
2021-03-30 06:57:50,302 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 898
2021-03-30 06:57:50,303 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 908
2021-03-30 06:57:50,304 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 989
2021-03-30 06:57:50,306 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 911
2021-03-30 06:57:50,307 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, READ: TLSv1.2 Alert, length = 80
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, RECV TLSv1.2 ALERT:  warning, close_notify
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, closeInboundInternal()
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, closeOutboundInternal()
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, SEND TLSv1.2 ALERT:  warning, description = close_notify
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, WRITE: TLSv1.2 Alert, length = 80
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, called closeOutbound()
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, closeOutboundInternal()
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 Alert, length = 80
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, RECV TLSv1.2 ALERT:  warning, close_notify
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, closeInboundInternal()
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, closeOutboundInternal()
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, SEND TLSv1.2 ALERT:  warning, description = close_notify
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Alert, length = 80
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, called closeOutbound()
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, closeOutboundInternal()

Roland

From: David Handermann <ex...@gmail.com>
Sent: Monday, March 29, 2021 11:56 PM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

Hi Roland,

Thanks for the reply.  If you are not seeing any warnings or errors in the NiFi Registry logs, you could enable SSL debugging in the NiFi Registry bootstrap.conf.  Adding the following line to bootstrap.conf should enable SSL debug output to the nifi-registry-bootstrap.log:

java.arg.20=-Djavax.net.debug=ssl

This setting produces a lot of output, but if you watch the log after the initial application startup, you should be able to observe the TLS handshake when NiFi attempts to list buckets from NiFi Registry.  The log output should at least confirm that the certificate exchange is occurring as expected.

Regards,
David Handermann

On Mon, Mar 29, 2021 at 10:34 PM Rosso, Roland <Ro...@adventhealth.com> wrote:
Hi David,

I use the nifi-toolkit to create the keystore and truststore to make sure clientAuth and serverAuth are set properly.

This is a ‘working’ config.
Keystore:
Alias name: nifi-key
Creation date: date
Entry type: PrivateKeyEntry

Truststore:
Alias name: server_name-nifi-cert
Creation date: date
Entry type: trustedCertEntry

Owner: CN=server.domain.net, OU=NIFI
Issuer: CN=localhost, OU=NIFI

The issue with the new setup is using external CA, also created via the nifi-toolkit, new NiFi install working fine (from a SSL perspective), Registry connecting but can’t list buckets.

Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US

Thanks,
Roland

From: David Handermann <ex...@gmail.com>
Sent: Monday, March 29, 2021 9:27 PM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

Hi Roland,

Can you provide the commands you are using to create the server keystores?  Listing the keystore contents using "keytool -list -v -keystore <keystoreFile>" should include an Entry Type of "PrivateKeyEntry", so it would be helpful to confirm that the keystore includes a PrivateKeyEntry and not a TrustedCertEntry.

Regards,
David Handermann

On Mon, Mar 29, 2021 at 5:49 PM Rosso, Roland <Ro...@adventhealth.com> wrote:
I've tried this one more time (Nifi 1.12.1 to Registry 0.6.0). Re-signed/Re-imported the certs.

The new "server" cert is of the type:

Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US

[blah]

I am adding the "server user" 'CN= server_name.domain.net, OU=NIFI' to the registry with all the grants. I don't see any errors in the logs but still cannot properly link it to the existing buckets. Should I add the "server user" in a different manner since the cert issuer is not 'Issuer: CN=localhost, OU=NIFI'?
The other servers' certs that are signed with 'Issuer: CN=localhost, OU=NIFI' work just fine (Nifi 1.9.2 to Registry 0.6.0).
Is there a way to increase the logs as well?

Many thanks,
Roland

-----Original Message-----
From: Rosso, Roland <Ro...@AdventHealth.com>
Sent: Thursday, March 25, 2021 2:21 PM
To: users@nifi.apache.org
Subject: RE: [EXTERNAL] Re: NiFi Registry SSL question

Thank you Bryan,
I've tried all combinations I could think of.
I'll re-sign all the certs with the same key for nifi and registry and try this again.

Thanks,
Roland

-----Original Message-----
From: Bryan Bende <bb...@gmail.com>
Sent: Tuesday, March 23, 2021 3:48 PM
To: users@nifi.apache.org
Subject: [EXTERNAL] Re: NiFi Registry SSL question

I think the issue might be related to the "server user" in nifi registry. I would double check that the way the identity was entered in registry exactly matches the identity from nifi's certificate, case-sensitive and white-space sensitive. Also make sure this user in registry is granted all of the Proxy permissions, it is broken out into three different actions now (read, write, delete).

On Tue, Mar 23, 2021 at 9:28 AM Rosso, Roland <Ro...@adventhealth.com> wrote:
>
> Hi all,
>
> I am moving things around and moving from self-signed certs to corporate certs.
>
> I’ve installed nifi 1.12 with a new truststore and keystore (use toolkit with external certs) and that seems fine.
>
> I added the cert from the registry server (old self signed) into the new nifi 1.12 truststore and the new server cert (signed with corporate CA) into the nifi registry truststore (again, self signed).
>
> I also added the server ‘user’ CN=server.domain, OU=NIFI into the registry and made the permission grants (proxy, buckets). I don’t get any SSL errors in the logs but cannot add a PG via registry (no available bucket).
>
> Is this setup possible and am I missing something, or do all NiFi nodes and registry need to be signed with the same key? The idea was to setup a new instance (on new server), pull all PGs via registry into the new and retiring the old.
>
>
>
> Thanks,
>
> Roland
>
>
>
>
>

Re: [EXTERNAL] Re: NiFi Registry SSL question

Posted by Bryan Bende <bb...@gmail.com>.
If the issue is related to the server user, then there would be something
like this:

"Untrusted proxy [%s] for %s operation."

Where the first parameter would be the identity of the nifi server and the
second parameter would be READ/WRITE/DELETE.

Also search for whatever user identity you are using in nifi since that
will be sent as a proxied entity.

On Tue, Mar 30, 2021 at 1:54 PM Rosso, Roland <Ro...@adventhealth.com>
wrote:

> Bryan,
>
> Tried the below:
>
> “Also try adding the following NiFi Registry's logback.xml then see what
> is in the nifi-registry-app log when you make a request from NiFi to start
> version control:
>
> <logger name="org.apache.nifi.registry.security" level="DEBUG"/>”
>
>
>
> I tried to add a flow to version control or pull a new PG. Since we have 5
> instances connected to that registry, hard to say which is doing what, but
> I can find all the instances in nifi-registry-app.log but not the one
> that’s not connecting right.
>
> Anything specific you want me to look for in that log?
>
>
>
> Thanks,
>
> *Roland Rosso*
> AdventHealth
> Big Data Administrator | Corporate Analytics
> O: 407-805-8532
>
>
>
> *From:* Rosso, Roland <Ro...@AdventHealth.com>
> *Sent:* Tuesday, March 30, 2021 1:28 PM
> *To:* users@nifi.apache.org
> *Subject:* RE: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> So,
>
> CN= server_name.domain.net, OU=NIFI
>
>
>
> It decided to hyperlink it so the ‘_’ was hidden
>
>
>
> Both sets of certs were generated with the toolkit, albeit the first one 2
> years ago with self-signed certs, and I need to move it to corporate CA.
>
>
>
> *New Server Cert:*
>
> Alias name: server_name-nifi-cert
>
> Creation date: Mar 29, 2021
>
> Entry type: trustedCertEntry
>
>
>
> Owner: CN= server_name.domain.net, OU=NIFI  *<-- exact match to entry above*
>
> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION,
> ST=XX, C=US  <-- corporate CA switch
>
> This worked fine when we used the self-signed NiFi certs of the type:
>
>
>
> *Old Server Cert: (this was working but I need to use the above now)*
>
> Alias name: server_name-nifi-cert
>
> Creation date: date
>
> Entry type: trustedCertEntry
>
> Owner: CN=server.domain.net, OU=NIFI
>
> Issuer: CN=localhost, OU=NIFI
>
>
>
> Thanks,
>
> *Roland Rosso*
> AdventHealth
> Big Data Administrator | Corporate Analytics
> O: 407-805-8532
>
>
>
> *From:* Bryan Bende <bb...@gmail.com>
> *Sent:* Tuesday, March 30, 2021 1:14 PM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> Not sure if this is related, but in one part it shows the Owner as:
>
>
>
> CN= server_name.domain.net, OU=NIFI
>
>
>
> There is a space between "CN=" and "server_name", but the identity in NiFi
> Registry does not have a space there.
>
>
>
> Also, in the second trustedCertEntry, the Owner is "CN=server.domain.net,
> OU=NIFI" and shows the issuer as localhost, so I assume this is the one
> that came from NiFI Toolkit.
>
>
>
> If NiFI is a presenting a cert with this DN then you would need a user in
> registry with the identity "CN=server.domain.net, OU=NIFI" which is
> different from "CN=server_domain.net, OU=NIFI"
>
>
>
> On Tue, Mar 30, 2021 at 12:35 PM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> Bryan, David,
>
>
>
> Where
>
> In NiFi Registry Truststore:
>
> Alias name: server_name-nifi-cert
> Creation date: Mar 29, 2021
> Entry type: trustedCertEntry
>
> Owner: CN= server_name.domain.net, OU=NIFI  <-- exact match to entry above
> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION,
> ST=XX, C=US  <-- corporate CA switch
>
> This worked fine when we used the self-signed NiFi certs of the type:
>
>
>
> Alias name: server_name-nifi-cert
>
> Creation date: date
>
> Entry type: trustedCertEntry
>
> Owner: CN=server.domain.net, OU=NIFI
>
> Issuer: CN=localhost, OU=NIFI
>
>
>
> *Roland *
>
>
>
> *From:* Bryan Bende <bb...@gmail.com>
> *Sent:* Tuesday, March 30, 2021 8:58 AM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> Since you aren't getting SSL errors and you are just getting no buckets, I
> don't think it is a problem with certificates. I think it is a problem with
> the authorization on NiFi Registry side.
>
>
>
> What version of NiFi Registry? and also, can you show what policies exist
> for the NiFi server user in NiFi Registry?
>
>
>
> On Tue, Mar 30, 2021 at 8:12 AM Chris McKeever <cg...@gmail.com>
> wrote:
>
> Hey Roland .. I ran into a bunch of issues with using the toolkit. I just
> couldnt get it to do what I needed, I wound up just running my own openssl
> and keytool commands. I found it much more straightforward and then I could
> know what all was going on. Im sure after i got these scars, and I
> understood all the bits that toolkit would work and be simpler, but I did
> find rolling my own, especially with the external CA was easier.
>
>
>
> also - if you are on slack, there is an active nifi community there that
> may be helpful as well ..
>
>
>
> On Tue, Mar 30, 2021 at 6:17 AM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> David,
>
> Thanks for the debug config.
>
> Here is an output when I try to connect to the registry from that new
> server, Import a PG.
>
> Since we have a few servers running, it is a very verbose log.
>
> I may have missed the useful part of the log. 😊
>
>
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut ... no IV derived for this protocol
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Handshake, length = 85
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut upcoming handshake states: server
> finished[20]
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut upcoming handshake states: client
> change_cipher_spec[-1]
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut upcoming handshake states: client
> finished[20]
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Change Cipher Spec, length = 1
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut *** Finished
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut verify_data:  { 20, 87, 186, 148, 90, 136,
> 108, 120, 14, 10, 42, 184 }
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut ***
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut update handshake state: finished[20]
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut upcoming handshake states: client
> change_cipher_spec[-1]
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut upcoming handshake states: client
> finished[20]
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Handshake, length = 96
>
> 2021-03-30 06:57:50,223 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2
> Change Cipher Spec, length = 1
>
> 2021-03-30 06:57:50,223 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
>
> 2021-03-30 06:57:50,223 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut upcoming handshake states: client
> finished[20]
>
> 2021-03-30 06:57:50,223 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2
> Handshake, length = 96
>
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut check handshake state: finished[20]
>
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut update handshake state: finished[20]
>
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut *** Finished
>
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut verify_data:  { 155, 211, 15, 169, 135,
> 208, 90, 115, 111, 50, 85, 164 }
>
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut ***
>
> 2021-03-30 06:57:50,226 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 926
>
> 2021-03-30 06:57:50,228 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 1100
>
> 2021-03-30 06:57:50,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 1018
>
> 2021-03-30 06:57:50,231 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 1049
>
> 2021-03-30 06:57:50,233 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 1010
>
> 2021-03-30 06:57:50,234 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 928
>
> 2021-03-30 06:57:50,236 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 924
>
> 2021-03-30 06:57:50,237 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 920
>
> 2021-03-30 06:57:50,239 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 919
>
> 2021-03-30 06:57:50,240 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 1007
>
> 2021-03-30 06:57:50,241 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 999
>
> 2021-03-30 06:57:50,243 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 916
>
> 2021-03-30 06:57:50,245 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 996
>
> 2021-03-30 06:57:50,247 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 1102
>
> 2021-03-30 06:57:50,248 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 942
>
> 2021-03-30 06:57:50,250 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 920
>
> 2021-03-30 06:57:50,251 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 919
>
> 2021-03-30 06:57:50,253 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 938
>
> 2021-03-30 06:57:50,254 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 942
>
> 2021-03-30 06:57:50,255 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 923
>
> 2021-03-30 06:57:50,256 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 944
>
> 2021-03-30 06:57:50,258 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 946
>
> 2021-03-30 06:57:50,259 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 1006
>
> 2021-03-30 06:57:50,261 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 932
>
> 2021-03-30 06:57:50,263 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 912
>
> 2021-03-30 06:57:50,264 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 943
>
> 2021-03-30 06:57:50,266 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 1026
>
> 2021-03-30 06:57:50,267 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 975
>
> 2021-03-30 06:57:50,269 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 915
>
> 2021-03-30 06:57:50,270 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 914
>
> 2021-03-30 06:57:50,271 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 931
>
> 2021-03-30 06:57:50,272 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 929
>
> 2021-03-30 06:57:50,274 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 910
>
> 2021-03-30 06:57:50,275 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 920
>
> 2021-03-30 06:57:50,276 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 911
>
> 2021-03-30 06:57:50,277 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 918
>
> 2021-03-30 06:57:50,279 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 927
>
> 2021-03-30 06:57:50,280 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 913
>
> 2021-03-30 06:57:50,281 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 923
>
> 2021-03-30 06:57:50,282 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 928
>
> 2021-03-30 06:57:50,284 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 937
>
> 2021-03-30 06:57:50,285 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 1042
>
> 2021-03-30 06:57:50,286 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 939
>
> 2021-03-30 06:57:50,287 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 939
>
> 2021-03-30 06:57:50,289 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 922
>
> 2021-03-30 06:57:50,290 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 919
>
> 2021-03-30 06:57:50,291 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 930
>
> 2021-03-30 06:57:50,292 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 933
>
> 2021-03-30 06:57:50,293 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 930
>
> 2021-03-30 06:57:50,295 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 931
>
> 2021-03-30 06:57:50,296 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 922
>
> 2021-03-30 06:57:50,297 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 947
>
> 2021-03-30 06:57:50,298 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 905
>
> 2021-03-30 06:57:50,300 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 1166
>
> 2021-03-30 06:57:50,301 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 914
>
> 2021-03-30 06:57:50,302 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 898
>
> 2021-03-30 06:57:50,303 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 908
>
> 2021-03-30 06:57:50,304 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 989
>
> 2021-03-30 06:57:50,306 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 911
>
> 2021-03-30 06:57:50,307 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 920
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, READ: TLSv1.2
> Alert, length = 80
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, RECV TLSv1.2
> ALERT:  warning, close_notify
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40,
> closeInboundInternal()
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40,
> closeOutboundInternal()
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, SEND TLSv1.2
> ALERT:  warning, description = close_notify
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, WRITE: TLSv1.2
> Alert, length = 80
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, called
> closeOutbound()
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40,
> closeOutboundInternal()
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2
> Alert, length = 80
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, RECV TLSv1.2
> ALERT:  warning, close_notify
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35,
> closeInboundInternal()
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35,
> closeOutboundInternal()
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, SEND TLSv1.2
> ALERT:  warning, description = close_notify
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Alert, length = 80
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, called
> closeOutbound()
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35,
> closeOutboundInternal()
>
>
>
> *Roland *
>
>
>
> *From:* David Handermann <ex...@gmail.com>
> *Sent:* Monday, March 29, 2021 11:56 PM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> Hi Roland,
>
>
>
> Thanks for the reply.  If you are not seeing any warnings or errors in the
> NiFi Registry logs, you could enable SSL debugging in the NiFi Registry
> bootstrap.conf.  Adding the following line to bootstrap.conf should enable
> SSL debug output to the nifi-registry-bootstrap.log:
>
>
>
> java.arg.20=-Djavax.net.debug=ssl
>
>
>
> This setting produces a lot of output, but if you watch the log after the
> initial application startup, you should be able to observe the TLS
> handshake when NiFi attempts to list buckets from NiFi Registry.  The log
> output should at least confirm that the certificate exchange is occurring
> as expected.
>
>
>
> Regards,
>
> David Handermann
>
>
>
> On Mon, Mar 29, 2021 at 10:34 PM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> Hi David,
>
>
>
> I use the nifi-toolkit to create the keystore and truststore to make sure
> clientAuth and serverAuth is set properly.
>
>
>
> This is a ‘working’ config.
>
> Keystore:
>
> Alias name: nifi-key
>
> Creation date: date
>
> Entry type: PrivateKeyEntry
>
>
>
> Truststore:
>
> Alias name: server_name-nifi-cert
>
> Creation date: date
>
> Entry type: trustedCertEntry
>
>
>
> Owner: CN=server.domain.net, OU=NIFI
>
> Issuer: CN=localhost, OU=NIFI
>
>
>
> The issue with the new setup is using external CA, also created via the
> nifi-toolkit, new NiFi install working fine (from a SSL perspective),
> Registry connecting but can’t list buckets.
>
>
>
> Alias name: server_name-nifi-cert
> Creation date: Mar 29, 2021
> Entry type: trustedCertEntry
>
> Owner: CN= server_name.domain.net, OU=NIFI
> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION,
> ST=XX, C=US
>
>
>
> Thanks,
> Roland
>
>
>
> *From:* David Handermann <ex...@gmail.com>
> *Sent:* Monday, March 29, 2021 9:27 PM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> Hi Roland,
>
>
>
> Can you provide the commands you are using to create the server
> keystores?  Listing the keystore contents using "keytool -list -v -keystore
> <keystoreFile>" should include an Entry Type of "PrivateKeyEntry", so it
> would be helpful to confirm that the keystore includes a PrivateKeyEntry
> and not a TrustedCertEntry.
>
>
>
> Regards,
>
> David Handermann
>
>
>
> On Mon, Mar 29, 2021 at 5:49 PM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> I've tried this one more time (Nifi 1.12.1 to Registry 0.6.0).
> Re-signed/Re-imported the certs.
>
> The new "server" cert is of the type:
>
> Alias name: server_name-nifi-cert
> Creation date: Mar 29, 2021
> Entry type: trustedCertEntry
>
> Owner: CN= server_name.domain.net, OU=NIFI
> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION,
> ST=XX, C=US
>
> [blah]
>
> I am adding the "server user" 'CN= server_name.domain.net, OU=NIFI' to
> the registry with all the grants. I don't see any errors in the logs but
> still cannot properly link it to the existing buckets. Should I add the
> "server user" in a different manner since the cert issuer is not 'Issuer:
> CN=localhost, OU=NIFI'?
> The other servers certs that are signed with 'Issuer: CN=localhost,
> OU=NIFI' work just fine (Nifi 1.9.2 to Registry 0.6.0).
> Is there a way to increase the logs as well?
>
> Many thanks,
> Roland
>
> -----Original Message-----
> From: Rosso, Roland <Ro...@AdventHealth.com>
> Sent: Thursday, March 25, 2021 2:21 PM
> To: users@nifi.apache.org
> Subject: RE: [EXTERNAL] Re: NiFi Registry SSL question
>
> Thank you Bryan,
> I've tried all combinations I could think off.
> I'll resign all the certs with the same key for nifi and registry and try
> this again.
>
> Thanks,
> Roland
>
> -----Original Message-----
> From: Bryan Bende <bb...@gmail.com>
> Sent: Tuesday, March 23, 2021 3:48 PM
> To: users@nifi.apache.org
> Subject: [EXTERNAL] Re: NiFi Registry SSL question
>
> I think the issue might be related to the "server user" in nifi registry.
> I would double check that the way the identity was entered in registry
> exactly matches the identity from nifi's certificate, case-sensitive and
> white-space sensitive. Also make sure this user in registry is granted all
> of the Proxy permissions, it is broken out into three different actions now
> (read, write, delete).
>
> On Tue, Mar 23, 2021 at 9:28 AM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
> >
> > Hi all,
> >
> > I am moving things around and moving from self-signed certs to corporate
> certs.
> >
> > I’ve installed nifi 1.12 with a new truststore and keystore (use toolkit
> with external certs) and that seems fine.
> >
> > I added the cert from the registry server (old self signed) into the new
> nifi 1.12 truststore and the new server cert (signed with corporate CA)
> into the nifi registry truststore (again, self signed).
> >
> > I also added the server ‘user’ CN=server.domain, OU=NIFI into the
> registry and made the permission grants (proxy, buckets). I don’t get any
> SSL errors in the logs but cannot add a PG via registry (no available
> bucket).
> >
> > Is this setup possible and am I missing something, or do all NiFi nodes
> and registry need to be signed with the same key? The idea was to setup a
> new instance (on new server), pull all PGs via registry into the new and
> retiring the old.
> >
> >
> >
> > Thanks,
> >
> > Roland
> >
> >
> >
> >
> >
>

RE: [EXTERNAL] Re: NiFi Registry SSL question

Posted by "Rosso, Roland" <Ro...@AdventHealth.com>.
Bryan,
Tried the below:
“Also try adding the following NiFi Registry's logback.xml then see what is in the nifi-registry-app log when you make a request from NiFi to start version control:
<logger name="org.apache.nifi.registry.security" level="DEBUG"/>”

I tried to add a flow to version control or pull a new PG. Since we have 5 instances connected to that registry, hard to say which is doing what, but I can find all the instances in nifi-registry-app.log but not the one that’s not connecting right.
Anything specific you want me to look for in that log?

Thanks,
Roland Rosso
AdventHealth
Big Data Administrator | Corporate Analytics
O: 407-805-8532

From: Rosso, Roland <Ro...@AdventHealth.com>
Sent: Tuesday, March 30, 2021 1:28 PM
To: users@nifi.apache.org
Subject: RE: [EXTERNAL] Re: NiFi Registry SSL question

So,
CN= server_name.domain.net, OU=NIFI

It decided to hyperlink it so the ‘_’ was hidden

Both sets of certs were generated with the toolkit, albeit the first one 2 years ago with self-signed certs, and I need to move it to corporate CA.

New Server Cert:
Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI  <--exact match to entry above
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US corporate CA switch
This worked fine when we used the self-signed NiFi certs of the type:

Old Server Cert: (this was working but I need to use the above now)
Alias name: server_name-nifi-cert
Creation date: date
Entry type: trustedCertEntry
Owner: CN=server.domain.net, OU=NIFI
Issuer: CN=localhost, OU=NIFI

Thanks,
Roland Rosso
AdventHealth
Big Data Administrator | Corporate Analytics
O: 407-805-8532

From: Bryan Bende <bb...@gmail.com>>
Sent: Tuesday, March 30, 2021 1:14 PM
To: users@nifi.apache.org<ma...@nifi.apache.org>
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

Not sure if this is related, but in one part it shows the Owner as:

CN= server_name.domain.net<http://server_name.domain.net>, OU=NIFI

There is a space between "CN=" and "server_name", but the identity in NiFi Registry does not have a space there.

Also, in the second trustedCertEntry, the Owner is "CN=server.domain.net<http://server.domain.net>, OU=NIFI" and shows the issuer as localhost, so I assume this is the one that came from NiFI Toolkit.

If NiFi is presenting a cert with this DN then you would need a user in registry with the identity "CN=server.domain.net, OU=NIFI" which is different from "CN=server_domain.net, OU=NIFI"

On Tue, Mar 30, 2021 at 12:35 PM Rosso, Roland <Ro...@adventhealth.com>> wrote:
Bryan, David,

[cid:image001.png@01D7256B.BED5CCD0]
Where
In NiFi Registry Truststore:
Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net<http://server_name.domain.net>, OU=NIFI  <-- exact match to entry above
Issuer: CN=nifi_ca.domain.net<http://nifi_ca.domain.net>, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US <--corporate CA switch
This worked fine when we used the self-signed NiFi certs of the type:

Alias name: server_name-nifi-cert
Creation date: date
Entry type: trustedCertEntry
Owner: CN=server.domain.net<http://server.domain.net>, OU=NIFI
Issuer: CN=localhost, OU=NIFI

Roland

From: Bryan Bende <bb...@gmail.com>>
Sent: Tuesday, March 30, 2021 8:58 AM
To: users@nifi.apache.org<ma...@nifi.apache.org>
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

Since you aren't getting SSL errors and you are just getting no buckets, I don't think it is a problem with certificates. I think it is a problem with the authorization on NiFi Registry side.

What version of NiFi Registry? and also, can you show what policies exist for the NiFi server user in NiFi Registry?

On Tue, Mar 30, 2021 at 8:12 AM Chris McKeever <cg...@gmail.com>> wrote:
Hey Roland .. I ran into a bunch of issues with using the toolkit. I just couldnt get it to do what I needed, I wound up just running my own openssl and keytool commands. I found it much more straightforward and then I could know what all was going on. Im sure after i got these scars, and I understood all the bits that toolkit would work and be simpler, but I did find rolling my own, especially with the external CA was easier.

also - if you are on slack, there is an active nifi community there that may be helpful as well ..

On Tue, Mar 30, 2021 at 6:17 AM Rosso, Roland <Ro...@adventhealth.com>> wrote:
David,
Thanks for the debug config.
Here is an output when I try to connect to the registry from that new server, Import a PG.
Since we have a few servers running, it is a very verbose log.
I may have missed the useful part of the log. 😊

2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut ... no IV derived for this protocol
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Handshake, length = 85
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: server finished[20]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client change_cipher_spec[-1]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client finished[20]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Change Cipher Spec, length = 1
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut *** Finished
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut verify_data:  { 20, 87, 186, 148, 90, 136, 108, 120, 14, 10, 42, 184 }
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut ***
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: finished[20]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client change_cipher_spec[-1]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client finished[20]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Handshake, length = 96
2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 Change Cipher Spec, length = 1
2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client finished[20]
2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 Handshake, length = 96
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut check handshake state: finished[20]
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: finished[20]
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut *** Finished
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut verify_data:  { 155, 211, 15, 169, 135, 208, 90, 115, 111, 50, 85, 164 }
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut ***
2021-03-30 06:57:50,226 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 926
2021-03-30 06:57:50,228 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1100
2021-03-30 06:57:50,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1018
2021-03-30 06:57:50,231 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1049
2021-03-30 06:57:50,233 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1010
2021-03-30 06:57:50,234 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 928
2021-03-30 06:57:50,236 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 924
2021-03-30 06:57:50,237 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
2021-03-30 06:57:50,239 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 919
2021-03-30 06:57:50,240 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1007
2021-03-30 06:57:50,241 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 999
2021-03-30 06:57:50,243 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 916
2021-03-30 06:57:50,245 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 996
2021-03-30 06:57:50,247 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1102
2021-03-30 06:57:50,248 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 942
2021-03-30 06:57:50,250 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
2021-03-30 06:57:50,251 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 919
2021-03-30 06:57:50,253 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 938
2021-03-30 06:57:50,254 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 942
2021-03-30 06:57:50,255 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 923
2021-03-30 06:57:50,256 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 944
2021-03-30 06:57:50,258 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 946
2021-03-30 06:57:50,259 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1006
2021-03-30 06:57:50,261 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 932
2021-03-30 06:57:50,263 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 912
2021-03-30 06:57:50,264 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 943
2021-03-30 06:57:50,266 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1026
2021-03-30 06:57:50,267 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 975
2021-03-30 06:57:50,269 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 915
2021-03-30 06:57:50,270 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 914
2021-03-30 06:57:50,271 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 931
2021-03-30 06:57:50,272 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 929
2021-03-30 06:57:50,274 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 910
2021-03-30 06:57:50,275 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
2021-03-30 06:57:50,276 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 911
2021-03-30 06:57:50,277 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 918
2021-03-30 06:57:50,279 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 927
2021-03-30 06:57:50,280 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 913
2021-03-30 06:57:50,281 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 923
2021-03-30 06:57:50,282 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 928
2021-03-30 06:57:50,284 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 937
2021-03-30 06:57:50,285 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1042
2021-03-30 06:57:50,286 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 939
2021-03-30 06:57:50,287 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 939
2021-03-30 06:57:50,289 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 922
2021-03-30 06:57:50,290 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 919
2021-03-30 06:57:50,291 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 930
2021-03-30 06:57:50,292 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 933
2021-03-30 06:57:50,293 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 930
2021-03-30 06:57:50,295 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 931
2021-03-30 06:57:50,296 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 922
2021-03-30 06:57:50,297 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 947
2021-03-30 06:57:50,298 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 905
2021-03-30 06:57:50,300 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1166
2021-03-30 06:57:50,301 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 914
2021-03-30 06:57:50,302 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 898
2021-03-30 06:57:50,303 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 908
2021-03-30 06:57:50,304 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 989
2021-03-30 06:57:50,306 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 911
2021-03-30 06:57:50,307 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, READ: TLSv1.2 Alert, length = 80
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, RECV TLSv1.2 ALERT:  warning, close_notify
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, closeInboundInternal()
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, closeOutboundInternal()
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, SEND TLSv1.2 ALERT:  warning, description = close_notify
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, WRITE: TLSv1.2 Alert, length = 80
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, called closeOutbound()
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, closeOutboundInternal()
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 Alert, length = 80
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, RECV TLSv1.2 ALERT:  warning, close_notify
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, closeInboundInternal()
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, closeOutboundInternal()
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, SEND TLSv1.2 ALERT:  warning, description = close_notify
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Alert, length = 80
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, called closeOutbound()
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, closeOutboundInternal()

Roland

From: David Handermann <ex...@gmail.com>>
Sent: Monday, March 29, 2021 11:56 PM
To: users@nifi.apache.org<ma...@nifi.apache.org>
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

Hi Roland,

Thanks for the reply.  If you are not seeing any warnings or errors in the NiFi Registry logs, you could enable SSL debugging in the NiFi Registry bootstrap.conf.  Adding the following line to bootstrap.conf should enable SSL debug output to the nifi-registry-bootstrap.log:

java.arg.20=-Djavax.net.debug=ssl

This setting produces a lot of output, but if you watch the log after the initial application startup, you should be able to observe the TLS handshake when NiFi attempts to list buckets from NiFi Registry.  The log output should at least confirm that the certificate exchange is occurring as expected.

Regards,
David Handermann

On Mon, Mar 29, 2021 at 10:34 PM Rosso, Roland <Ro...@adventhealth.com>> wrote:
Hi David,

I use the nifi-toolkit to create the keystore and truststore to make sure clientAuth and serverAuth is set properly.

This is a ‘working’ config.
Keystore:
Alias name: nifi-key
Creation date: date
Entry type: PrivateKeyEntry

Truststore:
Alias name: server_name-nifi-cert
Creation date: date
Entry type: trustedCertEntry

Owner: CN=server.domain.net<http://server.domain.net>, OU=NIFI
Issuer: CN=localhost, OU=NIFI

The issue with the new setup is using external CA, also created via the nifi-toolkit, new NiFi install working fine (from a SSL perspective), Registry connecting but can’t list buckets.

Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net<http://server_name.domain.net>, OU=NIFI
Issuer: CN=nifi_ca.domain.net<http://nifi_ca.domain.net>, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US

Thanks,
Roland

From: David Handermann <ex...@gmail.com>>
Sent: Monday, March 29, 2021 9:27 PM
To: users@nifi.apache.org<ma...@nifi.apache.org>
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

Hi Roland,

Can you provide the commands you are using to create the server keystores?  Listing the keystore contents using "keytool -list -v -keystore <keystoreFile>" should include an Entry Type of "PrivateKeyEntry", so it would be helpful to confirm that the keystore includes a PrivateKeyEntry and not a TrustedCertEntry.

Regards,
David Handermann

On Mon, Mar 29, 2021 at 5:49 PM Rosso, Roland <Ro...@adventhealth.com>> wrote:
I've tried this one more time (Nifi 1.12.1 to Registry 0.6.0). Re-signed/Re-imported the certs.

The new "server" cert is of the type:

Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net<http://server_name.domain.net>, OU=NIFI
Issuer: CN=nifi_ca.domain.net<http://nifi_ca.domain.net>, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US

[blah]

I am adding the "server user" 'CN= server_name.domain.net<http://server_name.domain.net>, OU=NIFI' to the registry with all the grants. I don't see any errors in the logs but still cannot properly link it to the existing buckets. Should I add the "server user" in a different manner since the cert issuer is not 'Issuer: CN=localhost, OU=NIFI'?
The other servers certs that are signed with 'Issuer: CN=localhost, OU=NIFI' work just fine (Nifi 1.9.2 to Registry 0.6.0).
Is there a way to increase the logs as well?

Many thanks,
Roland

-----Original Message-----
From: Rosso, Roland <Ro...@AdventHealth.com>>
Sent: Thursday, March 25, 2021 2:21 PM
To: users@nifi.apache.org<ma...@nifi.apache.org>
Subject: RE: [EXTERNAL] Re: NiFi Registry SSL question

Thank you Bryan,
I've tried all combinations I could think off.
I'll resign all the certs with the same key for nifi and registry and try this again.

Thanks,
Roland

-----Original Message-----
From: Bryan Bende <bb...@gmail.com>>
Sent: Tuesday, March 23, 2021 3:48 PM
To: users@nifi.apache.org<ma...@nifi.apache.org>
Subject: [EXTERNAL] Re: NiFi Registry SSL question

I think the issue might be related to the "server user" in nifi registry. I would double check that the way the identity was entered in registry exactly matches the identity from nifi's certificate, case-sensitive and white-space sensitive. Also make sure this user in registry is granted all of the Proxy permissions, it is broken out into three different actions now (read, write, delete).

On Tue, Mar 23, 2021 at 9:28 AM Rosso, Roland <Ro...@adventhealth.com>> wrote:
>
> Hi all,
>
> I am moving things around and moving from self-signed certs to corporate certs.
>
> I’ve installed nifi 1.12 with a new truststore and keystore (use toolkit with external certs) and that seems fine.
>
> I added the cert from the registry server (old self signed) into the new nifi 1.12 truststore and the new server cert (signed with corporate CA) into the nifi registry truststore (again, self signed).
>
> I also added the server ‘user’ CN=server.domain, OU=NIFI into the registry and made the permission grants (proxy, buckets). I don’t get any SSL errors in the logs but cannot add a PG via registry (no available bucket).
>
> Is this setup possible and am I missing something, or do all NiFi nodes and registry need to be signed with the same key? The idea was to setup a new instance (on new server), pull all PGs via registry into the new and retiring the old.
>
>
>
> Thanks,
>
> Roland
>
>
>
>
>
> This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or may constitute as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, notify us immediately by telephone and (i) destroy this message if a facsimile or (ii) delete this message immediately if this is an electronic communication. Thank you.
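The two checks the replies above keep coming back to (does the keystore actually hold a PrivateKeyEntry, and does the NiFi Registry user identity match the certificate's subject DN byte for byte, including the space after "CN=", and carry all three Proxy actions) can be scripted. The following is an added example, not code from this thread or from the Apache NiFi project. It assumes the users.xml and authorizations.xml layouts of NiFi Registry's file-based user and access-policy providers (user elements with identifier/identity attributes; policy elements with resource and action attributes, actions R, W and D for read, write and delete); the keytool output and the two XML documents embedded below are constructed for the example and mirror the DNs quoted in the thread.

```python
"""Cross-check a NiFi client certificate against NiFi Registry authorization files.

Added example (not from the mailing-list thread or the NiFi project). Stdlib only.
"""
import re
import xml.etree.ElementTree as ET

# NiFi Registry splits the Proxy permission into read, write and delete.
REQUIRED_PROXY_ACTIONS = {"R", "W", "D"}

# Constructed sample of `keytool -list -v -keystore keystore.jks` output,
# reduced to the fields this script reads. Note the space after "CN=".
KEYTOOL_OUTPUT = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: nifi-key
Creation date: Mar 29, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN= server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US
"""

# Constructed users.xml (assumed file-based user provider layout).
USERS_XML = """<tenants>
  <groups/>
  <users>
    <user identifier="11111111-1111-1111-1111-111111111111" identity="CN=server_name.domain.net, OU=NIFI"/>
    <user identifier="22222222-2222-2222-2222-222222222222" identity="CN=admin, OU=NIFI"/>
  </users>
</tenants>
"""

# Constructed authorizations.xml: the NiFi user has Proxy read and write, but not delete.
AUTHORIZATIONS_XML = """<authorizations>
  <policies>
    <policy identifier="p1" resource="/proxy" action="R">
      <user identifier="11111111-1111-1111-1111-111111111111"/>
    </policy>
    <policy identifier="p2" resource="/proxy" action="W">
      <user identifier="11111111-1111-1111-1111-111111111111"/>
    </policy>
  </policies>
</authorizations>
"""


def parse_keytool(text):
    """Split `keytool -list -v` output into entries: alias, entry_type, owner, issuer.

    Only the first Owner/Issuer after an alias is kept, i.e. the leaf certificate.
    """
    entries, current = [], None
    for line in text.splitlines():
        if line.startswith("Alias name:"):
            current = {"alias": line.split(":", 1)[1].strip()}
            entries.append(current)
        elif current is not None:
            for key, prefix in (("entry_type", "Entry type:"),
                                ("owner", "Owner:"),
                                ("issuer", "Issuer:")):
                if line.startswith(prefix) and key not in current:
                    # Strip only the separator; whitespace inside the DN is significant.
                    current[key] = line[len(prefix):].lstrip(" ")
    return entries


def normalize_dn(dn):
    """Loose form used only to detect near misses: drop spaces around '=' and ',' and fold case."""
    return re.sub(r"\s*([=,])\s*", r"\1", dn).strip().lower()


def match_identity(dn, identities):
    """Registry compares identities exactly, so only 'exact' counts as a pass."""
    if dn in identities:
        return "exact", dn
    for ident in identities:
        if normalize_dn(ident) == normalize_dn(dn):
            return "near", ident
    return "missing", None


def load_users(users_xml):
    """Map identity -> identifier from users.xml."""
    return {u.get("identity"): u.get("identifier") for u in ET.fromstring(users_xml).iter("user")}


def proxy_actions(auth_xml, user_identifier):
    """Set of actions granted directly to the user on the /proxy resource."""
    actions = set()
    for policy in ET.fromstring(auth_xml).iter("policy"):
        if policy.get("resource") == "/proxy" and any(
                u.get("identifier") == user_identifier for u in policy.findall("user")):
            actions.add(policy.get("action"))
    return actions


def check(keytool_text, users_xml, auth_xml):
    """Return a list of human-readable findings; empty means everything lines up."""
    findings = []
    keys = [e for e in parse_keytool(keytool_text) if e.get("entry_type") == "PrivateKeyEntry"]
    if not keys:
        return ["keystore has no PrivateKeyEntry, so NiFi cannot present a client certificate"]
    dn = keys[0]["owner"]
    users = load_users(users_xml)
    status, ident = match_identity(dn, users)
    if status == "missing":
        return [f"no registry user with identity {dn!r}"]
    if status == "near":
        findings.append(f"certificate DN {dn!r} is not identical to registry identity {ident!r} "
                        "(whitespace/case differs); registry will treat it as a different user")
    missing = REQUIRED_PROXY_ACTIONS - proxy_actions(auth_xml, users[ident])
    if missing:
        findings.append(f"identity {ident!r} lacks /proxy actions: {sorted(missing)}")
    return findings


if __name__ == "__main__":
    for finding in check(KEYTOOL_OUTPUT, USERS_XML, AUTHORIZATIONS_XML):
        print("FINDING:", finding)
```

Run against real files, feed it the output of `keytool -list -v -keystore <nifi keystore>` and the registry's users.xml and authorizations.xml. Two caveats: policies granted through a group are not followed here (only direct user grants on /proxy are counted), and if the registry has an identity mapping configured (the nifi.registry.security.identity.mapping.* properties), the identity to compare is the mapped one, not the raw DN.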

RE: [EXTERNAL] Re: NiFi Registry SSL question

Posted by "Rosso, Roland" <Ro...@AdventHealth.com>.
So,
CN= server_name.domain.net, OU=NIFI

It decided to hyperlink it so the ‘_’ was hidden

Both sets of certs were generated with the toolkit, albeit the first one 2 years ago with self-signed certs, and I need to move it to corporate CA.

New Server Cert:
Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI  <--exact match to entry above
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US  <-- corporate CA switch
This worked fine when we used the self-signed NiFi certs of the type:
Old Server Cert: (this was working but I need to use the above now)
Alias name: server_name-nifi-cert
Creation date: date
Entry type: trustedCertEntry
Owner: CN=server.domain.net, OU=NIFI
Issuer: CN=localhost, OU=NIFI

Thanks,
Roland Rosso
AdventHealth
Big Data Administrator | Corporate Analytics
O: 407-805-8532

From: Bryan Bende <bb...@gmail.com>
Sent: Tuesday, March 30, 2021 1:14 PM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

Not sure if this is related, but in one part it shows the Owner as:

CN= server_name.domain.net, OU=NIFI

There is a space between "CN=" and "server_name", but the identity in NiFi Registry does not have a space there.

Also, in the second trustedCertEntry, the Owner is "CN=server.domain.net, OU=NIFI" and shows the issuer as localhost, so I assume this is the one that came from NiFi Toolkit.

If NiFi is presenting a cert with this DN then you would need a user in registry with the identity "CN=server.domain.net, OU=NIFI" which is different from "CN=server_domain.net, OU=NIFI"

On Tue, Mar 30, 2021 at 12:35 PM Rosso, Roland <Ro...@adventhealth.com> wrote:
Bryan, David,

Where
In NiFi Registry Truststore:
Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI  <-- exact match to entry above
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US  <-- corporate CA switch
This worked fine when we used the self-signed NiFi certs of the type:

Alias name: server_name-nifi-cert
Creation date: date
Entry type: trustedCertEntry
Owner: CN=server.domain.net, OU=NIFI
Issuer: CN=localhost, OU=NIFI

Roland

From: Bryan Bende <bb...@gmail.com>
Sent: Tuesday, March 30, 2021 8:58 AM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

Since you aren't getting SSL errors and you are just getting no buckets, I don't think it is a problem with certificates. I think it is a problem with the authorization on NiFi Registry side.

What version of NiFi Registry? and also, can you show what policies exist for the NiFi server user in NiFi Registry?

On Tue, Mar 30, 2021 at 8:12 AM Chris McKeever <cg...@gmail.com> wrote:
Hey Roland .. I ran into a bunch of issues with using the toolkit. I just couldn't get it to do what I needed, I wound up just running my own openssl and keytool commands. I found it much more straightforward and then I could know what all was going on. I'm sure after I got these scars, and I understood all the bits, that toolkit would work and be simpler, but I did find rolling my own, especially with the external CA, was easier.

also - if you are on slack, there is an active nifi community there that may be helpful as well ..

On Tue, Mar 30, 2021 at 6:17 AM Rosso, Roland <Ro...@adventhealth.com> wrote:
David,
Thanks for the debug config.
Here is an output when I try to connect to the registry from that new server, Import a PG.
Since we have a few servers running, it is a very verbose log.
I may have missed the useful part of the log. 😊

2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut ... no IV derived for this protocol
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Handshake, length = 85
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: server finished[20]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client change_cipher_spec[-1]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client finished[20]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Change Cipher Spec, length = 1
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut *** Finished
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut verify_data:  { 20, 87, 186, 148, 90, 136, 108, 120, 14, 10, 42, 184 }
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut ***
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: finished[20]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client change_cipher_spec[-1]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client finished[20]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Handshake, length = 96
2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 Change Cipher Spec, length = 1
2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client finished[20]
2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 Handshake, length = 96
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut check handshake state: finished[20]
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: finished[20]
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut *** Finished
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut verify_data:  { 155, 211, 15, 169, 135, 208, 90, 115, 111, 50, 85, 164 }
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut ***
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, READ: TLSv1.2 Alert, length = 80
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, RECV TLSv1.2 ALERT:  warning, close_notify
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, closeInboundInternal()
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, closeOutboundInternal()
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, SEND TLSv1.2 ALERT:  warning, description = close_notify
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, WRITE: TLSv1.2 Alert, length = 80
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, called closeOutbound()
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, closeOutboundInternal()
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 Alert, length = 80
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, RECV TLSv1.2 ALERT:  warning, close_notify
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, closeInboundInternal()
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, closeOutboundInternal()
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, SEND TLSv1.2 ALERT:  warning, description = close_notify
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Alert, length = 80
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, called closeOutbound()
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, closeOutboundInternal()

Roland

From: David Handermann <ex...@gmail.com>
Sent: Monday, March 29, 2021 11:56 PM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

Hi Roland,

Thanks for the reply.  If you are not seeing any warnings or errors in the NiFi Registry logs, you could enable SSL debugging in the NiFi Registry bootstrap.conf.  Adding the following line to bootstrap.conf should enable SSL debug output to the nifi-registry-bootstrap.log:

java.arg.20=-Djavax.net.debug=ssl

This setting produces a lot of output, but if you watch the log after the initial application startup, you should be able to observe the TLS handshake when NiFi attempts to list buckets from NiFi Registry.  The log output should at least confirm that the certificate exchange is occurring as expected.

Regards,
David Handermann

On Mon, Mar 29, 2021 at 10:34 PM Rosso, Roland <Ro...@adventhealth.com> wrote:
Hi David,

I use the nifi-toolkit to create the keystore and truststore to make sure clientAuth and serverAuth is set properly.

This is a ‘working’ config.
Keystore:
Alias name: nifi-key
Creation date: date
Entry type: PrivateKeyEntry

Truststore:
Alias name: server_name-nifi-cert
Creation date: date
Entry type: trustedCertEntry

Owner: CN=server.domain.net, OU=NIFI
Issuer: CN=localhost, OU=NIFI

The issue with the new setup is using external CA, also created via the nifi-toolkit, new NiFi install working fine (from a SSL perspective), Registry connecting but can’t list buckets.

Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US

Thanks,
Roland

From: David Handermann <ex...@gmail.com>
Sent: Monday, March 29, 2021 9:27 PM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

Hi Roland,

Can you provide the commands you are using to create the server keystores?  Listing the keystore contents using "keytool -list -v -keystore <keystoreFile>" should include an Entry Type of "PrivateKeyEntry", so it would be helpful to confirm that the keystore includes a PrivateKeyEntry and not a TrustedCertEntry.

Regards,
David Handermann

On Mon, Mar 29, 2021 at 5:49 PM Rosso, Roland <Ro...@adventhealth.com> wrote:
I've tried this one more time (Nifi 1.12.1 to Registry 0.6.0). Re-signed/Re-imported the certs.

The new "server" cert is of the type:

Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US

[blah]

I am adding the "server user" 'CN= server_name.domain.net, OU=NIFI' to the registry with all the grants. I don't see any errors in the logs but still cannot properly link it to the existing buckets. Should I add the "server user" in a different manner since the cert issuer is not 'Issuer: CN=localhost, OU=NIFI'?
The other servers certs that are signed with 'Issuer: CN=localhost, OU=NIFI' work just fine (Nifi 1.9.2 to Registry 0.6.0).
Is there a way to increase the logs as well?

Many thanks,
Roland

-----Original Message-----
From: Rosso, Roland <Ro...@AdventHealth.com>
Sent: Thursday, March 25, 2021 2:21 PM
To: users@nifi.apache.org
Subject: RE: [EXTERNAL] Re: NiFi Registry SSL question

Thank you Bryan,
I've tried all combinations I could think of.
I'll re-sign all the certs with the same key for nifi and registry and try this again.

Thanks,
Roland

-----Original Message-----
From: Bryan Bende <bb...@gmail.com>
Sent: Tuesday, March 23, 2021 3:48 PM
To: users@nifi.apache.org
Subject: [EXTERNAL] Re: NiFi Registry SSL question

I think the issue might be related to the "server user" in nifi registry. I would double check that the way the identity was entered in registry exactly matches the identity from nifi's certificate, case-sensitive and white-space sensitive. Also make sure this user in registry is granted all of the Proxy permissions, it is broken out into three different actions now (read, write, delete).

On Tue, Mar 23, 2021 at 9:28 AM Rosso, Roland <Ro...@adventhealth.com> wrote:
>
> Hi all,
>
> I am moving things around and moving from self-signed certs to corporate certs.
>
> I’ve installed nifi 1.12 with a new truststore and keystore (use toolkit with external certs) and that seems fine.
>
> I added the cert from the registry server (old self signed) into the new nifi 1.12 truststore and the new server cert (signed with corporate CA) into the nifi registry truststore (again, self signed).
>
> I also added the server ‘user’ CN=server.domain, OU=NIFI into the registry and made the permission grants (proxy, buckets). I don’t get any SSL errors in the logs but cannot add a PG via registry (no available bucket).
>
> Is this setup possible and am I missing something, or do all NiFi nodes and registry need to be signed with the same key? The idea was to setup a new instance (on new server), pull all PGs via registry into the new and retiring the old.
>
>
>
> Thanks,
>
> Roland
>
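The thread turns on three checks: the identity string in NiFi Registry must match the DN in NiFi's certificate exactly (Bryan's space-after-"CN=" observation), the proxy permission is split into read, write and delete, and the keystore must hold a PrivateKeyEntry rather than only a trustedCertEntry (David's keytool check). The script below is an added example, not code from the thread or from NiFi; it assumes the layout of NiFi Registry's file-based users.xml and authorizations.xml and runs on constructed keytool output and XML with the thread's placeholder hostnames.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of `keytool -list -v -keystore keystore.jks` for the NiFi
# keystore; hostnames and DN fields are the placeholders used in the thread.
KEYTOOL_OUTPUT = """\
Alias name: nifi-key
Creation date: Mar 29, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US
"""

# Constructed users.xml and authorizations.xml in the layout of NiFi Registry's
# file-based authorizer (assumed here). The registry identity carries the stray
# space after "CN=" discussed in the thread, and /proxy is granted R and W only.
USERS_XML = """<tenants>
  <groups/>
  <users>
    <user identifier="user-1" identity="CN= server_name.domain.net, OU=NIFI"/>
    <user identifier="user-2" identity="CN=admin, OU=NIFI"/>
  </users>
</tenants>"""

AUTHORIZATIONS_XML = """<authorizations>
  <policies>
    <policy identifier="p-1" resource="/proxy" action="R"><user identifier="user-1"/></policy>
    <policy identifier="p-2" resource="/proxy" action="W"><user identifier="user-1"/></policy>
    <policy identifier="p-3" resource="/buckets" action="R"><user identifier="user-1"/></policy>
  </policies>
</authorizations>"""

PROXY_ACTIONS = {"R", "W", "D"}  # proxy permission is split into read, write, delete


def parse_keytool(text):
    """Split `keytool -list -v` output into entries; Owner is the leaf cert's DN."""
    entries = []
    for block in re.split(r"(?m)^(?=Alias name: )", text)[1:]:
        def field(name):
            m = re.search(r"(?m)^%s: (.*)$" % re.escape(name), block)
            return m.group(1).strip() if m else None
        entries.append({"alias": field("Alias name"), "type": field("Entry type"),
                        "owner": field("Owner"), "issuer": field("Issuer")})
    return entries


def presented_dn(entries):
    """DN NiFi presents as a client: Owner of its single PrivateKeyEntry. A store
    holding only trustedCertEntry entries has no key to present, so None."""
    keys = [e for e in entries if e["type"] == "PrivateKeyEntry"]
    return keys[0]["owner"] if len(keys) == 1 else None


def normalize_dn(dn):
    """Loose form used only to flag near misses (whitespace around '=' and ',',
    letter case). NiFi Registry itself compares the identity string exactly."""
    return re.sub(r"\s*([=,])\s*", r"\1", dn).strip().lower()


def registry_users(users_xml):
    """identity -> identifier for every <user> in users.xml."""
    return {u.get("identity"): u.get("identifier")
            for u in ET.fromstring(users_xml).iter("user")}


def proxy_actions(auth_xml, user_id):
    """Actions granted to user_id on the /proxy resource."""
    return {p.get("action") for p in ET.fromstring(auth_xml).iter("policy")
            if p.get("resource") == "/proxy"
            and any(u.get("identifier") == user_id for u in p.findall("user"))}


def diagnose(keytool_text, users_xml, auth_xml):
    """Compare the presented DN with registry identities and their /proxy grants."""
    dn = presented_dn(parse_keytool(keytool_text))
    users = registry_users(users_xml) if dn else {}
    near = [ident for ident in users
            if ident != dn and normalize_dn(ident) == normalize_dn(dn)]
    candidates = ([dn] if dn in users else []) + near
    missing = {ident: PROXY_ACTIONS - proxy_actions(auth_xml, users[ident])
               for ident in candidates}
    return {"presented_dn": dn, "exact_match": dn in users,
            "near_matches": near, "missing_proxy_actions": missing}


if __name__ == "__main__":
    result = diagnose(KEYTOOL_OUTPUT, USERS_XML, AUTHORIZATIONS_XML)
    print("NiFi presents %r; exact registry user: %s"
          % (result["presented_dn"], result["exact_match"]))
    for ident in result["near_matches"]:
        print("near miss (check spaces and case): %r" % ident)
    for ident, acts in result["missing_proxy_actions"].items():
        print("%r is missing /proxy actions: %s" % (ident, sorted(acts) or "none"))
```

On the constructed input it reports the identity as a near miss rather than a match and shows that the D (delete) proxy action is not granted; paste real `keytool -list -v` output and the registry's own XML files in place of the constants to check a live setup.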

Re: [EXTERNAL] Re: NiFi Registry SSL question

Posted by Bryan Bende <bb...@gmail.com>.
Not sure if this is related, but in one part it shows the Owner as:

CN= server_name.domain.net, OU=NIFI

There is a space between "CN=" and "server_name", but the identity in NiFi
Registry does not have a space there.

Also, in the second trustedCertEntry, the Owner is "CN=server.domain.net,
OU=NIFI" and shows the issuer as localhost, so I assume this is the one
that came from NiFi Toolkit.

If NiFi is presenting a cert with this DN then you would need a user in
registry with the identity "CN=server.domain.net, OU=NIFI" which is
different from "CN=server_domain.net, OU=NIFI"

On Tue, Mar 30, 2021 at 12:35 PM Rosso, Roland <
Roland.Rosso@adventhealth.com> wrote:

> Bryan, David,
>
>
>
> Where
>
> In NiFi Registry Truststore:
>
> Alias name: server_name-nifi-cert
> Creation date: Mar 29, 2021
> Entry type: trustedCertEntry
>
> Owner: CN= server_name.domain.net, OU=NIFI  <-- exact match to entry above
> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION,
> ST=XX, C=US <-- corporate CA switch
>
> This worked fine when we used the self-signed NiFi certs of the type:
>
>
>
> Alias name: server_name-nifi-cert
>
> Creation date: date
>
> Entry type: trustedCertEntry
>
> Owner: CN=server.domain.net, OU=NIFI
>
> Issuer: CN=localhost, OU=NIFI
>
>
>
> *Roland *
>
>
>
> *From:* Bryan Bende <bb...@gmail.com>
> *Sent:* Tuesday, March 30, 2021 8:58 AM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> Since you aren't getting SSL errors and you are just getting no buckets, I
> don't think it is a problem with certificates. I think it is a problem with
> the authorization on NiFi Registry side.
>
>
>
> What version of NiFi Registry? and also, can you show what policies exist
> for the NiFi server user in NiFi Registry?
>
>
>
> On Tue, Mar 30, 2021 at 8:12 AM Chris McKeever <cg...@gmail.com>
> wrote:
>
> Hey Roland .. I ran into a bunch of issues with using the toolkit. I just
> couldn't get it to do what I needed, I wound up just running my own openssl
> and keytool commands. I found it much more straightforward and then I could
> know what all was going on. I'm sure after I got these scars, and I
> understood all the bits, that toolkit would work and be simpler, but I did
> find rolling my own, especially with the external CA, was easier.
>
>
>
> also - if you are on slack, there is an active nifi community there that
> may be helpful as well ..
>
>
>
> On Tue, Mar 30, 2021 at 6:17 AM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> David,
>
> Thanks for the debug config.
>
> Here is the output when I try to connect to the registry from that new
> server and import a PG.
>
> Since we have a few servers running, it is a very verbose log.
>
> I may have missed the useful part of the log. 😊
>
>
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut ... no IV derived for this protocol
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Handshake, length = 85
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut upcoming handshake states: server
> finished[20]
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut upcoming handshake states: client
> change_cipher_spec[-1]
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut upcoming handshake states: client
> finished[20]
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Change Cipher Spec, length = 1
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut *** Finished
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut verify_data:  { 20, 87, 186, 148, 90, 136,
> 108, 120, 14, 10, 42, 184 }
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut ***
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut update handshake state: finished[20]
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut upcoming handshake states: client
> change_cipher_spec[-1]
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut upcoming handshake states: client
> finished[20]
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Handshake, length = 96
>
> 2021-03-30 06:57:50,223 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2
> Change Cipher Spec, length = 1
>
> 2021-03-30 06:57:50,223 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
>
> 2021-03-30 06:57:50,223 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut upcoming handshake states: client
> finished[20]
>
> 2021-03-30 06:57:50,223 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2
> Handshake, length = 96
>
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut check handshake state: finished[20]
>
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut update handshake state: finished[20]
>
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut *** Finished
>
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut verify_data:  { 155, 211, 15, 169, 135,
> 208, 90, 115, 111, 50, 85, 164 }
>
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut ***
>
> 2021-03-30 06:57:50,226 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 926
>
> 2021-03-30 06:57:50,228 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 1100
>
> 2021-03-30 06:57:50,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 1018
>
> 2021-03-30 06:57:50,231 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 1049
>
> 2021-03-30 06:57:50,233 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 1010
>
> 2021-03-30 06:57:50,234 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 928
>
> 2021-03-30 06:57:50,236 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 924
>
> 2021-03-30 06:57:50,237 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 920
>
> 2021-03-30 06:57:50,239 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 919
>
> 2021-03-30 06:57:50,240 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 1007
>
> 2021-03-30 06:57:50,241 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 999
>
> 2021-03-30 06:57:50,243 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 916
>
> 2021-03-30 06:57:50,245 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 996
>
> 2021-03-30 06:57:50,247 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 1102
>
> 2021-03-30 06:57:50,248 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 942
>
> 2021-03-30 06:57:50,250 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 920
>
> 2021-03-30 06:57:50,251 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 919
>
> 2021-03-30 06:57:50,253 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 938
>
> 2021-03-30 06:57:50,254 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 942
>
> 2021-03-30 06:57:50,255 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 923
>
> 2021-03-30 06:57:50,256 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 944
>
> 2021-03-30 06:57:50,258 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 946
>
> 2021-03-30 06:57:50,259 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 1006
>
> 2021-03-30 06:57:50,261 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 932
>
> 2021-03-30 06:57:50,263 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 912
>
> 2021-03-30 06:57:50,264 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 943
>
> 2021-03-30 06:57:50,266 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 1026
>
> 2021-03-30 06:57:50,267 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 975
>
> 2021-03-30 06:57:50,269 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 915
>
> 2021-03-30 06:57:50,270 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 914
>
> 2021-03-30 06:57:50,271 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 931
>
> 2021-03-30 06:57:50,272 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 929
>
> 2021-03-30 06:57:50,274 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 910
>
> 2021-03-30 06:57:50,275 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 920
>
> 2021-03-30 06:57:50,276 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 911
>
> 2021-03-30 06:57:50,277 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 918
>
> 2021-03-30 06:57:50,279 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 927
>
> 2021-03-30 06:57:50,280 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 913
>
> 2021-03-30 06:57:50,281 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 923
>
> 2021-03-30 06:57:50,282 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 928
>
> 2021-03-30 06:57:50,284 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 937
>
> 2021-03-30 06:57:50,285 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 1042
>
> 2021-03-30 06:57:50,286 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 939
>
> 2021-03-30 06:57:50,287 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 939
>
> 2021-03-30 06:57:50,289 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 922
>
> 2021-03-30 06:57:50,290 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 919
>
> 2021-03-30 06:57:50,291 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 930
>
> 2021-03-30 06:57:50,292 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 933
>
> 2021-03-30 06:57:50,293 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 930
>
> 2021-03-30 06:57:50,295 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 931
>
> 2021-03-30 06:57:50,296 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 922
>
> 2021-03-30 06:57:50,297 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 947
>
> 2021-03-30 06:57:50,298 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 905
>
> 2021-03-30 06:57:50,300 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 1166
>
> 2021-03-30 06:57:50,301 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 914
>
> 2021-03-30 06:57:50,302 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 898
>
> 2021-03-30 06:57:50,303 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 908
>
> 2021-03-30 06:57:50,304 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 989
>
> 2021-03-30 06:57:50,306 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 911
>
> 2021-03-30 06:57:50,307 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 920
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, READ: TLSv1.2
> Alert, length = 80
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, RECV TLSv1.2
> ALERT:  warning, close_notify
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40,
> closeInboundInternal()
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40,
> closeOutboundInternal()
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, SEND TLSv1.2
> ALERT:  warning, description = close_notify
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, WRITE: TLSv1.2
> Alert, length = 80
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, called
> closeOutbound()
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40,
> closeOutboundInternal()
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2
> Alert, length = 80
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, RECV TLSv1.2
> ALERT:  warning, close_notify
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35,
> closeInboundInternal()
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35,
> closeOutboundInternal()
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, SEND TLSv1.2
> ALERT:  warning, description = close_notify
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Alert, length = 80
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, called
> closeOutbound()
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35,
> closeOutboundInternal()
>
>
>
> *Roland *
>
>
>
> *From:* David Handermann <ex...@gmail.com>
> *Sent:* Monday, March 29, 2021 11:56 PM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> Hi Roland,
>
>
>
> Thanks for the reply.  If you are not seeing any warnings or errors in the
> NiFi Registry logs, you could enable SSL debugging in the NiFi Registry
> bootstrap.conf.  Adding the following line to bootstrap.conf should enable
> SSL debug output to the nifi-registry-bootstrap.log:
>
>
>
> java.arg.20=-Djavax.net.debug=ssl
>
>
>
> This setting produces a lot of output, but if you watch the log after the
> initial application startup, you should be able to observe the TLS
> handshake when NiFi attempts to list buckets from NiFi Registry.  The log
> output should at least confirm that the certificate exchange is occurring
> as expected.
>
>
>
> Regards,
>
> David Handermann
>
>
>
> On Mon, Mar 29, 2021 at 10:34 PM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> Hi David,
>
>
>
> I use the nifi-toolkit to create the keystore and truststore to make sure
> clientAuth and serverAuth are set properly.
>
>
>
> This is a ‘working’ config.
>
> Keystore:
>
> Alias name: nifi-key
>
> Creation date: date
>
> Entry type: PrivateKeyEntry
>
>
>
> Truststore:
>
> Alias name: server_name-nifi-cert
>
> Creation date: date
>
> Entry type: trustedCertEntry
>
>
>
> Owner: CN=server.domain.net, OU=NIFI
>
> Issuer: CN=localhost, OU=NIFI
>
>
>
> The issue with the new setup is using an external CA, also created via the
> nifi-toolkit: the new NiFi install is working fine (from an SSL perspective),
> and Registry is connecting but can't list buckets.
>
>
>
> Alias name: server_name-nifi-cert
> Creation date: Mar 29, 2021
> Entry type: trustedCertEntry
>
> Owner: CN= server_name.domain.net, OU=NIFI
> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION,
> ST=XX, C=US
>
>
>
> Thanks,
> Roland
>
>
>
> *From:* David Handermann <ex...@gmail.com>
> *Sent:* Monday, March 29, 2021 9:27 PM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> Hi Roland,
>
>
>
> Can you provide the commands you are using to create the server
> keystores?  Listing the keystore contents using "keytool -list -v -keystore
> <keystoreFile>" should include an Entry Type of "PrivateKeyEntry", so it
> would be helpful to confirm that the keystore includes a PrivateKeyEntry
> and not a TrustedCertEntry.
>
>
>
> Regards,
>
> David Handermann
>
>
>
> On Mon, Mar 29, 2021 at 5:49 PM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> I've tried this one more time (Nifi 1.12.1 to Registry 0.6.0).
> Re-signed/Re-imported the certs.
>
> The new "server" cert is of the type:
>
> Alias name: server_name-nifi-cert
> Creation date: Mar 29, 2021
> Entry type: trustedCertEntry
>
> Owner: CN= server_name.domain.net, OU=NIFI
> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION,
> ST=XX, C=US
>
> [blah]
>
> I am adding the "server user" 'CN= server_name.domain.net, OU=NIFI' to
> the registry with all the grants. I don't see any errors in the logs but
> still cannot properly link it to the existing buckets. Should I add the
> "server user" in a different manner since the cert issuer is not 'Issuer:
> CN=localhost, OU=NIFI'?
> The other servers' certs that are signed with 'Issuer: CN=localhost,
> OU=NIFI' work just fine (Nifi 1.9.2 to Registry 0.6.0).
> Is there a way to increase the logs as well?
>
> Many thanks,
> Roland
>
> -----Original Message-----
> From: Rosso, Roland <Ro...@AdventHealth.com>
> Sent: Thursday, March 25, 2021 2:21 PM
> To: users@nifi.apache.org
> Subject: RE: [EXTERNAL] Re: NiFi Registry SSL question
>
> Thank you Bryan,
> I've tried all combinations I could think of.
> I'll re-sign all the certs with the same key for nifi and registry and try
> this again.
>
> Thanks,
> Roland
>
> -----Original Message-----
> From: Bryan Bende <bb...@gmail.com>
> Sent: Tuesday, March 23, 2021 3:48 PM
> To: users@nifi.apache.org
> Subject: [EXTERNAL] Re: NiFi Registry SSL question
>
> I think the issue might be related to the "server user" in nifi registry.
> I would double check that the way the identity was entered in registry
> exactly matches the identity from nifi's certificate, case-sensitive and
> white-space sensitive. Also make sure this user in registry is granted all
> of the Proxy permissions, it is broken out into three different actions now
> (read, write, delete).
>
> On Tue, Mar 23, 2021 at 9:28 AM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
> >
> > Hi all,
> >
> > I am moving things around and moving from self-signed certs to corporate
> certs.
> >
> > I’ve installed nifi 1.12 with a new truststore and keystore (use toolkit
> with external certs) and that seems fine.
> >
> > I added the cert from the registry server (old self signed) into the new
> nifi 1.12 truststore and the new server cert (signed with corporate CA)
> into the nifi registry truststore (again, self signed).
> >
> > I also added the server ‘user’ CN=server.domain, OU=NIFI into the
> registry and made the permission grants (proxy, buckets). I don’t get any
> SSL errors in the logs but cannot add a PG via registry (no available
> bucket).
> >
> > Is this setup possible and am I missing something, or do all NiFi nodes
> and registry need to be signed with the same key? The idea was to set up a
> new instance (on a new server), pull all PGs via registry into the new one and
> retire the old.
> >
> >
> >
> > Thanks,
> >
> > Roland
> >
> >
> >
> >
> >
> > This message (including any attachments) is intended only for the use of
> the individual or entity to which it is addressed and may contain
> information that is non-public, proprietary, privileged, confidential, and
> exempt from disclosure under applicable law or may constitute as attorney
> work product. If you are not the intended recipient, you are hereby
> notified that any use, dissemination, distribution, or copying of this
> communication is strictly prohibited. If you have received this
> communication in error, notify us immediately by telephone and (i) destroy
> this message if a facsimile or (ii) delete this message immediately if this
> is an electronic communication. Thank you.
>
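Bryan's diagnosis above comes down to one check: NiFi Registry compares the user identity it has stored against the subject DN from the NiFi node's certificate as a literal string, so a stray space after `CN=` or `server_domain.net` in place of `server.domain.net` is a different user. The following Python script is an added example, not code from the thread or from the NiFi project; it pulls the `Owner:` DN out of `keytool -list -v` output and explains what kind of difference separates it from the identity entered in Registry. The keytool text and DN strings are constructed to mirror the ones quoted in the thread.

```python
"""Explain why a NiFi certificate identity does not match a NiFi Registry user.

Added example; the keytool output below is constructed to look like the
`keytool -list -v -keystore <keystoreFile>` listing quoted in the thread.
"""
from typing import Dict, List, Tuple

# Constructed sample of `keytool -list -v` output (not a real keystore).
KEYTOOL_OUTPUT = """\
Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US
"""


def extract_owner_dn(keytool_output: str) -> str:
    """Return the Owner (subject) DN as keytool printed it, minus the label."""
    for line in keytool_output.splitlines():
        if line.startswith("Owner:"):
            return line[len("Owner:"):].strip()
    raise ValueError("no Owner line found in keytool output")


def parse_rdns(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, raw value) pairs.

    Values are kept exactly as written so that a stray space such as
    'CN= host' stays visible. Escaped commas inside values are not handled;
    the DNs in the thread do not contain any.
    """
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip(), value))
    return pairs


def compare_identities(cert_dn: str, registry_identity: str) -> Dict[str, object]:
    """Decide whether Registry would see the two identities as the same user.

    Registry matches literally (case- and whitespace-sensitive), so only an
    exact string match succeeds. When it fails, 'reasons' says what differs.
    """
    result: Dict[str, object] = {"match": cert_dn == registry_identity, "reasons": []}
    reasons: List[str] = result["reasons"]  # type: ignore[assignment]
    if result["match"]:
        return result

    cert = dict(parse_rdns(cert_dn))
    reg = dict(parse_rdns(registry_identity))
    for attr in sorted(set(cert) | set(reg)):
        a, b = cert.get(attr), reg.get(attr)
        if a is None or b is None:
            reasons.append(f"{attr} present in only one identity")
        elif a == b:
            continue
        elif a.strip() == b.strip():
            reasons.append(f"{attr}: whitespace differs ({a!r} vs {b!r})")
        elif a.strip().lower() == b.strip().lower():
            reasons.append(f"{attr}: letter case differs ({a!r} vs {b!r})")
        else:
            reasons.append(f"{attr}: value differs ({a.strip()!r} vs {b.strip()!r})")

    if not reasons:
        # Every attribute/value pair agrees, so the strings can only differ
        # in how the RDNs are joined (', ' versus ',').
        reasons.append("attribute separators differ (e.g. ', ' vs ',')")
    return result


def report(cert_dn: str, registry_identity: str) -> str:
    """One-line, human-readable verdict for an operator."""
    res = compare_identities(cert_dn, registry_identity)
    if res["match"]:
        return "OK: identities match exactly"
    return "MISMATCH: " + "; ".join(res["reasons"])  # type: ignore[arg-type]


if __name__ == "__main__":
    cert_identity = extract_owner_dn(KEYTOOL_OUTPUT)
    # The leading space after 'CN=' in the keytool listing versus the
    # identity an operator would naturally type into Registry.
    print(report(cert_identity, "CN=server_name.domain.net, OU=NIFI"))
    # The dot-versus-underscore difference pointed out in the thread.
    print(report("CN=server.domain.net, OU=NIFI", "CN=server_domain.net, OU=NIFI"))
```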

RE: [EXTERNAL] Re: NiFi Registry SSL question

Posted by "Rosso, Roland" <Ro...@AdventHealth.com>.
Forgot the version on the previous email: Nifi 1.12.1 connecting to Registry 0.6.0

Roland

From: Rosso, Roland <Ro...@AdventHealth.com>
Sent: Tuesday, March 30, 2021 12:34 PM
To: users@nifi.apache.org
Subject: RE: [EXTERNAL] Re: NiFi Registry SSL question

Bryan, David,

[inline image: image001.png]
Where
In NiFi Registry Truststore:
Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI  <-- exact match to entry above
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US <--corporate CA switch
This worked fine when we used the self-signed NiFi certs of the type:

Alias name: server_name-nifi-cert
Creation date: date
Entry type: trustedCertEntry

Owner: CN=server.domain.net, OU=NIFI
Issuer: CN=localhost, OU=NIFI

Roland

From: Bryan Bende <bb...@gmail.com>
Sent: Tuesday, March 30, 2021 8:58 AM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

Since you aren't getting SSL errors and you are just getting no buckets, I don't think it is a problem with certificates. I think it is a problem with the authorization on NiFi Registry side.

What version of NiFi Registry? and also, can you show what policies exist for the NiFi server user in NiFi Registry?

On Tue, Mar 30, 2021 at 8:12 AM Chris McKeever <cg...@gmail.com> wrote:
Hey Roland .. I ran into a bunch of issues with using the toolkit. I just couldn't get it to do what I needed, so I wound up just running my own openssl and keytool commands. I found it much more straightforward, and then I could know what all was going on. I'm sure that after I got these scars and understood all the bits, the toolkit would work and be simpler, but I did find rolling my own, especially with the external CA, was easier.

Also, if you are on Slack, there is an active NiFi community there that may be helpful as well.

On Tue, Mar 30, 2021 at 6:17 AM Rosso, Roland <Ro...@adventhealth.com> wrote:
David,
Thanks for the debug config.
Here is the output when I try to connect to the registry from that new server and import a PG.
Since we have a few servers running, it is a very verbose log.
I may have missed the useful part of the log. 😊

2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut ... no IV derived for this protocol
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Handshake, length = 85
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: server finished[20]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client change_cipher_spec[-1]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client finished[20]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Change Cipher Spec, length = 1
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut *** Finished
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut verify_data:  { 20, 87, 186, 148, 90, 136, 108, 120, 14, 10, 42, 184 }
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut ***
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: finished[20]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client change_cipher_spec[-1]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client finished[20]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Handshake, length = 96
2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 Change Cipher Spec, length = 1
2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client finished[20]
2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 Handshake, length = 96
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut check handshake state: finished[20]
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: finished[20]
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut *** Finished
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut verify_data:  { 155, 211, 15, 169, 135, 208, 90, 115, 111, 50, 85, 164 }
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut ***
2021-03-30 06:57:50,226 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 926
2021-03-30 06:57:50,228 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1100
2021-03-30 06:57:50,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1018
2021-03-30 06:57:50,231 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1049
2021-03-30 06:57:50,233 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1010
2021-03-30 06:57:50,234 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 928
2021-03-30 06:57:50,236 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 924
2021-03-30 06:57:50,237 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
2021-03-30 06:57:50,239 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 919
2021-03-30 06:57:50,240 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1007
2021-03-30 06:57:50,241 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 999
2021-03-30 06:57:50,243 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 916
2021-03-30 06:57:50,245 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 996
2021-03-30 06:57:50,247 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1102
2021-03-30 06:57:50,248 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 942
2021-03-30 06:57:50,250 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
2021-03-30 06:57:50,251 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 919
2021-03-30 06:57:50,253 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 938
2021-03-30 06:57:50,254 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 942
2021-03-30 06:57:50,255 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 923
2021-03-30 06:57:50,256 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 944
2021-03-30 06:57:50,258 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 946
2021-03-30 06:57:50,259 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1006
2021-03-30 06:57:50,261 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 932
2021-03-30 06:57:50,263 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 912
2021-03-30 06:57:50,264 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 943
2021-03-30 06:57:50,266 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1026
2021-03-30 06:57:50,267 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 975
2021-03-30 06:57:50,269 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 915
2021-03-30 06:57:50,270 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 914
2021-03-30 06:57:50,271 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 931
2021-03-30 06:57:50,272 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 929
2021-03-30 06:57:50,274 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 910
2021-03-30 06:57:50,275 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
2021-03-30 06:57:50,276 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 911
2021-03-30 06:57:50,277 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 918
2021-03-30 06:57:50,279 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 927
2021-03-30 06:57:50,280 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 913
2021-03-30 06:57:50,281 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 923
2021-03-30 06:57:50,282 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 928
2021-03-30 06:57:50,284 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 937
2021-03-30 06:57:50,285 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1042
2021-03-30 06:57:50,286 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 939
2021-03-30 06:57:50,287 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 939
2021-03-30 06:57:50,289 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 922
2021-03-30 06:57:50,290 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 919
2021-03-30 06:57:50,291 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 930
2021-03-30 06:57:50,292 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 933
2021-03-30 06:57:50,293 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 930
2021-03-30 06:57:50,295 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 931
2021-03-30 06:57:50,296 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 922
2021-03-30 06:57:50,297 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 947
2021-03-30 06:57:50,298 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 905
2021-03-30 06:57:50,300 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1166
2021-03-30 06:57:50,301 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 914
2021-03-30 06:57:50,302 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 898
2021-03-30 06:57:50,303 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 908
2021-03-30 06:57:50,304 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 989
2021-03-30 06:57:50,306 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 911
2021-03-30 06:57:50,307 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, READ: TLSv1.2 Alert, length = 80
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, RECV TLSv1.2 ALERT:  warning, close_notify
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, closeInboundInternal()
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, closeOutboundInternal()
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, SEND TLSv1.2 ALERT:  warning, description = close_notify
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, WRITE: TLSv1.2 Alert, length = 80
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, called closeOutbound()
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, closeOutboundInternal()
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 Alert, length = 80
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, RECV TLSv1.2 ALERT:  warning, close_notify
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, closeInboundInternal()
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, closeOutboundInternal()
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, SEND TLSv1.2 ALERT:  warning, description = close_notify
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Alert, length = 80
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, called closeOutbound()
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, closeOutboundInternal()

Roland

From: David Handermann <ex...@gmail.com>
Sent: Monday, March 29, 2021 11:56 PM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

Hi Roland,

Thanks for the reply.  If you are not seeing any warnings or errors in the NiFi Registry logs, you could enable SSL debugging in the NiFi Registry bootstrap.conf.  Adding the following line to bootstrap.conf should enable SSL debug output to the nifi-registry-bootstrap.log:

java.arg.20=-Djavax.net.debug=ssl

This setting produces a lot of output, but if you watch the log after the initial application startup, you should be able to observe the TLS handshake when NiFi attempts to list buckets from NiFi Registry.  The log output should at least confirm that the certificate exchange is occurring as expected.

Regards,
David Handermann

On Mon, Mar 29, 2021 at 10:34 PM Rosso, Roland <Ro...@adventhealth.com> wrote:
Hi David,

I use the nifi-toolkit to create the keystore and truststore to make sure clientAuth and serverAuth is set properly.

This is a ‘working’ config.
Keystore:
Alias name: nifi-key
Creation date: date
Entry type: PrivateKeyEntry

Truststore:
Alias name: server_name-nifi-cert
Creation date: date
Entry type: trustedCertEntry

Owner: CN=server.domain.net, OU=NIFI
Issuer: CN=localhost, OU=NIFI

The issue with the new setup is with using an external CA, also created via the nifi-toolkit: the new NiFi install is working fine (from an SSL perspective), and the Registry is connecting but can't list buckets.

Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US

Thanks,
Roland

From: David Handermann <ex...@gmail.com>
Sent: Monday, March 29, 2021 9:27 PM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

Hi Roland,

Can you provide the commands you are using to create the server keystores?  Listing the keystore contents using "keytool -list -v -keystore <keystoreFile>" should include an Entry Type of "PrivateKeyEntry", so it would be helpful to confirm that the keystore includes a PrivateKeyEntry and not a TrustedCertEntry.

Regards,
David Handermann

On Mon, Mar 29, 2021 at 5:49 PM Rosso, Roland <Ro...@adventhealth.com> wrote:
I've tried this one more time (Nifi 1.12.1 to Registry 0.6.0). Re-signed/Re-imported the certs.

The new "server" cert is of the type:

Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US

[blah]

I am adding the "server user" 'CN= server_name.domain.net, OU=NIFI' to the registry with all the grants. I don't see any errors in the logs but still cannot properly link it to the existing buckets. Should I add the "server user" in a different manner since the cert issuer is not 'Issuer: CN=localhost, OU=NIFI'?
The other servers' certs that are signed with 'Issuer: CN=localhost, OU=NIFI' work just fine (Nifi 1.9.2 to Registry 0.6.0).
Is there a way to increase the logs as well?

Many thanks,
Roland

-----Original Message-----
From: Rosso, Roland <Ro...@AdventHealth.com>
Sent: Thursday, March 25, 2021 2:21 PM
To: users@nifi.apache.org
Subject: RE: [EXTERNAL] Re: NiFi Registry SSL question

Thank you Bryan,
I've tried all combinations I could think of.
I'll re-sign all the certs with the same key for nifi and registry and try this again.

Thanks,
Roland

-----Original Message-----
From: Bryan Bende <bb...@gmail.com>
Sent: Tuesday, March 23, 2021 3:48 PM
To: users@nifi.apache.org
Subject: [EXTERNAL] Re: NiFi Registry SSL question

I think the issue might be related to the "server user" in nifi registry. I would double check that the way the identity was entered in registry exactly matches the identity from nifi's certificate, case-sensitive and white-space sensitive. Also make sure this user in registry is granted all of the Proxy permissions, it is broken out into three different actions now (read, write, delete).

On Tue, Mar 23, 2021 at 9:28 AM Rosso, Roland <Ro...@adventhealth.com> wrote:
>
> Hi all,
>
> I am moving things around and moving from self-signed certs to corporate certs.
>
> I’ve installed nifi 1.12 with a new truststore and keystore (use toolkit with external certs) and that seems fine.
>
> I added the cert from the registry server (old self signed) into the new nifi 1.12 truststore and the new server cert (signed with corporate CA) into the nifi registry truststore (again, self signed).
>
> I also added the server ‘user’ CN=server.domain, OU=NIFI into the registry and made the permission grants (proxy, buckets). I don’t get any SSL errors in the logs but cannot add a PG via registry (no available bucket).
>
> Is this setup possible and am I missing something, or do all NiFi nodes and registry need to be signed with the same key? The idea was to setup a new instance (on new server), pull all PGs via registry into the new and retiring the old.
>
>
>
> Thanks,
>
> Roland
>
>
>
>
>
> This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or may constitute as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, notify us immediately by telephone and (i) destroy this message if a facsimile or (ii) delete this message immediately if this is an electronic communication. Thank you.
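The keystore listing David asks for and the exact-match identity rule Bryan describes can both be checked mechanically. The following is an added example, not code from this thread or from the NiFi project: it parses the output of `keytool -list -v -keystore <file>` (the two sample listings are constructed from the entries quoted in the thread) and compares the leaf certificate's Owner DN with a Registry identity string supplied as `REGISTRY_IDENTITY`, which is an assumed value. Note that the Owner line as quoted in the thread contains a space after `CN=` ("CN= server_name.domain.net"); whether that is a copy-paste artifact or really present in the certificate, an identity entered in Registry without that space would not match, which is exactly the kind of difference this check reports.

```python
"""Check a keytool listing and the NiFi Registry user identity for exact match.

Added example, not part of the mailing-list thread. It parses the output of
`keytool -list -v -keystore <file>` and checks the two points raised in the
thread: the keystore must hold a PrivateKeyEntry (a trustedCertEntry alone has
no private key to present), and the certificate Owner DN must match the
identity entered in NiFi Registry character for character.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class KeystoreEntry:
    alias: str
    entry_type: str = ""
    owner: Optional[str] = None   # subject DN of the first (leaf) certificate
    issuer: Optional[str] = None  # issuer DN of that leaf certificate


def parse_keytool_listing(text: str) -> list:
    """Parse `keytool -list -v` output into one KeystoreEntry per alias.

    For a PrivateKeyEntry the chain is printed as Certificate[1], [2], ...;
    only the first Owner/Issuer pair (the leaf) is recorded.
    """
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            current = KeystoreEntry(alias=line.split(":", 1)[1].strip())
            entries.append(current)
        elif current is None:
            continue
        elif line.startswith("Entry type:"):
            current.entry_type = line.split(":", 1)[1].strip()
        elif line.startswith("Owner:") and current.owner is None:
            current.owner = line.split(":", 1)[1].strip()
        elif line.startswith("Issuer:") and current.issuer is None:
            current.issuer = line.split(":", 1)[1].strip()
    return entries


def compare_identity(cert_owner: str, registry_identity: str) -> str:
    """Classify how the certificate DN relates to the Registry identity.

    Registry compares the strings exactly, so anything other than "match"
    means the NiFi node will not be recognised as that user.
    """
    def squash(s: str) -> str:
        return re.sub(r"\s+", "", s)

    if cert_owner == registry_identity:
        return "match"
    if cert_owner.lower() == registry_identity.lower():
        return "case mismatch"
    if squash(cert_owner) == squash(registry_identity):
        return "whitespace mismatch"
    if squash(cert_owner).lower() == squash(registry_identity).lower():
        return "case and whitespace mismatch"
    return "different identity"


def check_keystore(listing: str, registry_identity: str) -> dict:
    """Summarise the listing against the identity configured in Registry."""
    entries = parse_keytool_listing(listing)
    key_entries = [e for e in entries if e.entry_type == "PrivateKeyEntry"]
    report = {"has_private_key": bool(key_entries), "owner": None,
              "issuer": None, "identity_check": "no private key entry"}
    if key_entries:
        leaf = key_entries[0]
        report["owner"] = leaf.owner
        report["issuer"] = leaf.issuer
        report["identity_check"] = compare_identity(leaf.owner or "", registry_identity)
    return report


# Constructed sample listings, modelled on the entries quoted in the thread.
# The Owner line deliberately keeps the "CN= server_name" spacing as quoted.
KEYSTORE_LISTING = """\
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: nifi-key
Creation date: Mar 29, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN= server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US
Serial number: 1
Certificate[2]:
Owner: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US
"""

TRUSTSTORE_LISTING = """\
Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US
"""

# Assumed value: the identity as an operator might type it into Registry.
REGISTRY_IDENTITY = "CN=server_name.domain.net, OU=NIFI"

if __name__ == "__main__":
    print(check_keystore(KEYSTORE_LISTING, REGISTRY_IDENTITY))
    print(check_keystore(TRUSTSTORE_LISTING, REGISTRY_IDENTITY))
```

Run it against the real listing by piping `keytool -list -v -keystore keystore.jks` into a file and passing its contents as `listing`; the truststore listing is included only to show that a store holding nothing but trustedCertEntry items is reported as having no private key, which is the case David wants ruled out.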
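Bryan's reading of the `-Djavax.net.debug=ssl` output (handshakes finish, only `close_notify` warnings appear, application data flows, so the missing buckets are an authorization problem rather than a certificate problem) can be turned into a small triage script. This is an added example, not code from the thread or the NiFi project: the sample log is a subset of the lines quoted above plus one constructed fatal-alert line for contrast, and the verdict labels are the example's own.

```python
"""Triage javax.net.debug=ssl output captured from NiFi Registry.

Added example, not part of the thread. It reads the StdOut lines produced by
the -Djavax.net.debug=ssl setting, tallies application-data records and TLS
alerts per Jetty thread, and reports whether TLS itself failed or whether the
connection worked and the bucket problem lies in Registry authorization.
"""
import re
from collections import defaultdict

# Message text after the NiFi logging-handler prefix.
STDOUT_RE = re.compile(r"org\.apache\.nifi\.registry\.StdOut (?P<msg>.*)$")
# Lines tagged with the Jetty thread that owns the connection.
THREAD_RE = re.compile(r"^(?P<thread>NiFi Registry Web Server-\d+), (?P<rest>.*)$")
APP_DATA_RE = re.compile(
    r"^(?:READ|WRITE): TLSv1\.\d Application Data, length = (?P<length>\d+)$"
)
# JSSE prints received alerts as "RECV ... ALERT:  level, description" and
# sent alerts as "SEND ... ALERT:  level, description = description".
ALERT_RE = re.compile(
    r"^(?:RECV|SEND) TLSv1\.\d ALERT:\s+(?P<level>warning|fatal), "
    r"(?:description = )?(?P<desc>\w+)$"
)


def triage(log_text: str) -> dict:
    """Return per-thread counts of application data and the alerts seen."""
    threads = defaultdict(
        lambda: {"app_data_records": 0, "app_data_bytes": 0, "alerts": []}
    )
    for line in log_text.splitlines():
        m = STDOUT_RE.search(line)
        if not m:
            continue
        t = THREAD_RE.match(m.group("msg"))
        if not t:
            continue  # untagged lines such as "*** Finished" carry no thread id
        stats = threads[t.group("thread")]
        rest = t.group("rest")
        a = APP_DATA_RE.match(rest)
        if a:
            stats["app_data_records"] += 1
            stats["app_data_bytes"] += int(a.group("length"))
            continue
        al = ALERT_RE.match(rest)
        if al:
            stats["alerts"].append((al.group("level"), al.group("desc")))
    return dict(threads)


def verdict(threads: dict) -> str:
    """Labels are this example's own. A fatal alert means TLS itself failed;
    application data with no fatal alert means the connection worked, so the
    missing buckets are an authorization question on the Registry side."""
    fatal = [desc for s in threads.values() for level, desc in s["alerts"]
             if level == "fatal"]
    if fatal:
        return "tls_failure"
    if any(s["app_data_records"] for s in threads.values()):
        return "tls_ok_check_authorization"
    return "no_application_data"


# Subset of the debug output quoted in the thread (verbatim lines).
SAMPLE_LOG = """\
2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 Handshake, length = 96
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut *** Finished
2021-03-30 06:57:50,226 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 926
2021-03-30 06:57:50,228 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1100
2021-03-30 06:57:50,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1018
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, READ: TLSv1.2 Alert, length = 80
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, RECV TLSv1.2 ALERT:  warning, close_notify
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, SEND TLSv1.2 ALERT:  warning, description = close_notify
"""

# Constructed line (not from the thread) showing what a certificate failure
# would look like in the same format.
FATAL_ALERT_LINE = (
    "2021-03-30 07:00:00,000 INFO [NiFi logging handler] "
    "org.apache.nifi.registry.StdOut NiFi Registry Web Server-12, "
    "RECV TLSv1.2 ALERT:  fatal, certificate_unknown\n"
)

if __name__ == "__main__":
    stats = triage(SAMPLE_LOG)
    for thread, s in sorted(stats.items()):
        print(thread, s)
    print("verdict:", verdict(stats))
    print("with fatal alert:", verdict(triage(SAMPLE_LOG + FATAL_ALERT_LINE)))
```

Feed it the nifi-registry-bootstrap.log (or nifi-registry-app.log, depending on where the StdOut handler writes) captured while NiFi tries to list buckets; a `tls_ok_check_authorization` verdict is the signal to stop looking at certificates and review the server user's policies in Registry instead.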

RE: [EXTERNAL] Re: NiFi Registry SSL question

Posted by "Rosso, Roland" <Ro...@AdventHealth.com>.
Bryan, David,

[inline image: image001.png]
Where
In NiFi Registry Truststore:
Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI  <-- exact match to entry above
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US <--corporate CA switch
This worked fine when we used the self-signed NiFi certs of the type:

Alias name: server_name-nifi-cert
Creation date: date
Entry type: trustedCertEntry
Owner: CN=server.domain.net, OU=NIFI
Issuer: CN=localhost, OU=NIFI

Roland

From: Bryan Bende <bb...@gmail.com>
Sent: Tuesday, March 30, 2021 8:58 AM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

Since you aren't getting SSL errors and you are just getting no buckets, I don't think it is a problem with certificates. I think it is a problem with the authorization on the NiFi Registry side.

What version of NiFi Registry? And also, can you show what policies exist for the NiFi server user in NiFi Registry?

On Tue, Mar 30, 2021 at 8:12 AM Chris McKeever <cg...@gmail.com> wrote:
Hey Roland .. I ran into a bunch of issues with using the toolkit. I just couldn't get it to do what I needed, so I wound up just running my own openssl and keytool commands. I found it much more straightforward and then I could know what all was going on. I'm sure after I got these scars, and I understood all the bits, that the toolkit would work and be simpler, but I did find rolling my own, especially with the external CA, was easier.

Also, if you are on Slack, there is an active NiFi community there that may be helpful as well ..

On Tue, Mar 30, 2021 at 6:17 AM Rosso, Roland <Ro...@adventhealth.com> wrote:
David,
Thanks for the debug config.
Here is the output when I try to connect to the registry from that new server and import a PG.
Since we have a few servers running, it is a very verbose log.
I may have missed the useful part of the log. 😊

2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut ... no IV derived for this protocol
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Handshake, length = 85
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: server finished[20]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client change_cipher_spec[-1]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client finished[20]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Change Cipher Spec, length = 1
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut *** Finished
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut verify_data:  { 20, 87, 186, 148, 90, 136, 108, 120, 14, 10, 42, 184 }
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut ***
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: finished[20]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client change_cipher_spec[-1]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client finished[20]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Handshake, length = 96
2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 Change Cipher Spec, length = 1
2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client finished[20]
2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 Handshake, length = 96
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut check handshake state: finished[20]
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: finished[20]
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut *** Finished
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut verify_data:  { 155, 211, 15, 169, 135, 208, 90, 115, 111, 50, 85, 164 }
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut ***
2021-03-30 06:57:50,226 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 926
2021-03-30 06:57:50,228 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1100
2021-03-30 06:57:50,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1018
2021-03-30 06:57:50,231 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1049
2021-03-30 06:57:50,233 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1010
2021-03-30 06:57:50,234 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 928
2021-03-30 06:57:50,236 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 924
2021-03-30 06:57:50,237 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
2021-03-30 06:57:50,239 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 919
2021-03-30 06:57:50,240 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1007
2021-03-30 06:57:50,241 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 999
2021-03-30 06:57:50,243 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 916
2021-03-30 06:57:50,245 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 996
2021-03-30 06:57:50,247 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1102
2021-03-30 06:57:50,248 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 942
2021-03-30 06:57:50,250 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
2021-03-30 06:57:50,251 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 919
2021-03-30 06:57:50,253 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 938
2021-03-30 06:57:50,254 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 942
2021-03-30 06:57:50,255 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 923
2021-03-30 06:57:50,256 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 944
2021-03-30 06:57:50,258 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 946
2021-03-30 06:57:50,259 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1006
2021-03-30 06:57:50,261 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 932
2021-03-30 06:57:50,263 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 912
2021-03-30 06:57:50,264 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 943
2021-03-30 06:57:50,266 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1026
2021-03-30 06:57:50,267 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 975
2021-03-30 06:57:50,269 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 915
2021-03-30 06:57:50,270 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 914
2021-03-30 06:57:50,271 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 931
2021-03-30 06:57:50,272 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 929
2021-03-30 06:57:50,274 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 910
2021-03-30 06:57:50,275 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
2021-03-30 06:57:50,276 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 911
2021-03-30 06:57:50,277 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 918
2021-03-30 06:57:50,279 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 927
2021-03-30 06:57:50,280 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 913
2021-03-30 06:57:50,281 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 923
2021-03-30 06:57:50,282 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 928
2021-03-30 06:57:50,284 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 937
2021-03-30 06:57:50,285 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1042
2021-03-30 06:57:50,286 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 939
2021-03-30 06:57:50,287 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 939
2021-03-30 06:57:50,289 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 922
2021-03-30 06:57:50,290 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 919
2021-03-30 06:57:50,291 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 930
2021-03-30 06:57:50,292 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 933
2021-03-30 06:57:50,293 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 930
2021-03-30 06:57:50,295 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 931
2021-03-30 06:57:50,296 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 922
2021-03-30 06:57:50,297 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 947
2021-03-30 06:57:50,298 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 905
2021-03-30 06:57:50,300 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1166
2021-03-30 06:57:50,301 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 914
2021-03-30 06:57:50,302 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 898
2021-03-30 06:57:50,303 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 908
2021-03-30 06:57:50,304 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 989
2021-03-30 06:57:50,306 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 911
2021-03-30 06:57:50,307 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, READ: TLSv1.2 Alert, length = 80
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, RECV TLSv1.2 ALERT:  warning, close_notify
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, closeInboundInternal()
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, closeOutboundInternal()
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, SEND TLSv1.2 ALERT:  warning, description = close_notify
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, WRITE: TLSv1.2 Alert, length = 80
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, called closeOutbound()
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, closeOutboundInternal()
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 Alert, length = 80
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, RECV TLSv1.2 ALERT:  warning, close_notify
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, closeInboundInternal()
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, closeOutboundInternal()
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, SEND TLSv1.2 ALERT:  warning, description = close_notify
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Alert, length = 80
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, called closeOutbound()
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, closeOutboundInternal()

Roland

From: David Handermann <ex...@gmail.com>
Sent: Monday, March 29, 2021 11:56 PM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

Hi Roland,

Thanks for the reply.  If you are not seeing any warnings or errors in the NiFi Registry logs, you could enable SSL debugging in the NiFi Registry bootstrap.conf.  Adding the following line to bootstrap.conf should enable SSL debug output to the nifi-registry-bootstrap.log:

java.arg.20=-Djavax.net.debug=ssl

This setting produces a lot of output, but if you watch the log after the initial application startup, you should be able to observe the TLS handshake when NiFi attempts to list buckets from NiFi Registry.  The log output should at least confirm that the certificate exchange is occurring as expected.

Regards,
David Handermann

On Mon, Mar 29, 2021 at 10:34 PM Rosso, Roland <Ro...@adventhealth.com> wrote:
Hi David,

I use the nifi-toolkit to create the keystore and truststore to make sure clientAuth and serverAuth are set properly.

This is a ‘working’ config.
Keystore:
Alias name: nifi-key
Creation date: date
Entry type: PrivateKeyEntry

Truststore:
Alias name: server_name-nifi-cert
Creation date: date
Entry type: trustedCertEntry

Owner: CN=server.domain.net, OU=NIFI
Issuer: CN=localhost, OU=NIFI

The issue with the new setup is using an external CA, also created via the nifi-toolkit: the new NiFi install is working fine (from an SSL perspective), the Registry is connecting but can’t list buckets.

Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US

Thanks,
Roland

From: David Handermann <ex...@gmail.com>
Sent: Monday, March 29, 2021 9:27 PM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

Hi Roland,

Can you provide the commands you are using to create the server keystores?  Listing the keystore contents using "keytool -list -v -keystore <keystoreFile>" should include an Entry Type of "PrivateKeyEntry", so it would be helpful to confirm that the keystore includes a PrivateKeyEntry and not a TrustedCertEntry.

Regards,
David Handermann

On Mon, Mar 29, 2021 at 5:49 PM Rosso, Roland <Ro...@adventhealth.com> wrote:
I've tried this one more time (Nifi 1.12.1 to Registry 0.6.0). Re-signed/Re-imported the certs.

The new "server" cert is of the type:

Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US

[blah]

I am adding the "server user" 'CN= server_name.domain.net, OU=NIFI' to the registry with all the grants. I don't see any errors in the logs but still cannot properly link it to the existing buckets. Should I add the "server user" in a different manner since the cert issuer is not 'Issuer: CN=localhost, OU=NIFI'?
The other servers' certs that are signed with 'Issuer: CN=localhost, OU=NIFI' work just fine (Nifi 1.9.2 to Registry 0.6.0).
Is there a way to increase the logs as well?

Many thanks,
Roland

-----Original Message-----
From: Rosso, Roland <Ro...@AdventHealth.com>
Sent: Thursday, March 25, 2021 2:21 PM
To: users@nifi.apache.org
Subject: RE: [EXTERNAL] Re: NiFi Registry SSL question

Thank you Bryan,
I've tried all combinations I could think of.
I'll re-sign all the certs with the same key for nifi and registry and try this again.

Thanks,
Roland

-----Original Message-----
From: Bryan Bende <bb...@gmail.com>
Sent: Tuesday, March 23, 2021 3:48 PM
To: users@nifi.apache.org
Subject: [EXTERNAL] Re: NiFi Registry SSL question

I think the issue might be related to the "server user" in nifi registry. I would double check that the way the identity was entered in registry exactly matches the identity from nifi's certificate, case-sensitive and white-space sensitive. Also make sure this user in registry is granted all of the Proxy permissions, it is broken out into three different actions now (read, write, delete).

On Tue, Mar 23, 2021 at 9:28 AM Rosso, Roland <Ro...@adventhealth.com> wrote:
>
> Hi all,
>
> I am moving things around and moving from self-signed certs to corporate certs.
>
> I’ve installed nifi 1.12 with a new truststore and keystore (use toolkit with external certs) and that seems fine.
>
> I added the cert from the registry server (old self signed) into the new nifi 1.12 truststore and the new server cert (signed with corporate CA) into the nifi registry truststore (again, self signed).
>
> I also added the server ‘user’ CN=server.domain, OU=NIFI into the registry and made the permission grants (proxy, buckets). I don’t get any SSL errors in the logs but cannot add a PG via registry (no available bucket).
>
> Is this setup possible and am I missing something, or do all NiFi nodes and registry need to be signed with the same key? The idea was to setup a new instance (on new server), pull all PGs via registry into the new and retiring the old.
>
>
>
> Thanks,
>
> Roland
>
>
>
>
>
> This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or may constitute as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, notify us immediately by telephone and (i) destroy this message if a facsimile or (ii) delete this message immediately if this is an electronic communication. Thank you.
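
A small triage script for the javax.net.debug=ssl output that David suggested and that Roland pasted above. This is an added example, not NiFi Registry code: it groups the bootstrap-log lines by Jetty thread, records whether a Finished message and application data were seen, collects alerts, and pulls the Subject of the client certificate chain that follows the server's CertificateRequest. The sample lines are constructed in the JDK 8 debug format seen in the thread (the wording of the message dumps varies between JDK versions), and attributing the thread-less dump lines to the most recently seen thread is a heuristic that can misfire when several NiFi nodes are talking to the Registry at once. The verdict separates the cases Bryan distinguishes: a fatal alert (a TLS problem), an empty client chain (NiFi did not present a certificate), or a clean handshake ended only by close_notify, which points at identity or policy configuration on the Registry rather than at the certificates.

```python
"""Triage of javax.net.debug=ssl output as it appears in nifi-registry-bootstrap.log.
Added example for this thread, not NiFi Registry code; the sample lines below are
constructed in the JDK 8 debug format seen in the pasted log."""
import re
from collections import defaultdict

# Bootstrap-log prefix in front of every stdout line.
PREFIX = re.compile(r"^\S+ \S+ INFO \[NiFi logging handler\] "
                    r"org\.apache\.nifi\.registry\.StdOut (?P<body>.*)$")
# Record lines carry the connection's thread name; message dumps ("*** Finished") do not.
RECORD = re.compile(r"^(?P<thread>.+?), (?:READ|WRITE): TLSv1\.[23] "
                    r"(?P<ctype>Handshake|Change Cipher Spec|Application Data|Alert), length = \d+$")
ALERT = re.compile(r"^(?P<thread>.+?), (?:RECV|SEND) TLSv1\.[23] ALERT:\s+"
                   r"(?P<level>warning|fatal), (?:description = )?(?P<desc>\w+)$")
SUBJECT = re.compile(r"^\s*Subject: (?P<dn>.+)$")


def _line(body):
    return "2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut " + body

# Constructed sample: one connection that presents a client cert and closes cleanly,
# one that presents no certificate and is rejected with a fatal alert.
SAMPLE_LOG = [_line(b) for b in [
    "NiFi Registry Web Server-53, READ: TLSv1.2 Handshake, length = 512",
    "*** ClientHello, TLSv1.2",
    "NiFi Registry Web Server-53, WRITE: TLSv1.2 Handshake, length = 2048",
    "*** CertificateRequest",
    "NiFi Registry Web Server-53, READ: TLSv1.2 Handshake, length = 1400",
    "*** Certificate chain",
    "chain [0] = [",
    "  Subject: CN=server_name.domain.net, OU=NIFI",
    "  Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME",
    "]",
    "***",
    "NiFi Registry Web Server-53, WRITE: TLSv1.2 Change Cipher Spec, length = 1",
    "*** Finished",
    "NiFi Registry Web Server-53, WRITE: TLSv1.2 Handshake, length = 96",
    "NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1100",
    "NiFi Registry Web Server-53, READ: TLSv1.2 Alert, length = 80",
    "NiFi Registry Web Server-53, RECV TLSv1.2 ALERT:  warning, close_notify",
    "NiFi Registry Web Server-53, SEND TLSv1.2 ALERT:  warning, description = close_notify",
    "NiFi Registry Web Server-40, WRITE: TLSv1.2 Handshake, length = 2048",
    "*** CertificateRequest",
    "NiFi Registry Web Server-40, READ: TLSv1.2 Handshake, length = 7",
    "*** Certificate chain",
    "<Empty>",
    "***",
    "NiFi Registry Web Server-40, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure",
]]


def triage(lines):
    """Per connection thread: Finished count, application-data count, alerts, client subject.
    Message dumps are attributed to the thread of the most recent record line (a heuristic:
    with several NiFi nodes talking at once, interleaving can misattribute a dump)."""
    conns = defaultdict(lambda: {"finished": 0, "app_data": 0, "alerts": [],
                                 "cert_request": False, "client_subject": None})
    current, in_client_chain = None, False
    for raw in lines:
        m = PREFIX.match(raw)
        if not m:
            continue
        body = m.group("body")
        r = RECORD.match(body)
        if r:
            current = r.group("thread")
            if r.group("ctype") == "Application Data":
                conns[current]["app_data"] += 1
            continue
        a = ALERT.match(body)
        if a:
            current = a.group("thread")
            conns[current]["alerts"].append((a.group("level"), a.group("desc")))
            continue
        if current is None:
            continue
        c = conns[current]
        if body == "*** CertificateRequest":
            c["cert_request"] = True          # the server asked for a client certificate
        elif body == "*** Certificate chain":
            # the chain dumped after CertificateRequest is the peer's (NiFi's) chain
            in_client_chain = c["cert_request"] and c["client_subject"] is None
        elif body == "***":
            in_client_chain = False
        elif in_client_chain:
            if body.strip() == "<Empty>":
                c["client_subject"] = "<Empty>"
            elif SUBJECT.match(body):
                c["client_subject"] = SUBJECT.match(body).group("dn").strip()
        elif body == "*** Finished":
            c["finished"] += 1
    return dict(conns)


def verdict(conn):
    fatal = [d for lvl, d in conn["alerts"] if lvl == "fatal"]
    if fatal:
        return "TLS failure: " + ", ".join(fatal)
    if conn["client_subject"] == "<Empty>":
        return "client presented no certificate"
    if conn["finished"] and conn["app_data"]:
        extra = [d for _, d in conn["alerts"] if d != "close_notify"]
        if not extra:
            return "TLS OK, closed with close_notify only; look at identity/policies on the Registry"
        return "TLS OK with warnings: " + ", ".join(extra)
    return "handshake incomplete"


if __name__ == "__main__":
    for thread, conn in triage(SAMPLE_LOG).items():
        print(f"{thread}: client={conn['client_subject']} -> {verdict(conn)}")
```

Run it against a real nifi-registry-bootstrap.log by replacing SAMPLE_LOG with the file's lines; a connection that ends up as "TLS OK, closed with close_notify only" while NiFi still shows no buckets is the situation in this thread, and the printed client subject is the exact string to compare with the user identity configured in NiFi Registry.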

Re: [EXTERNAL] Re: NiFi Registry SSL question

Posted by Bryan Bende <bb...@gmail.com>.
Since you aren't getting SSL errors and you are just getting no buckets, I
don't think it is a problem with certificates. I think it is a problem with
the authorization on NiFi Registry side.

What version of NiFi Registry? and also, can you show what policies exist
for the NiFi server user in NiFi Registry?

On Tue, Mar 30, 2021 at 8:12 AM Chris McKeever <cg...@gmail.com> wrote:

> Hey Roland .. I ran into a bunch of issues with using the toolkit. I just
> couldn't get it to do what I needed, I wound up just running my own openssl
> and keytool commands. I found it much more straightforward and then I could
> know what all was going on. I'm sure after I got these scars, and I
> understood all the bits that toolkit would work and be simpler, but I did
> find rolling my own, especially with the external CA was easier.
>
> also - if you are on slack, there is an active nifi community there that
> may be helpful as well ..
>
> On Tue, Mar 30, 2021 at 6:17 AM Rosso, Roland <Roland.Rosso@adventhealth.com> wrote:
>
>> David,
>>
>> Thanks for the debug config.
>>
>> Here is the output when I try to connect to the registry from that new
>> server and import a PG.
>>
>> Since we have a few servers running, it is a very verbose log.
>>
>> I may have missed the useful part of the log. 😊
>>
>>
>>
>> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut ... no IV derived for this protocol
>> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Handshake, length = 85
>> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
>> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: server finished[20]
>> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client change_cipher_spec[-1]
>> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client finished[20]
>> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Change Cipher Spec, length = 1
>> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut *** Finished
>> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut verify_data:  { 20, 87, 186, 148, 90, 136, 108, 120, 14, 10, 42, 184 }
>> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut ***
>> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: finished[20]
>> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client change_cipher_spec[-1]
>> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client finished[20]
>> 2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Handshake, length = 96
>> 2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 Change Cipher Spec, length = 1
>> 2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
>> 2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client finished[20]
>> 2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 Handshake, length = 96
>> 2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut check handshake state: finished[20]
>> 2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: finished[20]
>> 2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut *** Finished
>> 2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut verify_data:  { 155, 211, 15, 169, 135, 208, 90, 115, 111, 50, 85, 164 }
>> 2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut ***
>> 2021-03-30 06:57:50,226 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 926
>> 2021-03-30 06:57:50,228 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1100
>> 2021-03-30 06:57:50,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1018
>> 2021-03-30 06:57:50,231 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1049
>> 2021-03-30 06:57:50,233 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1010
>> 2021-03-30 06:57:50,234 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 928
>> 2021-03-30 06:57:50,236 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 924
>> 2021-03-30 06:57:50,237 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
>> 2021-03-30 06:57:50,239 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 919
>> 2021-03-30 06:57:50,240 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1007
>> 2021-03-30 06:57:50,241 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 999
>> 2021-03-30 06:57:50,243 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 916
>> 2021-03-30 06:57:50,245 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 996
>> 2021-03-30 06:57:50,247 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1102
>> 2021-03-30 06:57:50,248 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 942
>> 2021-03-30 06:57:50,250 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
>> 2021-03-30 06:57:50,251 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 919
>> 2021-03-30 06:57:50,253 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 938
>> 2021-03-30 06:57:50,254 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 942
>> 2021-03-30 06:57:50,255 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 923
>> 2021-03-30 06:57:50,256 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 944
>> 2021-03-30 06:57:50,258 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 946
>> 2021-03-30 06:57:50,259 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1006
>> 2021-03-30 06:57:50,261 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 932
>> [...]
>>
>>
>>
>> *Roland Rosso*
>> AdventHealth
>> Big Data Administrator | Corporate Analytics
>> O: 407-805-8532
>>
>>
>>
>> *From:* David Handermann <ex...@gmail.com>
>> *Sent:* Monday, March 29, 2021 11:56 PM
>> *To:* users@nifi.apache.org
>> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>>
>>
>>
>> Hi Roland,
>>
>>
>>
>> Thanks for the reply.  If you are not seeing any warnings or errors in
>> the NiFi Registry logs, you could enable SSL debugging in the NiFi Registry
>> bootstrap.conf.  Adding the following line to bootstrap.conf should enable
>> SSL debug output to the nifi-registry-bootstrap.log:
>>
>>
>>
>> java.arg.20=-Djavax.net.debug=ssl
>>
>>
>>
>> This setting produces a lot of output, but if you watch the log after the
>> initial application startup, you should be able to observe the TLS
>> handshake when NiFi attempts to list buckets from NiFi Registry.  The log
>> output should at least confirm that the certificate exchange is occurring
>> as expected.
>>
>>
>>
>> Regards,
>>
>> David Handermann
>>
>>
>>
>> On Mon, Mar 29, 2021 at 10:34 PM Rosso, Roland <
>> Roland.Rosso@adventhealth.com> wrote:
>>
>> Hi David,
>>
>>
>>
>> I use the nifi-toolkit to create the keystore and truststore to make sure
>> clientAuth and serverAuth are set properly.
>>
>>
>>
>> This is a ‘working’ config.
>>
>> Keystore:
>>
>> Alias name: nifi-key
>>
>> Creation date: date
>>
>> Entry type: PrivateKeyEntry
>>
>>
>>
>> Truststore:
>>
>> Alias name: server_name-nifi-cert
>>
>> Creation date: date
>>
>> Entry type: trustedCertEntry
>>
>>
>>
>> Owner: CN=server.domain.net, OU=NIFI
>>
>> Issuer: CN=localhost, OU=NIFI
>>
>>
>>
>> The issue with the new setup is using external CA, also created via the
>> nifi-toolkit, new NiFi install working fine (from a SSL perspective),
>> Registry connecting but can’t list buckets.
>>
>>
>>
>> Alias name: server_name-nifi-cert
>> Creation date: Mar 29, 2021
>> Entry type: trustedCertEntry
>>
>> Owner: CN= server_name.domain.net, OU=NIFI
>> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION,
>> ST=XX, C=US
>>
>>
>>
>> Thanks,
>> Roland
>>
>>
>>
>> *From:* David Handermann <ex...@gmail.com>
>> *Sent:* Monday, March 29, 2021 9:27 PM
>> *To:* users@nifi.apache.org
>> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>>
>>
>>
>> Hi Roland,
>>
>>
>>
>> Can you provide the commands you are using to create the server
>> keystores?  Listing the keystore contents using "keytool -list -v -keystore
>> <keystoreFile>" should include an Entry Type of "PrivateKeyEntry", so it
>> would be helpful to confirm that the keystore includes a PrivateKeyEntry
>> and not a TrustedCertEntry.
>>
>>
>>
>> Regards,
>>
>> David Handermann
>>
>>
>>
>> On Mon, Mar 29, 2021 at 5:49 PM Rosso, Roland <
>> Roland.Rosso@adventhealth.com> wrote:
>>
>> I've tried this one more time (Nifi 1.12.1 to Registry 0.6.0).
>> Re-signed/Re-imported the certs.
>>
>> The new "server" cert is of the type:
>>
>> Alias name: server_name-nifi-cert
>> Creation date: Mar 29, 2021
>> Entry type: trustedCertEntry
>>
>> Owner: CN= server_name.domain.net, OU=NIFI
>> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION,
>> ST=XX, C=US
>>
>> [blah]
>>
>> I am adding the "server user" 'CN= server_name.domain.net, OU=NIFI' to
>> the registry with all the grants. I don't see any errors in the logs but
>> still cannot properly link it to the existing buckets. Should I add the
>> "server user" in a different manner since the cert issuer is not 'Issuer:
>> CN=localhost, OU=NIFI'?
>> The other servers certs that are signed with 'Issuer: CN=localhost,
>> OU=NIFI' work just fine (Nifi 1.9.2 to Registry 0.6.0).
>> Is there a way to increase the logs as well?
>>
>> Many thanks,
>> Roland
>>
>> -----Original Message-----
>> From: Rosso, Roland <Ro...@AdventHealth.com>
>> Sent: Thursday, March 25, 2021 2:21 PM
>> To: users@nifi.apache.org
>> Subject: RE: [EXTERNAL] Re: NiFi Registry SSL question
>>
>> Thank you Bryan,
>> I've tried all combinations I could think of.
>> I'll re-sign all the certs with the same key for nifi and registry and try
>> this again.
>>
>> Thanks,
>> Roland
>>
>> -----Original Message-----
>> From: Bryan Bende <bb...@gmail.com>
>> Sent: Tuesday, March 23, 2021 3:48 PM
>> To: users@nifi.apache.org
>> Subject: [EXTERNAL] Re: NiFi Registry SSL question
>>
>> I think the issue might be related to the "server user" in nifi registry.
>> I would double check that the way the identity was entered in registry
>> exactly matches the identity from nifi's certificate, case-sensitive and
>> white-space sensitive. Also make sure this user in registry is granted all
>> of the Proxy permissions, it is broken out into three different actions now
>> (read, write, delete).
>>
>> On Tue, Mar 23, 2021 at 9:28 AM Rosso, Roland <
>> Roland.Rosso@adventhealth.com> wrote:
>> >
>> > Hi all,
>> >
>> > I am moving things around and moving from self-signed certs to
>> corporate certs.
>> >
>> > I’ve installed nifi 1.12 with a new truststore and keystore (use
>> toolkit with external certs) and that seems fine.
>> >
>> > I added the cert from the registry server (old self signed) into the
>> new nifi 1.12 truststore and the new server cert (signed with corporate CA)
>> into the nifi registry truststore (again, self signed).
>> >
>> > I also added the server ‘user’ CN=server.domain, OU=NIFI into the
>> registry and made the permission grants (proxy, buckets). I don’t get any
>> SSL errors in the logs but cannot add a PG via registry (no available
>> bucket).
>> >
>> > Is this setup possible and am I missing something, or do all NiFi nodes
>> and registry need to be signed with the same key? The idea was to setup a
>> new instance (on new server), pull all PGs via registry into the new and
>> retiring the old.
>> >
>> >
>> >
>> > Thanks,
>> >
>> > Roland
>> >
>> >
>> >
>> >
>> >
>> > This message (including any attachments) is intended only for the use
>> of the individual or entity to which it is addressed and may contain
>> information that is non-public, proprietary, privileged, confidential, and
>> exempt from disclosure under applicable law or may constitute as attorney
>> work product. If you are not the intended recipient, you are hereby
>> notified that any use, dissemination, distribution, or copying of this
>> communication is strictly prohibited. If you have received this
>> communication in error, notify us immediately by telephone and (i) destroy
>> this message if a facsimile or (ii) delete this message immediately if this
>> is an electronic communication. Thank you.
>>
>
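Reading the javax.net.debug output David suggested: the part that matters for this question is whether each connection gets past the handshake. In the excerpt above, both Jetty threads print "*** Finished", then exchange Application Data, and the only alerts are warning-level close_notify, which is how a completed TLS session is closed normally. A fatal alert (bad_certificate, certificate_unknown, handshake_failure) is what a truststore or client-auth problem looks like in this log. The following is an added example, not code from the thread or from the NiFi project: a small Python parser that groups the JDK 8-style debug lines by registry thread and reports a verdict per connection. The sample log lines are constructed to mirror the posted format; the "Server-12" lines, which show a fatal alert, are invented for contrast and do not appear in the real excerpt.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the javax.net.debug=ssl lines in the thread
# (JDK 8 debug format, wrapped by NiFi Registry's StdOut logging handler).
# The "Server-12" lines are invented to show what a trust failure looks like.
SAMPLE_LOG = """\
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Change Cipher Spec, length = 1
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut *** Finished
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Handshake, length = 96
2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 Handshake, length = 96
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut *** Finished
2021-03-30 06:57:50,226 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 926
2021-03-30 06:57:50,228 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1100
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, RECV TLSv1.2 ALERT:  warning, close_notify
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, SEND TLSv1.2 ALERT:  warning, description = close_notify
2021-03-30 06:58:05,100 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-12, READ: TLSv1.2 Handshake, length = 1523
2021-03-30 06:58:05,101 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-12, SEND TLSv1.2 ALERT:  fatal, description = bad_certificate
"""

PAYLOAD_RE = re.compile(r"org\.apache\.nifi\.registry\.StdOut (.*)$")
THREAD_RE = re.compile(r"^(NiFi Registry Web Server-\d+), (.*)$")
# Covers both "RECV ... ALERT:  warning, close_notify" and
# "SEND ... ALERT:  fatal, description = bad_certificate".
ALERT_RE = re.compile(r"ALERT:\s+(warning|fatal),\s+(?:description = )?(\w+)")
APP_DATA_RE = re.compile(r"\b(?:READ|WRITE): TLSv1\.\d Application Data\b")


def new_conn():
    return {"finished": 0, "app_data": 0, "alerts": []}


def parse_ssl_debug(text):
    """Group the debug records by Jetty thread (one thread serves one
    connection at a time). Handshake messages such as '*** Finished' carry
    no thread name in this format, so they are attributed to the last thread
    named, which holds for the interleaving seen in the posted excerpt."""
    conns = defaultdict(new_conn)
    current = None
    for line in text.splitlines():
        m = PAYLOAD_RE.search(line)
        if not m:
            continue
        payload = m.group(1)
        t = THREAD_RE.match(payload)
        if t:
            current, payload = t.group(1), t.group(2)
            a = ALERT_RE.search(payload)
            if a:
                conns[current]["alerts"].append((a.group(1), a.group(2)))
            elif APP_DATA_RE.search(payload):
                conns[current]["app_data"] += 1
        elif payload.startswith("*** Finished") and current is not None:
            conns[current]["finished"] += 1
    return dict(conns)


def classify(conn):
    """tls-ok: handshake completed and application data flowed. A warning
    close_notify afterwards is a normal close, not a TLS failure; only a
    fatal alert points at certificates or trust."""
    fatal = [desc for level, desc in conn["alerts"] if level == "fatal"]
    if fatal:
        return "tls-failure:" + ",".join(fatal)
    if conn["finished"] and conn["app_data"]:
        return "tls-ok"
    if conn["finished"]:
        return "tls-ok-no-data"
    return "incomplete"


def summarize(text):
    return {thread: classify(c) for thread, c in parse_ssl_debug(text).items()}


if __name__ == "__main__":
    for thread, verdict in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{thread}: {verdict}")
```

Run it against nifi-registry-bootstrap.log after reproducing the bucket listing from NiFi. A connection that comes out "tls-ok" passed mutual TLS, so an empty bucket list on that connection is a registry authorization question (identity string, proxy and bucket policies), not a keystore or truststore one; a "tls-failure" verdict is where the trust chain needs fixing.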

Re: [EXTERNAL] Re: NiFi Registry SSL question

Posted by Chris McKeever <cg...@gmail.com>.
Hey Roland .. I ran into a bunch of issues with using the toolkit. I just
couldn't get it to do what I needed, so I wound up just running my own openssl
and keytool commands. I found it much more straightforward and then I could
know what all was going on. I'm sure after I got these scars, and I
understood all the bits, that toolkit would work and be simpler, but I did
find rolling my own, especially with the external CA, was easier.

Also, if you are on Slack, there is an active NiFi community there that
may be helpful as well.

On Tue, Mar 30, 2021 at 6:17 AM Rosso, Roland <Ro...@adventhealth.com>
wrote:

> David,
>
> Thanks for the debug config.
>
> Here is an output when I try to connect to the registry from that new
> server, Import a PG.
>
> Since we have a few servers running, it is a very verbose log.
>
> I may have missed the useful part of the log. 😊
>
>
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut ... no IV derived for this protocol
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Handshake, length = 85
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut upcoming handshake states: server
> finished[20]
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut upcoming handshake states: client
> change_cipher_spec[-1]
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut upcoming handshake states: client
> finished[20]
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Change Cipher Spec, length = 1
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut *** Finished
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut verify_data:  { 20, 87, 186, 148, 90, 136,
> 108, 120, 14, 10, 42, 184 }
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut ***
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut update handshake state: finished[20]
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut upcoming handshake states: client
> change_cipher_spec[-1]
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut upcoming handshake states: client
> finished[20]
>
> 2021-03-30 06:57:50,222 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Handshake, length = 96
>
> 2021-03-30 06:57:50,223 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2
> Change Cipher Spec, length = 1
>
> 2021-03-30 06:57:50,223 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
>
> 2021-03-30 06:57:50,223 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut upcoming handshake states: client
> finished[20]
>
> 2021-03-30 06:57:50,223 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2
> Handshake, length = 96
>
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut check handshake state: finished[20]
>
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut update handshake state: finished[20]
>
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut *** Finished
>
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut verify_data:  { 155, 211, 15, 169, 135,
> 208, 90, 115, 111, 50, 85, 164 }
>
> 2021-03-30 06:57:50,224 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut ***
>
> 2021-03-30 06:57:50,226 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 926
>
> 2021-03-30 06:57:50,228 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 1100
>
> 2021-03-30 06:57:50,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 1018
>
> 2021-03-30 06:57:50,231 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 1049
>
> 2021-03-30 06:57:50,233 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 1010
>
> 2021-03-30 06:57:50,234 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 928
>
> 2021-03-30 06:57:50,236 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 924
>
> 2021-03-30 06:57:50,237 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 920
>
> 2021-03-30 06:57:50,239 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 919
>
> 2021-03-30 06:57:50,240 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 1007
>
> 2021-03-30 06:57:50,241 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 999
>
> 2021-03-30 06:57:50,243 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 916
>
> 2021-03-30 06:57:50,245 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 996
>
> 2021-03-30 06:57:50,247 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 1102
>
> 2021-03-30 06:57:50,248 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 942
>
> 2021-03-30 06:57:50,250 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 920
>
> 2021-03-30 06:57:50,251 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 919
>
> 2021-03-30 06:57:50,253 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 938
>
> 2021-03-30 06:57:50,254 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 942
>
> 2021-03-30 06:57:50,255 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 923
>
> 2021-03-30 06:57:50,256 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 944
>
> 2021-03-30 06:57:50,258 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 946
>
> 2021-03-30 06:57:50,259 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 1006
>
> 2021-03-30 06:57:50,261 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 932
>
> 2021-03-30 06:57:50,263 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 912
>
> 2021-03-30 06:57:50,264 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 943
>
> 2021-03-30 06:57:50,266 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 1026
>
> 2021-03-30 06:57:50,267 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 975
>
> 2021-03-30 06:57:50,269 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 915
>
> 2021-03-30 06:57:50,270 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 914
>
> 2021-03-30 06:57:50,271 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 931
>
> 2021-03-30 06:57:50,272 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 929
>
> 2021-03-30 06:57:50,274 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 910
>
> 2021-03-30 06:57:50,275 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 920
>
> 2021-03-30 06:57:50,276 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 911
>
> 2021-03-30 06:57:50,277 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 918
>
> 2021-03-30 06:57:50,279 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 927
>
> 2021-03-30 06:57:50,280 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 913
>
> 2021-03-30 06:57:50,281 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 923
>
> 2021-03-30 06:57:50,282 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 928
>
> 2021-03-30 06:57:50,284 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 937
>
> 2021-03-30 06:57:50,285 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 1042
>
> 2021-03-30 06:57:50,286 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 939
>
> 2021-03-30 06:57:50,287 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 939
>
> 2021-03-30 06:57:50,289 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 922
>
> 2021-03-30 06:57:50,290 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 919
>
> 2021-03-30 06:57:50,291 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 930
>
> 2021-03-30 06:57:50,292 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 933
>
> 2021-03-30 06:57:50,293 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 930
>
> 2021-03-30 06:57:50,295 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 931
>
> 2021-03-30 06:57:50,296 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 922
>
> 2021-03-30 06:57:50,297 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 947
>
> 2021-03-30 06:57:50,298 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 905
>
> 2021-03-30 06:57:50,300 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 1166
>
> 2021-03-30 06:57:50,301 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 914
>
> 2021-03-30 06:57:50,302 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 898
>
> 2021-03-30 06:57:50,303 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 908
>
> 2021-03-30 06:57:50,304 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 989
>
> 2021-03-30 06:57:50,306 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Application Data, length = 911
>
> 2021-03-30 06:57:50,307 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2
> Application Data, length = 920
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, READ: TLSv1.2
> Alert, length = 80
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, RECV TLSv1.2
> ALERT:  warning, close_notify
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40,
> closeInboundInternal()
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40,
> closeOutboundInternal()
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, SEND TLSv1.2
> ALERT:  warning, description = close_notify
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, WRITE: TLSv1.2
> Alert, length = 80
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, called
> closeOutbound()
>
> 2021-03-30 06:57:53,718 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-40,
> closeOutboundInternal()
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2
> Alert, length = 80
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, RECV TLSv1.2
> ALERT:  warning, close_notify
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35,
> closeInboundInternal()
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35,
> closeOutboundInternal()
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, SEND TLSv1.2
> ALERT:  warning, description = close_notify
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2
> Alert, length = 80
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, called
> closeOutbound()
>
> 2021-03-30 06:58:00,229 INFO [NiFi logging handler]
> org.apache.nifi.registry.StdOut NiFi Registry Web Server-35,
> closeOutboundInternal()
>
>
>
> *Roland Rosso*
> AdventHealth
> Big Data Administrator | Corporate Analytics
> O: 407-805-8532
>
>
>
> *From:* David Handermann <ex...@gmail.com>
> *Sent:* Monday, March 29, 2021 11:56 PM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> Hi Roland,
>
>
>
> Thanks for the reply.  If you are not seeing any warnings or errors in the
> NiFi Registry logs, you could enable SSL debugging in the NiFi Registry
> bootstrap.conf.  Adding the following line to bootstrap.conf should enable
> SSL debug output to the nifi-registry-bootstrap.log:
>
>
>
> java.arg.20=-Djavax.net.debug=ssl
>
>
>
> This setting produces a lot of output, but if you watch the log after the
> initial application startup, you should be able to observe the TLS
> handshake when NiFi attempts to list buckets from NiFi Registry.  The log
> output should at least confirm that the certificate exchange is occurring
> as expected.
>
>
>
> Regards,
>
> David Handermann
>
>
>
> On Mon, Mar 29, 2021 at 10:34 PM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> Hi David,
>
>
>
> I use the nifi-toolkit to create the keystore and truststore to make sure
> clientAuth and serverAuth are set properly.
>
>
>
> This is a ‘working’ config.
>
> Keystore:
>
> Alias name: nifi-key
>
> Creation date: date
>
> Entry type: PrivateKeyEntry
>
>
>
> Truststore:
>
> Alias name: server_name-nifi-cert
>
> Creation date: date
>
> Entry type: trustedCertEntry
>
>
>
> Owner: CN=server.domain.net, OU=NIFI
>
> Issuer: CN=localhost, OU=NIFI
>
>
>
> The issue with the new setup is using external CA, also created via the
> nifi-toolkit, new NiFi install working fine (from a SSL perspective),
> Registry connecting but can’t list buckets.
>
>
>
> Alias name: server_name-nifi-cert
> Creation date: Mar 29, 2021
> Entry type: trustedCertEntry
>
> Owner: CN= server_name.domain.net, OU=NIFI
> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION,
> ST=XX, C=US
>
>
>
> Thanks,
> Roland
>
>
>
> *From:* David Handermann <ex...@gmail.com>
> *Sent:* Monday, March 29, 2021 9:27 PM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> Hi Roland,
>
>
>
> Can you provide the commands you are using to create the server
> keystores?  Listing the keystore contents using "keytool -list -v -keystore
> <keystoreFile>" should include an Entry Type of "PrivateKeyEntry", so it
> would be helpful to confirm that the keystore includes a PrivateKeyEntry
> and not a TrustedCertEntry.
>
>
>
> Regards,
>
> David Handermann
>
>
>
> On Mon, Mar 29, 2021 at 5:49 PM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> I've tried this one more time (Nifi 1.12.1 to Registry 0.6.0).
> Re-signed/Re-imported the certs.
>
> The new "server" cert is of the type:
>
> Alias name: server_name-nifi-cert
> Creation date: Mar 29, 2021
> Entry type: trustedCertEntry
>
> Owner: CN= server_name.domain.net, OU=NIFI
> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION,
> ST=XX, C=US
>
> [blah]
>
> I am adding the "server user" 'CN= server_name.domain.net, OU=NIFI' to
> the registry with all the grants. I don't see any errors in the logs but
> still cannot properly link it to the existing buckets. Should I add the
> "server user" in a different manner since the cert issuer is not 'Issuer:
> CN=localhost, OU=NIFI'?
> The other servers certs that are signed with 'Issuer: CN=localhost,
> OU=NIFI' work just fine (Nifi 1.9.2 to Registry 0.6.0).
> Is there a way to increase the logs as well?
>
> Many thanks,
> Roland
>
> -----Original Message-----
> From: Rosso, Roland <Ro...@AdventHealth.com>
> Sent: Thursday, March 25, 2021 2:21 PM
> To: users@nifi.apache.org
> Subject: RE: [EXTERNAL] Re: NiFi Registry SSL question
>
> Thank you Bryan,
> I've tried all combinations I could think of.
> I'll re-sign all the certs with the same key for nifi and registry and try
> this again.
>
> Thanks,
> Roland
>
> -----Original Message-----
> From: Bryan Bende <bb...@gmail.com>
> Sent: Tuesday, March 23, 2021 3:48 PM
> To: users@nifi.apache.org
> Subject: [EXTERNAL] Re: NiFi Registry SSL question
>
> I think the issue might be related to the "server user" in nifi registry.
> I would double check that the way the identity was entered in registry
> exactly matches the identity from nifi's certificate, case-sensitive and
> white-space sensitive. Also make sure this user in registry is granted all
> of the Proxy permissions, it is broken out into three different actions now
> (read, write, delete).
>
> On Tue, Mar 23, 2021 at 9:28 AM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
> >
> > Hi all,
> >
> > I am moving things around and moving from self-signed certs to corporate
> certs.
> >
> > I’ve installed nifi 1.12 with a new truststore and keystore (use toolkit
> with external certs) and that seems fine.
> >
> > I added the cert from the registry server (old self signed) into the new
> nifi 1.12 truststore and the new server cert (signed with corporate CA)
> into the nifi registry truststore (again, self signed).
> >
> > I also added the server ‘user’ CN=server.domain, OU=NIFI into the
> registry and made the permission grants (proxy, buckets). I don’t get any
> SSL errors in the logs but cannot add a PG via registry (no available
> bucket).
> >
> > Is this setup possible and am I missing something, or do all NiFi nodes
> and registry need to be signed with the same key? The idea was to set up a
> new instance (on a new server), pull all PGs via registry into the new one and
> retire the old.
> >
> >
> >
> > Thanks,
> >
> > Roland
> >
> >
> >
> >
> >
>

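Bryan's advice quoted above, that the identity entered in NiFi Registry must match the certificate's DN exactly, case-sensitive and whitespace-sensitive, can be checked mechanically. The Python below is an added example, not NiFi or NiFi Registry code: it takes the subject DN as printed by `keytool -list -v` and the identity string configured in the registry, both pasted in by hand, and reports whether they are identical and, if not, whether the difference is whitespace, letter case, RDN order or an actual value. The sample certificate string is the one from the keytool output quoted in the thread (note the space after `CN=` in that output; whether it is in the certificate or an artifact of pasting is not something the thread settles, but it is exactly the kind of difference this check flags), and the registry-side string is a constructed example of how an administrator might type it.

```python
"""Compare a certificate subject DN with a NiFi Registry user identity.

Added example, not NiFi or NiFi Registry code. Both strings are pasted in by
hand: the DN from `keytool -list -v` output, the identity from the registry
Users page. Registry identity matching is an exact string comparison, so the
point of the diagnosis is to say *why* two strings that look alike differ.
"""
import re
from dataclasses import dataclass, field
from typing import List


@dataclass
class IdentityCheck:
    exact_match: bool
    differences: List[str] = field(default_factory=list)


def split_rdns(dn: str) -> List[str]:
    """Split on commas that are not escaped with a backslash (RFC 2253 style)."""
    return re.split(r"(?<!\\),", dn)


def _no_ws(s: str) -> str:
    return re.sub(r"\s+", "", s)


def _canon(s: str) -> str:
    # Used only for diagnosis; the registry itself does no normalization.
    return _no_ws(s).lower()


def check_identity(cert_dn: str, registry_identity: str) -> IdentityCheck:
    """Exact comparison first; on mismatch, classify the difference per RDN."""
    if cert_dn == registry_identity:
        return IdentityCheck(True)

    cert_rdns = split_rdns(cert_dn)
    reg_rdns = split_rdns(registry_identity)
    diffs: List[str] = []

    if len(cert_rdns) != len(reg_rdns):
        diffs.append(f"RDN count differs: certificate has {len(cert_rdns)}, "
                     f"registry has {len(reg_rdns)}")
    elif ([_canon(x) for x in cert_rdns] != [_canon(x) for x in reg_rdns]
          and sorted(_canon(x) for x in cert_rdns)
          == sorted(_canon(x) for x in reg_rdns)):
        diffs.append("same RDNs in a different order")
    else:
        for i, (c, r) in enumerate(zip(cert_rdns, reg_rdns), start=1):
            if c == r:
                continue
            if _no_ws(c) == _no_ws(r):
                diffs.append(f"RDN {i}: whitespace differs: {c!r} vs {r!r}")
            elif _canon(c) == _canon(r):
                diffs.append(f"RDN {i}: letter case differs: {c!r} vs {r!r}")
            else:
                diffs.append(f"RDN {i}: value differs: {c!r} vs {r!r}")
    return IdentityCheck(False, diffs)


# Certificate side: the subject exactly as printed in the keytool output quoted
# in the thread, including the space after "CN=". Registry side: a constructed
# example of the identity as an administrator might type it.
CERT_DN = "CN= server_name.domain.net, OU=NIFI"
REGISTRY_IDENTITY = "CN=server_name.domain.net, OU=NIFI"

if __name__ == "__main__":
    result = check_identity(CERT_DN, REGISTRY_IDENTITY)
    print("exact match" if result.exact_match else "MISMATCH")
    for d in result.differences:
        print("  -", d)
```

When the check reports a mismatch, the fix is on the registry side: re-enter the user identity so it is byte-for-byte the DN the certificate presents, then re-check the Proxy (read, write, delete) and bucket grants for that user as Bryan describes.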
RE: [EXTERNAL] Re: NiFi Registry SSL question

Posted by "Rosso, Roland" <Ro...@AdventHealth.com>.
David,
Thanks for the debug config.
Here is the output when I try to connect to the registry from that new server (import a PG).
Since we have a few servers running, it is a very verbose log.
I may have missed the useful part of the log. 😊

2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut ... no IV derived for this protocol
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Handshake, length = 85
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: server finished[20]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client change_cipher_spec[-1]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client finished[20]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Change Cipher Spec, length = 1
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut *** Finished
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut verify_data:  { 20, 87, 186, 148, 90, 136, 108, 120, 14, 10, 42, 184 }
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut ***
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: finished[20]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client change_cipher_spec[-1]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client finished[20]
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Handshake, length = 96
2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 Change Cipher Spec, length = 1
2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: change_cipher_spec
2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut upcoming handshake states: client finished[20]
2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 Handshake, length = 96
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut check handshake state: finished[20]
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut update handshake state: finished[20]
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut *** Finished
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut verify_data:  { 155, 211, 15, 169, 135, 208, 90, 115, 111, 50, 85, 164 }
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut ***
2021-03-30 06:57:50,226 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 926
2021-03-30 06:57:50,228 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1100
2021-03-30 06:57:50,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1018
2021-03-30 06:57:50,231 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1049
2021-03-30 06:57:50,233 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1010
2021-03-30 06:57:50,234 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 928
2021-03-30 06:57:50,236 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 924
2021-03-30 06:57:50,237 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
2021-03-30 06:57:50,239 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 919
2021-03-30 06:57:50,240 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1007
2021-03-30 06:57:50,241 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 999
2021-03-30 06:57:50,243 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 916
2021-03-30 06:57:50,245 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 996
2021-03-30 06:57:50,247 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1102
2021-03-30 06:57:50,248 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 942
2021-03-30 06:57:50,250 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
2021-03-30 06:57:50,251 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 919
2021-03-30 06:57:50,253 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 938
2021-03-30 06:57:50,254 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 942
2021-03-30 06:57:50,255 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 923
2021-03-30 06:57:50,256 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 944
2021-03-30 06:57:50,258 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 946
2021-03-30 06:57:50,259 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1006
2021-03-30 06:57:50,261 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 932
2021-03-30 06:57:50,263 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 912
2021-03-30 06:57:50,264 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 943
2021-03-30 06:57:50,266 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1026
2021-03-30 06:57:50,267 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 975
2021-03-30 06:57:50,269 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 915
2021-03-30 06:57:50,270 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 914
2021-03-30 06:57:50,271 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 931
2021-03-30 06:57:50,272 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 929
2021-03-30 06:57:50,274 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 910
2021-03-30 06:57:50,275 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
2021-03-30 06:57:50,276 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 911
2021-03-30 06:57:50,277 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 918
2021-03-30 06:57:50,279 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 927
2021-03-30 06:57:50,280 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 913
2021-03-30 06:57:50,281 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 923
2021-03-30 06:57:50,282 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 928
2021-03-30 06:57:50,284 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 937
2021-03-30 06:57:50,285 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1042
2021-03-30 06:57:50,286 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 939
2021-03-30 06:57:50,287 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 939
2021-03-30 06:57:50,289 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 922
2021-03-30 06:57:50,290 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 919
2021-03-30 06:57:50,291 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 930
2021-03-30 06:57:50,292 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 933
2021-03-30 06:57:50,293 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 930
2021-03-30 06:57:50,295 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 931
2021-03-30 06:57:50,296 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 922
2021-03-30 06:57:50,297 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 947
2021-03-30 06:57:50,298 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 905
2021-03-30 06:57:50,300 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1166
2021-03-30 06:57:50,301 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 914
2021-03-30 06:57:50,302 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 898
2021-03-30 06:57:50,303 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 908
2021-03-30 06:57:50,304 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 989
2021-03-30 06:57:50,306 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 911
2021-03-30 06:57:50,307 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 920
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, READ: TLSv1.2 Alert, length = 80
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, RECV TLSv1.2 ALERT:  warning, close_notify
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, closeInboundInternal()
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, closeOutboundInternal()
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, SEND TLSv1.2 ALERT:  warning, description = close_notify
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, WRITE: TLSv1.2 Alert, length = 80
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, called closeOutbound()
2021-03-30 06:57:53,718 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-40, closeOutboundInternal()
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 Alert, length = 80
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, RECV TLSv1.2 ALERT:  warning, close_notify
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, closeInboundInternal()
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, closeOutboundInternal()
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, SEND TLSv1.2 ALERT:  warning, description = close_notify
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Alert, length = 80
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, called closeOutbound()
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, closeOutboundInternal()

Roland Rosso
AdventHealth
Big Data Administrator | Corporate Analytics
O: 407-805-8532

From: David Handermann <ex...@gmail.com>
Sent: Monday, March 29, 2021 11:56 PM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

Hi Roland,

Thanks for the reply.  If you are not seeing any warnings or errors in the NiFi Registry logs, you could enable SSL debugging in the NiFi Registry bootstrap.conf.  Adding the following line to bootstrap.conf should enable SSL debug output to the nifi-registry-bootstrap.log:

java.arg.20=-Djavax.net.debug=ssl

This setting produces a lot of output, but if you watch the log after the initial application startup, you should be able to observe the TLS handshake when NiFi attempts to list buckets from NiFi Registry.  The log output should at least confirm that the certificate exchange is occurring as expected.

Regards,
David Handermann

On Mon, Mar 29, 2021 at 10:34 PM Rosso, Roland <Ro...@adventhealth.com> wrote:
Hi David,

I use the nifi-toolkit to create the keystore and truststore to make sure clientAuth and serverAuth are set properly.

This is a ‘working’ config.
Keystore:
Alias name: nifi-key
Creation date: date
Entry type: PrivateKeyEntry

Truststore:
Alias name: server_name-nifi-cert
Creation date: date
Entry type: trustedCertEntry

Owner: CN=server.domain.net, OU=NIFI
Issuer: CN=localhost, OU=NIFI

The issue with the new setup is using an external CA, also created via the nifi-toolkit; the new NiFi install is working fine (from an SSL perspective), Registry connecting but can’t list buckets.

Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US

Thanks,
Roland

From: David Handermann <ex...@gmail.com>
Sent: Monday, March 29, 2021 9:27 PM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

Hi Roland,

Can you provide the commands you are using to create the server keystores?  Listing the keystore contents using "keytool -list -v -keystore <keystoreFile>" should include an Entry Type of "PrivateKeyEntry", so it would be helpful to confirm that the keystore includes a PrivateKeyEntry and not a TrustedCertEntry.

Regards,
David Handermann

On Mon, Mar 29, 2021 at 5:49 PM Rosso, Roland <Ro...@adventhealth.com> wrote:
I've tried this one more time (Nifi 1.12.1 to Registry 0.6.0). Re-signed/Re-imported the certs.

The new "server" cert is of the type:

Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US

[blah]

I am adding the "server user" 'CN= server_name.domain.net, OU=NIFI' to the registry with all the grants. I don't see any errors in the logs but still cannot properly link it to the existing buckets. Should I add the "server user" in a different manner since the cert issuer is not 'Issuer: CN=localhost, OU=NIFI'?
The other servers certs that are signed with 'Issuer: CN=localhost, OU=NIFI' work just fine (Nifi 1.9.2 to Registry 0.6.0).
Is there a way to increase the logs as well?

Many thanks,
Roland

-----Original Message-----
From: Rosso, Roland <Ro...@AdventHealth.com>
Sent: Thursday, March 25, 2021 2:21 PM
To: users@nifi.apache.org
Subject: RE: [EXTERNAL] Re: NiFi Registry SSL question

Thank you Bryan,
I've tried all combinations I could think of.
I'll re-sign all the certs with the same key for nifi and registry and try this again.

Thanks,
Roland

-----Original Message-----
From: Bryan Bende <bb...@gmail.com>
Sent: Tuesday, March 23, 2021 3:48 PM
To: users@nifi.apache.org
Subject: [EXTERNAL] Re: NiFi Registry SSL question

I think the issue might be related to the "server user" in nifi registry. I would double check that the way the identity was entered in registry exactly matches the identity from nifi's certificate, case-sensitive and white-space sensitive. Also make sure this user in registry is granted all of the Proxy permissions, it is broken out into three different actions now (read, write, delete).

On Tue, Mar 23, 2021 at 9:28 AM Rosso, Roland <Ro...@adventhealth.com> wrote:
>
> Hi all,
>
> I am moving things around and moving from self-signed certs to corporate certs.
>
> I’ve installed nifi 1.12 with a new truststore and keystore (use toolkit with external certs) and that seems fine.
>
> I added the cert from the registry server (old self signed) into the new nifi 1.12 truststore and the new server cert (signed with corporate CA) into the nifi registry truststore (again, self signed).
>
> I also added the server ‘user’ CN=server.domain, OU=NIFI into the registry and made the permission grants (proxy, buckets). I don’t get any SSL errors in the logs but cannot add a PG via registry (no available bucket).
>
> Is this setup possible and am I missing something, or do all NiFi nodes and registry need to be signed with the same key? The idea was to set up a new instance (on a new server), pull all PGs via registry into the new one and retire the old.
>
>
>
> Thanks,
>
> Roland
>
>
>
>
>

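The debug output in Roland's message is hard to read at volume, and the question it should answer is narrow: did TLS complete, or did it fail with an alert? The Python below is an added example, not part of NiFi or NiFi Registry; it summarizes pre-Java-11 JSSE `javax.net.debug=ssl` lines in the format of the log above per Jetty worker thread: whether a `*** Finished` message was logged, how many application-data records followed, and which alerts appeared. A thread that reaches Finished, exchanges application data and then sees only a `close_notify` warning, as every thread in the quoted log does, has completed TLS, so a "no available bucket" symptom points at authorization (identity string, Proxy and bucket permissions) rather than at certificates. The sample lines are copied from the log above except the two `Server-41` lines, which are constructed to show the failure case in the same format. One caveat: `NiFi Registry Web Server-N` names a pooled thread, not a connection, so a thread may serve several connections over time; read the summary over a short window around one request.

```python
"""Summarize pre-Java-11 JSSE debug output (javax.net.debug=ssl) per Jetty
thread, as relayed through NiFi Registry's stdout logger.

Added example, not NiFi or NiFi Registry code. The "*** Finished" lines carry
no thread name, so they are attributed to the last named thread, which is how
they appear in the log.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

THREAD_RE = re.compile(r"StdOut (NiFi Registry Web Server-\d+), (.*)$")
ALERT_RE = re.compile(
    r"(RECV|SEND) TLSv1\.\d ALERT:\s+(\w+),\s+(?:description = )?(\w+)")
MESSAGE_RE = re.compile(r"StdOut (.*)$")


@dataclass
class ThreadSummary:
    handshake_finished: bool = False                 # a "*** Finished" was seen
    app_data_records: int = 0                        # TLS records carrying HTTP
    alerts: List[str] = field(default_factory=list)  # e.g. "RECV warning close_notify"

    @property
    def tls_ok(self) -> bool:
        """Handshake completed and no fatal alert: TLS is not where to look."""
        return self.handshake_finished and not any(
            a.split()[1] == "fatal" for a in self.alerts)


def summarize(lines: Iterable[str]) -> Dict[str, ThreadSummary]:
    summaries: Dict[str, ThreadSummary] = {}
    current = None  # last thread named on a line
    for line in lines:
        m = THREAD_RE.search(line)
        if m:
            current, msg = m.group(1), m.group(2)
            s = summaries.setdefault(current, ThreadSummary())
            if "Application Data" in msg:
                s.app_data_records += 1
            a = ALERT_RE.search(msg)
            if a:
                s.alerts.append(f"{a.group(1)} {a.group(2)} {a.group(3)}")
            continue
        m = MESSAGE_RE.search(line)
        if m and m.group(1).startswith("*** Finished") and current is not None:
            summaries[current].handshake_finished = True
    return summaries


def fatal_threads(summaries: Dict[str, ThreadSummary]) -> List[str]:
    """Threads whose handshake did not complete cleanly."""
    return sorted(t for t, s in summaries.items() if not s.tls_ok)


# Lines copied from the log in the thread, plus two constructed lines for
# Server-41 showing what a failed handshake looks like in the same format.
SAMPLE_LOG = """\
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Change Cipher Spec, length = 1
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut *** Finished
2021-03-30 06:57:50,222 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut verify_data:  { 20, 87, 186, 148, 90, 136, 108, 120, 14, 10, 42, 184 }
2021-03-30 06:57:50,223 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 Handshake, length = 96
2021-03-30 06:57:50,224 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut *** Finished
2021-03-30 06:57:50,226 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 926
2021-03-30 06:57:50,228 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-53, WRITE: TLSv1.2 Application Data, length = 1100
2021-03-30 06:57:50,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, WRITE: TLSv1.2 Application Data, length = 1018
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, READ: TLSv1.2 Alert, length = 80
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, RECV TLSv1.2 ALERT:  warning, close_notify
2021-03-30 06:58:00,229 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-35, SEND TLSv1.2 ALERT:  warning, description = close_notify
2021-03-30 06:58:05,000 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-41, READ: TLSv1.2 Handshake, length = 1374
2021-03-30 06:58:05,001 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut NiFi Registry Web Server-41, SEND TLSv1.2 ALERT:  fatal, description = certificate_unknown
"""


def summarize_sample() -> Dict[str, ThreadSummary]:
    return summarize(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for thread, s in sorted(summarize_sample().items()):
        print(f"{thread}: finished={s.handshake_finished} "
              f"app_data={s.app_data_records} alerts={s.alerts} ok={s.tls_ok}")
    print("threads with TLS problems:", fatal_threads(summarize_sample()))
```

To run it against a real capture, replace `SAMPLE_LOG.splitlines()` with the lines of nifi-registry-bootstrap.log (or nifi-registry-app.log, depending on where the StdOut handler writes) taken from just before the request that fails.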
Re: [EXTERNAL] Re: NiFi Registry SSL question

Posted by David Handermann <ex...@gmail.com>.
Hi Roland,

Thanks for the reply.  If you are not seeing any warnings or errors in the
NiFi Registry logs, you could enable SSL debugging in the NiFi Registry
bootstrap.conf.  Adding the following line to bootstrap.conf should enable
SSL debug output to the nifi-registry-bootstrap.log:

java.arg.20=-Djavax.net.debug=ssl

This setting produces a lot of output, but if you watch the log after the
initial application startup, you should be able to observe the TLS
handshake when NiFi attempts to list buckets from NiFi Registry.  The log
output should at least confirm that the certificate exchange is occurring
as expected.

Regards,
David Handermann

On Mon, Mar 29, 2021 at 10:34 PM Rosso, Roland <
Roland.Rosso@adventhealth.com> wrote:

> Hi David,
>
>
>
> I use the nifi-toolkit to create the keystore and truststore to make sure
> clientAuth and serverAuth is set properly.
>
>
>
> This is a ‘working’ config.
>
> Keystore:
>
> Alias name: nifi-key
>
> Creation date: date
>
> Entry type: PrivateKeyEntry
>
>
>
> Truststore:
>
> Alias name: server_name-nifi-cert
>
> Creation date: date
>
> Entry type: trustedCertEntry
>
>
>
> Owner: CN=server.domain.net, OU=NIFI
>
> Issuer: CN=localhost, OU=NIFI
>
>
>
> The issue with the new setup is using external CA, also created via the
> nifi-toolkit, new NiFi install working fine (from a SSL perspective),
> Registry connecting but can’t list buckets.
>
>
>
> Alias name: server_name-nifi-cert
> Creation date: Mar 29, 2021
> Entry type: trustedCertEntry
>
> Owner: CN= server_name.domain.net, OU=NIFI
> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION,
> ST=XX, C=US
>
>
>
> Thanks,
> Roland
>
>
>
> *From:* David Handermann <ex...@gmail.com>
> *Sent:* Monday, March 29, 2021 9:27 PM
> *To:* users@nifi.apache.org
> *Subject:* Re: [EXTERNAL] Re: NiFi Registry SSL question
>
>
>
> Hi Roland,
>
>
>
> Can you provide the commands you are using to create the server
> keystores?  Listing the keystore contents using "keytool -list -v -keystore
> <keystoreFile>" should include an Entry Type of "PrivateKeyEntry", so it
> would be helpful to confirm that the keystore includes a PrivateKeyEntry
> and not a TrustedCertEntry.
>
>
>
> Regards,
>
> David Handermann
>
>
>
> On Mon, Mar 29, 2021 at 5:49 PM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
>
> I've tried this one more time (Nifi 1.12.1 to Registry 0.6.0).
> Re-signed/Re-imported the certs.
>
> The new "server" cert is of the type:
>
> Alias name: server_name-nifi-cert
> Creation date: Mar 29, 2021
> Entry type: trustedCertEntry
>
> Owner: CN= server_name.domain.net, OU=NIFI
> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION,
> ST=XX, C=US
>
> [blah]
>
> I am adding the "server user" 'CN= server_name.domain.net, OU=NIFI' to
> the registry with all the grants. I don't see any errors in the logs but
> still cannot properly link it to the existing buckets. Should I add the
> "server user" in a different manner since the cert issuer is not 'Issuer:
> CN=localhost, OU=NIFI'?
> The other servers certs that are signed with 'Issuer: CN=localhost,
> OU=NIFI' work just fine (Nifi 1.9.2 to Registry 0.6.0).
> Is there a way to increase the logs as well?
>
> Many thanks,
> Roland
>
> -----Original Message-----
> From: Rosso, Roland <Ro...@AdventHealth.com>
> Sent: Thursday, March 25, 2021 2:21 PM
> To: users@nifi.apache.org
> Subject: RE: [EXTERNAL] Re: NiFi Registry SSL question
>
> Thank you Bryan,
> I've tried all combinations I could think of.
> I'll re-sign all the certs with the same key for nifi and registry and try
> this again.
>
> Thanks,
> Roland
>
> -----Original Message-----
> From: Bryan Bende <bb...@gmail.com>
> Sent: Tuesday, March 23, 2021 3:48 PM
> To: users@nifi.apache.org
> Subject: [EXTERNAL] Re: NiFi Registry SSL question
>
> I think the issue might be related to the "server user" in nifi registry.
> I would double check that the way the identity was entered in registry
> exactly matches the identity from nifi's certificate, case-sensitive and
> white-space sensitive. Also make sure this user in registry is granted all
> of the Proxy permissions, it is broken out into three different actions now
> (read, write, delete).
>
> On Tue, Mar 23, 2021 at 9:28 AM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
> >
> > Hi all,
> >
> > I am moving things around and moving from self-signed certs to corporate
> certs.
> >
> > I’ve installed nifi 1.12 with a new truststore and keystore (use toolkit
> with external certs) and that seems fine.
> >
> > I added the cert from the registry server (old self signed) into the new
> nifi 1.12 truststore and the new server cert (signed with corporate CA)
> into the nifi registry truststore (again, self signed).
> >
> > I also added the server ‘user’ CN=server.domain, OU=NIFI into the
> registry and made the permission grants (proxy, buckets). I don’t get any
> SSL errors in the logs but cannot add a PG via registry (no available
> bucket).
> >
> > Is this setup possible and am I missing something, or do all NiFi nodes
> and registry need to be signed with the same key? The idea was to setup a
> new instance (on new server), pull all PGs via registry into the new and
> retiring the old.
> >
> >
> >
> > Thanks,
> >
> > Roland
> >

RE: [EXTERNAL] Re: NiFi Registry SSL question

Posted by "Rosso, Roland" <Ro...@AdventHealth.com>.
Hi David,

I use the nifi-toolkit to create the keystore and truststore to make sure clientAuth and serverAuth are set properly.

This is a ‘working’ config.
Keystore:
Alias name: nifi-key
Creation date: date
Entry type: PrivateKeyEntry

Truststore:
Alias name: server_name-nifi-cert
Creation date: date
Entry type: trustedCertEntry

Owner: CN=server.domain.net, OU=NIFI
Issuer: CN=localhost, OU=NIFI

The issue with the new setup is using an external CA, also created via the nifi-toolkit; the new NiFi install is working fine (from an SSL perspective), Registry is connecting but can’t list buckets.

Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US

Thanks,
Roland

From: David Handermann <ex...@gmail.com>
Sent: Monday, March 29, 2021 9:27 PM
To: users@nifi.apache.org
Subject: Re: [EXTERNAL] Re: NiFi Registry SSL question

Hi Roland,

Can you provide the commands you are using to create the server keystores?  Listing the keystore contents using "keytool -list -v -keystore <keystoreFile>" should include an Entry Type of "PrivateKeyEntry", so it would be helpful to confirm that the keystore includes a PrivateKeyEntry and not a TrustedCertEntry.

Regards,
David Handermann

On Mon, Mar 29, 2021 at 5:49 PM Rosso, Roland <Ro...@adventhealth.com> wrote:
I've tried this one more time (Nifi 1.12.1 to Registry 0.6.0). Re-signed/Re-imported the certs.

The new "server" cert is of the type:

Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US

[blah]

I am adding the "server user" 'CN= server_name.domain.net, OU=NIFI' to the registry with all the grants. I don't see any errors in the logs but still cannot properly link it to the existing buckets. Should I add the "server user" in a different manner since the cert issuer is not 'Issuer: CN=localhost, OU=NIFI'?
The other servers' certs that are signed with 'Issuer: CN=localhost, OU=NIFI' work just fine (Nifi 1.9.2 to Registry 0.6.0).
Is there a way to increase the logs as well?

Many thanks,
Roland

-----Original Message-----
From: Rosso, Roland <Ro...@AdventHealth.com>
Sent: Thursday, March 25, 2021 2:21 PM
To: users@nifi.apache.org
Subject: RE: [EXTERNAL] Re: NiFi Registry SSL question

Thank you Bryan,
I've tried all combinations I could think of.
I'll re-sign all the certs with the same key for nifi and registry and try this again.

Thanks,
Roland

-----Original Message-----
From: Bryan Bende <bb...@gmail.com>
Sent: Tuesday, March 23, 2021 3:48 PM
To: users@nifi.apache.org
Subject: [EXTERNAL] Re: NiFi Registry SSL question

I think the issue might be related to the "server user" in nifi registry. I would double check that the way the identity was entered in registry exactly matches the identity from nifi's certificate, case-sensitive and white-space sensitive. Also make sure this user in registry is granted all of the Proxy permissions, it is broken out into three different actions now (read, write, delete).

On Tue, Mar 23, 2021 at 9:28 AM Rosso, Roland <Ro...@adventhealth.com> wrote:
>
> Hi all,
>
> I am moving things around and moving from self-signed certs to corporate certs.
>
> I’ve installed nifi 1.12 with a new truststore and keystore (use toolkit with external certs) and that seems fine.
>
> I added the cert from the registry server (old self signed) into the new nifi 1.12 truststore and the new server cert (signed with corporate CA) into the nifi registry truststore (again, self signed).
>
> I also added the server ‘user’ CN=server.domain, OU=NIFI into the registry and made the permission grants (proxy, buckets). I don’t get any SSL errors in the logs but cannot add a PG via registry (no available bucket).
>
> Is this setup possible and am I missing something, or do all NiFi nodes and registry need to be signed with the same key? The idea was to setup a new instance (on new server), pull all PGs via registry into the new and retiring the old.
>
>
>
> Thanks,
>
> Roland
>

Re: [EXTERNAL] Re: NiFi Registry SSL question

Posted by David Handermann <ex...@gmail.com>.
Hi Roland,

Can you provide the commands you are using to create the server keystores?
Listing the keystore contents using "keytool -list -v -keystore
<keystoreFile>" should include an Entry Type of "PrivateKeyEntry", so it
would be helpful to confirm that the keystore includes a PrivateKeyEntry
and not a TrustedCertEntry.

Regards,
David Handermann

On Mon, Mar 29, 2021 at 5:49 PM Rosso, Roland <Ro...@adventhealth.com>
wrote:

> I've tried this one more time (Nifi 1.12.1 to Registry 0.6.0).
> Re-signed/Re-imported the certs.
>
> The new "server" cert is of the type:
>
> Alias name: server_name-nifi-cert
> Creation date: Mar 29, 2021
> Entry type: trustedCertEntry
>
> Owner: CN= server_name.domain.net, OU=NIFI
> Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION,
> ST=XX, C=US
>
> [blah]
>
> I am adding the "server user" 'CN= server_name.domain.net, OU=NIFI' to
> the registry with all the grants. I don't see any errors in the logs but
> still cannot properly link it to the existing buckets. Should I add the
> "server user" in a different manner since the cert issuer is not 'Issuer:
> CN=localhost, OU=NIFI'?
> The other servers' certs that are signed with 'Issuer: CN=localhost,
> OU=NIFI' work just fine (Nifi 1.9.2 to Registry 0.6.0).
> Is there a way to increase the logs as well?
>
> Many thanks,
> Roland
>
> -----Original Message-----
> From: Rosso, Roland <Ro...@AdventHealth.com>
> Sent: Thursday, March 25, 2021 2:21 PM
> To: users@nifi.apache.org
> Subject: RE: [EXTERNAL] Re: NiFi Registry SSL question
>
> Thank you Bryan,
> I've tried all combinations I could think of.
> I'll re-sign all the certs with the same key for nifi and registry and try
> this again.
>
> Thanks,
> Roland
>
> -----Original Message-----
> From: Bryan Bende <bb...@gmail.com>
> Sent: Tuesday, March 23, 2021 3:48 PM
> To: users@nifi.apache.org
> Subject: [EXTERNAL] Re: NiFi Registry SSL question
>
> I think the issue might be related to the "server user" in nifi registry.
> I would double check that the way the identity was entered in registry
> exactly matches the identity from nifi's certificate, case-sensitive and
> white-space sensitive. Also make sure this user in registry is granted all
> of the Proxy permissions, it is broken out into three different actions now
> (read, write, delete).
>
> On Tue, Mar 23, 2021 at 9:28 AM Rosso, Roland <
> Roland.Rosso@adventhealth.com> wrote:
> >
> > Hi all,
> >
> > I am moving things around and moving from self-signed certs to corporate
> certs.
> >
> > I’ve installed nifi 1.12 with a new truststore and keystore (use toolkit
> with external certs) and that seems fine.
> >
> > I added the cert from the registry server (old self signed) into the new
> nifi 1.12 truststore and the new server cert (signed with corporate CA)
> into the nifi registry truststore (again, self signed).
> >
> > I also added the server ‘user’ CN=server.domain, OU=NIFI into the
> registry and made the permission grants (proxy, buckets). I don’t get any
> SSL errors in the logs but cannot add a PG via registry (no available
> bucket).
> >
> > Is this setup possible and am I missing something, or do all NiFi nodes
> and registry need to be signed with the same key? The idea was to setup a
> new instance (on new server), pull all PGs via registry into the new and
> retiring the old.
> >
> >
> >
> > Thanks,
> >
> > Roland
> >

RE: [EXTERNAL] Re: NiFi Registry SSL question

Posted by "Rosso, Roland" <Ro...@AdventHealth.com>.
I've tried this one more time (Nifi 1.12.1 to Registry 0.6.0). Re-signed/Re-imported the certs.

The new "server" cert is of the type:

Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US

[blah]

I am adding the "server user" 'CN= server_name.domain.net, OU=NIFI' to the registry with all the grants. I don't see any errors in the logs but still cannot properly link it to the existing buckets. Should I add the "server user" in a different manner since the cert issuer is not 'Issuer: CN=localhost, OU=NIFI'?
The other servers' certs that are signed with 'Issuer: CN=localhost, OU=NIFI' work just fine (Nifi 1.9.2 to Registry 0.6.0).
Is there a way to increase the logs as well?

Many thanks,
Roland

-----Original Message-----
From: Rosso, Roland <Ro...@AdventHealth.com> 
Sent: Thursday, March 25, 2021 2:21 PM
To: users@nifi.apache.org
Subject: RE: [EXTERNAL] Re: NiFi Registry SSL question

Thank you Bryan,
I've tried all combinations I could think of.
I'll re-sign all the certs with the same key for nifi and registry and try this again.

Thanks,
Roland

-----Original Message-----
From: Bryan Bende <bb...@gmail.com> 
Sent: Tuesday, March 23, 2021 3:48 PM
To: users@nifi.apache.org
Subject: [EXTERNAL] Re: NiFi Registry SSL question

I think the issue might be related to the "server user" in nifi registry. I would double check that the way the identity was entered in registry exactly matches the identity from nifi's certificate, case-sensitive and white-space sensitive. Also make sure this user in registry is granted all of the Proxy permissions, it is broken out into three different actions now (read, write, delete).

On Tue, Mar 23, 2021 at 9:28 AM Rosso, Roland <Ro...@adventhealth.com> wrote:
>
> Hi all,
>
> I am moving things around and moving from self-signed certs to corporate certs.
>
> I’ve installed nifi 1.12 with a new truststore and keystore (use toolkit with external certs) and that seems fine.
>
> I added the cert from the registry server (old self signed) into the new nifi 1.12 truststore and the new server cert (signed with corporate CA) into the nifi registry truststore (again, self signed).
>
> I also added the server ‘user’ CN=server.domain, OU=NIFI into the registry and made the permission grants (proxy, buckets). I don’t get any SSL errors in the logs but cannot add a PG via registry (no available bucket).
>
> Is this setup possible and am I missing something, or do all NiFi nodes and registry need to be signed with the same key? The idea was to setup a new instance (on new server), pull all PGs via registry into the new and retiring the old.
>
>
>
> Thanks,
>
> Roland
>

RE: [EXTERNAL] Re: NiFi Registry SSL question

Posted by "Rosso, Roland" <Ro...@AdventHealth.com>.
Thank you Bryan,
I've tried all combinations I could think of.
I'll re-sign all the certs with the same key for nifi and registry and try this again.

Thanks,
Roland Rosso
AdventHealth
Big Data Administrator | Corporate Analytics
O: 407-805-8532

-----Original Message-----
From: Bryan Bende <bb...@gmail.com> 
Sent: Tuesday, March 23, 2021 3:48 PM
To: users@nifi.apache.org
Subject: [EXTERNAL] Re: NiFi Registry SSL question

I think the issue might be related to the "server user" in nifi registry. I would double check that the way the identity was entered in registry exactly matches the identity from nifi's certificate, case-sensitive and white-space sensitive. Also make sure this user in registry is granted all of the Proxy permissions, it is broken out into three different actions now (read, write, delete).

On Tue, Mar 23, 2021 at 9:28 AM Rosso, Roland <Ro...@adventhealth.com> wrote:
>
> Hi all,
>
> I am moving things around and moving from self-signed certs to corporate certs.
>
> I’ve installed nifi 1.12 with a new truststore and keystore (use toolkit with external certs) and that seems fine.
>
> I added the cert from the registry server (old self signed) into the new nifi 1.12 truststore and the new server cert (signed with corporate CA) into the nifi registry truststore (again, self signed).
>
> I also added the server ‘user’ CN=server.domain, OU=NIFI into the registry and made the permission grants (proxy, buckets). I don’t get any SSL errors in the logs but cannot add a PG via registry (no available bucket).
>
> Is this setup possible and am I missing something, or do all NiFi nodes and registry need to be signed with the same key? The idea was to setup a new instance (on new server), pull all PGs via registry into the new and retiring the old.
>
>
>
> Thanks,
>
> Roland
>

Re: NiFi Registry SSL question

Posted by Bryan Bende <bb...@gmail.com>.
I think the issue might be related to the "server user" in nifi
registry. I would double check that the way the identity was entered
in registry exactly matches the identity from nifi's certificate,
case-sensitive and white-space sensitive. Also make sure this user in
registry is granted all of the Proxy permissions, it is broken out
into three different actions now (read, write, delete).

On Tue, Mar 23, 2021 at 9:28 AM Rosso, Roland
<Ro...@adventhealth.com> wrote:
>
> Hi all,
>
> I am moving things around and moving from self-signed certs to corporate certs.
>
> I’ve installed nifi 1.12 with a new truststore and keystore (use toolkit with external certs) and that seems fine.
>
> I added the cert from the registry server (old self signed) into the new nifi 1.12 truststore and the new server cert (signed with corporate CA) into the nifi registry truststore (again, self signed).
>
> I also added the server ‘user’ CN=server.domain, OU=NIFI into the registry and made the permission grants (proxy, buckets). I don’t get any SSL errors in the logs but cannot add a PG via registry (no available bucket).
>
> Is this setup possible and am I missing something, or do all NiFi nodes and registry need to be signed with the same key? The idea was to setup a new instance (on new server), pull all PGs via registry into the new and retiring the old.
>
>
>
> Thanks,
>
> Roland
>
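An added example, not from this thread or from the NiFi project, that automates the two checks raised above: David's check that the store NiFi presents holds a PrivateKeyEntry rather than only a trustedCertEntry, and Bryan's point that the identity entered in NiFi Registry must match the certificate subject exactly, case- and whitespace-sensitive. It parses the output of the `keytool -list -v -keystore <keystoreFile>` command quoted in the thread; the listings embedded below are constructed from the DNs quoted in the thread (one of them with the stray space after `CN=`), and the function names are my own.

```python
# Added example (not from the NiFi thread or project): audit a keytool listing
# for (1) a PrivateKeyEntry, without which NiFi has no key to authenticate with,
# and (2) an exact, case- and whitespace-sensitive match between the certificate
# subject DN and the identity configured in NiFi Registry.
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class KeystoreEntry:
    alias: str
    entry_type: Optional[str] = None   # "PrivateKeyEntry" or "trustedCertEntry"
    owner: Optional[str] = None        # subject DN of the entry's own certificate
    issuer: Optional[str] = None

FIELD_RE = re.compile(r"^(Alias name|Entry type|Owner|Issuer): ?(.*?)\s*$")
FIELDS = {"Entry type": "entry_type", "Owner": "owner", "Issuer": "issuer"}

def parse_keytool_listing(text: str) -> List[KeystoreEntry]:
    """Split `keytool -list -v` output into entries, keeping only the first
    Owner/Issuer per alias (Certificate[1] of a PrivateKeyEntry's chain)."""
    entries: List[KeystoreEntry] = []
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)   # DN kept verbatim, e.g. "CN= host"
        if key == "Alias name":
            entries.append(KeystoreEntry(alias=value))
        elif entries and getattr(entries[-1], FIELDS[key]) is None:
            setattr(entries[-1], FIELDS[key], value)
    return entries

def identity_diff(cert_dn: str, registry_identity: str) -> Optional[str]:
    """None when the strings are identical, otherwise why the lookup fails."""
    if cert_dn == registry_identity:
        return None
    squash = lambda s: re.sub(r"\s+", "", s)
    if squash(cert_dn) == squash(registry_identity):
        return "whitespace differs"
    if cert_dn.casefold() == registry_identity.casefold():
        return "case differs"
    if squash(cert_dn).casefold() == squash(registry_identity).casefold():
        return "case and whitespace differ"
    return "different DN"

def audit(listing: str, registry_identity: str) -> List[str]:
    """Findings for one keystore listing checked against the Registry identity."""
    entries = parse_keytool_listing(listing)
    keys = [e for e in entries if e.entry_type == "PrivateKeyEntry"]
    findings: List[str] = []
    if not keys:
        findings.append("no PrivateKeyEntry: nothing here can authenticate NiFi as a client")
    for e in keys:
        reason = identity_diff(e.owner or "", registry_identity)
        if reason:
            findings.append(f"{e.alias}: subject {e.owner!r} != registry identity "
                            f"{registry_identity!r} ({reason})")
    return findings

# Constructed listings; DNs copied from the thread, one with the stray space.
TRUSTSTORE_LISTING = """\
Alias name: server_name-nifi-cert
Creation date: Mar 29, 2021
Entry type: trustedCertEntry

Owner: CN= server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US
"""

KEYSTORE_LISTING = """\
Alias name: nifi-key
Creation date: Mar 29, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=server_name.domain.net, OU=NIFI
Issuer: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US
Certificate[2]:
Owner: CN=nifi_ca.domain.net, OU=ORG_NAME, O=ORG_FULL_NAME, L=LOCATION, ST=XX, C=US
"""

if __name__ == "__main__":
    identity = "CN=server_name.domain.net, OU=NIFI"   # as entered in Registry
    for name, listing in (("truststore", TRUSTSTORE_LISTING), ("keystore", KEYSTORE_LISTING)):
        print(name, audit(listing, identity) or ["ok"])
```

Feed it the real output of `keytool -list -v` for the keystore NiFi points at and the identity string exactly as typed into Registry; a "whitespace differs" finding is the `CN= server_name` case from the thread.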