Posted to issues@nifi.apache.org by "Veda Kadam (Jira)" <ji...@apache.org> on 2020/07/24 22:27:00 UTC

[jira] [Created] (NIFI-7673) Toolkit in diagnostic mode should verify independent node

Veda Kadam created NIFI-7673:
--------------------------------

             Summary: Toolkit in diagnostic mode should verify independent node
                 Key: NIFI-7673
                 URL: https://issues.apache.org/jira/browse/NIFI-7673
             Project: Apache NiFi
          Issue Type: Improvement
          Components: Configuration Management, Tools and Build
    Affects Versions: 1.11.4
            Reporter: Veda Kadam
            Assignee: Veda Kadam


 * Incomplete chain
 * All nodes have wildcard certificates. Cannot identify one node from the other
 * Use any certs as long as prerequisites are aligned with NiFi.
 * Build monitoring for expiration of TLS certificates
 * Ambari using NiFi CA, overrides/corrupts if using external certs
 * Populate authorization.xml file if using external certs
 * Have internal method to avoid removal of authorization.xml and users.xml
 * Explicit document with prerequisites for certs
 * --additionalCACertificate <arg> for Client-Server model
 * Validate certs if not using CA toolkit
 * Firewall/DNS issues resolving multiple nodes in cluster
 * Independent node configuration verification
   # Priority 0
   # Addresses B, C, D, J
   # Description: Verifies each node has the correct configuration files and passwords available, and that the key/certificate contents of the keystore and truststore are correct for that node
   # Steps
     # Run on each node
     # Read the nifi.properties file
     # Verify the keystore and truststore are located at the correct file path
     # Verify the keystore password, key password, and truststore password are correct
     # Verify that the keystore contains a single private key entry and a public certificate which identifies this host
       # CN
       # SAN
       # Not wildcard (or at least unique SAN present)
       # EKU
       # Certificate validity dates
       # Key size
       # Other OIDs
     # Verify that the truststore contains at least one public certificate
     # Verify that the truststore contains a public certificate which verifies the private key in the keystore for this node (i.e. this node would trust itself/the signer of itself)



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
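
The per-node verification steps listed in the issue, sketched as a standalone Java program; this is an added example, not code from the NiFi toolkit or from the reporter. The class name `NodeTlsCheck`, the command-line arguments, the 2048-bit RSA floor and the requirement that a present EKU carry both serverAuth and clientAuth are assumptions, as is the assumption that the passwords in nifi.properties are stored in plaintext. The trust check is a direct signature test against each truststore entry, not full PKIX path validation, and CN and other OIDs are not examined.

```java
import java.io.*;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.*;

public class NodeTlsCheck {   // hypothetical name, not part of the NiFi toolkit
    // Fails with an IOException if the file path or the store password is wrong.
    static KeyStore load(Properties p, String key) throws Exception {
        KeyStore ks = KeyStore.getInstance(p.getProperty(key + "Type", "JKS"));
        try (InputStream in = new FileInputStream(p.getProperty(key))) {
            ks.load(in, p.getProperty(key + "Passwd", "").toCharArray());
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {   // args: <nifi.properties> <node FQDN>
        Properties p = new Properties();
        try (InputStream in = new FileInputStream(args[0])) { p.load(in); }
        KeyStore ks = load(p, "nifi.security.keystore"), ts = load(p, "nifi.security.truststore");
        List<String> bad = new ArrayList<>(), keys = new ArrayList<>();
        for (String a : Collections.list(ks.aliases())) if (ks.isKeyEntry(a)) keys.add(a);
        if (keys.size() != 1) bad.add("keystore holds " + keys.size() + " private key entries, expected 1");
        String keyPw = p.getProperty("nifi.security.keyPasswd", "");
        if (keyPw.isEmpty()) keyPw = p.getProperty("nifi.security.keystorePasswd", "");
        for (String a : keys) {
            ks.getKey(a, keyPw.toCharArray());   // UnrecoverableKeyException if the key password is wrong
            X509Certificate leaf = (X509Certificate) ks.getCertificate(a);
            try { leaf.checkValidity(); } catch (GeneralSecurityException e) { bad.add("validity: " + e.getMessage()); }
            boolean named = false, trusted = false;
            Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
            if (sans != null) for (List<?> s : sans)   // type 2 = dNSName; a wildcard name never equals the host
                named |= Integer.valueOf(2).equals(s.get(0)) && args[1].equalsIgnoreCase((String) s.get(1));
            if (!named) bad.add("no SAN dNSName equals " + args[1]);
            List<String> eku = leaf.getExtendedKeyUsage();   // null: extension absent
            if (eku != null && !eku.containsAll(Arrays.asList("1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2")))
                bad.add("EKU lacks serverAuth and/or clientAuth");
            if (leaf.getPublicKey() instanceof RSAPublicKey && ((RSAPublicKey) leaf.getPublicKey()).getModulus().bitLength() < 2048)
                bad.add("RSA key shorter than 2048 bits");
            for (String t : Collections.list(ts.aliases()))   // does any truststore entry sign a cert in our chain?
                for (Certificate c : ks.getCertificateChain(a))
                    try { c.verify(ts.getCertificate(t).getPublicKey()); trusted = true; }
                    catch (GeneralSecurityException e) { /* this entry is not the signer */ }
            if (!trusted) bad.add("no truststore certificate verifies this node's chain");
        }
        bad.forEach(System.out::println);
        System.exit(bad.isEmpty() ? 0 : 1);
    }
}
```

A wildcard-only certificate is reported by the SAN check because no dNSName entry equals the node's own name, which matches the "unique SAN present" condition in the list above.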