Posted to users@nifi.apache.org by kumar r <ku...@gmail.com> on 2017/03/08 12:04:41 UTC

NiFi web ui not open after enabled auth

Hi,

Configured NiFi version 1.1.1 on Windows.

I have enabled client certificate auth with the following properties

*nifi.properties*

    nifi.web.war.directory=./lib
    nifi.web.http.host=
    nifi.web.http.port=
    nifi.web.https.host=hostname
    nifi.web.https.port=8080
    nifi.web.jetty.working.directory=./work/jetty
    nifi.web.jetty.threads=200

    nifi.security.keystore=./conf/ssl/server.keystore
    nifi.security.keystoreType=JKS
    nifi.security.keystorePasswd=server_password
    nifi.security.keyPasswd=server_keypassword
    nifi.security.truststore=./conf/ssl/server.truststore
    nifi.security.truststoreType=JKS
    nifi.security.truststorePasswd=server_password
    nifi.security.needClientAuth=true
    nifi.security.user.authorizer=file-provider
    nifi.security.user.login.identity.provider=
    nifi.security.ocsp.responder.url=
    nifi.security.ocsp.responder.certificate=

*authorizers.xml*

        <authorizer>
            <identifier>file-provider</identifier>
            <class>org.apache.nifi.authorization.FileAuthorizer</class>
            <property name="Authorizations File">./conf/authorizations.xml</property>
            <property name="Users File">./conf/users.xml</property>
            <property name="Initial Admin Identity"></property>
            <property name="Legacy Authorized Users File">./conf/authorized-users.xml</property>

            <!-- Provide the identity (typically a DN) of each node when clustered, see above description of Node Identity.
            <property name="Node Identity 1"></property>
            <property name="Node Identity 2"></property>
            -->
        </authorizer>

*authorized-users.xml*

    <users>
        <user dn="CN=Kumar">
            <role name="ROLE_ADMIN"/>
            <role name="ROLE_DFM"/>
        </user>
    </users>

I generated the server and client SSL certificates by following
http://unix.stackexchange.com/q/347116

Everything was good. The NiFi server started and the logs showed that the UI
is available at the following URL:

https://hostname:8080/nifi

But when I open the UI in a browser, both Firefox and Chrome, the NiFi web URL
cannot be opened and it shows

*Secure Connection Failed* in Firefox and *This site can’t be reached* in
Chrome.

It didn't ask for a client certificate.

What did I do wrong? How can I achieve this?

http://stackoverflow.com/questions/42668838/nifi-web-ui-not-open-after-enabled-auth

Help would be appreciated. Thanks in advance.

Re: NiFi web ui not open after enabled auth

Posted by kumar r <ku...@gmail.com>.
Thanks for your help.

It works fine after importing the client certificate into the browser.

On Wed, Mar 8, 2017 at 7:59 PM, Bryan Rosander <br...@apache.org> wrote:

> Hi Kumar,
>
> I would suggest using NiFi's tls-toolkit in order to facilitate
> certificate generation.  It can generate a Certificate Authority (to import
> into the browser), keystore and truststore for NiFi as well as a client p12
> file in a single command.
>
> You can get it from the NiFi download page as part of the nifi-toolkit.
>
> If you run (replacing YOUR_HOSTNAME with your actual hostname):
> bin/tls-toolkit.sh standalone -n YOUR_HOSTNAME -C 'CN=Kumar'
>
> You should wind up with a YOUR_HOSTNAME directory containing a keystore,
> truststore, nifi.properties as well as a p12 and password file for your
> client certificate.  You'll want to import nifi-cert.pem into your browser
> as a trusted CA so that it knows it can trust the server.
>
> Thanks,
> Bryan

Re: NiFi web ui not open after enabled auth

Posted by Bryan Rosander <br...@apache.org>.
Hi Kumar,

I would suggest using NiFi's tls-toolkit in order to facilitate certificate
generation.  It can generate a Certificate Authority (to import into the
browser), keystore and truststore for NiFi as well as a client p12 file in
a single command.

You can get it from the NiFi download page as part of the nifi-toolkit.

If you run (replacing YOUR_HOSTNAME with your actual hostname):

    bin/tls-toolkit.sh standalone -n YOUR_HOSTNAME -C 'CN=Kumar'

You should wind up with a YOUR_HOSTNAME directory containing a keystore,
truststore, nifi.properties as well as a p12 and password file for your
client certificate.  You'll want to import nifi-cert.pem into your browser
as a trusted CA so that it knows it can trust the server.

Thanks,
Bryan

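The thread's outcome as an added example (not code from either poster or from the NiFi project): with HTTPS on, `needClientAuth=true` and no login identity provider, the only credential the browser can offer is a client certificate, and its DN has to match an entry in authorized-users.xml. The inline input is constructed from the configuration posted above; the function names are hypothetical, and the exact-string DN comparison is an assumption of this sketch.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: the relevant lines from the nifi.properties and
# authorized-users.xml posted in this thread.
NIFI_PROPERTIES = """\
nifi.web.http.port=
nifi.web.https.host=hostname
nifi.web.https.port=8080
nifi.security.keystore=./conf/ssl/server.keystore
nifi.security.truststore=./conf/ssl/server.truststore
nifi.security.needClientAuth=true
nifi.security.user.login.identity.provider=
"""
AUTHORIZED_USERS = """\
<users>
    <user dn="CN=Kumar">
        <role name="ROLE_ADMIN"/>
        <role name="ROLE_DFM"/>
    </user>
</users>
"""

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def certificate_only_login(props):
    """True when HTTPS is on, client auth is required and no login provider is set."""
    return (bool(props.get("nifi.web.https.port"))
            and props.get("nifi.security.needClientAuth", "").lower() == "true"
            and not props.get("nifi.security.user.login.identity.provider"))

def roles_for_dn(users_xml, client_dn):
    """Return the roles listed for client_dn (assumed exact string match), else []."""
    for user in ET.fromstring(users_xml).iter("user"):
        if user.get("dn") == client_dn:
            return [role.get("name") for role in user.iter("role")]
    return []

def check(props_text, users_xml, client_dn):
    """Summarise what the browser must present for this configuration."""
    props = parse_properties(props_text)
    return {"client_cert_required": certificate_only_login(props),
            "roles": roles_for_dn(users_xml, client_dn)}
```

Calling `check(NIFI_PROPERTIES, AUTHORIZED_USERS, "CN=Kumar")` reports that a client certificate is required and that the DN maps to both roles; a DN with different casing returns no roles.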