You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@ambari.apache.org by "Axton Grams (JIRA)" <ji...@apache.org> on 2019/01/18 21:19:00 UTC
[jira] [Created] (AMBARI-25113) Nifi Registry Service Check - TLS Error

Axton Grams created AMBARI-25113:
------------------------------------

             Summary: Nifi Registry Service Check - TLS Error
                 Key: AMBARI-25113
                 URL: https://issues.apache.org/jira/browse/AMBARI-25113
             Project: Ambari
          Issue Type: Bug
          Components: stacks
    Affects Versions: 2.6.1
         Environment: Oracle JDK 1.8.0_192

RHEL 7.4

Ambari 2.6.1.0

HDF 3.1.1.0

TLS Enabled Nifi and Nifi Registry

Certificate Authority is an external CA; we are not using the Nifi CA.

The Keystore maintained for our certificate does not include a key password.
            Reporter: Axton Grams


When Nifi Registry is configured with TLS, health checks fail:

 
{code:java}
2019-01-18 15:55:07,125 - File['/var/lib/ambari-agent/cache/common-services/NIFI_REGISTRY/0.1.0/package/files/nifi-toolkit-1.5.0.3.1.1.0-35/bin/tls-toolkit.sh'] {'mode': 0755}
2019-01-18 15:55:07,126 - File['/var/lib/ambari-agent/cache/common-services/NIFI_REGISTRY/0.1.0/package/files/nifi-toolkit-1.5.0.3.1.1.0-35/bin/encrypt-config.sh'] {'mode': 0755}
2019-01-18 15:55:08,832 - Executing: ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.8 /var/lib/ambari-agent/cache/common-services/NIFI_REGISTRY/0.1.0/package/files/nifi-toolkit-1.5.0.3.1.1.0-35/bin/tls-toolkit.sh status -u https://server.example.com:12345 -ks /etc/pki/tls/private/abcd.jks -kst JKS -ksp *** -kp -ts /etc/pki/java/cacerts -tst JKS -tsp changeit
2019-01-18 15:55:09,158 - Will retry 28 time(s), caught exception: Call to tls-toolkit encountered error: No keystore or truststore was provided
usage: org.apache.nifi.toolkit.tls.TlsToolkitMain [-h] [-kp <arg>] [-ks <arg>] [-ksp <arg>] [-kst <arg>] [-p <arg>] [-ts <arg>] [-tsp <arg>] [-tst <arg>] [-u
<arg>]
Checks the status of an HTTPS endpoint by making a GET request using a supplied keystore and truststore.
-h,--help Print help and exit.
-kp,--keyPassword <arg> The key password of the key store being used
-ks,--keyStore <arg> The key store to use
-ksp,--keyStorePassword <arg> The password of the key store being used
-kst,--keyStoreType <arg> The type of key store being used (PKCS12 or JKS) (default: JKS)
-p,--protocol <arg> The protocol to use (default: TLS)
-ts,--trustStore <arg> The trust store being used
-tsp,--trustStorePassword <arg> The password of the trust store being used
-tst,--trustStoreType <arg> The type of trust store being used (PKCS12 or JKS) (default: JKS)
-u,--url <arg> The full url to connect to, for example: https://localhost:8443/v1/api
Java home: /usr/jdk64/jdk1.8
NiFi Toolkit home: /var/lib/ambari-agent/cache/common-services/NIFI_REGISTRY/0.1.0/package/files/nifi-toolkit-1.5.0.3.1.1.0-35
2019/01/18 15:55:09 ERROR [main] org.apache.nifi.toolkit.tls.status.TlsToolkitGetStatusCommandLine: No keystore or truststore was provided
org.apache.nifi.toolkit.tls.commandLine.CommandLineParseException: No keystore or truststore was provided
at org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine.printUsageAndThrow(BaseCommandLine.java:72)
at org.apache.nifi.toolkit.tls.status.TlsToolkitGetStatusCommandLine.postParse(TlsToolkitGetStatusCommandLine.java:142)
at org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine.doParse(BaseCommandLine.java:91)
at org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine.parse(BaseCommandLine.java:109)
at org.apache.nifi.toolkit.tls.status.TlsToolkitGetStatusCommandLine.main(TlsToolkitGetStatusCommandLine.java:72)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.nifi.toolkit.tls.TlsToolkitMain.doMain(TlsToolkitMain.java:109)
at org.apache.nifi.toolkit.tls.TlsToolkitMain.main(TlsToolkitMain.java:55)
{code}
 
When checking the health of a tls enabled Nifi Registry, only the trust store parameters are required.  The following Keystore related parameters are not required:
 * -kp,--keyPassword <arg> The key password of the key store being used
 * -ks,--keyStore <arg> The key store to use
 * -ksp,--keyStorePassword <arg> The password of the key store being used
 * -kst,--keyStoreType <arg> The type of key store being used (PKCS12 or JKS) (default: JKS)

The following patch allows the health check to operated as expected:

 
{code:java}
--- /var/lib/ambari-server/resources/common-services/NIFI_REGISTRY/0.1.0/package/scripts/service_check.py.original 2019-01-18 15:46:41.867390249 -0500
+++ /var/lib/ambari-server/resources/common-services/NIFI_REGISTRY/0.1.0/package/scripts/service_check.py 2019-01-18 16:03:43.750582415 -0500
@@ -105,7 +105,7 @@
 truststoreType = nifi_registry_props['nifi.registry.security.truststoreType']
 truststorePasswd = nifi_registry_props['nifi.registry.security.truststorePasswd']
- command = 'ambari-sudo.sh JAVA_HOME=' + jdk64_home + ' '+ tls_toolkit_script + ' status -u ' + url + ' -ks ' + keystore + ' -kst ' + keystoreType + ' -ksp ' + keystorePasswd + ' -kp ' + keyPasswd + ' -ts ' + truststore + ' -tst ' + truststoreType + ' -tsp ' + truststorePasswd
+ command = 'ambari-sudo.sh JAVA_HOME=' + jdk64_home + ' '+ tls_toolkit_script + ' status -u ' + url + ' -ts ' + truststore + ' -tst ' + truststoreType + ' -tsp ' + truststorePasswd
# Only uncomment for debugging, otherwise the passwords will get logged
 #Logger.info("Executing: " + command)
{code}
 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)