Posted to users@nifi.apache.org by David Early <da...@grokstream.com> on 2022/04/18 21:07:05 UTC

Re[4]: Minifi and ssl config on NiFi

Lars,

Thank you, this sent me in the direction I think I needed to go.

One other issue we have is that as this is internal, we are using self-
signed certs both for remotes and the cloud central.  This has worked in 
the past for a small setup, but with possibly 10x the number of remotes, 
we were concerned.

Your response led me to this:

https://arminreiter.com/2022/01/create-your-own-certificate-authority-ca-using-openssl/

and others like it.

That addresses having to manage multiple certs at the core.  Now I just 
have to do one CA cert.

But I am still assuming that I have to have a USER for each remote 
MiNiFi defined in my core NiFi to allow for the correct assignment to 
policies for the inbound ports from the remotes.  All I can find is that 
a user MUST be configured based on the cert being used so that the 
remote node can access the services.

One item I am wondering about (since I am doing self signed anyway) is 
using a SAN cert for the remotes with a single owner and issuer and 
therefore in theory a single USER that could be configured in the core 
NiFi.  The SAN cert has some appeal because I could create some 
subgroups and do policies on each of these subgroups but not have to 
have one user per remote.

Am I missing something on the user issue?

Thanks all for the help.  As may be obvious, this is a bit of a cross of 
NiFi and SSL knowledge and I am weak on SSL.

Dave




------ Original Message ------
From: "Lars Winderling" <la...@posteo.de>
To: users@nifi.apache.org
Sent: 4/18/2022 9:49:42 AM
Subject: Re: Re[2]: Minifi and ssl config on NiFi

>Hi Dave, you could use a (custom) CA for your client certs, so only the 
>CA-cert would need to be trusted. And for policies, you could use an 
>LDAP group and base policies on that.
>Downside is that NiFi currently doesn't offer certificate revocation 
>afaik, so it might not be applicable to you.
>
>Best, Lars
>
>On 18 April 2022 17:31:14 CEST, David Early 
><da...@grokstream.com> wrote:
>>Matt,
>>
>>The problem is access policies on the input port on the main NiFi:
>>
>>We are using LDAP on the main NiFi, and when I create Site to Site 
>>comms between NiFi instances I have to create a user in NiFi based on 
>>the owner name in the cert from the remote.  Once I have that user, I 
>>have to ADD that user to an access policy on the input port to allow 
>>that port to receive data from the remote.  In addition, I have to do 
>>a similar thing for a policy to allow the RPG to be able to get the 
>>list of remote ports.
>>
>>The issue I am having with this is it is a very manual process right 
>>now: for each remote, I would need to get the cert, get the owner 
>>name, create a user in the main NiFi and associate the user with the 
>>policy for the input ports.
>>
>>My question was probably less about MiNiFi and more about how to 
>>optimize the SSL relationships and if there was a shortcut I could use 
>>to avoid having to do the user creation and custom policy mod for each 
>>remote.
>>
>>Dave
>>
>>------ Original Message ------
>>From: "Matt Burgess" <ma...@gmail.com>
>>To: users@nifi.apache.org
>>Sent: 4/17/2022 9:48:29 AM
>>Subject: Re: Minifi and ssl config on NiFi
>>
>>>MiNiFi is actually alive and well, we just moved it into the NiFi codebase. We’re actively developing a Command-and-Control (C2) capability to remotely update the flow on the agent for example.
>>>
>>>You can configure MiNiFi agents for SSL over Site-to-Site in order to talk to secure NiFi instances. Not sure about the need for a user but you would need to present a certificate the same as you would for connecting to the NiFi UI. Some security features still need to be implemented (like encrypted properties maybe) but you should definitely be able to do what you’re trying to do with MiNiFi, happy to help with any issues you may run into.
>>>
>>>Regards,
>>>Matt
>>>
>>>
>>>>  On Apr 17, 2022, at 11:40 AM, Jorge Machado <jo...@me.com> wrote:
>>>>
>>>>  I did this in the past and I ended up switching to NiFi. I think you should do the same. MiNiFi is kind of “dead”, not being developed anymore. I found it better to just switch to a single instance of NiFi.
>>>>
>>>>  Regards
>>>>  Jorge
>>>>
>>>>>  On 17. Apr 2022, at 03:30, David Early <da...@grokstream.com> wrote:
>>>>>
>>>>>  We are considering using several dozen minifi instances to gather data at remote locations and send it to a cloud based central NiFi.
>>>>>
>>>>>  The problem I am THINKING we will have is setting up ssl. The only way I know of to set up ssl for site to site requires a user be configured for the incoming data on the destination NiFi and permissions given to that user to be able to send data.
>>>>>
>>>>>  Am I missing something? Will we have to manually set up a user in the cloud NiFi for each minifi instance so we can use ssl transport?
>>>>>
>>>>>  Dave
>>>>
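The custom-CA arrangement Lars suggests, and the identity question Dave raises, as an added example that is not part of the thread and not NiFi or MiNiFi project code: a small private CA built with openssl, one client certificate per remote signed by it, a cert-only PKCS12 truststore for the central NiFi (so only ca.crt has to be trusted there), and a helper that prints the subject DN that NiFi maps to a user identity. The directory layout, DN components, the "changeit" passwords and the one-year lifetimes are all assumptions. Confirm the exact identity string NiFi derives by checking nifi-user.log the first time a remote connects, since the Java rendering of the DN is what has to match the user you create.

```shell
#!/bin/sh
# Added example (not from the thread or the NiFi project): a tiny private CA
# for issuing MiNiFi client certificates so the central NiFi only has to
# trust ca.crt. Assumed values: directory paths, DN components, the
# "changeit" passwords and the one-year lifetimes.
set -eu

# make_ca DIR: create a self-signed CA key and certificate in DIR, plus a
# cert-only PKCS12 truststore for the central NiFi (only the CA goes in).
make_ca() {
  dir=$1
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/O=example/OU=minifi/CN=Example Internal NiFi CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl pkcs12 -export -nokeys -in "$dir/ca.crt" \
    -out "$dir/truststore.p12" -passout pass:changeit
}

# issue_client DIR NAME: issue one client certificate per remote, signed by
# the CA. The CN is what tells remotes apart once NiFi maps the subject DN
# to a user; a shared cert would collapse them into one identity and one key.
issue_client() {
  dir=$1; name=$2
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/O=example/OU=minifi/CN=$name" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  # Mark the leaf as a client certificate, not a CA, and give it a SAN.
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\nsubjectAltName=DNS:%s\n' \
    "$name" > "$dir/$name.ext"
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/$name.ext" \
    -out "$dir/$name.crt" 2>/dev/null
  # Key + certificate bundle for the remote's keystore (MiNiFi side).
  openssl pkcs12 -export -inkey "$dir/$name.key" -in "$dir/$name.crt" \
    -name "$name" -out "$dir/$name.p12" -passout pass:changeit
}

# identity_of CERT: print the subject DN in RFC 2253 order with ", "
# separators, the form in which NiFi reports a client certificate identity.
identity_of() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253,sep_comma_plus_space \
    | sed 's/^subject= *//'
}

# verify_client DIR CERT: succeed only if CERT chains to DIR/ca.crt, which is
# the check the central NiFi performs with the CA-only truststore.
verify_client() {
  openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

demo() {
  work=$(mktemp -d)
  make_ca "$work"
  for remote in remote-01 remote-02; do
    issue_client "$work" "$remote"
    echo "user identity to create in NiFi: $(identity_of "$work/$remote.crt")"
  done
  echo "artifacts in $work (ca.crt, truststore.p12, <remote>.p12)"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh ca.sh demo`: the remote's SSL context service points at its own `<remote>.p12`, the central NiFi's truststore is `truststore.p12` (both NiFi and MiNiFi Java accept PKCS12 stores), and the printed DN is the user to add to the input-port policies. Issuing one shared certificate for a group of remotes is the same `issue_client` call with a group name, but every remote then holds the same private key and NiFi cannot distinguish them in nifi-user.log or revoke one without reissuing all.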