Posted to users@nifi.apache.org by TomBertie <to...@cyhesion.com> on 2018/03/11 11:46:08 UTC

Minifi cpp 0.4.0 secure connection

Has anyone got Minifi C++ v0.4.0 working over a secure connection to a Nifi
cluster? My certs seem to be fine as I can log into the UI of the secured
cluster through the browser using a cert I created for a nifiadmin user.
I've got minifi (collecting Squid logs) working unsecured but every time I
try to get it connecting securely it won't authenticate to be able to
retrieve s2s settings.  The RPG is set up for HTTP rather than RAW.  I've
posted output from the minifi logs and the security elements of
minifi.properties at https://pastebin.com/gg2H7HEP and haven't added any
SSLContextService into the config.yml so it should (if I understand
correctly) draw the settings from minifi.properties.  I'm using the CentOS 7
build of minifi cpp on the Hortonworks repo.

I'd really appreciate any support you can give me because I'm sure I'm doing
something stupid.

Yours, Tom



--
Sent from: http://apache-nifi-users-list.2361937.n4.nabble.com/

Re: Minifi cpp 0 4 0 secure connection

Posted by Marc <ph...@apache.org>.
Tom,

  There were a couple of issues with the C++ security configuration in
0.4.0 [1]. We will likely release 0.5.0 very soon to capture this and
other feature additions.

  Do you have the ability to pull master and re-attempt? The security
configuration is much clearer there, in that you can use either
minifi.properties or the context service, whereas in 0.4.0 that was not
always the case.

 [1] https://issues.apache.org/jira/browse/MINIFICPP-396
 [2] https://github.com/apache/nifi-minifi-cpp#sitetosite-security-configuration


RE: Minifi cpp 0.4.0 secure connection

Posted by Tom Burton <to...@cyhesion.com>.
For completeness the resolution I got to, and that I posted on the Hortonworks Community forum, is as follows:
=============================
I have finally got a working solution on this, though it may not be ideal. It also seems to be rather simplistic. Curl, when compiled with NSS, doesn't seem to like encrypted pem files for client certificates/keys. I can make an SSL connection using openssl without any problems using the command (it asks for the password for cert.pem and establishes a connection correctly):

# openssl s_client -connect host:port -key cert.pem -cert cert.pem -CAfile ca.pem

But if I try to do the same with curl using the following command:

# curl -v --cacert ./nifi-cert.pem --cert ./cert.pem:password --key ./cert.pem:password host:port

It consistently fails with the error:

* unable to load client cert: -8018 (SEC_ERROR_UNKNOWN_PKCS11_ERROR)
* NSS error -8018 (SEC_ERROR_UNKNOWN_PKCS11_ERROR)
* Unknown PKCS #11 error.

I've tried forcing openssl to use des3 when converting the pkcs12 file generated by nifi-tools to pem. I've tried playing around with different password strengths. None of this works. If on the other hand, I force openssl to not encrypt the pem certificate, using -nodes it works fine.

Not ideal, because it is not exactly good practice storing keys in clear. On the other hand, the password being used by minifi will be stored in clear so not much more downside doing it this way. I'm sure I can do it another way by storing the certificate in the NSS db (though I did play around with this and there was no easy solution), but I'm keen to minimise the actions required to deploy it.

In the process I also installed nss-devel and nss-pkcs11-devel (both versions 3.28.4) but I don't know whether this had a positive or negative effect. Over the next few days I'll remove them and re-compile to see whether they are dependencies when building for CentOS/RHEL 7.

Many thanks to @mparisi and @Timothy Spann for their support and patience on this issue. If anyone has a better way of solving this I'm all ears.

Tom
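A small pre-flight check that encodes the diagnosis above, added here as an example and not code from Tom's posts or from the MiNiFi project: it classifies a PEM client key as password-protected or clear, reads the TLS backend out of the first line of curl -V (an NSS build is the combination that fails), and, when the -nodes workaround is used, refuses a clear-text key that other users can read. The sample PEM files and the curl -V line are constructed; the file paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: check the two things the fix above hinges on,
# (1) is the PEM client key password-protected, (2) is curl built against NSS, and
# make sure a clear-text key is at least not readable by other users.

# Print "encrypted", "clear" or "nokey" for a PEM file: PKCS#8 encrypted keys carry an
# "ENCRYPTED PRIVATE KEY" header, legacy encrypted keys a "Proc-Type: 4,ENCRYPTED" line.
pem_key_state() {
  if grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1" || grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
    echo encrypted
  elif grep -q 'PRIVATE KEY-----' "$1"; then
    echo clear
  else
    echo nokey
  fi
}

# Given the first line of `curl -V`, print the TLS backend name (NSS, OpenSSL, GnuTLS, ...).
curl_tls_backend() {
  printf '%s\n' "$1" | tr ' ' '\n' | grep -E '^(NSS|OpenSSL|GnuTLS|LibreSSL|wolfSSL)/' | head -n 1 | cut -d/ -f1
}

# Print "private" when group and others have no permission bits on the file, else "exposed".
key_file_mode() {
  if [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; then echo private; else echo exposed; fi
}

# Combine the checks: NSS-built curl plus an encrypted PEM is the pair that fails above;
# a clear-text key (the -nodes workaround) is acceptable only if nobody else can read it.
check_client_key() {
  backend=$(curl_tls_backend "$1"); state=$(pem_key_state "$2")
  if [ "$backend" = NSS ] && [ "$state" = encrypted ]; then
    echo "FAIL: NSS-built curl cannot load password-protected key $2; re-export the PKCS12 with -nodes"; return 1
  fi
  if [ "$state" = clear ] && [ "$(key_file_mode "$2")" = exposed ]; then
    echo "FAIL: clear-text key $2 is readable by group/others; chmod 600 it"; return 2
  fi
  echo "OK: $state key, $backend backend"
}

# Constructed sample files (fake contents): only the PEM headers matter to the checks.
TMP=$(mktemp -d)
printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' FAKE '-----END ENCRYPTED PRIVATE KEY-----' > "$TMP/enc.pem"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' 'DEK-Info: DES-EDE3-CBC,00' '' FAKE '-----END RSA PRIVATE KEY-----' > "$TMP/legacy.pem"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' FAKE '-----END PRIVATE KEY-----' > "$TMP/clear.pem"
chmod 600 "$TMP/clear.pem"
NSS_CURL='curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.28.4 zlib/1.2.7'   # constructed
check_client_key "$NSS_CURL" "$TMP/enc.pem" || echo "exit status $?"
check_client_key "$NSS_CURL" "$TMP/clear.pem"
```

On a real host, replace NSS_CURL with "$(curl -V | head -n 1)" and point the second argument at the key file named in minifi.properties.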
