Posted to dev@nifi.apache.org by Eduardo Fontes <ed...@gmail.com> on 2020/02/19 10:55:40 UTC

Help with TLS with Client Auth

 Hi people! I'm using WindowsLogBeat (from Elastic Stack) to send Windows
events to NiFi (1.11.1) with processor ListenBeat (latest). My NiFi is a 3
node cluster under Linux with SSL. I'm trying to secure communication
between Beat and NiFi using SSL/TLS with Client Auth. I created a
RestrictedSSLContext with NiFi's Keystore and Truststore and created a
key/cert pair for the Windows machine, and configured the Beat with the CA
certs, key and cert of the Windows machine. The CA of NiFi's certs is the
same as that of the Windows certs.
Unfortunately, it didn't work. I got "null cert chain". So I have some
questions:

   1. How does NiFi ListenBeat with Client Auth know that a host is
   authorized to send data? Do I need to put the Windows machine cert
   (public key) inside NiFi's Truststore? (I've already done this, with the
   same result.) Do I need to create a "host user" on NiFi, like
   "CN=host, OU=NIFI", and grant some permissions?
   2. What am I doing wrong? Without Client Auth and only SSL the
   communication works.

Re: Help with TLS with Client Auth

Posted by Eduardo Fontes <ed...@gmail.com>.
Thanks Pierre but I found the problem. It was between the monitor and the
chair. :D
My CA cert was wrong.

On Wed, Feb 19, 2020 at 4:13 PM Pierre Villard <pi...@gmail.com>
wrote:

> Hi Eduardo,
>
> I would first check that the ListenBeat is correctly exposing what you want
> using something like:
> openssl s_client -connect nifi-node:<ListenBeatPort>
>
> Thanks,
> Pierre
>
> On Wed, 19 Feb 2020 at 02:56, Eduardo Fontes <ed...@gmail.com>
> wrote:
>
> >  Hi people! I'm using WindowsLogBeat (from Elastic Stack) to send Windows
> > events to NiFi (1.11.1) with processor ListenBeat (latest). My NiFi is a 3
> > node cluster under Linux with SSL. I'm trying to secure communication
> > between Beat and NiFi using SSL/TLS with Client Auth. I created a
> > RestrictedSSLContext with NiFi's Keystore and Truststore and created a
> > key/cert pair for the Windows machine, and configured the Beat with the CA
> > certs, key and cert of the Windows machine. The CA of NiFi's certs is the
> > same as that of the Windows certs.
> > Unfortunately, it didn't work. I got "null cert chain". So I have some
> > questions:
> >
> >    1. How does NiFi ListenBeat with Client Auth know that a host is
> >    authorized to send data? Do I need to put the Windows machine cert
> >    (public key) inside NiFi's Truststore? (I've already done this, with the
> >    same result.) Do I need to create a "host user" on NiFi, like
> >    "CN=host, OU=NIFI", and grant some permissions?
> >    2. What am I doing wrong? Without Client Auth and only SSL the
> >    communication works.
> >
>

Re: Help with TLS with Client Auth

Posted by Pierre Villard <pi...@gmail.com>.
Hi Eduardo,

I would first check that the ListenBeat is correctly exposing what you want
using something like:
openssl s_client -connect nifi-node:<ListenBeatPort>

Thanks,
Pierre

On Wed, 19 Feb 2020 at 02:56, Eduardo Fontes <ed...@gmail.com>
wrote:

>  Hi people! I'm using WindowsLogBeat (from Elastic Stack) to send Windows
> events to NiFi (1.11.1) with processor ListenBeat (latest). My NiFi is a 3
> node cluster under Linux with SSL. I'm trying to secure communication
> between Beat and NiFi using SSL/TLS with Client Auth. I created a
> RestrictedSSLContext with NiFi's Keystore and Truststore and created a
> key/cert pair for the Windows machine, and configured the Beat with the CA
> certs, key and cert of the Windows machine. The CA of NiFi's certs is the
> same as that of the Windows certs.
> Unfortunately, it didn't work. I got "null cert chain". So I have some
> questions:
>
>    1. How does NiFi ListenBeat with Client Auth know that a host is
>    authorized to send data? Do I need to put the Windows machine cert
>    (public key) inside NiFi's Truststore? (I've already done this, with the
>    same result.) Do I need to create a "host user" on NiFi, like
>    "CN=host, OU=NIFI", and grant some permissions?
>    2. What am I doing wrong? Without Client Auth and only SSL the
>    communication works.
>
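The following is an added example, not code from this thread, from NiFi or from Beats. It illustrates two things the thread touches on: the openssl-based check Pierre suggests, and the root cause Eduardo reports ("My CA cert was wrong"). With client authentication, the NiFi side only accepts a Beat whose certificate builds a valid chain to a CA in its truststore, so the useful offline check is `openssl verify` of the client cert against exactly the CA certificate that was loaded into that truststore. The script builds two throwaway CAs with the same subject name but different keys, issues a host cert from one of them, and shows that a matching issuer name is not enough: only the CA that actually signed the cert passes. All file names, DNs and the scratch directory are assumed values chosen for the demo.

```shell
#!/bin/sh
# Added example (not from the thread, NiFi or Beats): throwaway CAs and a
# client cert built with the openssl CLI, then the chain check a mutual-TLS
# server effectively performs against its truststore. All names are assumed.
set -eu

# Scratch directory for keys and certs; override with WORKDIR=... if wanted.
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# make_ca NAME SUBJECT: self-signed CA certificate and private key.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.crt" \
    -subj "$2" >/dev/null 2>&1
}

# issue_cert NAME CA SUBJECT: leaf certificate for NAME signed by CA.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.csr" \
    -subj "$3" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 1 -in "$WORKDIR/$1.csr" \
    -CA "$WORKDIR/$2.crt" -CAkey "$WORKDIR/$2.key" -CAcreateserial \
    -out "$WORKDIR/$1.crt" >/dev/null 2>&1
}

# chains_to CERT CA: succeeds only if CERT validates against CA alone.
# This is the same path-building and signature check a TLS peer does with
# its truststore. Grepping for ": OK" keeps the result independent of the
# exit status conventions of older openssl releases.
chains_to() {
  openssl verify -CAfile "$WORKDIR/$2.crt" "$WORKDIR/$1.crt" 2>/dev/null \
    | grep -q ': OK$'
}

# issuer_dn CERT / subject_dn CERT: DNs as printed by openssl, prefix stripped.
# A matching issuer name is necessary but not sufficient: a different CA that
# happens to carry the same subject still fails the signature check above.
issuer_dn()  { openssl x509 -noout -issuer  -in "$WORKDIR/$1.crt" | sed 's/^issuer=//'; }
subject_dn() { openssl x509 -noout -subject -in "$WORKDIR/$1.crt" | sed 's/^subject=//'; }

# setup_demo: the CA that really signed the host cert (ca-right), a second CA
# with the SAME name but a different key (ca-wrong, the "wrong CA cert" case),
# and the host cert itself. The DN shape mirrors the "CN=host, OU=NIFI" form
# from the question; the values are assumed.
setup_demo() {
  make_ca ca-right "/CN=Lab CA"
  make_ca ca-wrong "/CN=Lab CA"
  issue_cert windows-host ca-right "/CN=windows-host/OU=NIFI"
}

# Stand-alone run: report which CA certificate the host cert actually chains to.
setup_demo
echo "host cert issuer: $(issuer_dn windows-host)"
for ca in ca-right ca-wrong; do
  echo "$ca subject:      $(subject_dn "$ca")"
  if chains_to windows-host "$ca"; then
    echo "  chain check: OK (this is the CA cert that belongs in the truststore)"
  else
    echo "  chain check: FAILED (client auth with this CA cert would be rejected)"
  fi
done
```

Once the offline check passes, the mutual-TLS version of Pierre's probe is the same `openssl s_client -connect nifi-node:<ListenBeatPort>` with the client side added (`-cert`, `-key` and `-CAfile` are standard s_client options): `openssl s_client -connect nifi-node:<ListenBeatPort> -cert windows-host.crt -key windows-host.key -CAfile ca.crt`. A handshake that completes there but fails from the Beat points at the Beat's TLS configuration rather than the certificates.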