Posted to users@nifi.apache.org by Russell Bateman <ru...@windofkeltia.com> on 2022/07/20 22:29:52 UTC

Placement and specification of certificates for StandardRestrictedSSLContextService

I'm trying to set up TLS for a service using InvokeHTTP against an 
external-to-NiFi Tomcat-based service and I have configured 
StandardRestrictedSSLContextService thus:

https://www.javahotchocolate.com/notes/nifi-images/mdmi-standard-ssl-context-service.png

...which results in the errors shown here:

https://www.javahotchocolate.com/notes/nifi-images/s-sslcontextservice.png

Do the NiFi errors mean that "changeit" can't be used as a password?

At the risk of over-simplifying their placement, I dropped them into 
${NIFI_ROOT}/conf.

    ~/dev/nifi/nifi-1.15.0/conf $ ll mdmi*
    -rw-rw-r-- 1 russ russ  899 Jul 20 15:40 mdmi-keystore.crt
    -rw-rw-r-- 1 russ russ 2725 Jul 20 15:39 mdmi-keystore.jks
    -rw-rw-r-- 1 russ russ 1255 Jul 20 15:53 mdmi-truststore.jks

mdmi-keystore.crt is self-signed for now and (for now) I have used 
"changeit":

    ~/dev/nifi/nifi-1.15.0/conf $ keytool -genkey -keyalg RSA -alias mdmi -keystore mdmi-keystore.jks -validity 365 -keysize 2048
    Enter keystore password:  changeit
    Re-enter new password:  changeit
    What is your first and last name?
        ...

    ~/dev/nifi/nifi-1.15.0/conf $ keytool -export -alias mdmi -file mdmi-keystore.crt -keystore mdmi-keystore.jks -storepass changeit
    Certificate stored in file <mdmi-keystore.crt>
    ~/dev/nifi/nifi-1.15.0/conf $ keytool -import -noprompt -trustcacerts -alias mdmi -file mdmi-keystore.crt -keystore mdmi-truststore.jks -storepass changeit
    Certificate was added to keystore

This all works fine via curl or Postman outside of NiFi for hitting the 
service (I put the keytool artifacts into ${CATALINA_BASE}/conf and 
note this in ${CATALINA_BASE}/conf/server.xml).

When it comes to TLS in NiFi, this is my first rodeo. I'm open to 
suggestions on any of this. Thanks.

Re: Placement and specification of certificates for StandardRestrictedSSLContextService

Posted by David Handermann <ex...@apache.org>.
Hi Russell,

Thanks for the reply and additional details.

Reviewing the output of the keytool list command, it appears that the Key
Store Type is actually PKCS12, not JKS.

What version of Java are you using to create the Key Store?

Based on the output indicating PKCS12, I recommend changing the
StandardRestrictedSSLContextService to use PKCS12 instead of JKS for the
Key Store Type and Trust Store Type.

Regards,
David Handermann

On Thu, Jul 21, 2022 at 1:30 PM Russell Bateman <ru...@windofkeltia.com>
wrote:

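The root cause David points to, as an added example that is not from this thread or from the NiFi project: since JDK 9, keytool writes PKCS12 by default even when the file is named .jks, so a Keystore Type of JKS in StandardRestrictedSSLContextService fails validation against a PKCS12 file and surfaces as a password mismatch. The check below reads the file header instead of trusting the extension; the function names and the sample header bytes are constructed for this example.

```python
import struct
from typing import Optional

# Magic numbers of the two legacy Java keystore formats. PKCS12 has no
# magic: it is a DER-encoded PFX whose first byte is an ASN.1 SEQUENCE tag.
JKS_MAGIC = 0xFEEDFEED
JCEKS_MAGIC = 0xCECECECE
DER_SEQUENCE_TAG = 0x30


def detect_keystore_type(data: bytes) -> str:
    """Classify keystore bytes by their header, ignoring the file extension."""
    if len(data) < 4:
        return "UNKNOWN"
    magic = struct.unpack(">I", data[:4])[0]
    if magic == JKS_MAGIC:
        return "JKS"
    if magic == JCEKS_MAGIC:
        return "JCEKS"
    if data[0] == DER_SEQUENCE_TAG:
        # Heuristic: any DER SEQUENCE matches; `keytool -list -v` confirms it
        # with its "Keystore type:" line, as in the thread.
        return "PKCS12"
    return "UNKNOWN"


def keystore_type_mismatch(configured: str, data: bytes) -> Optional[str]:
    """Return a diagnostic when the configured type does not match the file,
    else None. The thread's case is a JKS setting on a PKCS12 file."""
    actual = detect_keystore_type(data)
    if actual == configured.upper():
        return None
    return (f"configured type {configured.upper()} but file header says {actual}; "
            f"set Keystore Type to {actual} or regenerate the store with "
            f"keytool -storetype {configured.upper()}")


def check_file(path: str, configured: str) -> Optional[str]:
    """Read only the header of a keystore on disk and compare it."""
    with open(path, "rb") as fh:
        return keystore_type_mismatch(configured, fh.read(8))


# Constructed sample headers (not real keystores): a JKS header with version 2
# and one entry, and the opening bytes of a PKCS12 PFX (SEQUENCE, version 3).
SAMPLE_JKS = bytes.fromhex("feedfeed0000000200000001")
SAMPLE_PKCS12 = bytes.fromhex("30820aa50201033082")

if __name__ == "__main__":
    print(keystore_type_mismatch("JKS", SAMPLE_PKCS12))
```

Run `check_file("mdmi-keystore.jks", "JKS")` against the real file to get the same diagnostic, or None once the service's Keystore Type and Truststore Type match what keytool actually wrote.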

Re: Placement and specification of certificates for StandardRestrictedSSLContextService

Posted by Russell Bateman <ru...@windofkeltia.com>.
David,

Sadly, this is my experience. "changeit" works for me. And I tried 
reconfiguring the three passwords in 
StandardRestrictedSSLContextService to no avail.

    ~/dev/nifi/nifi-1.15.0/conf $ keytool -list -v -keystore mdmi-keystore.jks
    Enter keystore password: changeit
    Keystore type: PKCS12
    Keystore provider: SUN

    Your keystore contains 1 entry

    Alias name: mdmi
    Creation date: Jul 20, 2022
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=windofkeltia.com, OU=Unknown, O=Wind of Keltia, L=Provo,
    ST=UT, C=US
    Issuer: CN=windofkeltia.com, OU=Unknown, O=Wind of Keltia, L=Provo,
    ST=UT, C=US
    Serial number: 1e7288f7
    Valid from: Wed Jul 20 15:39:23 MDT 2022 until: Thu Jul 20 15:39:23
    MDT 2023
    Certificate fingerprints:
          SHA1: B9:58:6E:C1:0D:DA:1D:CF:7D:02:16:54:F2:FA:1F:C4:19:01:F5:1B
          SHA256:
    FF:0B:3B:4A:59:69:9B:B8:B3:23:1F:4E:72:03:C7:24:11:A9:DF:11:C6:76:89:32:44:F7:12:A4:26:F5:9D:4B
    Signature algorithm name: SHA256withRSA
    Subject Public Key Algorithm: 2048-bit RSA key
    Version: 3

    Extensions:

    #1: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 69 63 BD 7E 67 A1 EC 0A   54 3C 61 2F 51 D7 64 46  ic..g...T<a/Q.dF
    0010: FB F1 37 E2                                        ..7.
    ]
    ]

    *******************************************
    *******************************************

    ~/dev/nifi/nifi-1.15.0/conf $ keytool -list -v -keystore mdmi-truststore.jks
    Enter keystore password: changeit
    Keystore type: PKCS12
    Keystore provider: SUN

    Your keystore contains 1 entry

    Alias name: mdmi
    Creation date: Jul 21, 2022
    Entry type: trustedCertEntry

    Owner: CN=windofkeltia.com, OU=Unknown, O=Wind of Keltia, L=Provo,
    ST=UT, C=US
    Issuer: CN=windofkeltia.com, OU=Unknown, O=Wind of Keltia, L=Provo,
    ST=UT, C=US
    Serial number: 1e7288f7
    Valid from: Wed Jul 20 15:39:23 MDT 2022 until: Thu Jul 20 15:39:23
    MDT 2023
    Certificate fingerprints:
          SHA1: B9:58:6E:C1:0D:DA:1D:CF:7D:02:16:54:F2:FA:1F:C4:19:01:F5:1B
          SHA256:
    FF:0B:3B:4A:59:69:9B:B8:B3:23:1F:4E:72:03:C7:24:11:A9:DF:11:C6:76:89:32:44:F7:12:A4:26:F5:9D:4B
    Signature algorithm name: SHA256withRSA
    Subject Public Key Algorithm: 2048-bit RSA key
    Version: 3

    Extensions:

    #1: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 69 63 BD 7E 67 A1 EC 0A   54 3C 61 2F 51 D7 64 46  ic..g...T<a/Q.dF
    0010: FB F1 37 E2                                        ..7.
    ]
    ]

    *******************************************
    *******************************************


On 7/21/22 08:01, David Handermann wrote:

Re: Placement and specification of certificates for StandardRestrictedSSLContextService

Posted by David Handermann <ex...@apache.org>.
Hi Russell,

Thanks for describing the steps used to generate the keystore and
truststore files.

The validation warnings on StandardRestrictedSSLContextService appear to
indicate that the configured password properties do not match the keystore
and truststore passwords.

It would be helpful to enter the password properties again and confirm that
there are no trailing spaces.

The following keytool commands can also be used to verify the passwords:

keytool -list -v -keystore mdmi-keystore.jks
keytool -list -v -keystore mdmi-truststore.jks

The configuration appears to be correct, so confirming the password on both
files is a good next step.

Regards,
David Handermann

On Wed, Jul 20, 2022 at 5:30 PM Russell Bateman <ru...@windofkeltia.com>
wrote: