Posted to users@nifi.apache.org by James McMahon <js...@gmail.com> on 2022/12/27 21:13:08 UTC

Failing to start - keystore properties invalid

Hello. I am trying to start a secure instance of nifi version 1.16.3. I am
getting this error on start attempt:

2022-12-27 20:44:21,765 INFO [main] o.a.n.r.v.FileBasedVariableRegistry
Loaded a total of 90 properties.  Including precedence overrides effective
accessible registry key size is 90
2022-12-27 20:44:21,972 WARN [main]
o.a.nifi.security.util.SslContextFactory Some keystore properties are
populated (/opt/nifi/config_resources/keys/server.jks, ********, ********,
JKS) but not valid
2022-12-27 20:44:21,972 ERROR [main]
o.apache.nifi.controller.FlowController Unable to start the flow controller
because the TLS configuration was invalid: The keystore properties are not
valid
2022-12-27 20:44:22,009 ERROR [main] o.s.web.context.ContextLoader Context
initialization failed
org.springframework.beans.factory.BeanCreationException: Error creating
bean with name
'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration':
Initialization of bean failed; nested exception is
org.springframework.beans.factory.UnsatisfiedDependencyException: Error
creating bean with name
'org.apache.nifi.web.NiFiWebApiSecurityConfiguration': Unsatisfied
dependency expressed through method 'setJwtAuthenticationProvider'
parameter 0; nested exception is
org.springframework.beans.factory.UnsatisfiedDependencyException: Error
creating bean with name
'org.apache.nifi.web.security.configuration.JwtAuthenticationSecurityConfiguration':
Unsatisfied dependency expressed through constructor parameter 3; nested
exception is org.springframework.beans.factory.BeanCreationException: Error
creating bean with name 'flowController': FactoryBean threw exception on
object creation; nested exception is java.lang.IllegalStateException: Flow
controller TLS configuration is invalid



This is what my nifi.properties file looks like in this section:

# security properties #
nifi.sensitive.props.key=A_KEY_HERE
nifi.sensitive.props.key.protected=
nifi.sensitive.props.algorithm=NIFI_PBKDF2_AES_GCM_256
nifi.sensitive.props.additional.keys=

nifi.security.autoreload.enabled=false
nifi.security.autoreload.interval=10 secs
nifi.security.keystore=/opt/nifi/config_resources/keys/server.jks
nifi.security.keystoreType=JKS
nifi.security.keystorePasswd=b0gu5passw0r2!
nifi.security.keyPasswd=b0gu5passw0r2!
nifi.security.truststore=/opt/nifi/config_resources/keys/truststore.jks
nifi.security.truststoreType=JKS
nifi.security.truststorePasswd=Diff3r3ntBoguspwd#
nifi.security.user.authorizer=managed-authorizer
nifi.security.allow.anonymous.authentication=false
nifi.security.user.login.identity.provider=
nifi.security.user.jws.key.rotation.period=
nifi.security.ocsp.responder.url=
nifi.security.ocsp.responder.certificate=

I have verified the password for my keystore at the command line (this
works):

sudo keytool -list -v -keystore server.jks
Enter keystore password: b0gu5passw0r2!
(....I see the result....)

These JKS files were converted by me from a cacert.pem (to truststore.jks)
and a server.pfx (for server.jks) using keytool. The cacert.pem and the
server.pfx were created by me at TinyCert.org.

I thought my keyPasswd should be the same as my keystorePasswd, but am I
wrong about that? Is it possible that the keyPasswd is the password or
passphrase I employed when I created the original server.pfx file?

What is this error telling me, and how can I fix it?

To summarize, this is how I got to where I am:
I created a cacert.pem, an admin.pfx, server.pfx, and client1.pfx using
TinyCert.
While in TinyCert.org I was in with a password and a passphrase.
I transferred those to my keys directory under my nifi install and used
keytool to create a truststore.jks, a server.jks, a client1.jks, and an
admin.jks keystore file.
Each jks has its own password.
I can look at the contents of my truststore.jks, my admin.jks, my
server.jks, and my client1.jks using keytool, with the password I provided
to keytool for admin at the time of conversion.

Jim

Re: Failing to start - keystore properties invalid

Posted by James McMahon <js...@gmail.com>.
This morning through further research I came across this by Bryan Bende: Apache
NiFi 1.14.0 - Secure by Default (bryanbende.com)
<https://bryanbende.com/development/2021/07/19/apache-nifi-1-14-0-secure-by-default>
It appears that beginning with Apache NiFi 1.14.0, it is possible to have
nifi establish the truststore and keystore if they are not present at
startup. So I tried this, bearing in mind that I am trying to start up
v1.16.3.

My nifi.properties has these parms set in it:
nifi.web.https.host=ec2-52-4-149-72.compute-1.amazonaws.com
nifi.web.https.port=8443
nifi.security.autoreload.enabled=false
nifi.security.autoreload.interval=10 secs
nifi.security.keystore=./conf/keystore.p12
nifi.security.keystoreType=PKCS12
nifi.security.keystorePasswd=
nifi.security.keyPasswd=
nifi.security.truststore=./conf/truststore.p12
nifi.security.truststoreType=PKCS12
nifi.security.truststorePasswd=
nifi.security.user.authorizer=single-user-authorizer
nifi.security.allow.anonymous.authentication=false
nifi.security.user.login.identity.provider=single-user-provider


My authorizers.xml:
<authorizers>
    <authorizer>
        <identifier>single-user-authorizer</identifier>
        <class>org.apache.nifi.authorization.single.user.SingleUserAuthorizer</class>
    </authorizer>
</authorizers>

My login-identity-providers.xml:
<provider>
    <identifier>single-user-provider</identifier>
    <class>org.apache.nifi.authentication.single.user.SingleUserLoginIdentityProvider</class>
    <property name="Username"/>
    <property name="Password"/>
</provider>

And even in this minimalist state, startup fails with this entry in the
nifi-app.log:
2022-12-28 13:59:21,744 INFO [main] o.a.n.r.v.FileBasedVariableRegistry
Loaded a total of 90 properties.  Including precedence overrides effective
accessible registry key size is 90
2022-12-28 13:59:22,117 WARN [main]
o.a.nifi.security.util.SslContextFactory Some truststore properties are
populated (./conf/truststore.p12, null, PKCS12) but not valid
2022-12-28 13:59:22,117 ERROR [main]
o.apache.nifi.controller.FlowController Unable to start the flow controller
because the TLS configuration was invalid: The truststore properties are not
valid
2022-12-28 13:59:22,154 ERROR [main] o.s.web.context.ContextLoader Context
initialization failed
org.springframework.beans.factory.BeanCreationException: Error creating
bean with name
'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration':
Initialization of bean failed; nested exception is
org.springframework.beans.factory.UnsatisfiedDependencyException: Error
creating bean with name 'org.apache.nifi.web.NiFiWebApiSecurityConfiguration':
Unsatisfied dependency expressed through method 'setJwtAuthenticationProvider'
parameter 0; nested exception is
org.springframework.beans.factory.UnsatisfiedDependencyException: Error
creating bean with name
'org.apache.nifi.web.security.configuration.JwtAuthenticationSecurityConfiguration':
Unsatisfied dependency expressed through constructor parameter 3; nested
exception is org.springframework.beans.factory.BeanCreationException: Error
creating bean with name 'flowController': FactoryBean threw exception on
object creation; nested exception is java.lang.IllegalStateException: Flow
controller TLS configuration is invalid


Bryan, if you see this can you please comment?

On Tue, Dec 27, 2022 at 4:13 PM James McMahon <js...@gmail.com> wrote:

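The "populated ... but not valid" warning in both logs above bundles several distinct checks: does the store file load with the store password, does the key password unlock the private key (the keystorePasswd versus keyPasswd question in the first post), and does the truststore actually hold a trusted certificate (the second post's null-password truststore). The following is an added example using the JDK KeyStore API, not NiFi's own code or the poster's; the class name TlsPropsCheck is made up, and the paths and sample passwords are the ones from the posted nifi.properties.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Collections;

// Hypothetical helper, not NiFi code: splits the "populated ... but not valid"
// warning into separate store-password, key-password and contents checks.
public class TlsPropsCheck {
    // null when the keystore loads and every private key unlocks; else a reason
    static String checkKeystore(String path, String type, String storePass, String keyPass) {
        try (InputStream in = new FileInputStream(path)) {
            KeyStore ks = KeyStore.getInstance(type);
            ks.load(in, storePass.toCharArray()); // wrong keystorePasswd fails here
            boolean sawKey = false;
            for (String alias : Collections.list(ks.aliases())) {
                if (!ks.isKeyEntry(alias)) continue;
                sawKey = true;
                ks.getKey(alias, keyPass.toCharArray()); // wrong keyPasswd fails here
            }
            return sawKey ? null : "no private key entry in " + path;
        } catch (UnrecoverableKeyException e) {
            return "nifi.security.keyPasswd does not unlock the key: " + e.getMessage();
        } catch (Exception e) {
            return "keystore path/type/keystorePasswd problem: " + e.getMessage();
        }
    }
    // null when the truststore loads and holds a trusted certificate; else a reason
    static String checkTruststore(String path, String type, String storePass) {
        try (InputStream in = new FileInputStream(path)) {
            KeyStore ts = KeyStore.getInstance(type);
            // an empty truststorePasswd is what the posted log printed as "null"
            char[] pw = (storePass == null || storePass.isEmpty()) ? null : storePass.toCharArray();
            ts.load(in, pw);
            for (String alias : Collections.list(ts.aliases())) {
                if (ts.isCertificateEntry(alias)) return null;
            }
            return "no trusted certificate entry in " + path;
        } catch (Exception e) {
            return "truststore path/type/truststorePasswd problem: " + e.getMessage();
        }
    }
    public static void main(String[] args) { // values from the posted nifi.properties
        String dir = "/opt/nifi/config_resources/keys/";
        String ks = checkKeystore(dir + "server.jks", "JKS", "b0gu5passw0r2!", "b0gu5passw0r2!");
        String ts = checkTruststore(dir + "truststore.jks", "JKS", "Diff3r3ntBoguspwd#");
        System.out.println("keystore: " + (ks == null ? "OK" : ks));
        System.out.println("truststore: " + (ts == null ? "OK" : ts));
    }
}
```

A keystore that passes the store-password step but fails with UnrecoverableKeyException points at nifi.security.keyPasswd rather than nifi.security.keystorePasswd, which `keytool -list` alone cannot tell you because it only asks for the store password.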

Re: Failing to start - keystore properties invalid

Posted by Jorge Machado <jo...@me.com>.
Hi James,

Can it be that you are trying to start nifi with ssl without authentication? Looks like that...

> On 27. Dec 2022, at 22:13, James McMahon <js...@gmail.com> wrote: