Posted to issues@nifi.apache.org by GitBox <gi...@apache.org> on 2020/04/17 13:12:21 UTC

[GitHub] [nifi] jfrazee commented on a change in pull request #4216: NIFI-7356 Enable TLS for embedded Zookeeper when NiFi has TLS enabled

jfrazee commented on a change in pull request #4216: NIFI-7356 Enable TLS for embedded Zookeeper when NiFi has TLS enabled
URL: https://github.com/apache/nifi/pull/4216#discussion_r410212219
 
 

 ##########
 File path: nifi-docs/src/main/asciidoc/administration-guide.adoc
 ##########
 @@ -2129,6 +2128,36 @@ java.arg.16=-Dsun.security.krb5.debug=true
 This will cause the debug output to be written to the NiFi Bootstrap log file. By default, this is located at _$NIFI_HOME/logs/nifi-bootstrap.log_.
 This output can be rather verbose but provides extremely valuable information for troubleshooting Kerberos failures.
 
+[[zk_tls]]
+=== Securing ZooKeeper with HTTPS
+By default, when configured for HTTPS communication (that is, valid values for `nifi.web.https.port` and related properties), NiFi will configure
+the embedded ZooKeeper server for secure communication. This automatic configuration copies the following properties:
+
+|====
+|*Source NiFi Property*|*Target ZooKeeper Property*|*Description*
+|`nifi.security.keystore`         |`ssl.keyStore.location`   | Key Store Path
+|`nifi.security.keystorePasswd`   |`ssl.keyStore.password`   | Key Store Password
+|`nifi.security.truststore`       |`ssl.trustStore.location` | Trust Store Path
+|`nifi.security.truststorePasswd` |`ssl.trustStore.password` | Trust Store Password
+|====
+
+NOTE: During the automatic configuration, NiFi will raise an exception and refuse to start if the ZooKeeper configuration contains some of these
+properties but not all.  Specify either all TLS properties or none.
+
+As an alternative to the automatic configuration, TLS communications can be enabled via system properties or in the configuration file specified by the
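
Review bot: The heading `=== Securing ZooKeeper with HTTPS` names the wrong protocol for what the section describes. The properties in the table are all `ssl.*` key store and trust store settings, and the last paragraph itself says "TLS communications", so "Securing ZooKeeper with TLS" would match the body and the `[[zk_tls]]` anchor. HTTPS is only the NiFi-side trigger (`nifi.web.https.port`), and the first sentence already says that. Separately, "This automatic configuration copies the following properties" does not say where the values end up. Since two of the four rows are passwords, the text should state whether they are applied in memory at startup or written into the ZooKeeper configuration file, so an administrator knows whether that file now needs the same file permissions as `nifi.properties`.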
 
 Review comment:
   Since we'd like to discourage this route, I think it'd be good to mention this in the context of earlier NiFi releases. Yes, we know it might still work in whatever version this merges into, but it's more helpful for those earlier releases.
