Posted to users@nifi.apache.org by Madhan Vishwas <ma...@gmail.com> on 2020/09/10 07:32:25 UTC

WebSocket Service - Using Trusted Certificates

Hi All,
I am using WebSocket for communication between two independently running
instances of NiFi.
SSLContextService is being used for Secure Communication (WSS).
Everything works fine and is tested with self-signed certificates.
However, I would like to make sure that the communication works only with
trusted Certificates. Is there some way this can be ensured?
Please advise.
Thanks in advance.
Madhan.

Re: WebSocket Service - Using Trusted Certificates

Posted by Andy LoPresto <al...@apache.org>.
I think the word “trusted” is doing a lot of work here. As it stands, only certificates that are either explicitly present or signed by a certificate present in the corresponding truststore will be accepted. If the certificate is self-signed, all that means is that an external entity (a certificate authority or CA) did not evaluate the identity & ownership of the certificate and sign it. So any certificate (self-signed or not) is still required to be “trusted” by the truststore for the connection to work. 

If you mean you want it to accept “any certificate signed by a generally accepted CA,” you can rely on a generic truststore. Your OS, browser(s), and even Java come with these truststores pre-populated with the public certificates of the commercial and government CAs (what allows your computer to connect to and verify a generic internet site out of the box). The Java Virtual Machine (JVM) from the JRE or JDK will contain a JKS truststore called “cacerts” with the default password “changeit”. The location will vary slightly depending on the version of Java you’re using, but look inside your Java home directory for “jre/lib/security/cacerts”.

Also, is there a reason you’re using web sockets between two NiFi instances? The NiFi Site-to-site protocol [1] offers a number of advantages. 

[1] https://medium.com/@abdelkrim.hadjidj/hub-and-spoke-architectures-with-nifi-site-to-site-communications-at-any-level-a-nifi-1-10-a8702f77c66e


Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
He/Him
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
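
The truststore rule described in the reply above can be checked directly. The following is an added example, not code from the thread or from NiFi: it lists the trust anchors in a truststore and asks the JVM's default trust manager whether a given peer certificate chain would be accepted. The class name `TruststoreCheck`, the command-line arguments, the PEM input file and the `"ECDHE_RSA"` key-exchange type are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Usage: java TruststoreCheck [truststore] [password] [peer-chain.pem]
public class TruststoreCheck {
    public static void main(String[] args) throws Exception {
        // Defaults: the JVM's bundled truststore and its default password.
        String path = args.length > 0 ? args[0]
                : System.getProperty("java.home") + "/lib/security/cacerts";
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            trustStore.load(in, password);
        }
        // A trust anchor is a CA or a pinned self-signed cert (subject == issuer).
        for (String alias : Collections.list(trustStore.aliases())) {
            if (!(trustStore.getCertificate(alias) instanceof X509Certificate)) continue;
            X509Certificate c = (X509Certificate) trustStore.getCertificate(alias);
            boolean selfSigned = c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
            System.out.printf("%-30s self-signed=%b %s%n", alias, selfSigned, c.getSubjectX500Principal());
        }
        if (args.length < 3) return;
        // Assumption: the PEM file holds the peer's chain, leaf certificate first.
        X509Certificate[] chain;
        try (InputStream in = new FileInputStream(args[2])) {
            chain = CertificateFactory.getInstance("X.509")
                    .generateCertificates(in).toArray(new X509Certificate[0]);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            try {
                // "ECDHE_RSA" is an assumed key-exchange type; it drives the key-usage check.
                ((X509TrustManager) tm).checkServerTrusted(chain, "ECDHE_RSA");
                System.out.println("ACCEPTED by " + path);
            } catch (CertificateException e) {
                System.out.println("REJECTED by " + path + ": " + e.getMessage());
            }
        }
    }
}
```

Run against the truststore configured in the SSLContextService, the listing shows exactly which anchors that connection will accept; a self-signed peer certificate is rejected by the default `cacerts` unless it has been imported there.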
