Posted to commits@nifi.apache.org by "Andy LoPresto (Jira)" <ji...@apache.org> on 2020/03/25 22:32:00 UTC

[jira] [Commented] (MINIFI-525) Improve documentation for secure MiNiFi

    [ https://issues.apache.org/jira/browse/MINIFI-525?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17067187#comment-17067187 ] 

Andy LoPresto commented on MINIFI-525:
--------------------------------------

Here is the conversation which led to the resolution of the underlying issue and prompted the creation of this ticket for context:

{quote}
Timothy Fleming  09:33
@channel  When setting up MiNiFi for secure site-to-site provenance reporting, the docs say that an SSL context is created automatically once the keystore properties are defined in bootstrap.conf.  I've done that but getting the following error...
2020-03-24 23:00:19,371 WARN [Http Site-to-Site PeerSelector] o.a.n.r.util.SiteToSiteRestApiClient Failed to get controller from https://hawkeye-msn:8443/nifi-api due to javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Is this due to the http client not accepting the ssl (self-signed) certificate the nifi instance is giving?  Or is this the nifi instance wanting the client cert for authentication?

Bryan Bende  09:35
it should mean that the truststore used by minifi is not trusting the certificate presented by nifi

Timothy Fleming  09:39
I thought that might be the case so I added the nifi ssl cert to the minifi truststore.  It didn't help.
09:40
All the keys/certs were created with tls-toolkit using the same CA.

Bryan Bende  09:45
so then minifi truststore should be same as nifi truststore, since truststore should have the CA public key

Timothy Fleming  09:46
I'll verify that.
09:49
Hmmm, interesting.  They are not the same.  Cert name is the same but one is sha1, the other sha-256.  I'll have to revisit my cert generation.  Thanks

Timothy Fleming  10:57
Regenerated the certs.  Verified the truststores are the same between nifi and minifi.  scp the truststore to the minifi instance.  On the nifi server keytool says the minifi truststore is an sha1 cert.  On the minifi server keytool says it's an sha-256 cert so I can't verify the fingerprints.  The default for tls-toolkit is sha-256 so I'm going to assume that's what it is.  The PKIX path error is still going on.

Bryan Bende  11:00
you regenerated the certs for just minifi or nifi too?

Timothy Fleming  11:00
both
11:01
both truststores are the same where I generated them.

Bryan Bende  11:01
ok so then you copied out the keystores/truststores from where you generated them to both minifi and nifi?

Timothy Fleming  11:02
yes.  and updated the passwords in the respective conf files
11:02
restarted both
11:03
any idea why keytool is saying sha1 on one server and sha-256 on another?  same truststore

Andy LoPresto  11:03
A certificate doesn’t contain those fingerprints.
11:04
It gets calculated by the tool (in this case keytool) over the certificate. (edited) 

Timothy Fleming  11:04
ah

Andy LoPresto  11:04
So on machine A you can generate a SHA-1, on machine B you can generate SHA-256 if you want.
11:04
Now, I am not sure why the same tool would choose a different digest algorithm on each.
11:04
Do you have the same version of Java installed on both?

Timothy Fleming  11:05
let me check...
11:05
no, java 11 on minifi, java 8 on nifi
11:06
so that probably explains the diff

Andy LoPresto  11:06
You can also externally check the consistency of the truststores by just running openssl dgst -sha256 truststore.jks on both.
11:06
That won’t fingerprint the individual entries in the truststore, just verify that the file is identical.

Timothy Fleming  11:07
Ok, I used that and the files are identical.

Andy LoPresto  11:08
Ok now use keytool -list -v -keystore truststore.jks to see the trustedCertEntry for the NiFi server.
11:08
It should show the full certificate chain all the way up to the CA you used when generating it.
11:08
If it’s not present, that would explain the PKIX error you’re seeing.
11:09
I also am not confident that MiNiFi is “certified” (we don’t certify any software) for Java 11. (edited) 
11:09
I know NiFi can run on it.
11:09
Not sure anyone did the effort for MiNiFi Java.

Aldrin  11:09
minifi is not beyond 8 at this juncture
11:10
would start there to level set and progress as needed

Timothy Fleming  11:10
the nifi cert generated its own CA using tls-toolkit standalone.
11:10
I used the same CA when I generated the minifi keystore/truststore

Andy LoPresto  11:11
Ok so then the MiNiFi truststore NiFi keystore entry should contain 2 certificates. NiFi CA -> NiFi. (edited) 

Timothy Fleming  11:13
Only one certificate.  The CA
11:13
it appears

Andy LoPresto  11:13
I’m sorry, that’s fine. I meant the keystore.
11:13
So now let’s check the NiFi keystore to ensure it’s presenting both.
11:14
keytool -list -v -keystore <nifi-keystore.jks>.

Timothy Fleming  11:14
keystore has 2

Andy LoPresto  11:14
Can you paste the output here please?

Timothy Fleming  11:15
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: nifi-key
Creation date: Mar 25, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=hawkeye-epn, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: 17112a0066100000000
Valid from: Wed Mar 25 16:56:49 UTC 2020 until: Tue Jun 28 16:56:49 UTC 2022
Certificate fingerprints:
         SHA1: 1A:EE:F6:D8:CE:37:7B:3E:70:64:BC:C1:84:7C:F6:CA:57:CA:4D:35
         SHA256: DE:74:69:2B:38:82:67:ab:D3:1E:82:CE:AC:EE:37:C5:47:DC:CA:73:77:F2:24:FE:77:8B:D0:48:6E:DD:0F:E6
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A6 5D CE 65 B4 FB D6 BA   01 F5 A0 E2 50 96 3B 65  .].e........P.;e
0010: 2C 87 FF E5                                        ,...
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]
#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  clientAuth
  serverAuth
]
#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_Encipherment
  Data_Encipherment
  Key_Agreement
]
#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: hawkeye-epn
  DNSName: ec2-34-235-236-126.compute-1.amazonaws.com
]
#6: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 3B 2D C8 55 8B 6F F8 3C   D4 E1 58 5F 05 D4 C7 AC  ;-.U.o.<..X_....
0010: 97 9A 4A AC                                        ..J.
]
]
Certificate[2]:
Owner: CN=localhost, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: 171129f8acd00000000
Valid from: Wed Mar 25 16:56:17 UTC 2020 until: Tue Jun 28 16:56:17 UTC 2022
Certificate fingerprints:
         SHA1: 32:F2:8B:BC:C8:C5:D8:D7:EB:5A:AD:6B:A1:1F:7E:75:8C:B6:04:AA
         SHA256: 0D:AD:DC:54:BC:D5:68:27:02:C3:E6:91:86:29:58:4C:14:30:3A:38:CA:63:FF:14:18:96:A3:CB:68:30:B3:F0
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A6 5D CE 65 B4 FB D6 BA   01 F5 A0 E2 50 96 3B 65  .].e........P.;e
0010: 2C 87 FF E5                                        ,...
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]
#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  clientAuth
  serverAuth
]
#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_Encipherment
  Data_Encipherment
  Key_Agreement
  Key_CertSign
  Crl_Sign
]
#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A6 5D CE 65 B4 FB D6 BA   01 F5 A0 E2 50 96 3B 65  .].e........P.;e
0010: 2C 87 FF E5                                        ,...
]
]
*******************************************
*******************************************
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12".

Andy LoPresto  11:16
Ok the hostname for this cert is hawkeye-epn and in the original error it was trying to connect to hawkeye-msn?

Timothy Fleming  11:17
Yes, epn is the minifi instance, msn is the nifi instance.

Andy LoPresto  11:17
So what you just pasted is the keystore of the MiNiFi instance, rather than the NiFi instance?

Timothy Fleming  11:17
yes
11:18
you want nifi keystore?

Andy LoPresto  11:18
Please paste the output for the NiFi instance.

Timothy Fleming  11:18
keystore?

Andy LoPresto  11:18
Yes.

Timothy Fleming  11:18
ok
11:19
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: nifi-key
Creation date: Mar 25, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=hawkeye-msn, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: 171129f8d4300000000
Valid from: Wed Mar 25 12:56:18 EDT 2020 until: Tue Jun 28 12:56:18 EDT 2022
Certificate fingerprints:
         MD5:  C2:38:F2:BB:8D:D4:0A:02:E9:49:D2:7D:11:61:EB:F4
         SHA1: B3:B5:12:52:FA:0A:C4:88:03:2F:B8:9A:F9:7D:9A:28:91:F3:37:64
         SHA256: F0:A2:6B:43:5E:D9:15:2C:DB:29:CC:64:4F:A3:A1:23:9B:DA:42:F1:77:C2:A1:05:F9:C5:16:53:A0:4D:56:74
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A6 5D CE 65 B4 FB D6 BA   01 F5 A0 E2 50 96 3B 65  .].e........P.;e
0010: 2C 87 FF E5                                        ,...
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]
#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  clientAuth
  serverAuth
]
#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_Encipherment
  Data_Encipherment
  Key_Agreement
]
#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: hawkeye-msn
]
#6: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 44 5C 05 B5 A7 71 72 E2   96 2B F1 F3 8A 0C 73 CC  D\...qr..+....s.
0010: 8B 86 EA 57                                        ...W
]
]
Certificate[2]:
Owner: CN=localhost, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: 171129f8acd00000000
Valid from: Wed Mar 25 12:56:17 EDT 2020 until: Tue Jun 28 12:56:17 EDT 2022
Certificate fingerprints:
         MD5:  1C:7F:F0:4C:64:E2:FA:5E:CC:37:C9:CC:7D:91:91:87
         SHA1: 32:F2:8B:BC:C8:C5:D8:D7:EB:5A:AD:6B:A1:1F:7E:75:8C:B6:04:AA
         SHA256: 0D:AD:DC:54:BC:D5:68:27:02:C3:E6:91:86:29:58:4C:14:30:3A:38:CA:63:FF:14:18:96:A3:CB:68:30:B3:F0
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A6 5D CE 65 B4 FB D6 BA   01 F5 A0 E2 50 96 3B 65  .].e........P.;e
0010: 2C 87 FF E5                                        ,...
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]
#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  clientAuth
  serverAuth
]
#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_Encipherment
  Data_Encipherment
  Key_Agreement
  Key_CertSign
  Crl_Sign
]
#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A6 5D CE 65 B4 FB D6 BA   01 F5 A0 E2 50 96 3B 65  .].e........P.;e
0010: 2C 87 FF E5                                        ,...
]
]
*******************************************
*******************************************
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12".

Andy LoPresto  11:19
Ok so the CA cert is the same in both.
11:20
Can you paste the output of the MiNiFi truststore please?

Timothy Fleming  11:20
ok
11:21
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: nifi-cert
Creation date: Mar 25, 2020
Entry type: trustedCertEntry
Owner: CN=localhost, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: 171129f8acd00000000
Valid from: Wed Mar 25 16:56:17 UTC 2020 until: Tue Jun 28 16:56:17 UTC 2022
Certificate fingerprints:
         SHA1: 32:F2:8B:BC:C8:C5:D8:D7:EB:5A:AD:6B:A1:1F:7E:75:8C:B6:04:AA
         SHA256: 0D:AD:DC:54:BC:D5:68:27:02:C3:E6:91:86:29:58:4C:14:30:3A:38:CA:63:FF:14:18:96:A3:CB:68:30:B3:F0
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A6 5D CE 65 B4 FB D6 BA   01 F5 A0 E2 50 96 3B 65  .].e........P.;e
0010: 2C 87 FF E5                                        ,...
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]
#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  clientAuth
  serverAuth
]
#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_Encipherment
  Data_Encipherment
  Key_Agreement
  Key_CertSign
  Crl_Sign
]
#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A6 5D CE 65 B4 FB D6 BA   01 F5 A0 E2 50 96 3B 65  .].e........P.;e
0010: 2C 87 FF E5                                        ,...
]
]
*******************************************
*******************************************

Andy LoPresto  11:22
From the MiNiFi instance, can you run openssl s_client -connect hawkeye-msn:8443 -debug -state -cert nifi-cert.pem -key nifi-key.key -CAfile nifi-cert.pem ?

Timothy Fleming  11:23
these are the client certs right?

Andy LoPresto  11:24
In this case I am just referencing the CA certificates because they are already in the proper format and will work.
11:24
But if you have converted your client certificates from PKCS12 to PEM-encoded cert and key, you can use that as well.

Timothy Fleming  11:24
ok, just a sec
11:27
I don't have the nifi-cert.pem and nifi-key.key files so I ran it without them.  Here is the output...

Andy LoPresto  11:27
Those two files will be in the directory where you ran the TLS Toolkit.
11:28
You need them for the results of this command to be meaningful.

Timothy Fleming  11:28
ah, ok

Andy LoPresto  11:28
Otherwise the TLS handshake won’t occur.

Timothy Fleming  11:30
It got the cert...
11:30
-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----

Andy LoPresto  11:30
There should be a lot more output than that.

Timothy Fleming  11:31
There was.  Too long to paste.

Andy LoPresto  11:31
And that is only a single certificate. We would like NiFi to be presenting multiple certificates to form the full chain.
11:31
Please paste it as a gist then. gist.github.com.

Timothy Fleming  11:33
https://gist.github.com/magichome/b0914f8b3822588e7f5ecb8876560a16

Andy LoPresto  11:35
Ok so that command executed successfully.

Timothy Fleming  11:36
Is it possible that minifi isn't picking up the truststore.jks and instead using the java keystore?

Andy LoPresto  11:36
Can you show your config.yaml file for MiNiFi?

Timothy Fleming  11:37
The problem is provenance reporting which is in bootstrap.conf

Andy LoPresto  11:38
Can you please show your config.yaml file for MiNiFi? (edited) 

Timothy Fleming  11:39
yes, just a sec
11:39
https://gist.github.com/magichome/9745f7400687227a4d47c5eff79afe83

Andy LoPresto  11:40
This shows nothing configured for keystore or truststore? https://gist.github.com/magichome/9745f7400687227a4d47c5eff79afe83#file-gistfile1-txt-L33

Timothy Fleming  11:40
yes, I see that.
11:40
My understanding is those are taken from the bootstrap.conf for provenance reporting.

Andy LoPresto  11:40
No.
11:41
https://nifi.apache.org/minifi/system-admin-guide.html Scroll down to “Example Config File”.
11:43
In order for MiNiFi to connect to a NiFi instance which requires mutual authentication TLS, it must have the valid keystore and truststore in the configuration.

Timothy Fleming  11:43
ok.  I read that multiple times and somehow got in my mind that it created the ssl_context from the bootstrap.conf file.

Andy LoPresto  11:44
Please let us know what part indicated that so we can correct/improve it.

Timothy Fleming  11:44
are the security properties in bootstrap.conf used anywhere?

Andy LoPresto  11:44
MiNiFi transforms the config.yml file into nifi.properties and bootstrap.conf.
11:44
So as a MiNiFi admin, you should only care about config.yml.
11:45
Can you share your generated bootstrap.conf?

Timothy Fleming  11:45
# Java command to use when running MiNiFi
java=java
# Username to use when running MiNiFi. This value will be ignored on Windows.
run.as=hawkeye
# Configure where MiNiFi's lib and conf directories live
# When running as a Windows service set full paths instead of relative paths
lib.dir=./lib
conf.dir=./conf
# How long to wait after telling MiNiFi to shutdown before explicitly killing the Process
graceful.shutdown.seconds=20
# The location for the configuration file
# When running as a Windows service use the full path to the file
nifi.minifi.config=./conf/config.yml
# Security Properties #
# These properties take precedence over any equivalent properties specified in config.yml #
nifi.minifi.security.keystore=./conf/keystore.jks
nifi.minifi.security.keystoreType=jks
nifi.minifi.security.truststore=./conf/truststore.jks
nifi.minifi.security.truststoreType=jks
nifi.minifi.security.ssl.protocol=TLS
nifi.minifi.security.keystorePasswd=mDMJVEWX5k3ZCqNHZ33ppSYnBKkX9a2oRGRUu7r04fo
nifi.minifi.security.keyPasswd=mDMJVEWX5k3ZCqNHZ33ppSYnBKkX9a2oRGRUu7r04fo
nifi.minifi.security.truststorePasswd=T8/U2R5k8x9WzQV9cxLcD817v2kBQv4Y62anIeOm1+U
nifi.minifi.sensitive.props.key=
nifi.minifi.sensitive.props.algorithm=
nifi.minifi.sensitive.props.provider=
# Provenance Reporting Properties #
# These properties take precedence over any equivalent properties specified in the config.yml #
nifi.minifi.provenance.reporting.comment=
nifi.minifi.provenance.reporting.scheduling.strategy=TIMER_DRIVEN
nifi.minifi.provenance.reporting.scheduling.period=5 mins
nifi.minifi.provenance.reporting.destination.url=http://hawkeye-rn1:8443
nifi.minifi.provenance.reporting.input.port.name=provenanceInputPort
nifi.minifi.provenance.reporting.instance.url=http://${hostname(true)}
nifi.minifi.provenance.reporting.batch.size=
nifi.minifi.provenance.reporting.communications.timeout=
# Notifiers to use for the associated agent, comma separated list of class names
nifi.minifi.notifier.ingestors=org.apache.nifi.minifi.bootstrap.configuration.ingestors.FileChangeIngestor
#nifi.minifi.notifier.ingestors=org.apache.nifi.minifi.bootstrap.configuration.ingestors.RestChangeIngestor
#nifi.minifi.notifier.ingestors=org.apache.nifi.minifi.bootstrap.configuration.ingestors.PullHttpChangeIngestor
# File change notifier configuration
# Path of the file to monitor for changes.  When these occur, the FileChangeNotifier, if configured, will begin the configuration reloading process
nifi.minifi.notifier.ingestors.file.config.path=/var/local/hawkeye/conf
# How frequently the file specified by 'nifi.minifi.notifier.file.config.path' should be evaluated for changes.
nifi.minifi.notifier.ingestors.file.polling.period.seconds=60
# Rest change notifier configuration
# Port on which the Jetty server will bind to, keep commented for a random open port
#nifi.minifi.notifier.ingestors.receive.http.port=8338
#Pull HTTP change notifier configuration
# Hostname on which to pull configurations from
#nifi.minifi.notifier.ingestors.pull.http.hostname=hawkeye-msn
# Port on which to pull configurations from
#nifi.minifi.notifier.ingestors.pull.http.port=10080
# Path to pull configurations from
#nifi.minifi.notifier.ingestors.pull.http.path=/c2/config
# Query string to pull configurations with
#nifi.minifi.notifier.ingestors.pull.http.query=class=Endpoint
# Period on which to pull configurations from, defaults to 5 minutes if commented out
#nifi.minifi.notifier.ingestors.pull.http.period.ms=300000
# Periodic Status Reporters to use for the associated agent, comma separated list of class names
#nifi.minifi.status.reporter.components=org.apache.nifi.minifi.bootstrap.status.reporters.StatusLogger
# Periodic Status Logger configuration
# The FlowStatus query to submit to the MiNiFi instance
#nifi.minifi.status.reporter.log.query=instance:health,bulletins
# The log level at which the status will be logged
#nifi.minifi.status.reporter.log.level=INFO
# The period (in milliseconds) at which to log the status
#nifi.minifi.status.reporter.log.period=60000
# Disable JSR 199 so that we can use JSP's without running a JDK
java.arg.1=-Dorg.apache.jasper.compiler.disablejsr199=true
# JVM memory settings
java.arg.2=-Xms256m
java.arg.3=-Xmx256m
# Enable Remote Debugging
#java.arg.debug=-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=8000
java.arg.4=-Djava.net.preferIPv4Stack=true
# allowRestrictedHeaders is required for Cluster/Node communications to work properly
java.arg.5=-Dsun.net.http.allowRestrictedHeaders=true
java.arg.6=-Djava.protocol.handler.pkgs=sun.net.www.protocol
# Sets the provider of SecureRandom to /dev/urandom to prevent blocking on VMs
java.arg.7=-Djava.security.egd=file:/dev/urandom
# The G1GC is still considered experimental but has proven to be very advantageous in providing great
# performance without significant "stop-the-world" delays.
#java.arg.13=-XX:+UseG1GC
#Set headless mode by default
java.arg.14=-Djava.awt.headless=true
11:46
I knew nifi.properties was generated but didn't know bootstrap.conf was too.
11:46
The secrets are in bootstrap so it doesn't seem to be generated.
11:46
this is minifi 0.5.0

Andy LoPresto  11:52
I’m investigating the bootstrap.conf properties. In the meantime, can you rename that file to bootstrap.conf.bak and then add the keystore & truststore configs to your config.yml file please?

Timothy Fleming  11:52
yes, I'll do that
11:56
Exception in thread "main" java.io.FileNotFoundException: /home/hawkeye/minifi-0.5.0/conf/bootstrap.conf (No such file or directory)

Andy LoPresto  11:57
Ok. The configuration handling apparently changed in a recent release.

Timothy Fleming  11:58
Adding security to config.yml fixed the problem.

Andy LoPresto  11:58
Put the bootstrap.conf back but keep the keystore configs in config.yml.
11:58
Ok.

Timothy Fleming  11:58
yes
11:58
sorry for the misunderstanding on my part.

Andy LoPresto  11:58
Please open a MINIFI Java Jira containing this conversation requesting improved documentation.
11:58
I can either do it or get someone on my team to.

Timothy Fleming  11:59
I'll do a jira ticket.  I discovered that nifi.properties was generated but never read that in the docs.
11:59
Thanks for your help!

Andy LoPresto  12:00
You’re welcome.
{quote}

> Improve documentation for secure MiNiFi
> ---------------------------------------
>
>                 Key: MINIFI-525
>                 URL: https://issues.apache.org/jira/browse/MINIFI-525
>             Project: Apache NiFi MiNiFi
>          Issue Type: Improvement
>          Components: Documentation
>    Affects Versions: 0.5.0
>            Reporter: Timothy Fleming
>            Priority: Minor
>
> It is not clear that keystore/truststore must be configured in the config.yml file.  For example, the Admin doc states:
> *Note:* In order to send via HTTPS, the "Security Properties" must be fully configured. A StandardSSLContextService will be made automatically with the ID "SSL-Context-Service" and used by the Provenance Reporting.
> There are security properties in bootstrap.conf, nifi.properties, and config.yml.  Further, I did not see any documentation that states bootstrap.conf and nifi.properties are generated from config.yml.  It would help if that was stated early.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
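The checks walked through in the thread above (is the file byte-identical on both hosts, does the truststore's integrity digest verify under the configured password, which trustedCertEntry aliases does keytool list, and is the CA that signed the NiFi server chain actually among them) can be scripted without a JDK on the agent. The following is an added example, not code from the MiNiFi or NiFi projects or from anyone in the thread. It reads the JKS container directly, with the layout and "Mighty Aphrodite" integrity digest taken from OpenJDK's sun.security.provider.JavaKeyStore, and computes fingerprints over the stored certificate bytes the same way keytool does, which is why Java 8 printed MD5/SHA1/SHA256 and Java 11 only SHA1/SHA256 for the very same certificate. The "certificates" in the demo are constructed placeholder byte strings rather than real X.509 DER, and the password "changeit" is assumed; everything else is the real format.

```python
"""JKS truststore inspector (added example; not MiNiFi/NiFi project code).
Layout and integrity digest follow OpenJDK's sun.security.provider.JavaKeyStore.
Demo certificates are constructed placeholder bytes, not real X.509 DER."""
import hashlib
import struct
import time

JKS_MAGIC = 0xFEEDFEED
TAG_PRIVATE_KEY = 1          # shown by keytool as PrivateKeyEntry
TAG_TRUSTED_CERT = 2         # shown by keytool as trustedCertEntry
_SALT = b"Mighty Aphrodite"  # constant JavaKeyStore mixes into its digest


def _utf(s: str) -> bytes:
    # DataOutputStream.writeUTF: 2-byte length + (modified) UTF-8; ASCII here
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def _read_utf(buf: bytes, pos: int):
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n


def _prekeyed_sha1(password: str):
    md = hashlib.sha1()
    md.update(password.encode("utf-16-be"))  # Java chars, high byte first
    md.update(_SALT)
    return md


def write_jks_truststore(entries, password: str, ts_millis=None) -> bytes:
    """Build a version-2 JKS holding only trusted certs: [(alias, der_bytes)]."""
    ts = int(time.time() * 1000) if ts_millis is None else ts_millis
    body = struct.pack(">III", JKS_MAGIC, 2, len(entries))
    for alias, der in entries:
        body += struct.pack(">I", TAG_TRUSTED_CERT) + _utf(alias) + struct.pack(">q", ts)
        body += _utf("X.509") + struct.pack(">I", len(der)) + der
    md = _prekeyed_sha1(password)
    md.update(body)
    return body + md.digest()  # trailing SHA-1 over password||salt||body


def read_jks(blob: bytes, password=None):
    """Parse a JKS file -> (entries, integrity_ok). integrity_ok is None when no
    password is supplied, mirroring keytool -list with the password skipped."""
    magic, version, count = struct.unpack_from(">III", blob, 0)
    if magic != JKS_MAGIC or version not in (1, 2):
        raise ValueError("not a JKS keystore")
    pos, entries = 12, []
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        alias, pos = _read_utf(blob, pos)
        pos += 8  # creation timestamp (long, millis)
        if tag == TAG_PRIVATE_KEY:
            (klen,) = struct.unpack_from(">I", blob, pos)
            pos += 4 + klen  # skip the password-protected key blob
            (chain_len,) = struct.unpack_from(">I", blob, pos)
            pos += 4
        elif tag == TAG_TRUSTED_CERT:
            chain_len = 1
        else:
            raise ValueError(f"unknown JKS entry tag {tag}")
        certs = []
        for _ in range(chain_len):
            if version == 2:
                _cert_type, pos = _read_utf(blob, pos)  # always "X.509"
            (clen,) = struct.unpack_from(">I", blob, pos)
            pos += 4
            certs.append(blob[pos:pos + clen])
            pos += clen
        kind = "PrivateKeyEntry" if tag == TAG_PRIVATE_KEY else "trustedCertEntry"
        entries.append({"alias": alias, "type": kind, "certs": certs})
    integrity_ok = None
    if password is not None:
        md = _prekeyed_sha1(password)
        md.update(blob[:pos])
        integrity_ok = md.digest() == blob[pos:pos + 20]
    return entries, integrity_ok


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """keytool-style colon-separated digest of the raw certificate bytes."""
    return ":".join(f"{b:02X}" for b in hashlib.new(algo, der).digest())


def diagnose(truststore_blob: bytes, password: str, ca_der: bytes) -> dict:
    """File digest (what openssl dgst -sha256 compares), integrity under the
    configured password, the entries keytool would list, and whether the CA
    that signed the peer's chain is really trusted (the PKIX failure cause)."""
    entries, ok = read_jks(truststore_blob, password)
    want = fingerprint(ca_der)
    return {
        "file_sha256": hashlib.sha256(truststore_blob).hexdigest(),
        "integrity_ok": ok,
        "entries": [(e["alias"], e["type"], [fingerprint(c) for c in e["certs"]]) for e in entries],
        "trusts_ca": any(fingerprint(c) == want for e in entries for c in e["certs"]),
    }


if __name__ == "__main__":
    # Constructed placeholders standing in for two CA certs with the same DN,
    # as happens when tls-toolkit is run twice: same alias, different bytes.
    nifi_ca = b"constructed:CN=localhost,OU=NIFI:ca-cert-bytes"
    stale_ca = b"constructed:CN=localhost,OU=NIFI:earlier-run-ca-bytes"
    good = write_jks_truststore([("nifi-cert", nifi_ca)], "changeit", ts_millis=0)
    stale = write_jks_truststore([("nifi-cert", stale_ca)], "changeit", ts_millis=0)
    for name, blob in (("nifi truststore", good), ("minifi truststore (stale)", stale)):
        r = diagnose(blob, "changeit", nifi_ca)
        print(name, "file", r["file_sha256"][:16], "integrity", r["integrity_ok"], "trusts CA", r["trusts_ca"])
        for alias, kind, fps in r["entries"]:
            print("  ", alias, kind, "SHA256:", fps[0])
```

To run it against a real agent, pass read_jks(open("truststore.jks", "rb").read(), password) and, for the CA argument, the DER bytes of the toolkit's nifi-cert.pem (for example the output of openssl x509 -in nifi-cert.pem -outform DER). The script does not parse X.509 itself, so it compares whole-certificate fingerprints rather than subject names, which is exactly what distinguishes two CAs that were both issued as CN=localhost, OU=NIFI by separate tls-toolkit runs. PKCS12 stores, which the keytool warning in the pasted output recommends migrating to, are a different container and are not handled here.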