Posted to users@nifi.apache.org by Joseph Wheeler <JW...@innovasi.com> on 2019/07/25 15:45:32 UTC

Certificates in Truststore

Hello,

I apologize if this is a simple/stupid question, but reading through the administration guide and copious amounts of googling have returned very little regarding this.

I'm looking into utilizing only client certificates for authentication to our Apache NiFi server. I want to avoid having to add another software package (e.g. LDAP, Kerberos, etc.) to the server. After spending the last few days working on this and getting an understanding of how to get new users created, I'm running into an issue: a user's client certificate has to be added to the truststore on the server in order for it to be allowed to access the NiFi web server, and NiFi doesn't seem to recognize changes to the truststore while it's running. While I don't expect to need to add a ton of new users, I am imagining a scenario where my program managers need a new user added immediately while one of our lead developers is in the process of doing something in the web app that he can't lose due to a service restart. Is there a way to make NiFi recognize changes to the truststore without requiring the service to be restarted? If not, is there a way to have NiFi trust all certs from a certain CA? They still wouldn't actually be able to access anything without having a user account tied to their cert's DN...

Thanks!

r/

Joseph Wheeler

Re: Certificates in Truststore

Posted by Andy LoPresto <al...@apache.org>.
Joseph,

Joe provided a number of good links to help provide context around this. I will be working with a couple other committers next week to improve our documentation around this task. Hopefully when we have that complete, you can take a look and let us know if it would have helped you in this effort and any changes you suggest. 

The short answer to your request is to import the public certificate of the certificate authority (CA) which is used to sign the individual users’ client certificates into the truststore, which is then provided to NiFi. As the CA public cert does not change, you can use it (actually the corresponding private key) to sign as many user certificates as you want without requiring any changes to the deployed truststore (truststores if in a clustered environment). 

Please let me know if anything above is not clear. 


Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Jul 25, 2019, at 9:09 AM, Joe Witt <jo...@gmail.com> wrote:
> 
> Joseph
> 
> I'd make sure to read about the keystore/truststore model and high level bits of PKI.  A site like [1] can help with that but the first key is understanding the client cert, server cert, CA, and general trust model.
> 
> With that basis in mind setting up NiFi for mutual auth with certificates both on the client side and nifi server side and proper trust mechanism is much easier.  The docs in NiFi on this topic should then be really helpful [2,3,4].
> 
> [1] http://www.robinhowlett.com/blog/2016/01/05/everything-you-ever-wanted-to-know-about-ssl-but-were-afraid-to-ask/
> [2] http://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#security_configuration
> [3] http://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#user_authentication
> [4] http://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#tls_generation_toolkit
> 
> Thanks
> Joe
> 
> On Thu, Jul 25, 2019 at 11:58 AM Joe Witt <joe.witt@gmail.com> wrote:
> Joseph
> 
> You are absolutely right that it would be terrible to have to edit the truststore on the nifi server(s) each time you wanted to add a client cert.  You're also right that there is a way to never do this.  I'll poke around for some links to help send you in the right direction.
> 
> Thanks
> 
> On Thu, Jul 25, 2019 at 11:45 AM Joseph Wheeler <JWheeler@innovasi.com> wrote:
> Hello,
> 
> I apologize if this is a simple/stupid question, but reading through the administration guide and copious amounts of googling have returned very little regarding this.
> 
> I’m looking into utilizing only client certificates for authentication to our Apache NiFi server. I want to avoid having to add another software package (e.g. LDAP, Kerberos, etc.) to the server. After spending the last few days working on this and getting an understanding of how to get new users created, I’m running into an issue: a user’s client certificate has to be added to the truststore on the server in order for it to be allowed to access the NiFi web server, and NiFi doesn’t seem to recognize changes to the truststore while it’s running. While I don’t expect to need to add a ton of new users, I am imagining a scenario where my program managers need a new user added immediately while one of our lead developers is in the process of doing something in the web app that he can’t lose due to a service restart. Is there a way to make NiFi recognize changes to the truststore without requiring the service to be restarted? If not, is there a way to have NiFi trust all certs from a certain CA? They still wouldn’t actually be able to access anything without having a user account tied to their cert’s DN…
> 
> Thanks!
> 
> r/
> 
> Joseph Wheeler
> 

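A concrete version of Andy's recommendation, added here as an example that is not part of the original thread or of the NiFi project: a throwaway CA built with openssl, a truststore that holds only the CA's public certificate, and client certificates issued from the CA afterwards without the truststore ever changing. The last step runs `openssl verify` against that CA, which is the same chain check NiFi performs at the TLS handshake, and shows that a certificate from an unrelated CA is rejected. All file names, subjects and the password are constructed; `keytool -importcert` is the usual way to load the CA cert into a NiFi truststore, and the `openssl pkcs12` fallback for hosts without a JDK is an assumption you should confirm against your NiFi version.

```shell
#!/bin/sh
# Added example (not from the thread): a private CA for NiFi client certs, built with openssl.
# Only the CA's public cert goes into NiFi's truststore; each new user gets a cert signed by
# the CA key, and the truststore never changes. All names, paths and the password are constructed.
set -eu

WORK="$(mktemp -d)"            # scratch directory for every file below
TS_PASS="changeit-example"     # constructed truststore password

# Minimal config so 'openssl req' works even on hosts without a system openssl.cnf.
write_openssl_cnf() {
  printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/openssl.cnf"
}

# One-time step: create a CA. $1 = file stem (e.g. "ca"), $2 = its subject.
# The private key ($1.key) stays offline; only $1.crt is ever handed to NiFi.
make_ca() {
  openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/$1.key"
  openssl req -new -x509 -sha256 -days 3650 -key "$WORK/$1.key" \
    -config "$WORK/openssl.cnf" -subj "$2" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -out "$WORK/$1.crt"
}

# Build the truststore that nifi.properties points at (nifi.security.truststore,
# nifi.security.truststoreType, nifi.security.truststorePasswd). It contains ONLY ca.crt.
# keytool (JDK) is the usual tool; the openssl PKCS12 branch is an assumption for hosts without it.
build_truststore() {
  if command -v keytool >/dev/null 2>&1; then
    rm -f "$WORK/truststore.jks"
    keytool -importcert -noprompt -storetype JKS -alias nifi-users-ca \
      -file "$WORK/ca.crt" -keystore "$WORK/truststore.jks" -storepass "$TS_PASS" >/dev/null 2>&1
    echo "$WORK/truststore.jks"
  else
    openssl pkcs12 -export -nokeys -in "$WORK/ca.crt" \
      -out "$WORK/truststore.p12" -passout "pass:$TS_PASS"
    echo "$WORK/truststore.p12"
  fi
}

# Per-user step, repeatable at any time without touching the truststore or restarting NiFi.
# $1 = CA stem, $2 = user stem, $3 = subject. Produces $2.crt plus a browser-importable $2.p12.
issue_client_cert() {
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' \
    > "$WORK/$2.ext"
  openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/$2.key"
  openssl req -new -key "$WORK/$2.key" -config "$WORK/openssl.cnf" -subj "$3" -out "$WORK/$2.csr"
  openssl x509 -req -sha256 -days 365 -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -extfile "$WORK/$2.ext" -out "$WORK/$2.crt"
  openssl pkcs12 -export -inkey "$WORK/$2.key" -in "$WORK/$2.crt" -certfile "$WORK/$1.crt" \
    -out "$WORK/$2.p12" -passout "pass:$TS_PASS"
}

# What NiFi does at the TLS handshake, expressed with openssl: does the presented cert chain
# to the CA held in the truststore? Exit status 0 means yes, non-zero means rejected.
verify_client_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# The subject DN is the identity NiFi maps to a user entry; being trusted grants no access by itself.
client_dn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$WORK/$1.crt" | sed 's/^subject= *//'
}

main() {
  write_openssl_cnf
  make_ca ca "/O=Example/CN=Example NiFi Users CA"
  TS="$(build_truststore)"
  echo "truststore for NiFi: $TS"
  issue_client_cert ca alice "/O=Example/OU=Engineering/CN=alice"
  issue_client_cert ca bob   "/O=Example/OU=Engineering/CN=bob"        # added later, same truststore
  make_ca other-ca "/O=Elsewhere/CN=Unrelated CA"                       # a CA NiFi does not trust
  issue_client_cert other-ca outsider "/O=Example/OU=Engineering/CN=outsider"
  for u in alice bob outsider; do
    if verify_client_cert "$u"; then
      echo "$u: trusted, identity '$(client_dn "$u")' must exist as a NiFi user"
    else
      echo "$u: rejected at the handshake (not issued by the trusted CA)"
    fi
  done
}
main
```

Two things worth keeping in mind when running this for real. First, trust is now anchored in `ca.key`, so that key is the thing to protect; anyone who can sign with it can mint a certificate that passes the handshake, and the only remaining gate is whether the DN matches a user NiFi knows. Second, the truststore no longer expresses who is allowed in; removing or disabling the user in NiFi's users and authorizations (or, for a compromised certificate, rotating the CA) is the lever, not editing the truststore. NiFi's `logs/nifi-user.log` shows the exact identity string it extracted from a certificate, which is the value to use when creating the user.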

Re: Certificates in Truststore

Posted by Joe Witt <jo...@gmail.com>.
Joseph

I'd make sure to read about the keystore/truststore model and high level
bits of PKI.  A site like [1] can help with that but the first key is
understanding the client cert, server cert, CA, and general trust model.

With that basis in mind setting up NiFi for mutual auth with certificates
both on the client side and nifi server side and proper trust mechanism is
much easier.  The docs in NiFi on this topic should then be really helpful
[2,3,4].

[1]
http://www.robinhowlett.com/blog/2016/01/05/everything-you-ever-wanted-to-know-about-ssl-but-were-afraid-to-ask/
[2]
http://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#security_configuration
[3]
http://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#user_authentication
[4]
http://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#tls_generation_toolkit

Thanks
Joe

On Thu, Jul 25, 2019 at 11:58 AM Joe Witt <jo...@gmail.com> wrote:

> Joseph
>
> You are absolutely right that it would be terrible to have to edit the
> truststore on the nifi server(s) each time you wanted to add a client
> cert.  You're also right that there is a way to never do this.  I'll poke
> around for some links to help send you in the right direction.
>
> Thanks
>
> On Thu, Jul 25, 2019 at 11:45 AM Joseph Wheeler <JW...@innovasi.com>
> wrote:
>
>> Hello,
>>
>>
>>
>> I apologize if this is a simple/stupid question, but reading through the
>> administration guide and copious amounts of googling have returned very
>> little regarding this.
>>
>>
>>
>> I’m looking into utilizing only client certificates for authentication to
>> our Apache NiFi server. I want to avoid having to add another software
>> package (e.g. LDAP, Kerberos, etc.) to the server. After spending the last
>> few days working on this and getting an understanding of how to get new
>> users created, I’m running into an issue: a user’s client certificate has
>> to be added to the truststore on the server in order for it to be allowed
>> to access the NiFi web server, and NiFi doesn’t seem to recognize changes
>> to the truststore while it’s running. While I don’t expect to need to add a
>> ton of new users, I am imagining a scenario where my program managers need
>> a new user added immediately while one of our lead developers is in the
>> process of doing something in the web app that he can’t lose due to a
>> service restart. Is there a way to make NiFi recognize changes to the
>> truststore without requiring the service to be restarted? If not, is there
>> a way to have NiFi trust all certs from a certain CA? They still wouldn’t
>> actually be able to access anything without having a user account tied to
>> their cert’s DN…
>>
>>
>>
>> Thanks!
>>
>>
>>
>> r/
>>
>>
>>
>> Joseph Wheeler
>>
>

Re: Certificates in Truststore

Posted by Joe Witt <jo...@gmail.com>.
Joseph

You are absolutely right that it would be terrible to have to edit the
truststore on the nifi server(s) each time you wanted to add a client
cert.  You're also right that there is a way to never do this.  I'll poke
around for some links to help send you in the right direction.

Thanks

On Thu, Jul 25, 2019 at 11:45 AM Joseph Wheeler <JW...@innovasi.com>
wrote:

> Hello,
>
>
>
> I apologize if this is a simple/stupid question, but reading through the
> administration guide and copious amounts of googling have returned very
> little regarding this.
>
>
>
> I’m looking into utilizing only client certificates for authentication to
> our Apache NiFi server. I want to avoid having to add another software
> package (e.g. LDAP, Kerberos, etc.) to the server. After spending the last
> few days working on this and getting an understanding of how to get new
> users created, I’m running into an issue: a user’s client certificate has
> to be added to the truststore on the server in order for it to be allowed
> to access the NiFi web server, and NiFi doesn’t seem to recognize changes
> to the truststore while it’s running. While I don’t expect to need to add a
> ton of new users, I am imagining a scenario where my program managers need
> a new user added immediately while one of our lead developers is in the
> process of doing something in the web app that he can’t lose due to a
> service restart. Is there a way to make NiFi recognize changes to the
> truststore without requiring the service to be restarted? If not, is there
> a way to have NiFi trust all certs from a certain CA? They still wouldn’t
> actually be able to access anything without having a user account tied to
> their cert’s DN…
>
>
>
> Thanks!
>
>
>
> r/
>
>
>
> Joseph Wheeler
>