3
votes

Tried to form a secure cluster in NiFi 1.0.0 by following the instructions from the link below:

http://bryanbende.com/development/2016/08/17/apache-nifi-1-0-0-authorization-and-multi-tenancy

I have generated the keystore and truststore files in the target folder; from nifi-cert.pem and nifi-key.key I have generated the p12 file and loaded it in the browser.

After starting the NiFi instances, the nodes have connected and are exchanging heartbeat signals between them, and the specified ports are listening, but when we launch the UI it does not display in the browser. (screenshot)

Update: (screenshots)

Update: due to

org.apache.nifi.cluster.protocol.ProtocolException: Failed marshalling protocol message in response to message type: CONNECTION_REQUEST due to java.net.SocketException: Software caused connection abort: socket write error
org.apache.nifi.cluster.protocol.ProtocolException: Failed marshalling protocol message in response to message type: CONNECTION_REQUEST due to java.net.SocketException: Software caused connection abort: socket write error
    at org.apache.nifi.cluster.protocol.impl.SocketProtocolListener.dispatchRequest(SocketProtocolListener.java:176) ~[nifi-framework-cluster-protocol-1.0.0.jar:1.0.0]
    at org.apache.nifi.io.socket.SocketListener$2$1.run(SocketListener.java:136) [nifi-socket-utils-1.0.0.jar:1.0.0]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_91]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_91]
    at java.lang.Thread.run(Thread.java:745) [na:1.8.0_91]

Do you see any errors in nifi-app.log on any of the nodes? And what are you seeing in the browser window? - Bryan Bende
No errors in the nifi-app.log file, everything is going fine in the log file @BryanBende - Manoj
Ok, it seems that it's most likely a browser config issue. Is that IE or maybe Edge? And have you tried what it said about turning on TLS in the advanced settings? If possible, it might be a good test to try with another browser like Firefox or Chrome just to see if that works, using the same client cert of course. - Bryan Bende
I don't think so. I have already made the necessary changes in it (IE). In all other browsers, i.e. Firefox or Chrome, the UI is also not loading. What could be the reason? The p12 file is not generated from the tls-toolkit; I have generated it manually. Maybe that is the reason? In fact I generated the key without using the tls-toolkit package, and in that case also I'm facing the same problem. - Manoj
I see. Usually when it's working in Firefox or Chrome they will prompt you with the available certs that can be used for the given site, so if it's not doing that then something isn't lining up between the client p12 and the keystore/truststore that NiFi is using. There is no requirement to use the TLS toolkit, it just makes it easier. Did you manually create a CA and then use that to create the keystore/truststore for NiFi and a separate client cert? - Bryan Bende

1 Answer

2
votes

There are a couple of steps you can take to continue debugging:

  • Run NiFi with Java TLS (SSL) debugging enabled. In conf/bootstrap.conf add the line

        java.arg.15=-Djavax.net.debug=ssl,handshake

    (ensuring that 15 is a number that does not conflict with your existing list of arguments). This will add a substantial amount of log output, but will explicitly document any TLS handshake negotiation attempts.
  • Use the OpenSSL s_client tool to debug the connection. Running the command below will attempt a handshake negotiation with additional log output:

        $ openssl s_client -connect <host:port> -debug -state -cert <path_to_your_cert.pem> -key <path_to_your_key.pem> -CAfile <path_to_your_CA_cert.pem>

    • Substitute your server for <host:port>
    • Substitute your public key certificate for <path_to_your_cert.pem>
    • Substitute your private key for <path_to_your_key.pem>
    • Substitute your server's public key certificate or the CA public key certificate for <path_to_your_CA_cert.pem>

    You can extract the public key certificate and private key from your PKCS12 keystore by using the following commands:

    • Extract the private key:

          $ openssl pkcs12 -in CN\=Andy_LoPresto_OU\=Apache_NiFi.p12 -nocerts -out client.key

    • Extract the public key certificate:

          $ openssl pkcs12 -in CN\=Andy_LoPresto_OU\=Apache_NiFi.p12 -clcerts -nokeys -out client.pem

As @bryan-bende pointed out above, the error message in the browser screenshot you shared does seem to indicate that the TLS cipher suites cannot be negotiated due to a protocol version incompatibility. The commands above will output all available cipher suites for the connection. You can also use a tool like CipherScan to enumerate these explicitly.

One possible issue is that Java 7 defaults to TLS 1.0 and Java 8 to TLS 1.2. What OS and JRE are you using to host NiFi?

In some rare cases, a user deploys NiFi with a keystore that does not actually contain an RSA key, and TLS handshake negotiation fails because "no cipher suites are available", when the issue is really that all of the available cipher suites require an RSA key (if not to encrypt the actual channel data, at least to sign the ephemeral keys). Can you verify that the keystore you provided NiFi has a valid (check dates as well) private key available?

Hopefully these steps help you diagnose the issue. If you can provide more information, we're happy to work with you to investigate further.
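The following script is an added example, not part of the answer above or of the NiFi project. It wraps the openssl commands the answer lists (extracting the client material from the PKCS12 file, probing the server with s_client, and checking that the keystore's certificate really carries an RSA key with valid dates) in small shell functions, and parses s_client's summary lines so that a failed negotiation stands out. The host name, file paths and the two sample s_client transcripts are constructed placeholders; replace them with your own.

```shell
#!/bin/sh
# Added example: helpers around the openssl commands from the answer.
# All host names, paths and sample outputs below are constructed placeholders.

# Extract the client private key and certificate from a PKCS12 bundle
# (same openssl invocations as in the answer; -nodes leaves the key unencrypted
# so s_client does not prompt for a passphrase).
extract_client_material() {
    p12="$1"; outdir="$2"
    openssl pkcs12 -in "$p12" -nocerts -nodes -out "$outdir/client.key"
    openssl pkcs12 -in "$p12" -clcerts -nokeys -out "$outdir/client.pem"
}

# Show what a PEM certificate says about itself: subject, validity window and
# key algorithm. A keystore whose certificate is not "rsaEncryption" or whose
# notAfter date has passed matches the "no cipher suites" symptom in the answer.
inspect_cert() {
    openssl x509 -in "$1" -noout -subject -dates -text \
        | grep -E 'subject=|notBefore|notAfter|Public Key Algorithm'
}

# Reduce an s_client transcript (on stdin) to one line:
#   "OK protocol=<ver> cipher=<suite> verify=<code>"  when a session was set up
#   "FAIL <offending line>"                           when negotiation failed
summarise_handshake() {
    awk '
      /^ *Protocol *:/          { sub(/^ *Protocol *: */, "");          proto  = $0 }
      /^ *Cipher *:/            { sub(/^ *Cipher *: */, "");            cipher = $0 }
      /^ *Verify return code:/  { sub(/^ *Verify return code: */, "");  verify = $0 }
      /handshake failure|no cipher|wrong version number|unsupported protocol/ { if (fail == "") fail = $0 }
      END {
        if (fail == "" && (proto == "" || cipher == "" || cipher == "0000")) fail = "no cipher suite negotiated"
        if (fail != "") { print "FAIL " fail; exit }
        print "OK protocol=" proto " cipher=" cipher " verify=" verify
      }'
}

# Run the handshake probe from the answer against a live server and summarise it.
# </dev/null makes s_client exit as soon as the handshake is done.
probe_handshake() {
    host_port="$1"; cert="$2"; key="$3"; ca="$4"
    openssl s_client -connect "$host_port" -cert "$cert" -key "$key" -CAfile "$ca" \
        </dev/null 2>&1 | summarise_handshake
}

# Constructed sample transcripts (shape of real s_client output, values invented).
SAMPLE_OK='CONNECTED(00000003)
depth=1 CN = nifi-ca
verify return:1
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
---'

SAMPLE_FAIL='CONNECTED(00000003)
140735123456:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1493:SSL alert number 40
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Verify return code: 0 (ok)
---'

# Usage against a real node (placeholders):
#   extract_client_material client.p12 /tmp/nifi-tls
#   inspect_cert /tmp/nifi-tls/client.pem
#   probe_handshake nifi-node1.example:9443 /tmp/nifi-tls/client.pem /tmp/nifi-tls/client.key ca.pem
#
# Offline demonstration on the constructed transcripts:
printf '%s\n' "$SAMPLE_OK"   | summarise_handshake
printf '%s\n' "$SAMPLE_FAIL" | summarise_handshake
```

The summary deliberately treats a "Cipher : 0000" line as a failure even when no alert text appears, because that is what s_client prints when the server closes the connection before a suite is agreed, which is the situation the browser error in the question points at.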