2
votes
  1. I enabled TLS in NiFi by running the below command,

    nifi-toolkit/nifi-toolkit-assembly/target/nifi-toolkit-1.4.0-SNAPSHOT-bin/nifi-toolkit-1.4.0-SNAPSHOT/bin/tls-toolkit.sh standalone -n "{my-ip},localhost" -C 'CN={my-ip}' -C 'CN=localhost' -o ./certs

  2. This created the files required for TLS under the directory certs.

  3. I moved the files under the directory certs into the conf folder of the deployment in my machine.

  4. Installed the certificate to my machine's Keychain Access.

  5. Now started the server using bin/nifi.sh start. My server starts and I am able to hit the server, but my request is not authorized.

I am getting the below error,

Not authorized for the requested resource. Contact the system administrator.


1 Answer

5
votes

Once TLS is enabled in Apache NiFi, anonymous access is no longer enabled by default. You will need to authenticate as a user in order to access the UI/API. There are three authentication mechanisms available -- client certificates, LDAP, or Kerberos. Once you configure an Initial Admin Identity in $NIFI_HOME/conf/authorizers.xml (this would be the exact CN of the client certificate you issued in the TLS Toolkit command), that user can authenticate and use the user management tools in NiFi to add additional users.

You can find more information in the NiFi Admin Guide. Bryan Bende has also written a detailed walkthrough of the process.

One note about the command you posted above -- I am not sure what your desired output is, but the command is issuing a server certificate for my-ip and another for hostname, but then two client certificates with those DNs as well. In general, you want a server certificate for hostname (possibly with a SAN entry for my-ip), and a client certificate with a DN like CN=alopresto, OU=Apache NiFi.

For example:

./bin/tls-toolkit.sh standalone \
  -n 'nifi.nifi.apache.org' \
  --subjectAlternativeNames '123.234.234.123' \
  -C 'CN=alopresto, OU=Apache NiFi' \
  -P password \
  -S password \
  -B password \
  -f ...conf/nifi.properties \
  -o ...conf/
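As an added example (not part of the answer above), here is the authorizers.xml fragment that would make the client certificate from that command the initial admin; it assumes the NiFi 1.4 provider layout and the default users/authorizations file paths:

```xml
<!-- $NIFI_HOME/conf/authorizers.xml (added example; assumes the NiFi 1.4 provider layout) -->
<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <!-- The user must exist before it can be granted policies. The value must
             equal the DN string NiFi derives from the client certificate, i.e. the
             -C value given to the toolkit, including the ", " separator. -->
        <property name="Initial User Identity 1">CN=alopresto, OU=Apache NiFi</property>
    </userGroupProvider>

    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <!-- Same identity again; it receives the admin policies on first start.
             A mismatch here (different CN, missing OU, other separator) produces
             exactly the "Not authorized for the requested resource" error. -->
        <property name="Initial Admin Identity">CN=alopresto, OU=Apache NiFi</property>
        <property name="Legacy Authorized Users File"></property>
        <!-- Single standalone node, so no Node Identity entries are required. -->
    </accessPolicyProvider>

    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>
```

The initial identities are only applied while users.xml and authorizations.xml do not yet exist, so remove any copies generated by an earlier start before restarting, and check that nifi.properties points at this authorizer with nifi.security.user.authorizer=managed-authorizer.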