0
votes

In NiFi, how does one create the necessary keystore, truststore and certificates needed to configure the StandardRestrictedSSLContextService controller service?

I need to invoke an HTTPS REST service. (Using NiFi 1.9.2 in local development mode)

Steps taken:

  1. Used TLS toolkit to generate self-signed certs, truststore and keystore
  2. Saved the API endpoint certificate to a .cer file (exported from chrome)
  3. $ keytool -import -alias mycert -keystore /opt/nifi/conf/truststore.jks -file api-cert.cer

After doing this, the InvokeHTTP processor in NiFi indicates it cannot find the certification path: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


2 Answers

1
votes

You can either create those files manually (using tools like openssl and keytool), use the NiFi TLS Toolkit, or obtain those files from an enterprise security team. The keystore needs to contain the private key and public certificate of the NiFi certificate; the truststore should contain the public certificates of the external services you want to interact with. See the NiFi Walkthroughs for examples. RestrictedSSLContextService is only required for incoming connections; SSLContextService can be used for outgoing connections to legacy systems (Restricted disables TLS protocol versions older than TLS v1.2).
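As an added example (not code from the question, either answer, or the NiFi project), the script below builds the two files this answer describes with openssl: a PKCS#12 keystore holding a private key and its certificate, and a truststore holding only the issuing CA of the service you want to call. It then checks whether a server certificate chains to a given truststore, which is the check that fails behind a PKIX "unable to find valid certification path" error. The CA names, the hostname api.example.test, the alias names and the password changeit are all constructed for the demo; the JKS step runs only when keytool is on the PATH, and listing the aliases afterwards is the quickest way to confirm which file actually received an import.

```shell
#!/bin/sh
# Added example, not code from the question or the answers above.
# Builds a throw-away PKI with openssl, packages it the way the answer describes
# (keystore = private key + certificate, truststore = the peer's issuing CA),
# and checks whether a server certificate chains to a given truststore.
# Every name and password here is constructed for the demo; "changeit" is a
# placeholder, not a recommended password.
set -eu

# make_ca DIR NAME: self-signed CA, written as DIR/NAME.key and DIR/NAME.pem
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# issue_server_cert DIR CA_NAME HOST: server key + certificate signed by DIR/CA_NAME.pem
issue_server_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/server.key" -out "$1/server.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1/server.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 30 -out "$1/server.pem" >/dev/null 2>&1
}

# build_keystore DIR: PKCS#12 keystore holding the private key and its certificate
# (the .pfx/.p12 shape); prints the resulting path.
build_keystore() {
  openssl pkcs12 -export -in "$1/server.pem" -inkey "$1/server.key" \
    -name nifi-key -out "$1/keystore.p12" -passout pass:changeit
  echo "$1/keystore.p12"
}

# build_truststore DIR CA_NAME: PEM truststore containing only the CA certificate;
# when keytool is on the PATH also produce the JKS form NiFi is usually configured with.
build_truststore() {
  cp "$1/$2.pem" "$1/truststore.pem"
  if command -v keytool >/dev/null 2>&1; then
    rm -f "$1/truststore.jks"
    keytool -importcert -noprompt -storetype JKS -alias "$2" -file "$1/$2.pem" \
      -keystore "$1/truststore.jks" -storepass changeit >/dev/null 2>&1
    # Listing the aliases confirms which file received the import (sent to stderr
    # so the path printed below stays the function's only stdout).
    keytool -list -keystore "$1/truststore.jks" -storepass changeit >&2
  fi
  echo "$1/truststore.pem"
}

# verify_chain TRUSTSTORE_PEM CERT_PEM: "ok" if CERT chains to an anchor in the
# truststore, "fail" otherwise (the situation behind a PKIX path-building error).
verify_chain() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

demo() {
  d=$(mktemp -d)
  make_ca "$d" trusted-ca   # the CA that issued the API's certificate
  make_ca "$d" other-ca     # an unrelated CA, to show a truststore that does not help
  issue_server_cert "$d" trusted-ca api.example.test
  ks=$(build_keystore "$d")
  ts=$(build_truststore "$d" trusted-ca)
  echo "keystore:   $ks"
  echo "truststore: $ts"
  echo "server cert against trusted-ca: $(verify_chain "$ts" "$d/server.pem")"              # ok
  echo "server cert against other-ca:   $(verify_chain "$d/other-ca.pem" "$d/server.pem")"  # fail
}

demo
```

The second verify_chain call is the interesting one: a truststore that exists and is readable but does not contain the anchor the server's certificate chains to verifies as fail, which is exactly what the Java client reports as a PKIX path-building failure. When pointing a NiFi SSL context service at these files, the keystore type is PKCS12 and the truststore type is JKS, and the filename fields should hold the full path to each file.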

0
votes

Provide a full path in the keystore and truststore filename fields.
I'm using a nifi container and the default directory is /opt/nifi/nifi-current/.

I placed the files in a certs directory so my keystore filename field looks like this:
certs/keystore.pfx