
How to Setup Secure Apache NIFI with Certificate Based Authentication Method: Step By Step Complete Guide


Many system administrators and developers search for how to secure Apache NiFi, or how to move it from HTTP to HTTPS, and are not sure which steps are needed. This guide walks through every step for anyone who wants to put NiFi behind TLS and use certificate-based authentication.

Apache NiFi is an open source dataflow automation tool, and by default (at the time of writing) it starts on plain HTTP with no authentication at all, so anyone who can reach the port can read and edit every flow. Once HTTPS is enabled, NiFi supports several authentication methods: client certificates, Apache Knox, LDAP and OpenID Connect. Client-certificate authentication (mutual TLS) needs no separate identity provider, which makes it the simplest choice for a small deployment, and it is strong: the browser has to present a certificate signed by your own CA before NiFi serves anything.

This guide covers both Windows and Linux. First the prerequisites, then each step in order.

Prerequisites:

  • Apache NiFi binary distribution
  • CA (authority) certificate (.pem)
  • Server certificate with its private key (.pfx)
  • Client certificate with its private key (.pfx)
  • Truststore (.jks), created in Step 2
  • Ubuntu bash for Windows, or a Linux command line, with a JDK installed (keytool is part of it)

Step 1: How to generate the certificates

This guide uses tinycert.org, a free hosted CA: register there and follow the steps shown in the images below. Keep in mind that a hosted service generates and holds the private keys for you. That is acceptable for a lab, but for a production NiFi you should create the CA and certificates yourself (for example with openssl or the NiFi TLS toolkit) so the keys never leave your own machines.

https://www.tinycert.org/ registration is free. After registration you will see the dashboard page.

First, create the CA ("Authority Certificate", .pem) as shown in the image below: click the Create button.

(Image: Tinycert Dashboard)

Fill in the form; example values are shown in the image below.

(Image: Authority Cert Info)

Click Create and the CA certificate appears as shown in the image below.

Next, create two certificates signed by this CA, one for the server and one for the client, using the Create button highlighted on the right of the image below.

(Image: Authority Cert Output)

Enter the details for the server and client certificates and click Create, as shown in the images below. The server certificate's Common Name should be the host name you will type in the browser. The client certificate's subject (CN, OU, O, L, ST, C) becomes the NiFi user identity that you will later put into authorizers.xml, so note it down exactly.

(Image: Server Certificate)
(Image: Server Certificate Output)
(Image: Client Certificate)
(Image: Client Certificate Output)

Now download the certificates in the formats below: the CA certificate as .pem (the public certificate only) and the server and client certificates as .pfx (PKCS#12, which bundles each certificate with its private key). If tinycert asks for a passphrase when exporting a .pfx, note it down: it is needed in nifi.properties and when importing the client certificate into the browser.

(Image: Authority Cert Download)
(Image: Client and Server Certificates Download)

Step 2: How to generate the truststore (.jks)

With the certificates ready, the truststore is created from the command line. The truststore contains only the CA certificate; NiFi uses it to decide which client certificates to accept, so any certificate signed by this CA can authenticate.

(Image: Ubuntu)

To generate the truststore with Ubuntu bash on Windows, open a Command Prompt, navigate to the directory where you saved the three certificate files, type "bash" and press Enter, then run the command below. keytool is part of the JDK, so Java must be installed inside the bash environment.

keytool -import -file <ca_file>.pem -alias cacert -keystore truststore.jks -storepass <password>

On Linux, simply navigate to the directory containing the three certificate files and run the same command.

(Image: Windows Bash Commands to Generate Truststore)

keytool asks "Trust this certificate? [no]:"; type "yes" and press Enter (adding -noprompt to the command skips the question).

(Image: Windows Bash Commands to Generate Truststore Success)

The truststore has now been generated. Its store password protects the file's integrity; the CA certificate inside is public, so nothing secret lives in the truststore. The .pfx files are different: they contain private keys and must be kept away from anyone who is not supposed to log in.

(Image: Truststore Generated)

Step 3: How to configure the NiFi properties file (nifi.properties)

Configure the properties highlighted in the image below. The file is nifi.properties in the conf directory of the NiFi installation.

(Image: Apache NIFI Properties)

As you can see, we have set the paths to the keystore (the server .pfx) and the truststore, the password used when generating the truststore and exporting the .pfx files, and cleared the plain-HTTP port. Save nifi.properties.
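Since the highlighted settings are only shown as an image, here is the same set of properties written out as an added example (not copied from the post). The paths, port 9443 and host name nifi.example.test are assumptions, and the placeholder in angle brackets stands for the password you chose. The HTTP settings are left empty on purpose: NiFi refuses to start when both the HTTP and HTTPS ports are configured, and a plaintext port would bypass everything else done here.

```properties
# Listen on HTTPS only. Empty HTTP host/port disables the plaintext listener.
nifi.web.http.host=
nifi.web.http.port=
nifi.web.https.host=0.0.0.0   # bind to all interfaces; use one address to limit exposure
nifi.web.https.port=9443

# Server keystore from Step 1 (PKCS#12, one key entry) and truststore from Step 2.
# For a PKCS#12 keystore the key password must equal the keystore password.
nifi.security.keystore=./conf/Server.pfx
nifi.security.keystoreType=PKCS12
nifi.security.keystorePasswd=<password>
nifi.security.keyPasswd=<password>
nifi.security.truststore=./conf/truststore.jks
nifi.security.truststoreType=JKS
nifi.security.truststorePasswd=<password>

# Authorization is delegated to the managed authorizer defined in authorizers.xml (Step 4).
nifi.security.user.authorizer=managed-authorizer

# Host header values NiFi will accept, comma separated. Any host name or IP
# that users type into the URL must be listed here, otherwise the request is rejected.
nifi.web.proxy.host=127.0.0.1:9443,nifi.example.test:9443
```

The three passwords are stored in clear text, so restrict the file permissions of conf/ to the account NiFi runs under; anyone who can read nifi.properties and Server.pfx can impersonate the server.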

Step 4: How to configure the authorizers file (authorizers.xml)

The last backend step is adding the client identity to authorizers.xml, which is also in the NiFi conf directory.

Note: the files highlighted in red (users.xml and authorizations.xml) are generated automatically from authorizers.xml on the first successful start of NiFi. If you change the identity later, delete these two files before restarting, otherwise NiFi keeps the old user and policies.

(Image: Config Directory)

Now edit authorizers.xml as shown in the images below. The subject DN of the client certificate must be added in two places: as "Initial User Identity 1" of the file-user-group-provider and as "Initial Admin Identity" of the file-access-policy-provider. NiFi compares this string character by character with the DN it reads from the presented certificate, so spacing and attribute order matter; a mismatch results in "Unknown user with identity ..." when you open the page.

"CN=Client, OU=ABC, O=ABC Company, L=Your City, ST=Your State, C=US"

1. (Image: Authorizers.xml Settings)

2. (Image: Authorizers.xml Settings-2)
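The two places in the screenshots correspond to the following elements of authorizers.xml. This is an added example of the relevant part of the file, not the post's screenshot transcribed; the DN is the sample one used above and the rest is the default layout of a NiFi 1.x authorizers.xml.

```xml
<!-- Added example: the two providers that carry the client identity. -->
<userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Users File">./conf/users.xml</property>
    <property name="Legacy Authorized Users File"></property>
    <!-- Place 1: the client certificate's subject DN, exactly as NiFi prints it -->
    <property name="Initial User Identity 1">CN=Client, OU=ABC, O=ABC Company, L=Your City, ST=Your State, C=US</property>
</userGroupProvider>

<accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <!-- Place 2: the same DN; this user receives the full set of policies on first start -->
    <property name="Initial Admin Identity">CN=Client, OU=ABC, O=ABC Company, L=Your City, ST=Your State, C=US</property>
    <property name="Legacy Authorized Users File"></property>
    <!-- Clusters only: the server certificate DN of every node, one per property,
         also listed as additional Initial User Identity entries above -->
    <property name="Node Identity 1"></property>
</accessPolicyProvider>
```

NiFi reads these initial identities only while users.xml and authorizations.xml do not exist yet, so after changing the DN delete both files and restart. A stale users.xml is the usual cause of "Unknown user with identity ..." or "No applicable policies could be found". In a cluster, each node's server certificate DN must additionally be listed as a Node Identity and as an extra Initial User Identity on every node, otherwise requests proxied between nodes fail with "Untrusted proxy ...". All three of these errors appear in the comments below.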

Congratulations, you have completed all backend configurations 🙂

Step 5: How to configure the web browser to access NiFi with the client certificate

This is simple: import the previously generated Client certificate (.pfx) into the browser.

Follow the steps shown in the images.

Go to the browser settings and search for "Manage Certificates". Chrome and Edge use the Windows certificate store; Firefox keeps its own store under Privacy & Security > Certificates. Because the .pfx contains the private key, import it only on machines of people who should have access, and delete the downloaded file afterwards.

(Image: Manage Certificates)

Click the Import button and walk through the wizard: browse to the .pfx file, enter its password, and finish the import.

(Image: Import Client Certificate)
(Image: Import Wizard)
(Image: Certificate Import Wizard 2)
(Image: Browse Certificate)
(Image: Provide Certificate Password)
(Image: Finishing Certificate Import)
(Image: Verify Import Finished)
(Image: Certificate Import Success Message)

Now start NiFi from the bin directory: double-click run-nifi.bat on Windows, or run ./nifi.sh start (or ./nifi.sh run to keep it in the foreground) on Linux.

(Image: Run Nifi)

The following window appears once NiFi is running.

(Image: Nifi Is Running)

You can also follow the log file nifi-app.log in the logs directory; keystore and truststore problems are reported there before the web server comes up.

(Image: Logs)

Now open the NiFi address in the browser on the HTTPS port configured in nifi.properties: https://localhost:9443/nifi/. The browser asks which client certificate to present; select the imported one and press OK.

(Image: Select Certificate and Press OK)
(Image: Secure Apache NIFI is Up)

Sometimes NiFi rejects the request with an error about the host header (called "No Header found for NIFI" in this post); this is the most common issue reported for remote deployments, so do not worry. NiFi only accepts requests whose Host header matches the configured HTTPS host or an entry in nifi.web.proxy.host, so add the host name or IP that remote users type into the URL, as shown in the image below.

(Image: WebProxy Header Problem)

Note: 127.0.0.1 refers to localhost. For remote access, specify the public host name or IP (with port) that users actually put in the URL; several values can be listed, separated by commas.

Cheers !

In case of any issue, please comment; I will try to respond within 24 hours.

For more updates, please bookmark Paktechub


12 Comments
  1. David says

    This post is amazing! @Atiftariq, what if I have a nifi cluster? How can I set the cert on each node? I was getting error “Untrusted proxy CN=NIFI_Server, OU=ABC, O=ABC, L=Las Vegas, ST=Nevada, C=US” after I configured the tiny cert on 2 nodes.

  2. atiftariq says

    David, thank you. Have you configured users.xml and authorizations.xml on all nodes?

  3. David says

    Thank you, Atiftariq. My local nodes worked. But I have another question. Why do you need to manually import “Client” certificate into your browser? When we access any public websites, we never need to manually import a certification.

  4. Anonymous says

    Actually, this certificate works as authentication for NiFi access, so it works like a user name/password. The person who has this certificate in his browser can open this NiFi portal; this certificate works as a security measure.

  5. RJ says

    I am getting No applicable policies could be found. Contact the system administrator.

  6. Ludvik says

    getting error when starting nifi

    KeyStores with multiple certificates are not supported

    020-08-29 19:27:12,848 WARN [main] org.apache.nifi.web.server.JettyServer Failed to start web server… shutting down.
    java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
    at org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1275)
    at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1256)
    at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:374)
    at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:245)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
    at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:92)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
    at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:320)
    at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
    at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:231)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
    at org.eclipse.jetty.server.Server.doStart(Server.java:385)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
    at org.apache.nifi.web.server.JettyServer.start(JettyServer.java:1058)
    at org.apache.nifi.NiFi.(NiFi.java:158)
    at org.apache.nifi.NiFi.(NiFi.java:72)
    at org.apache.nifi.NiFi.main(NiFi.java:301)

  7. Rajan says

    I get below error while accessing the application.
    Unknown user with identity ‘CN=client, OU=wins, O=Wins Company, L=Delhi, ST=National Capital Territory of Delhi, C=IN’. Contact the system administrator.

    Also do I need further configurations for accessing NiFi rest api?

  8. Gary says

    @Atiftariq, this is a great post. Thank you so much! I am learning NiFi, but know nothing about security setting. Do you mind advising more, specifically,

    1. How would you configure it so that remote users would need to log in to access NiFi?
    2. In the configuration file, there are several password fields and user/admin identity. Where are these values generated?

  9. Abhishek Munghate says

    I don’t see any step where you create a password for a client; please provide us the step, that will save us so much trouble.

    BTW you have written a pretty good blog with screenshots and all, very appreciated.

  10. sandipan mukherjee says

    yes you are right….Ksolves is a team of Software Developers, Testers, and Architects with the expertise of implementing Big Data services based on company’s requirements. We are a leading Big Data Consulting Company with a broad and experienced team of Apache NiFi developers with years of industrial experience. Due to our knowledge, skills, and expertise, we have unlocked the potential scope of NiFi-as-a-service that can take your company to the next orbit of excellence

  11. Ganesh says

    I have followed all the steps and created cacert.pem, Server.pfx, Client.pfx; at this time no password has been asked by the site.
    Then on my linux machine created truststore.jks by executing keytool -import -file cacert.pem -alias cacert -keystore truststore.jks -storepass HCluster
    Then configured nifi.properties file
    nifi.security.keystore=/etc/ssl/nifi/Server.pfx
    nifi.security.keystoreType=PKCS12
    nifi.security.keystorePasswd=HCluster
    nifi.security.keyPasswd=HCluster
    nifi.security.truststore=/etc/ssl/nifi/truststore.jks
    nifi.security.truststoreType=JKS
    nifi.security.truststorePasswd=HCluster

    Now I am facing the below error.

    ERROR [main] o.apache.nifi.controller.FlowController Unable to start the flow controller because the TLS configuration was invalid: The keystore properties are not valid
