How to Set Up a Secure Apache NiFi with Certificate-Based Authentication: Step-by-Step Complete Guide

Many system administrators and developers search for how to secure Apache NiFi, that is, how to move it from HTTP to HTTPS, and are not sure which steps are needed. This guide walks through every step for securing NiFi with TLS certificates.
Apache NiFi is an open source dataflow automation tool. Out of the box (in the releases this guide was written for) it listens on plain HTTP with no authentication at all, so anyone who can reach the port can read and change the flow. NiFi supports several authentication methods: client (X.509) certificates, Apache Knox, LDAP and OpenID Connect. Certificate-based authentication is the easiest to set up because it needs no external identity provider, and it is secure as long as the client private keys are protected. (Note that NiFi 1.14 and later default to HTTPS with a generated single-user login; this guide describes the older HTTP default.)
This guide covers both Windows and Linux. The prerequisites come first, then the steps in order.
Prerequisites:
- Apache NiFi binary distribution
- CA certificate (.pem)
- Server certificate with its private key (.pfx)
- Client certificate with its private key (.pfx)
- Truststore (.jks) containing the CA certificate (created in step 2)
- Ubuntu bash for Windows (WSL) or a Linux command line, with keytool from the JDK/JRE that NiFi runs on
Step 1: How to generate certificates
This guide uses TinyCert (https://www.tinycert.org/), a free online CA: register, and the dashboard lets you create a CA and issue certificates under it, as shown in the screenshots. Be aware that with such a service the private keys are generated and stored by a third party, so this is fine for a lab or a proof of concept, but for production use a CA you control (for example openssl or the NiFi Toolkit's tls-toolkit).
First create the Certificate Authority, the "CA certificate (.pem)" of the prerequisites: click Create, fill in the organisation details as in the example screenshot, and click Create again. The new CA is listed on the dashboard.
Next create two certificates signed by that CA, using the Create button on the right-hand side of the CA entry:
- a server certificate for NiFi. Its Common Name (and, if the form offers it, the Subject Alternative Name) must be the hostname or IP that users will type into the browser; otherwise the browser rejects the server certificate even though NiFi starts fine;
- a client certificate for the user. Its full subject (for example "CN=Client, OU=ABC, O=ABC Company, L=Your City, ST=Your State, C=US") becomes the NiFi user identity in step 4, so note it down exactly.
Finally download the three artifacts in the formats shown: the CA certificate as .pem, and the server and client certificates together with their private keys as .pfx (PKCS#12) bundles. Note the password that protects each .pfx: it is the password NiFi needs for the server keystore in step 3, and the one the browser asks for when importing the client bundle in step 5. It is a different value from the truststore password of step 2.
Step 2: How to generate the truststore (.jks)
All certificates are ready; now we create the truststore from the command line. The truststore tells NiFi which CA to trust when a client presents a certificate, and it holds only the CA's public certificate, nothing secret.
On Windows, open CMD, navigate to the directory where you saved the three downloaded files, type "bash" and press Enter to get the Ubuntu shell, then run the command below. On Linux, just navigate to that directory and run it.
keytool -importcert -file <ca_file>.pem -alias cacert -storetype JKS -keystore truststore.jks -storepass <password>
keytool prints the certificate details and asks "Trust this certificate?"; type "yes" and press Enter. (-importcert is the current name of -import; -storetype JKS is needed on Java 9 and later, where keytool otherwise writes a PKCS12 file regardless of the .jks extension.)
You now have truststore.jks. Its password only protects the integrity of the file, so it does not have to match the .pfx password, and NiFi must be given each password for the file it belongs to.
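As an added example (not the post's TinyCert procedure and not NiFi's own tooling), steps 1 and 2 done locally with openssl and keytool, so the private keys never leave your machine. The output directory, password, host name and subject names are assumptions. It also derives the exact identity string step 4 needs and, once NiFi is up, checks access without a browser:

```shell
#!/bin/sh
# Added example: build the three artifacts the post downloads from TinyCert
# (CA .pem, server .pfx, client .pfx) locally with openssl, plus the JKS
# truststore with keytool. Directory, password, host and subjects are
# illustrative assumptions, not values from the post.
set -eu

# RDN order matters: NiFi prints a subject most-specific-first ("CN=..., C=US"),
# so writing the subject as /C=.../CN=... yields exactly the identity string
# that goes into authorizers.xml.
CA_SUBJ="/C=US/ST=Your State/L=Your City/O=ABC Company/OU=ABC/CN=ABC Root CA"
SERVER_SUBJ="/C=US/ST=Your State/L=Your City/O=ABC Company/OU=ABC/CN=NIFI_Server"
CLIENT_SUBJ="/C=US/ST=Your State/L=Your City/O=ABC Company/OU=ABC/CN=Client"

make_nifi_certs() {
    outdir=$1; pass=$2; host=${3:-localhost}
    mkdir -p "$outdir"
    (
        cd "$outdir"

        # 1. Private CA (the post's "Authority Certificate (.pem)").
        openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
            -subj "$CA_SUBJ" -keyout ca.key -out cacert.pem

        # 2. Server certificate. The SAN must match the host in the browser URL:
        #    NiFi starts without it, but browsers refuse the connection.
        openssl req -new -newkey rsa:2048 -sha256 -nodes \
            -subj "$SERVER_SUBJ" -keyout server.key -out server.csr
        printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$host" > server.ext
        openssl x509 -req -sha256 -days 365 -in server.csr \
            -CA cacert.pem -CAkey ca.key -CAcreateserial \
            -extfile server.ext -out server.pem

        # 3. Client (user) certificate: the credential the browser will present.
        openssl req -new -newkey rsa:2048 -sha256 -nodes \
            -subj "$CLIENT_SUBJ" -keyout client.key -out client.csr
        printf 'extendedKeyUsage=clientAuth\n' > client.ext
        openssl x509 -req -sha256 -days 365 -in client.csr \
            -CA cacert.pem -CAkey ca.key -CAcreateserial \
            -extfile client.ext -out client.pem

        # 4. PKCS#12 bundles (.pfx). Each holds exactly one private-key entry;
        #    the CA goes in as that entry's chain, not as a second key entry.
        #    On OpenSSL 3 add -legacy if an old JDK cannot read the bundle.
        openssl pkcs12 -export -name nifi-server -inkey server.key -in server.pem \
            -certfile cacert.pem -out Server.pfx -passout "pass:$pass"
        openssl pkcs12 -export -name nifi-client -inkey client.key -in client.pem \
            -certfile cacert.pem -out Client.pfx -passout "pass:$pass"

        # 5. Truststore (step 2 of the post). -storetype JKS because newer JDKs
        #    default to PKCS12 regardless of the .jks extension.
        if command -v keytool >/dev/null 2>&1; then
            keytool -importcert -noprompt -storetype JKS -alias cacert \
                -file cacert.pem -keystore truststore.jks -storepass "$pass"
        fi

        # 6. Both leaf certificates must chain to the CA.
        openssl verify -CAfile cacert.pem server.pem client.pem
    )
}

# The subject exactly as NiFi reports it: the value for "Initial Admin Identity"
# and "Initial User Identity 1" in authorizers.xml.
nifi_identity() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253,sep_comma_plus_space |
        sed 's/^subject= *//'
}

# Once NiFi is running: prove the server chain is trusted and the client
# certificate is accepted, without a browser. NiFi answers with the caller's
# identity. URL is an assumption matching the post's configured port.
check_nifi_access() {
    dir=$1; pass=$2; url=${3:-https://localhost:9443}
    curl --silent --show-error --cacert "$dir/cacert.pem" \
        --cert-type P12 --cert "$dir/Client.pfx:$pass" \
        "$url/nifi-api/flow/current-user"
}

# Usage:
#   make_nifi_certs ./nifi-certs changeit nifi.example.internal
#   nifi_identity ./nifi-certs/client.pem
#   check_nifi_access ./nifi-certs changeit
```

The identity printed by nifi_identity is the string to paste into authorizers.xml in step 4; the same password then goes into nifi.security.keystorePasswd and nifi.security.truststorePasswd in step 3. If check_nifi_access returns an "Unknown user" message rather than the identity, the DN in authorizers.xml does not match the certificate.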
Step 3: How to configure the NiFi properties file (nifi.properties)
Edit the properties highlighted in the screenshot; the file is conf/nifi.properties in the NiFi directory.
Clear the HTTP host and port and set the HTTPS host and port (NiFi refuses to start when both HTTP and HTTPS ports are set). Point nifi.security.keystore at the server .pfx, with type PKCS12 and the password of that bundle (for a .pfx, keystorePasswd and keyPasswd are the same value). Point nifi.security.truststore at truststore.jks, with type JKS and the password used when generating it in step 2. A password that belongs to the wrong file is the usual cause of "the keystore properties are not valid" at startup. Save the file.
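The values behind the step 3 screenshot, written out as an added example rather than the post's own file; the paths, the port and the password placeholders are assumptions to replace with your own:

```properties
# HTTPS only: leave the HTTP host/port empty, NiFi refuses to start with both set
nifi.web.http.host=
nifi.web.http.port=
nifi.web.https.host=127.0.0.1
nifi.web.https.port=9443

# Server certificate and key from step 1 (password of the .pfx bundle;
# for a .pfx, keyPasswd is the same value as keystorePasswd)
nifi.security.keystore=./conf/Server.pfx
nifi.security.keystoreType=PKCS12
nifi.security.keystorePasswd=<pfx password>
nifi.security.keyPasswd=<pfx password>

# CA that signed the client certificates, from step 2 (truststore password)
nifi.security.truststore=./conf/truststore.jks
nifi.security.truststoreType=JKS
nifi.security.truststorePasswd=<truststore password>

# Certificate-only login: no login identity provider, file-based authorizer (step 4)
nifi.security.user.login.identity.provider=
nifi.security.user.authorizer=managed-authorizer

# Only when users reach NiFi through a different host name or IP than nifi.web.https.host
nifi.web.proxy.host=
```

nifi.web.https.host=127.0.0.1 binds to the loopback interface only; for remote users set it to the machine's hostname or address and list that same value in nifi.web.proxy.host.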
Step 4: How to configure the authorizers file (authorizers.xml)
The last server-side step is to tell NiFi which certificate identity is the initial administrator, in conf/authorizers.xml.
Note: the files highlighted in red in the screenshot (users.xml and authorizations.xml) are generated by NiFi on its first successful start from the identities in authorizers.xml. They are only generated when they do not exist yet, so if you change the identity later, delete them (or edit them) before restarting; otherwise the new value is ignored.
Edit authorizers.xml as in the screenshot: add the subject of the client certificate from step 1, exactly as NiFi renders it (attribute=value pairs separated by a comma and a space, most specific first):
"CN=Client, OU=ABC, O=ABC Company, L=Your City, ST=Your State, C=US"
in two places:
1. as "Initial User Identity 1" in the file-user-group-provider, which creates the user;
2. as "Initial Admin Identity" in the file-access-policy-provider, which grants that user the administrative policies.
The string must match the certificate subject character for character (including the space after each comma); a mismatch shows in the browser as "Unknown user with identity ...".
Congratulations, the server-side configuration is complete 🙂
Step 5: How to configure the web browser to access NiFi with the client certificate
This is simple: import the client .pfx generated in step 1 into the browser's personal certificate store. Follow the screenshots.
Go to the browser settings and search for "Manage certificates".
Click the Import button, select Client.pfx and enter its password (the bundle contains the private key, so the browser needs the password to unpack it). Import the CA .pem into the trusted root store as well; otherwise the browser warns that NiFi's server certificate is untrusted. On Windows, Chrome and Edge use the Windows certificate store; Firefox keeps its own store under Privacy & Security.
Now start NiFi from the "bin" directory: double-click "run-nifi.bat" on Windows, or run "./nifi.sh run" (foreground) or "./nifi.sh start" (background) on Linux.
A console window shows the startup output.
The same output goes to "nifi-app.log" in the logs directory, which is the place to look if the web server fails to start, for example because a keystore password is wrong.
Once the log reports "NiFi has started", open the configured address in the browser, "https://localhost:9443/nifi/". The browser prompts for a certificate; choose the imported client certificate, and NiFi opens the canvas with the certificate's DN shown as the logged-in user.
If NiFi is opened through a name or address other than the one it listens on (a remote host, a load balancer or a proxy), it rejects the request because the Host header is not on its allow list; the error message mentions an invalid host header. This is one of the most common problems reported in remote deployments and is not a fault in the certificate setup. Fix it by adding the externally used host[:port] values, comma-separated, to "nifi.web.proxy.host" in nifi.properties, as shown in the screenshot.
Note: the IP "127.0.0.1" is localhost. For remote access, put the hostname or public IP that users type into the browser here, make sure "nifi.web.https.host" binds to an interface that is reachable rather than only the loopback address, and restart NiFi after changing nifi.properties.
Cheers !
In case of any issue, please comment; I will try to respond within 24 hours.
For more updates, please bookmark Paktechub
This post is amazing! @Atiftariq, what if I have a nifi cluster? How can I set the cert on each node? I was getting error “Untrusted proxy CN=NIFI_Server, OU=ABC, O=ABC, L=Las Vegas, ST=Nevada, C=US” after I configured the tiny cert on 2 nodes.
David, thank you. Have you configured users.xml and authorizations.xml on all nodes?
Thank you, Atiftariq. My local nodes worked. But I have another question. Why do you need to manually import “Client” certificate into your browser? When we access any public websites, we never need to manually import a certification.
Actually, this certificate works as authentication for NiFi access, so it works like a user name/password. The person who has this certificate in his browser can open this NiFi portal. This certificate works as a security measure.
I am getting No applicable policies could be found. Contact the system administrator.
getting error when starting nifi
KeyStores with multiple certificates are not supported
020-08-29 19:27:12,848 WARN [main] org.apache.nifi.web.server.JettyServer Failed to start web server… shutting down.
java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
at org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1275)
at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1256)
at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:374)
at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:245)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:92)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:320)
at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:231)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
at org.eclipse.jetty.server.Server.doStart(Server.java:385)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
at org.apache.nifi.web.server.JettyServer.start(JettyServer.java:1058)
at org.apache.nifi.NiFi.<init>(NiFi.java:158)
at org.apache.nifi.NiFi.<init>(NiFi.java:72)
at org.apache.nifi.NiFi.main(NiFi.java:301)
ok, seems to be an issue of NiFi 1.12.0
http://apache-nifi-users-list.2361937.n4.nabble.com/NiFi-1-12-0-KeyStores-with-multiple-certificates-are-not-supported-td10051.html
I get below error while accessing the application.
Unknown user with identity ‘CN=client, OU=wins, O=Wins Company, L=Delhi, ST=National Capital Territory of Delhi, C=IN’. Contact the system administrator.
Also do I need further configurations for accessing NiFi rest api?
@Atiftariq, this is a great post. Thank you so much! I am learning NiFi, but know nothing about security setting. Do you mind advising more, specifically,
1. How would you configure it so that remote users would need to log in to access NiFi?
2. In the configuration file, there are several password fields and user/admin identity. Where are these values generated?
I don’t see any step where you create a password for a client; please provide us the step, that will save us so much trouble.
BTW you have written a pretty good blog with screenshots and all, very appreciated.
yes you are right….Ksolves is a team of Software Developers, Testers, and Architects with the expertise of implementing Big Data services based on company’s requirements. We are a leading Big Data Consulting Company with a broad and experienced team of Apache NiFi developers with years of industrial experience. Due to our knowledge, skills, and expertise, we have unlocked the potential scope of NiFi-as-a-service that can take your company to the next orbit of excellence
I have followed all the steps and created cacert.pem, Server.pfx and Client.pfx; at this time no password was asked for by the site.
Then on my linux machine created truststore.jks by executing keytool -import -file cacert.pem -alias cacert -keystore truststore.jks -storepass HCluster
Then configured nifi.properties file
nifi.security.keystore=/etc/ssl/nifi/Server.pfx
nifi.security.keystoreType=PKCS12
nifi.security.keystorePasswd=HCluster
nifi.security.keyPasswd=HCluster
nifi.security.truststore=/etc/ssl/nifi/truststore.jks
nifi.security.truststoreType=JKS
nifi.security.truststorePasswd=HCluster
Now I am facing the below error .
ERROR [main] o.apache.nifi.controller.FlowController Unable to start the flow controller because the TLS configuration was invalid: The keystore properties are not valid