How to trust another certificate from within nifi flows?


nifi-san
Hello Experts,

We have a Nifi cluster without certificates or SSL implementation.
We have a requirement to call another url/interface from the Nifi flows
using https url since the end point is configured with SSL.
The "https" end point uses a self-signed certificate and in order to trust
the certificate, we need to configure or point the flows on Nifi to the
trust certificate.

We tried the options mentioned in the links below but have not been
successful in getting the connection to work.

http://www.tomaszezula.com/2016/11/06/using-ssl-with-nifi/


Apart from Nifi, other components such as Spark jobs running on the cluster and
even the browser are able to trust the certificates.

Any pointers would be highly appreciated!

Thanks



--
Sent from: http://apache-nifi-developer-list.39713.n7.nabble.com/
Re: How to trust another certificate from within nifi flows?

Andy LoPresto-2
Hi,

In order to do this, you will need to download/obtain the self-signed server certificate that is presented by the remote service (you can do this through a tool like OpenSSL's s_client with the -showcerts flag) in PEM format, import it into a Java Keystore file acting as a truststore (see commands below), and then identify that truststore in a StandardSSLContextService, which you will reference from the InvokeHTTP processor.

If you encounter a specific error or exception, feel free to reply so we can assist more directly. 

# convert the PEM certificate to DER, then import it into a JKS file used as the truststore
openssl x509 -outform der -in certificate.pem -out certificate.der
keytool -import -alias your-alias -keystore cacerts -file certificate.der


Andy LoPresto
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

On Feb 15, 2018, at 7:39 PM, nifi-san <[hidden email]> wrote: (original post quoted in full, as above)
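The procedure Andy describes, scripted as an added example (this is not code from the thread, from NiFi, or from Andy): extract the server's leaf certificate from `openssl s_client -showcerts` output, optionally convert it to DER, import it into a JKS truststore for the StandardSSLContextService, and print the names the certificate is valid for. The host, port, file names, alias, password and the sample s_client output are constructed placeholders; the network and keytool steps are functions you call yourself, while the extraction step runs offline against the embedded sample.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a JKS truststore that a NiFi
# StandardSSLContextService can reference, from the certificate a remote HTTPS
# service presents. Host, port, file names and the password are placeholders.

# Keep only the first certificate block (the server's own leaf certificate) from
# `openssl s_client -showcerts` output. Reads stdin, writes the PEM to stdout,
# returns 1 if no certificate block was found.
extract_first_pem() {
  inside=0
  while IFS= read -r line; do
    if [ "$line" = '-----BEGIN CERTIFICATE-----' ]; then inside=1; fi
    if [ "$inside" -eq 1 ]; then printf '%s\n' "$line"; fi
    if [ "$line" = '-----END CERTIFICATE-----' ] && [ "$inside" -eq 1 ]; then return 0; fi
  done
  return 1
}

# Fetch the leaf certificate from a live endpoint (needs network access).
# Usage: fetch_server_cert host01.example.internal 8443 > server.pem
fetch_server_cert() {
  printf '' | openssl s_client -connect "$1:$2" -servername "$1" -showcerts 2>/dev/null \
    | extract_first_pem
}

# Optional PEM -> DER conversion, as in the thread; keytool reads PEM directly too.
pem_to_der() {             # pem_to_der server.pem server.der
  openssl x509 -in "$1" -outform der -out "$2"
}

# Import the certificate into a truststore (created if it does not exist), then
# list the entry so the import can be checked. -noprompt skips the interactive
# "Trust this certificate?" question, so compare the fingerprint beforehand.
import_into_truststore() { # import_into_truststore server.pem truststore.jks changeit remote-svc
  keytool -importcert -noprompt -alias "$4" -file "$1" -keystore "$2" -storepass "$3" \
    && keytool -list -keystore "$2" -storepass "$3" -alias "$4"
}

# Print the names the certificate is valid for; the host in the InvokeHTTP URL
# must match one of them (subjectAltName first, CN only as a fallback).
show_cert_names() {        # show_cert_names server.pem
  openssl x509 -in "$1" -noout -subject
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name'
}

# Constructed sample of s_client -showcerts output (two certificates with fake
# bodies), used to exercise extract_first_pem offline.
SAMPLE_SCLIENT_OUTPUT=$(printf '%s\n' \
  'CONNECTED(00000003)' '---' 'Certificate chain' \
  ' 0 s:CN = host01.example.internal' '   i:CN = Example Internal CA' \
  '-----BEGIN CERTIFICATE-----' 'MIIBconstructedLeafCertificateBody==' '-----END CERTIFICATE-----' \
  ' 1 s:CN = Example Internal CA' '   i:CN = Example Internal CA' \
  '-----BEGIN CERTIFICATE-----' 'MIIBconstructedIssuerCertificateBody==' '-----END CERTIFICATE-----' \
  '---')

# Returns the leaf PEM extracted from the sample (what fetch_server_cert emits).
demo_extract() {
  printf '%s\n' "$SAMPLE_SCLIENT_OUTPUT" | extract_first_pem
}

demo_extract
```

Against a live endpoint the calls are `fetch_server_cert host 8443 > server.pem`, `show_cert_names server.pem`, then `import_into_truststore server.pem truststore.jks changeit remote-svc`; the resulting truststore.jks path, password and type JKS are what go into the StandardSSLContextService.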
Re: How to trust another certificate from within nifi flows?

Jaiganesh
Hi Andy,

Thanks for your post.

I just followed your steps. We had the .pem file already imported; I used
openssl and keytool to convert the pem and store it in a keystore. Following are the
commands I used.
Nifi-Error.png <http://apache-nifi-developer-list.39713.n7.nabble.com/file/t911/Nifi-Error.png>
SSLControllerService.png <http://apache-nifi-developer-list.39713.n7.nabble.com/file/t911/SSLControllerService.png>
# convert the PEM certificate to DER, then import it into the truststore
openssl x509 -outform der -in ca.pem -out ca.der
/opt/app/java/jdk1.8.0_112/bin/keytool -import -alias ca -keystore cacerts -file ca.der

I created a StandardSSLContextService and pointed it at the created keystore file
location; when I tested it in the nifi processor I am getting
java.lang.RuntimeException, and there are no further traces available in the logs
either.

I have attached the screen shots of the error and the configuration also.

Please let me know what could be the reason.

Thanks & Regards,
Jai




Re: How to trust another certificate from within nifi flows?

Jaiganesh
Andy,

There is more of an update. I found the following bug in nifi 1.4 which is the
reason for the java.lang.RuntimeException: it is looking for a keystore
though there is no configuration specified in the controller service. This
was raised as a bug which was addressed in the 1.5 version, but they have also
provided a workaround to point the same truststore file to the keystore as well.
Now I am no longer getting the old error, but I see a different error;
the same .jks file is working with other client applications, so any pointer
to move forward will be greatly appreciated.

https://issues.apache.org/jira/browse/NIFI-4655


2018-02-20 01:09:03,933 INFO [NiFi Web Server-4997]
o.a.n.c.s.StandardProcessScheduler Starting
InvokeHTTP[id=51f5c341-4e72-3f82-4c7a-1a93767a23b4]
2018-02-20 01:09:03,936 INFO [StandardProcessScheduler Thread-4]
o.a.n.c.s.TimerDrivenSchedulingAgent Scheduled
InvokeHTTP[id=51f5c341-4e72-3f82-4c7a-1a93767a23b4] to run with 1 threads
2018-02-20 01:09:03,994 ERROR [Timer-Driven Process Thread-19]
o.a.nifi.processors.standard.InvokeHTTP
InvokeHTTP[id=51f5c341-4e72-3f82-4c7a-1a93767a23b4] Routing to Failure due
to exception: javax.net.ssl.SSLPeerUnverifiedException: Hostname <hostname>
not verified:
    certificate: sha256/RrHmPKgr/gT1tgmUVg4H1vnObnXME+/PSaHz1gKHIdU=
    DN: CN=<hostname>
    subjectAltNames: <hostname>: javax.net.ssl.SSLPeerUnverifiedException:
Hostname <hostname> not verified:
    certificate: sha256/RrHmPKgr/gT1tgmUVg4H1vnObnXME+/PSaHz1gKHIdU=
    DN: CN=atllvkafap301xd.hughestelematics.net
    subjectAltNames: <hostname>
javax.net.ssl.SSLPeerUnverifiedException: Hostname <hostname> not verified:
    certificate: sha256/RrHmPKgr/gT1tgmUVg4H1vnObnXME+/PSaHz1gKHIdU=
    DN: CN=<hostname>
    subjectAltNames: <hostname>
        at
okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:276)


Regards,
Jai



Re: How to trust another certificate from within nifi flows?

Jaiganesh
The issue is resolved: the host name I gave in the URL was not the fully qualified
name that we have kept in the certificate. Once the fully qualified name was
given, it started working.



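The final cause in this thread, a short host name in the InvokeHTTP URL against a fully qualified name in the certificate, can be caught before the processor is started. The following added example (not code from the thread, from NiFi, or from OkHttp, whose verifier raised the SSLPeerUnverifiedException above) applies the usual hostname-verification rules in plain sh: the URL host is compared case-insensitively against the certificate's subjectAltName DNS entries, a `*.` wildcard covers exactly one leftmost label, and the subject CN is consulted only when no SAN DNS names exist. All host names are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from OkHttp/NiFi. Reproduces the
# decision a hostname verifier makes, so the host in an InvokeHTTP URL can be
# checked against a certificate's names before the flow is run.
# All host names used below are constructed.

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# host_of_url 'https://Host01.Example.internal:8443/api' -> host01.example.internal
host_of_url() {
  h=${1#*://}    # drop scheme
  h=${h%%/*}     # drop path
  h=${h%%:*}     # drop port
  lower "$h"
}

# name_matches host pattern -> exit 0 when the certificate name covers the host.
# A "*.example.internal" pattern matches one label only, so deep.api.example.internal
# is rejected, as verifiers do.
name_matches() {
  nm_host=$(lower "$1"); nm_pat=$(lower "$2")
  case "$nm_pat" in
    '*.'*)
      nm_suffix=${nm_pat#\*.}
      case "$nm_host" in
        *.*) if [ "${nm_host#*.}" = "$nm_suffix" ]; then return 0; fi ;;
      esac
      return 1 ;;
    *) [ "$nm_host" = "$nm_pat" ] ;;
  esac
}

# verify_hostname host cn [san ...] -> exit 0 when a verifier would accept it.
# SAN entries take precedence; the CN is only used when no SAN is present.
verify_hostname() {
  vh_host=$1; vh_cn=$2; shift 2
  if [ $# -gt 0 ]; then
    for san in "$@"; do
      if name_matches "$vh_host" "$san"; then return 0; fi
    done
    return 1
  fi
  name_matches "$vh_host" "$vh_cn"
}

# explain url cn [san ...] -> prints an "ok:" or "mismatch:" line for the URL,
# the check to run against the names printed from the certificate.
explain() {
  ex_url=$1; ex_cn=$2; shift 2
  ex_host=$(host_of_url "$ex_url")
  if verify_hostname "$ex_host" "$ex_cn" "$@"; then
    printf 'ok: %s is covered by the certificate\n' "$ex_host"
  else
    printf 'mismatch: %s is not covered (CN=%s SAN=%s)\n' "$ex_host" "$ex_cn" "$*"
  fi
}

# The thread's failure: short host in the URL, FQDN in the certificate.
explain 'https://host01:8443/api' host01.example.internal host01.example.internal
# The fix: use the fully qualified name in the URL.
explain 'https://host01.example.internal:8443/api' host01.example.internal host01.example.internal
```

Run it as `explain "$url" "$cn" "$san"` with the CN and SAN values read off the certificate; a `mismatch:` line means InvokeHTTP will route to failure with the "Hostname ... not verified" exception regardless of what the truststore contains, because trust of the certificate and verification of the name are separate checks.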