Subject: Re: Secured Nifi Cluster Setup
From: Andy LoPresto
To: dev@nifi.apache.org
Date: Mon, 3 Apr 2017 10:21:28 -0700
Message-Id: <2224E7BD-45F6-4AFC-9DC1-39AA89818034@apache.org>
In-Reply-To: <1491012062344-15334.post@n7.nabble.com>
References: <1491012062344-15334.post@n7.nabble.com>

Anishkumar,

I have answered this with some potential solutions here [1]. If you can provide more information about the current configuration (your nifi.properties file, keytool output of your keystores and truststores, etc.) we can provide more assistance.

[1] http://stackoverflow.com/a/43190068/70465

Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69


> On Mar 31, 2017, at 7:01 PM, Anishkumar Valsalam <anishkumar.valsalam@gmail.com> wrote:
>
> I am trying to configure the 3-node secured Nifi cluster setup by following
> the below link
> <https://pierrevillard.com/2016/11/29/apache-nifi-1-1-0-secured-cluster-setup/>.
>
> But between nodes the connection does not happen after enabling SSL/LDAP, and I
> am getting the below error.
>
> 2017-04-01 09:05:47,494 WARN [Clustering Tasks Thread-2] o.apache.nifi.controller.FlowController Failed to send heartbeat due to: org.apache.nifi.cluster.protocol.ProtocolException: Failed marshalling 'HEARTBEAT' protocol message due to: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> 2017-04-01 09:05:47,494 ERROR [Process Cluster Protocol Request-7] o.a.nifi.security.util.CertificateUtils The incoming request did not contain client certificates and thus the DN cannot be extracted. Check that the other endpoint is providing a complete client certificate chain
> 2017-04-01 09:05:47,494 WARN [Process Cluster Protocol Request-7] o.a.n.c.p.impl.SocketProtocolListener Failed processing protocol message from HKLPATHAS02.hk.standardchartered.com due to org.apache.nifi.cluster.protocol.ProtocolException: java.security.cert.CertificateException: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
> org.apache.nifi.cluster.protocol.ProtocolException: java.security.cert.CertificateException: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>         at org.apache.nifi.cluster.protocol.impl.SocketProtocolListener.getRequestorDN(SocketProtocolListener.java:221) ~[nifi-framework-cluster-protocol-1.1.0.2.1.1.0-2.jar:1.1.0.2.1.1.0-2]
>         at org.apache.nifi.cluster.protocol.impl.SocketProtocolListener.dispatchRequest(SocketProtocolListener.java:133) ~[nifi-framework-cluster-protocol-1.1.0.2.1.1.0-2.jar:1.1.0.2.1.1.0-2]
>         at org.apache.nifi.io.socket.SocketListener$2$1.run(SocketListener.java:136) [nifi-socket-utils-1.1.0.2.1.1.0-2.jar:1.1.0.2.1.1.0-2]
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_102]
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_102]
>         at java.lang.Thread.run(Thread.java:745) [na:1.8.0_102]
> Caused by: java.security.cert.CertificateException: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>         at org.apache.nifi.security.util.CertificateUtils.extractPeerDNFromClientSSLSocket(CertificateUtils.java:306) ~[nifi-security-utils-1.1.0.2.1.1.0-2.jar:1.1.0.2.1.1.0-2]
>         at org.apache.nifi.security.util.CertificateUtils.extractPeerDNFromSSLSocket(CertificateUtils.java:261) ~[nifi-security-utils-1.1.0.2.1.1.0-2.jar:1.1.0.2.1.1.0-2]
>         at org.apache.nifi.cluster.protocol.impl.SocketProtocolListener.getRequestorDN(SocketProtocolListener.java:219) ~[nifi-framework-cluster-protocol-1.1.0.2.1.1.0-2.jar:1.1.0.2.1.1.0-2]
>         ... 5 common frames omitted
> Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>         at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:431) ~[na:1.8.0_102]
>         at org.apache.nifi.security.util.CertificateUtils.extractPeerDNFromClientSSLSocket(CertificateUtils.java:291) ~[nifi-security-utils-1.1.0.2.1.1.0-2.jar:1.1.0.2.1.1.0-2]
>         ... 7 common frames omitted
>
> --
> View this message in context: http://apache-nifi-developer-list.39713.n7.nabble.com/Secured-Nifi-Cluster-Setup-tp15334.html
> Sent from the Apache NiFi Developer List mailing list archive at Nabble.com.
