nifi-users mailing list archives

From Bryan Bende <bbe...@gmail.com>
Subject Re: MiNiFi & Certs/Keys
Date Fri, 20 Oct 2017 13:23:23 GMT
Hi Michael,

You would want to generate a different certificate for MiNiFi (using
the same CA) and put it in a different keystore like
minifi_server.key.pem.

You would then need to create a user in NiFi for the DN of the MiNiFi
certificate, to represent MiNiFi as a user and assign proper
permissions for site-to-site, etc.

So all of your systems would use the same truststore that trusts certs
from the CA, but each system should have its own cert to identify
it.

Thanks,

Bryan


On Thu, Oct 19, 2017 at 6:00 PM, Michael Nacey <mnacey@gmail.com> wrote:
> Hi,
>
> We have been working on securing our nifi/minifi setup, and we have been
> marginally successful, but there are a few things I can't seem to figure
> out. For our setup we have:
>
> CA: created in openssl, intermediate issuer created as well; chain cert
> created
> NIFI Cert: issued by the intermediate
> User Cert: issued by the intermediate (CN=admin)
>
> NIFI
> =======
> Keystore: nifi_server.key.pem
> Truststore: ca-chain.cert.pem, admin.cert.pem, nifi_server.cert.pem
>
> With this setup, secure cert based browser connection to NIFI works like a
> champ using the "admin" identity. I can create an S2S connection to my own
> NIFI, and I notice it uses the 'nifi_server' identity to authenticate.
>
> MINIFI
> ========
> Keystore: nifi_server.key.pem
> Truststore: ca-chain.cert.pem, admin.cert.pem, nifi_server.cert.pem
>
> With this setup, MINIFI will connect securely to NIFI, again using the
> 'nifi_server' identity. This is not really desirable, since I would want
> MINIFI to connect using the "admin" identity (or in real life, one specific
> to that instance of MINIFI).
>
> Any ideas how to accomplish this? Am I doing something wrong? I'm kind of
> new to the Java keystore stuff.
>
> Thanks
>
> --
> “Try to never run out of smokes, ammo, and luck all at the same time. But
> remember, if you have ammo, you can always get more smokes, and make your
> own luck.” G.K. Shirpa
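As an added example of the steps Bryan describes (this is not code from either mail or from the MiNiFi project): issue a per-instance certificate from the same intermediate CA, wrap it in its own keystore rather than reusing nifi_server's, and print the subject DN that has to be created as the NiFi user. It assumes `openssl` on PATH; the throwaway root and intermediate CA, the instance name `minifi-01`, the OU, the certificate extensions and the keystore password are all constructed assumptions standing in for the poster's real CA.

```shell
# Added example: separate MiNiFi identity from the same CA (assumptions noted).
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed root + intermediate so the example runs offline; in practice
# the poster's existing ca-chain.cert.pem and intermediate key are used.
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test Root CA" \
    -keyout "$WORK/root.key.pem" -out "$WORK/root.cert.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
    -keyout "$WORK/int.key.pem" -out "$WORK/int.csr.pem" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/int.ext"
  openssl x509 -req -in "$WORK/int.csr.pem" -CA "$WORK/root.cert.pem" \
    -CAkey "$WORK/root.key.pem" -CAcreateserial -days 30 \
    -extfile "$WORK/int.ext" -out "$WORK/int.cert.pem" 2>/dev/null
  cat "$WORK/int.cert.pem" "$WORK/root.cert.pem" > "$WORK/ca-chain.cert.pem"
}

# Issue a distinct key + cert for one MiNiFi instance and bundle it with the
# chain into its own PKCS12 keystore (minifi_<name>.p12), never nifi_server's.
issue_minifi_cert() {
  name="$1"   # e.g. minifi-01; the CN becomes the identity NiFi sees
  openssl req -newkey rsa:2048 -nodes -subj "/OU=MiNiFi/CN=$name" \
    -keyout "$WORK/$name.key.pem" -out "$WORK/$name.csr.pem" 2>/dev/null
  printf 'extendedKeyUsage=clientAuth,serverAuth\nsubjectAltName=DNS:%s\n' "$name" > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr.pem" -CA "$WORK/int.cert.pem" \
    -CAkey "$WORK/int.key.pem" -CAcreateserial -days 30 \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.cert.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/$name.key.pem" -in "$WORK/$name.cert.pem" \
    -certfile "$WORK/ca-chain.cert.pem" -name "$name" -passout pass:changeit \
    -out "$WORK/minifi_$name.p12"
}

# Subject DN in RFC 2253 order, spaced the way NiFi shows user identities;
# this exact string is what the NiFi user for the instance must be named.
cert_dn() {
  openssl x509 -in "$WORK/$1.cert.pem" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//; s/,/, /g'
}

# Check the new cert chains to the CA the shared truststore already trusts.
verify_chain() {
  openssl verify -CAfile "$WORK/ca-chain.cert.pem" "$WORK/$1.cert.pem" >/dev/null 2>&1
}

make_test_ca
issue_minifi_cert minifi-01
cert_dn minifi-01    # → CN=minifi-01, OU=MiNiFi
```

Point MiNiFi's keystore properties at `minifi_minifi-01.p12` (type PKCS12) while leaving the shared truststore as is, then grant that DN the site-to-site permissions in NiFi.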
