Securing NiFi with Existing CA Certificates

This document explains how to secure NiFi with existing Certificate Authorities (CA) certificates (without NiFi LDAP Authentication).

In this configuration, commercial Certificate Authorities (CAs) play a pivotal role. Alternatively, an enterprise CA with an internal CA certificate trusted by corporate devices can be utilized. Several commercial vendors offer signed certificates, including TinyCert, chosen here for its cost-effectiveness. Another option, Let’s Encrypt, provides free certificates but requires hostname ownership verification, which involves additional steps not covered in this scenario.

All certificates and keys in this setup adhere to the Privacy-Enhanced Mail (PEM) format, widely recognized as a standard for certificates and keys. PEM utilizes Base64 encoding for file contents, ensuring seamless transmission across diverse mediums and storage systems. These files can be easily inspected using plain text editors, and tools such as openssl and keytool are proficient in parsing them.

Example PEM file:

% cat nifi.pem

-----BEGIN CERTIFICATE-----

MIIFDzCCA/egAwIBAgICURswDQYJKoZIhvcNAQELBQAwgZMxCzAJBgNVBAYTAlVT

MQswCQYDVQQIDAJDQTEVMBMGA1UEBwwMU2FudGEgTW9uaWNhMRcwFQYDVQQKDA5B

cGFjaGUgTmlGaSBDQTErMCkGA1UECwwiU2VjdXJlIERpZ2l0YWwgQ2VydGlmaWNh

dGUgU2lnbmluZzEaMBgGA1UEAwwRQXBhY2hlIE5pRmkgQ0EgQ0EwHhcNMjAwNDA1

MjI0MTQ5WhcNMjEwNDA1MjI0MTQ5WjCBgjELMAkGA1UEBhMCVVMxCzAJBgNVBAgM

AkNBMRUwEwYDVQQHDAxTYW50YSBNb25pY2ExFzAVBgNVBAoMDkFwYWNoZSBOaUZp

IENBMSAwHgYDVQQLDBdBcGFjaGUgTmlGaSBXYWxrdGhyb3VnaDEUMBIGA1UEAwwL

c2VjdXJlLm5pZmkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDJySMX

H+Fco7WbXIKQ1u1RrMd/FE7zl/69X/7Da6x4c6jlI8fy3MbxZjqFnDsJpNuIkPVv

yHcGCm8Lkw70DbCTUkW60MlVM5r4CkWhVgOd1RD34QzhgkcKjg29uOuCYa+FM78q

E5Qp64wbLpDXHpxmm4/Qv97RHdTqynqRzYs6g+VyCn14nXuqJp0533F1T2khtK4z

BrIMZj6VpWyyCFmJjmrW37GbcRuxMbtbgj+4mzD0Eew6/96R9A7Wxlq0QMuRTz12

ie9xSi/GyzQV2r9gRzxuIo8qshMIq2d/1pipIgWNj2LzEXXoEbfHy7Jwm78e1G/+

PV/ULIx+QL4h9Ni/AgMBAAGjggF6MIIBdjAJBgNVHRMEAjAAMB0GA1UdDgQWBBTy

gw/GBUrqMI80gYpdlh3NNfwrBzAfBgNVHSMEGDAWgBRkovbp8RqbD0BeDyPcrBYg

a1rzdDARBglghkgBhvhCAQEEBAMCBPAwCwYDVR0PBAQDAgP4MDsGA1UdJQQ0MDIG

CCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwMEBggrBgEFBQcD

CDBtBggrBgEFBQcBAQRhMF8wLAYIKwYBBQUHMAGGIGh0dHA6Ly9vY3NwLnRpbnlj

ZXJ0Lm9yZy9jYS0yNDA1MC8GCCsGAQUFBzAChiNodHRwOi8vYWlhLnRpbnljZXJ0

Lm9yZy9jYS0yNDA1LmNydDA0BgNVHR8ELTArMCmgJ6AlhiNodHRwOi8vY3JsLnRp

bnljZXJ0Lm9yZy9jYS0yNDA1LmNybDAnBgNVHREEIDAeggtzZWN1cmUubmlmaYcE

fwAAAYIJbG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4IBAQDAICxyfgm2eBa8J3+s

D2QpIQgOc8fgMYeqWwgk5rHbDk8IdkH9XloAuSzxi/weZt3PQQOdNHeeOCOXEWAf

n0X1SMGFUvLForHgArGolt9uFofvh2sE2q3/wSBI6J2940dYwZOPAlf5m7fNpcbz

WCJZGt7Pn/VWm3+uPZrMAj+GzsvR9NVMZwK/eAFM4OKNCeiLRPv1qLARYVqvLJFK

t9dlCrHKyDLIaUbG2Lcw6Yt7SBU7nAnobuYqImRRXm/bE0xwb9X9fD8UzJfmryOT

Fvz4hlntwk1fgvG1n4SrZgFNZpg1awN5tXbwiOdisTwslQ49C4QCH5iEWCM1HExL

A5GR

-----END CERTIFICATE-----

Example parsed contents:

% openssl x509 -in nifi.pem -text -noout

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number: 20763 (0x511b)

    Signature Algorithm: sha256WithRSAEncryption

        Issuer: C=US, ST=CA, L=Santa Monica, O=Apache NiFi CA, OU=Secure Digital Certificate Signing, CN=Apache NiFi CA CA

        Validity

            Not Before: Apr  5 22:41:49 2020 GMT

            Not After : Apr  5 22:41:49 2021 GMT

        Subject: C=US, ST=CA, L=Santa Monica, O=Apache NiFi CA, OU=Apache NiFi Walkthrough, CN=secure.nifi

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

                Public-Key: (2048 bit)

                Modulus:

                    00:c9:c9:23:17:1f:e1:5c:a3:b5:9b:5c:82:90:d6:

                    ed:51:ac:c7:7f:14:4e:f3:97:fe:bd:5f:fe:c3:6b:

                    ac:78:73:a8:e5:23:c7:f2:dc:c6:f1:66:3a:85:9c:

                    3b:09:a4:db:88:90:f5:6f:c8:77:06:0a:6f:0b:93:

                    0e:f4:0d:b0:93:52:45:ba:d0:c9:55:33:9a:f8:0a:

                    45:a1:56:03:9d:d5:10:f7:e1:0c:e1:82:47:0a:8e:

                    0d:bd:b8:eb:82:61:af:85:33:bf:2a:13:94:29:eb:

                    8c:1b:2e:90:d7:1e:9c:66:9b:8f:d0:bf:de:d1:1d:

                    d4:ea:ca:7a:91:cd:8b:3a:83:e5:72:0a:7d:78:9d:

                    7b:aa:26:9d:39:df:71:75:4f:69:21:b4:ae:33:06:

                    b2:0c:66:3e:95:a5:6c:b2:08:59:89:8e:6a:d6:df:

                    b1:9b:71:1b:b1:31:bb:5b:82:3f:b8:9b:30:f4:11:

                    ec:3a:ff:de:91:f4:0e:d6:c6:5a:b4:40:cb:91:4f:

                    3d:76:89:ef:71:4a:2f:c6:cb:34:15:da:bf:60:47:

                    3c:6e:22:8f:2a:b2:13:08:ab:67:7f:d6:98:a9:22:

                    05:8d:8f:62:f3:11:75:e8:11:b7:c7:cb:b2:70:9b:

                    bf:1e:d4:6f:fe:3d:5f:d4:2c:8c:7e:40:be:21:f4:

                    d8:bf

                Exponent: 65537 (0x10001)

        X509v3 extensions:

            X509v3 Basic Constraints:

                CA:FALSE

            X509v3 Subject Key Identifier:

                F2:83:0F:C6:05:4A:EA:30:8F:34:81:8A:5D:96:1D:CD:35:FC:2B:07

            X509v3 Authority Key Identifier:

                keyid:64:A2:F6:E9:F1:1A:9B:0F:40:5E:0F:23:DC:AC:16:20:6B:5A:F3:74

​

            Netscape Cert Type:

                SSL Client, SSL Server, S/MIME, Object Signing

            X509v3 Key Usage:

                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement

            X509v3 Extended Key Usage:

                TLS Web Server Authentication, TLS Web Client Authentication, Code Signing, E-mail Protection, Time Stamping

            Authority Information Access:

                OCSP - URI:http://ocsp.tinycert.org/ca-2405

                CA Issuers - URI:http://aia.tinycert.org/ca-2405.crt

​

            X509v3 CRL Distribution Points:

​

                Full Name:

                  URI:http://crl.tinycert.org/ca-2405.crl

​

            X509v3 Subject Alternative Name:

                DNS:secure.nifi, IP Address:127.0.0.1, DNS:localhost

    Signature Algorithm: sha256WithRSAEncryption

         c0:20:2c:72:7e:09:b6:78:16:bc:27:7f:ac:0f:64:29:21:08:

         0e:73:c7:e0:31:87:aa:5b:08:24:e6:b1:db:0e:4f:08:76:41:

         fd:5e:5a:00:b9:2c:f1:8b:fc:1e:66:dd:cf:41:03:9d:34:77:

         9e:38:23:97:11:60:1f:9f:45:f5:48:c1:85:52:f2:c5:a2:b1:

         e0:02:b1:a8:96:df:6e:16:87:ef:87:6b:04:da:ad:ff:c1:20:

         48:e8:9d:bd:e3:47:58:c1:93:8f:02:57:f9:9b:b7:cd:a5:c6:

         f3:58:22:59:1a:de:cf:9f:f5:56:9b:7f:ae:3d:9a:cc:02:3f:

         86:ce:cb:d1:f4:d5:4c:67:02:bf:78:01:4c:e0:e2:8d:09:e8:

         8b:44:fb:f5:a8:b0:11:61:5a:af:2c:91:4a:b7:d7:65:0a:b1:

         ca:c8:32:c8:69:46:c6:d8:b7:30:e9:8b:7b:48:15:3b:9c:09:

         e8:6e:e6:2a:22:64:51:5e:6f:db:13:4c:70:6f:d5:fd:7c:3f:

         14:cc:97:e6:af:23:93:16:fc:f8:86:59:ed:c2:4d:5f:82:f1:

         b5:9f:84:ab:66:01:4d:66:98:35:6b:03:79:b5:76:f0:88:e7:

         62:b1:3c:2c:95:0e:3d:0b:84:02:1f:98:84:58:23:35:1c:4c:

         4b:03:91:91

The prerequisites for this scenario (issued by the IT department):

• A signed NiFi server certificate for the designated host (e.g., secure.nifi) in PEM format (nifi.pem)
• The corresponding private key in PEM format (nifi.key)
• A signed client certificate for the designated user (e.g., CN=my_username, …​) in PEM format (client.pem)
• The corresponding private key in PEM format (client.key)
• The CA certificate in PEM format (cacert.pem)

The final result will include a self-signed external CA (the root), a keystore and truststore with the required certificates for the NiFi instance to function, and a client certificate for a user to access NiFi.

Certificate Requirements

Ensure compliance with the following certificate requirements, maintaining the sequence but shuffling the order:

• The certificate's signature algorithm must utilize sha256WithRSAEncryption (SHA-256).

• Subject Alternate Names (SANs) are obligatory and must minimally encompass the Fully Qualified Domain Name (FQDN) of the host.

• Include the FQDN utilized for the Common Name (CN) as a DNS SAN entry.

• Supplemental names for the certificate/host can be appended as SANs.

• Avoid the usage of wildcard certificates. Each cluster node should possess its own certificate. In cases where NiFi or NiFi Registry operates behind Knox, refrain from deploying wildcard certificates for Knox.

• If contemplating the utilization of a load balancer for the NiFi service, incorporate the FQDN for the load balancer as a DNS SAN entry.

• The X509v3 KeyUsage segment of the certificate should incorporate the subsequent attributes:

  • DigitalSignature
  • Key_Encipherment

• The X509v3 ExtendedKeyUsages segment of the certificate necessitates the inclusion of the ensuing attributes:

  • clientAuth: Intended for TLS web client authentication.
  • serverAuth: Intended for TLS web server authentication.

• The KeyStore should exclusively hold a single PrivateKeyEntry. The utilization of multiple private keys within one KeyStore is not endorsed.

• The KeyStore password and the key/certificate password must either match or remain unset.

• Consistency in KeyStore password and key/certificate password is important across all distinct KeyStores utilized on each NiFi cluster node. Individual passwords for NiFi hosts are not supported by Ambari.

Generate keystore.jks and truststore.jks for NiFi Hosts

To generate keystore.jks and truststore.jks for NiFi hosts, perform the following:

1. Determine if the server certificate (nifi.pem) contains the complete certificate chain or just the server certificate. If the sequence -----BEGIN CERTIFICATE-----occurs only once, this is just the server certificate. If it occurs multiple times, the certificate chain is present. If the certificate chain is present, continue from Step 3 else continue to Step 2.

cat nifi.pem

The above code prints the Base64-encoded contents.

2. Concatenate the server certificate and CA certificate to form the certificate chain.

cat cacert.pem >> nifi.pem

The above code concatenates the CA certificate to the NiFi server certificate in the proper order.

3. Form the PKCS12 keystore from the certificate chain and private key.

• The following code generates a PKCS12 keystore that includes the private key and certificate chain under the alias nifi-key. This command will prompt you to enter an export password. Choose a secure password and confirm it by entering it twice (for this example, an insecure password 'passwordpassword' is used).

openssl pkcs12 -export -out nifi.p12 -inkey nifi.key -in nifi.pem -name nifi-key

• Verifiy the contents of the PKCS12 keystore (optional). The following command will prompt for the same password entered in the previous step.

keytool -list -v -keystore nifi.p12

4. Convert the PKCS12 keystore for the NiFi instance into the Java KeyStore file (keystore.jks). PKCS12 keystores are usable by NiFi, but JKS format is handled more robustly and causes fewer edge cases. JKS keystores cannot be formed directly from PEM files, so the PKCS12 keystore serves as an intermediate form.

keytool -importkeystore -srckeystore nifi.p12 -srcstoretype pkcs12 -srcalias nifi-key -destkeystore keystore.jks -deststoretype jks -destalias nifi-key

This command converts the PKCS12 keystore to a JKS keystore. It will prompt you to enter a new keystore password twice and then prompt you to enter the password set on the PKCS12 keystore in the previous step.

5. Convert the CA certificate into the NiFi truststore (truststore.jks) to allow trusted incoming connections.

keytool -importcert -alias nifi-cert -file cacert.pem -keystore truststore.jks

This command imports the CA certificate into the truststore and prompts for a new truststore password twice.

6. (Optional) Move the keystore.jks and truststore.jks files into the conf/ directory. This step is not required, but helps with organization.
7. Generate client certificates, and add it to machine browsers to access NiFi UI. Generate the client certificate keystore from the client certificate and key.

openssl pkcs12 -export -out CN=my_username.p12 -inkey client.key -in client.pem

This command creates the PKCS12 keystore containing the client certificate and private key. This command prompts for an export password twice.

From here on, the instructions are the same as those for the TLS Toolkit, starting with loading the client certificate in the browser.

Enable SSL with Existing Certificates (Using Ranger for Authorization)

To enable SSL with existing certificates, perform the following:

1. Select the "Enable SSL?" checkbox. Navigate to Ambari UI > NiFi > Configs > Advanced > Advanced nifi-ambari-ssl-config > Enable SSL? checkbox.

2. Enter the values for the Keystore path, Keystore password, and Keystore type.

   • Keystore path: /etc/nifi/conf/keystore.jks

3. Enter the values for the Truststore path, Truststore password, and Truststore type.

   • Truststore path: /etc/nifi/conf/truststore.jks

Advanced nifi-ambari-ssl-config

Setting Up Identity Mapping

About This Task

You can use identity mapping properties to normalize user identities. Once set up, NiFi treats identities authenticated by different identity providers (certificates, LDAP, Kerberos) the same. This prevents the creation of duplicate users and ensures user-specific configurations, such as authorizations, need to be set up only once per user.

Perform the following steps:

1. From the NiFi service Configs tab, click Advanced nifi-properties.
2. Use the Filter box to search for nifi.security.identity.mapping.pattern.
3. Enter the following values:

4. Click Save.
5. Restart NiFi using the Restart all Required option from the Action menu.

Advanced nifi-properties

Logging into NiFi After Enabling SSL

Once SSL is enabled in NiFi, perform the following steps to securely log in:

1. Open NiFi from the Ambari Quick Links menu.
2. When prompted by the browser, select the certificate you recently imported. Use incognito mode if the certificate prompt does not appear.

Additional Steps

Ranger Test Connection Failure Due to SSL

Issue:

"Connection Failed. Unable to retrieve any resources using given parameters. java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)"

Solution:

Perform the following steps to review the configurations:

1. Login into Ranger UI > Edit Nifi Service Repo > Review “NiFi URL”
2. Review “Config Properties” added/updated correctly.

Ranger Test Connection Failure Due to permission 403 forbidden

Issue:

NiFi authentication fails due to insufficient permissions, resulting in an access denied error in the nifi-user.log.

Log sample:

2024-05-09 19:04:27,916 INFO [NiFi Web Server-115] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 10.90.9.67 [CN=ambari007-ha.adsre.com, O=ACCELDATA, L=PA, ST=LA, C=US] GET https://ambari007-ha.adsre.com:9091/nifi-api/resources

2024-05-09 19:04:27,916 INFO [NiFi Web Server-115] o.a.n.w.s.NiFiAuthenticationFilter Authentication Success [CN=ambari007-ha.adsre.com, O=ACCELDATA, L=PA, ST=LA, C=US] 10.90.9.67 GET https://ambari007-ha.adsre.com:9091/nifi-api/resources

2024-05-09 19:04:27,924 INFO [NiFi Web Server-115] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=ambari007-ha.adsre.com, O=ACCELDATA, L=PA, ST=LA, C=US], groups[none] does not have permission to access the requested resource. No applicable policies could be found. Returning Forbidden response.

Solution:

1. Review the NiFi Log:

tail -f /var/log/nifi/nifi-user.log

Rerun the Ranger NiFi Test connection and observe the log for authentication events.

2. Add User in Ranger UI:

   1. Log in to the Ranger UI.

   2. Navigate to Settings > Users.

   3. Click on Add New User.

   4. Enter the following details:

      • User Name: Full Certificate DN (e.g., CN=ambari007-ha.adsre.com, O=ACCELDATA, L=PA, ST=LA, C=US)
      • Password: Set a dummy password that meets the password requirements.

   5. Click Save.

3. Assign NiFi Policy:

   1. Go to Ranger NiFi Policy.

   2. Add the new user to an existing policy or create a new one.

      • Example New Policy:
        • NiFi Resource Identifier: /*
        • Select User: The newly added user.

   3. Save the policy.

These steps will ensure that the specified user has the required permissions to access the requested resources in NiFi.

Insufficient Permissions | No Applicable Policy Could Be Found

Issue:

"Insufficient Permissions | No applicable policies could be found. Contact the system administrator."

Solution:

Review the Ranger Audit Configs by performing the following:

1. Add User in Ranger: User: CN=nifi_user, O=ACCELDATA, L=PA, ST=LA, C=US

   • Log in to the Ranger UI.

   • Navigate to Settings > Users.

   • Click on Add New User.

   • Enter the following details:

     • User Name: CN=nifi_user, O=ACCELDATA, L=PA, ST=LA, C=US
     • Password: Set a dummy password that meets the password requirements.

   • Click Save.

2. Assign NiFi Policy:

   • Navigate to Ranger NiFi Policy.
   • Add the new user to an existing policy or create a new one.
     • Example New Policy:
       • NiFi Resource Identifier: /flow

Audit Access Log Detail

Enabling SSL with Existing Certificates (Without Using Ranger for Authorization)

1. Enable SSL:

   • Tick the "Enable SSL?" checkbox.

2. Configure Keystore:

   • Specify the following values:
     • Keystore path: /etc/nifi/conf/keystore.jks
     • Keystore password
     • Keystore type

3. Configure Truststore:

   • Set the following values:
     • Truststore path: /etc/nifi/conf/truststore.jks
     • Truststore password
     • Truststore type

4. Provide Initial Admin Identity:

   • The Initial Admin Identity is required for the initial administrator to access the UI and create additional users, groups, and policies. This step is necessary unless using the Ranger plugin for NiFi authorization.
   • Format: CN=admin, OU=NIFI
   • After setting the Initial Admin Identity, generate a certificate for this user.

5. Define Node Identities:

   • This step specifies the identity of each node in a NiFi cluster, enabling communication between clustered nodes. It is mandatory unless using the Ranger plugin for NiFi authorization.

   • Example properties:

     • <property name="Node Identity 1">CN=node1.fqdn, OU=NIFI</property>
     • <property name="Node Identity 2">CN=node2.fqdn, OU=NIFI</property>
     • <property name="Node Identity 3">CN=node3.fqdn, OU=NIFI</property>

   • Replace node1.fqdn, node2.fqdn, and node3.fqdn with their respective fully qualified domain names (FQDN).