Security

Configuring Knox for NiFi

  1. Create a config.json file in a location accessible to Knox.

    For example, create the file on the Knox server at /home/knox.

  2. Populate the config.json file with the following information:

    Before populating config.json, look up the NiFi CA port value in the Advanced nifi-ambari-ssl-config section.

    {
      "dn" : "CN=$KNOX_HOST_NAME, OU=KNOX",
      "keyStore" : "/home/knox/knox-nifi-keystore.jks",
      "keyStoreType" : "jks",
      "keyStorePassword" : "$KEY_STORE_PASSWORD",
      "keyPassword" : "$KEY_PASSWORD",
      "token" : "$NIFI_CA_TOKEN_VALUE",
      "caHostname" : "$NIFI_CA_HOSTNAME",
      "port" : $NIFI_CA_PORT,
      "trustStore" : "/home/knox/knox-nifi-truststore.jks",
      "trustStorePassword" : "$TRUSTSTORE_PASSWORD",
      "trustStoreType" : "jks"
    }
    

    The keyStorePassword, keyPassword, and trustStorePassword can be set to the Knox Master Password to make it easier to import the keyStore and trustStore created by the NiFi Certificate Authority into Knox's keystore.

  3. Confirm that the variables in the config.json file from step 2 are set to the values from the Advanced nifi-ambari-ssl-config section.

  4. To create the keystore and truststore that Knox uses when proxying NiFi, run the NiFi TLS Toolkit. For the location of the TLS Toolkit, see the Release Notes for OS-specific information.

    For example:

    /var/lib/ambari-agent/cache/common-services/NIFI/1.0.0/package/files/nifi-toolkit-1.2.0.3.0.2.0-71/bin/tls-toolkit.sh client --subjectAlternativeNames "CN=$HOST_DN_NAME, OU=KNOX" -F -f /home/knox/config.json

    The toolkit requests a new certificate and creates two new files containing the keystore and truststore:

    /home/knox/knox-nifi-keystore.jks
    /home/knox/knox-nifi-truststore.jks

  5. Import the Knox certificate for NiFi into Knox's gateway.jks file:

    keytool -importkeystore -srckeystore /home/knox/knox-nifi-keystore.jks -destkeystore /usr/hdp/current/knox-server/data/security/keystores/gateway.jks -deststoretype JKS -srcstorepass $KEYSTORE_PASSWORD -deststorepass $KNOX_MASTER_PASSWORD

    The gateway.jks file should now contain a PrivateKeyEntry for NiFi.

  6. Import NiFi CA's truststore into Knox's gateway.jks file:

    keytool -importkeystore -srckeystore /home/knox/knox-nifi-truststore.jks -destkeystore /usr/hdp/current/knox-server/data/security/keystores/gateway.jks -deststoretype JKS -srcstorepass $KEYSTORE_PASSWORD -deststorepass $KNOX_MASTER_PASSWORD

    The gateway.jks file should now contain a trustedCertEntry for NiFi.

    Knox looks up the certificates it trusts in gateway.jks, which serves as its truststore.

  7. If you have not already done so, verify the proper keys are in the gateway.jks file:

    keytool -keystore /usr/hdp/current/knox-server/data/security/keystores/gateway.jks -storepass $KNOX_MASTER_PASSWORD -list -v

  8. In the /usr/hdp/current/$KNOX_SERVER/data/services/nifi/1.4.0/service.xml file, make sure the dispatch element contains the following:

    <dispatch classname="org.apache.hadoop.gateway.dispatch.NiFiDispatch" use-two-way-ssl="true"/>

  9. In the Advanced topology section in Ambari, add the following service definition to the list of services:

    <service>
        <role>NIFI</role>
        <url>https://$NIFI_HOSTNAME:$NIFI_HTTPS_PORT/</url>
        <param name="useTwoWaySsl" value="true" />
    </service>

    Where:

    • <url> points to the host and port on which NiFi listens, as set in the nifi-properties configuration.

  10. Save the configuration and restart Knox.
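As an added check for steps 5 through 7 (example script, not part of the HDP documentation or the Knox project), the following POSIX shell functions read a saved `keytool -list -v` listing of gateway.jks and confirm that it holds at least one PrivateKeyEntry and one trustedCertEntry before Knox is restarted. The listing file path, the alias names and the sample listing are assumptions constructed for the example.

```shell
# Added example, not from the HDP documentation: check a saved `keytool -list -v`
# listing of gateway.jks for what steps 5 and 6 should have produced: at least
# one PrivateKeyEntry and one trustedCertEntry. Capture the listing with the
# step 7 command (`... -list -v > /tmp/gateway-listing.txt`) and pass the file.

# Number of entries of one type in the listing; `|| true` keeps the printed "0"
# when grep exits 1 because nothing matched.
count_entries() {
  grep -c "^Entry type: $2" "$1" || true
}

# Aliases whose entry is of the given type, one per line.
aliases_of_type() {
  awk -v want="$2" '
    /^Alias name: / { alias = substr($0, 13) }
    /^Entry type: / { if (substr($0, 13) == want) print alias }
  ' "$1"
}

# Returns 0 when both entry types are present, 1 when either is missing.
check_gateway_entries() {
  pk=$(count_entries "$1" PrivateKeyEntry)
  tc=$(count_entries "$1" trustedCertEntry)
  echo "PrivateKeyEntry aliases:  $(aliases_of_type "$1" PrivateKeyEntry | tr '\n' ' ')"
  echo "trustedCertEntry aliases: $(aliases_of_type "$1" trustedCertEntry | tr '\n' ' ')"
  if [ "$pk" -ge 1 ] && [ "$tc" -ge 1 ]; then
    echo "gateway.jks OK: $pk PrivateKeyEntry, $tc trustedCertEntry"
    return 0
  fi
  echo "gateway.jks INCOMPLETE: $pk PrivateKeyEntry, $tc trustedCertEntry; redo step 5 or 6" >&2
  return 1
}

# Constructed sample listing, cut down to the lines the check reads; alias
# names and dates are made up.
SAMPLE_LISTING=$(mktemp)
cat > "$SAMPLE_LISTING" <<'EOF'
Keystore type: JKS
Your keystore contains 2 entries

Alias name: gateway-identity
Creation date: Jan 1, 2018
Entry type: PrivateKeyEntry

Alias name: nifi-cert
Creation date: Jan 1, 2018
Entry type: trustedCertEntry
EOF

check_gateway_entries "$SAMPLE_LISTING"
```

A listing that passes this check still needs the PrivateKeyEntry's subject to match the dn from config.json, which `keytool -list -v` shows in the Owner line of each entry.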