Enabling SSL with a NiFi Certificate Authority
When you enable SSL with the NiFi Certificate Authority (CA) installed, the NiFi CA generates new client certificates for you through Ambari. If you want to enable SSL with a NiFi CA installed, and are planning to use Ranger to manage authorization:
Select the Enable SSL? box.
Specify the NiFi CA token.
If you want to enable SSL with a NiFi CA installed, and are not yet using Ranger to manage authorization:
Check the Enable SSL? box.
Specify the NiFi CA Token.
Verify that the
authorizations.xml
file on each node does not contain policies. Theauthorizations.xml
is located in{nifi_internal_dir}/conf
. By default, this location is/var/lib/nifi/conf/
, and the value of{nifi_internal_dir}
is specified in the NiFi internal dir field under Advanced nifi-ambari-config.Note If
authorizations.xml
does contain policies, you must delete it from each node. If you do not, your Initial Admin Identity and Node Identities changes do not take effect.Specify the Initial Admin Identity. The Initial Admin Identity is the identity of an initial administrator and is granted access to the UI and has the ability to create additional users, groups, and policies. This is a required value when you are not using the Ranger plugin for NiFi for authorization.
The Initial Admin Identity format is CN=admin, OU=NIFI.
After you have added the Initial Admin Identity, you must immediately generate certificate for this user.
Specify the Node Identities. This indicates the identity of each node in a NiFi cluster and allows clustered nodes to communicate. This is a required value when you are not using the Ranger plugin for NiFi for authorization.
<property name="Node Identity 1">CN=node1.fqdn, OU=NIFI</property> <property name="Node Identity 2">CN=node2.fqdn, OU=NIFI</property> <property name="Node Identity 3">CN=node3.fqdn, OU=NIFI</property>
Replace node1.fqdn, node2.fqdn, and node3.fqdn with their respective fully qualified domain names.