Configuring NiFi Authentication and Proxying with Apache Knox

Preparing to Generate Knox Certificates using the TLS Toolkit

Proxies must communicate securely with NiFi using two-way SSL. To set up two-way SSL, you must generate certificates for Knox to use when communicating with NiFi. You can do this by using the TLS Toolkit. Use these steps to create a configuration for the TLS Toolkit to generate the certificates for Knox.

  1. As the Knox user, create a nifi-ca-config.json file on each Knox node, in a location accessible to Knox.

    For example, to create the file on a Knox node at /home/knox using the vi text editor, enter the following:

    sudo su - knox
    vi /home/knox/nifi-ca-config.json
  2. Populate the nifi-ca-config.json file with the following information:
    {
      "dn" : "CN=$KNOX_HOSTNAME, OU=KNOX",
      "keyStore" : "/home/knox/knox-nifi-keystore.jks",
      "keyStoreType" : "jks",
      "keyStorePassword" : "$KEYSTORE_PASSWORD",
      "keyPassword" : "$KEY_PASSWORD",
      "token" : "$NIFI_CA_TOKEN_VALUE",
      "caHostname" : "$NIFI_CA_HOSTNAME",
      "port" : $NIFI_CA_PORT,
      "trustStore" : "/home/knox/knox-nifi-truststore.jks",
      "trustStorePassword" : "$TRUSTSTORE_PASSWORD",
      "trustStoreType" : "jks"
    }

    where:

    • $KNOX_HOSTNAME is the FQDN for the cluster node on which Knox is installed.
    • $KEYSTORE_PASSWORD is the password you want the TLS Toolkit to use for the KeyStore and TrustStore for Knox when communicating with NiFi.
    • $KEY_PASSWORD is required when SSL is enabled. If you are using the NiFi Certificate Authority (CA), this value is automatically generated if the field is left blank. You can find this value in the Key password field in the NiFi Advanced nifi-ambari-ssl-config configuration section.
    • $NIFI_CA_TOKEN_VALUE is the token that NiFi CA uses to verify a NiFi node identity before issuing certificates. You can find this value in the NiFi CA Token field in the NiFi Advanced nifi-ambari-ssl-config configuration section.
    • $NIFI_CA_HOSTNAME is the FQDN for the cluster node on which the NiFi CA is installed.
    • $NIFI_CA_PORT is the port used by the NiFi CA. You can find this value in the NiFi Certificate Authority port field in the NiFi Advanced nifi-ambari-ssl-config configuration section.

    • $TRUSTSTORE_PASSWORD is the truststore password.
    Note
    You can set keyStorePassword, keyPassword, and trustStorePassword to the Knox Master Secret to make it easier to import the keyStore and trustStore created by the NiFi Certificate Authority into the Knox keystore.

Example nifi-ca-config.json file

{
  "dn" : "CN=slo-hdf-test5.field.hortonworks.com, OU=KNOX",
  "domainAlternativeNames" : null,
  "keyStore" : "/home/knox/knox-nifi-keystore.jks",
  "keyStoreType" : "jks",
  "keyStorePassword" : "admin",
  "keyPassword" : "admin",
  "token" : "token",
  "caHostname" : "slo-hdf-test5.field.hortonworks.com",
  "port" : 10443,
  "dnPrefix" : "CN=",
  "dnSuffix" : ", OU=NIFI",
  "reorderDn" : true,
  "trustStore" : "/home/knox/knox-nifi-truststore.jks",
  "trustStorePassword" : "admin",
  "trustStoreType" : "jks"
}
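As an added example (not part of this guide or of the NiFi TLS Toolkit), the following Python builds a nifi-ca-config.json from the variables listed in step 2 and checks it before it is handed to the toolkit: the port must be an unquoted integer, the dn must follow the CN=<Knox FQDN>, OU=KNOX form, store paths must match their declared type, and the secrets must not be left at placeholder values such as the admin and token strings in the sample file above. The function names, the placeholder list and the hostnames are assumptions.

```python
import re

# Keys the client config described in the guide must carry; "port" is the only integer.
REQUIRED_KEYS = {
    "dn", "keyStore", "keyStoreType", "keyStorePassword", "keyPassword",
    "token", "caHostname", "port", "trustStore", "trustStorePassword", "trustStoreType",
}
# Assumed list of values that indicate a secret was never filled in.
PLACEHOLDER_SECRETS = {"", "admin", "token", "password", "changeit"}


def build_config(knox_hostname, ca_hostname, ca_port, token, master_secret,
                 base_dir="/home/knox"):
    """Fill in the guide's template. The Knox Master Secret is reused for all three
    passwords, as the guide's note permits (the caller supplies it)."""
    return {
        "dn": f"CN={knox_hostname}, OU=KNOX",
        "keyStore": f"{base_dir}/knox-nifi-keystore.jks",
        "keyStoreType": "jks",
        "keyStorePassword": master_secret,
        "keyPassword": master_secret,
        "token": token,
        "caHostname": ca_hostname,
        "port": int(ca_port),
        "trustStore": f"{base_dir}/knox-nifi-truststore.jks",
        "trustStorePassword": master_secret,
        "trustStoreType": "jks",
    }


def check_config(cfg):
    """Return a list of problems; an empty list means the file is ready for the toolkit."""
    problems = []
    missing = REQUIRED_KEYS - cfg.keys()
    if missing:
        problems.append(f"missing keys: {sorted(missing)}")
    port = cfg.get("port")
    if not isinstance(port, int) or not 0 < port < 65536:
        problems.append("port must be an unquoted integer in 1-65535")
    if not re.fullmatch(r"CN=[A-Za-z0-9.-]+, OU=KNOX", cfg.get("dn", "")):
        problems.append("dn must be 'CN=<Knox FQDN>, OU=KNOX'")
    for key in ("keyStorePassword", "keyPassword", "trustStorePassword", "token"):
        if cfg.get(key, "") in PLACEHOLDER_SECRETS:
            problems.append(f"{key} is empty or a placeholder value")
    for store, stype in (("keyStore", "keyStoreType"), ("trustStore", "trustStoreType")):
        if cfg.get(stype) == "jks" and not str(cfg.get(store, "")).endswith(".jks"):
            problems.append(f"{store} path does not match {stype}=jks")
    return problems
```

Write the result of build_config with json.dump to the path from step 1, and treat any non-empty list from check_config as a reason not to run the toolkit yet.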