Security Configuration

NiFi Registry provides several different configuration options for security purposes. The most important properties are those under the "security properties" heading in the nifi-registry.properties file. In order to run securely, the following properties must be set:


Property Name	Description
`nifi.registry.security.needClientAuth`	This specifies that connecting clients must authenticate with a client cert. Setting this to `false` will specify that connecting clients may optionally authenticate with a client cert, but may also login with a username and password against a configured identity provider. The default value is `true`.
`nifi.registry.security.keystore`	Filename of the Keystore that contains the server's private key.
`nifi.registry.security.keystoreType`	The type of Keystore. Must be either `PKCS12` or `JKS`. JKS is the preferred type, PKCS12 files will be loaded with BouncyCastle provider.
`nifi.registry.security.keystorePasswd`	The password for the Keystore.
`nifi.registry.security.keyPasswd`	The password for the certificate in the Keystore. If not set, the value of `nifi.registry.security.keystorePasswd` will be used.
`nifi.registry.security.truststore`	Filename of the Truststore that will be used to authorize those connecting to NiFi Registry. A secured instance with no Truststore will refuse all incoming connections.
`nifi.registry.security.truststoreType`	The type of the Truststore. Must be either `PKCS12` or `JKS`. JKS is the preferred type, PKCS12 files will be loaded with BouncyCastle provider.
`nifi.registry.security.truststorePasswd`	The password for the Truststore.

Once the above properties have been configured, we can enable the User Interface to be accessed over HTTPS instead of HTTP. This is accomplished by setting the nifi.registry.web.https.host and nifi.registry.web.https.port properties. The nifi.registry.web.https.host property indicates which hostname the server should run on. If it is desired that the HTTPS interface be accessible from all network interfaces, a value of 0.0.0.0 should be used for nifi.registry.web.https.host.

	Note
	It is important when enabling HTTPS that the nifi.registry.web.http.port property be unset.