Enabling SSL with a NiFi Certificate Authority
When you enable SSL with the NiFi Certificate Authority (CA) installed, the NiFi CA generates new client certificates for you through Ambari. If you want to enable SSL with a NiFi CA installed, and are planning to use Ranger to manage authorization:
- Select the Enable SSL? box.
- Specify the NiFi CA token.
- Check the Enable SSL? box.
- Specify the NiFi CA Token.
- Verify that the authorizations.xml file on each node does not contain policies. The
authorizations.xml is
located in {nifi_internal_dir}/conf. By default, this location is /var/lib/nifi/conf/, and the value
of {nifi_internal_dir} is
specified in the NiFi internal
dir field under Advanced
nifi-ambari-config.
NoteIf authorizations.xml does contain policies, you must delete it from each node. If you do not, your Initial Admin Identity and Node Identities changes do not take effect.
- Specify the Initial Admin Identity. The Initial Admin Identity is the
identity of an initial administrator and is granted access to the UI and has the
ability to create additional users, groups, and policies. This is a required value when you are not using the
Ranger plugin for NiFi for authorization.
The Initial Admin Identity format is CN=admin, OU=NIFI.
After you have added the Initial Admin Identity, you must immediately generate certificate for this user.
- Specify the Node
Identities. This indicates the identity of each node in a NiFi cluster
and allows clustered nodes to communicate. This is a required value when you are not using the
Ranger plugin for NiFi for
authorization.
<property name="Node Identity 1">CN=node1.fqdn, OU=NIFI</property> <property name="Node Identity 2">CN=node2.fqdn, OU=NIFI</property> <property name="Node Identity 3">CN=node3.fqdn, OU=NIFI</property>
Replace node1.fqdn, node2.fqdn, and node3.fqdn with their respective fully qualified domain names.