You can generate the certificates that Knox uses when proxying NiFi with the NiFi TLS Toolkit.

Ensure that Java is set up correctly for your environment.

- As the Knox user, start the TLS Toolkit in client mode. For the location of the TLS Toolkit, see the HDF Release Notes for release-specific download information. For example:

      /var/lib/ambari-agent/tmp/nifi-toolkit-1.7.0.3.2.0.0-520/bin/tls-toolkit.sh client \
        --subjectAlternativeNames "CN=$KNOX_HOSTNAME, OU=KNOX" \
        -F \
        -f /home/knox/nifi-ca-config.json

  The toolkit requests a new certificate from the NiFi CA and creates two new files containing the keystore and truststore:

      /home/knox/knox-nifi-keystore.jks
      /home/knox/knox-nifi-truststore.jks
- Import the Knox certificate for NiFi into the Knox gateway.jks file. $KEYSTORE_PASSWORD is the password of the keystore the toolkit just created, and $KNOX_MASTER_PASSWORD is the Knox master secret that protects gateway.jks:

      keytool -importkeystore \
        -srckeystore /home/knox/knox-nifi-keystore.jks \
        -destkeystore /usr/hdf/current/knox-server/data/security/keystores/gateway.jks \
        -deststoretype JKS \
        -srcstorepass $KEYSTORE_PASSWORD \
        -deststorepass $KNOX_MASTER_PASSWORD

  The gateway.jks file now contains a PrivateKeyEntry for NiFi.
- Import the NiFi CA truststore into the Knox gateway.jks file:

      keytool -importkeystore \
        -srckeystore /home/knox/knox-nifi-truststore.jks \
        -destkeystore /usr/hdf/current/knox-server/data/security/keystores/gateway.jks \
        -deststoretype JKS \
        -srcstorepass $TRUSTSTORE_PASSWORD \
        -deststorepass $KNOX_MASTER_PASSWORD

  The gateway.jks file should now contain a trustedCertEntry for NiFi.
- Verify that the proper keys are in the gateway.jks file. Because gateway.jks is protected by the Knox master secret used as -deststorepass in the previous steps, that is the password to supply here:

      keytool -list -v \
        -keystore /usr/hdf/current/knox-server/data/security/keystores/gateway.jks \
        -storepass $KNOX_MASTER_PASSWORD

  You see nifi-key and nifi-cert in addition to the gateway-identity key.
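The manual check in the last step is easy to script so that it can run after each certificate rotation. The following shell script is an added example and is not part of the HDF documentation or the Knox or NiFi projects: it parses the verbose keytool listing and fails unless gateway-identity and nifi-key are present as PrivateKeyEntry and nifi-cert as trustedCertEntry. The aliases are the ones named in the procedure above; the embedded sample listing is constructed for offline use, and verify_gateway_jks is a hypothetical wrapper that runs keytool against a real keystore.

```shell
#!/bin/sh
# Added example (not from the HDF documentation): verify that a Knox gateway.jks
# contains the NiFi entries the procedure above is expected to produce.
# Aliases gateway-identity, nifi-key and nifi-cert come from the procedure; the
# sample listing at the bottom is constructed, not captured from a real system.

# Reduce `keytool -list -v` output on stdin to one "alias entry-type" line per entry.
summarize_listing() {
    awk '
        /^Alias name: / { sub(/^Alias name: /, ""); alias = $0 }
        /^Entry type: / { print alias, $3 }
    '
}

# Read a verbose keytool listing on stdin and require each expected alias to be
# present with the expected entry type. Returns 0 on success; otherwise reports
# every missing or mistyped entry on stderr and returns 1.
check_gateway_entries() {
    summary=$(summarize_listing)
    rc=0
    for want in "gateway-identity PrivateKeyEntry" \
                "nifi-key PrivateKeyEntry" \
                "nifi-cert trustedCertEntry"; do
        if ! printf '%s\n' "$summary" | grep -qxF "$want"; then
            echo "gateway.jks check failed: expected '$want'" >&2
            rc=1
        fi
    done
    return $rc
}

# Hypothetical wrapper for a real keystore: verify_gateway_jks <keystore> <storepass>
# (for the procedure above: gateway.jks and $KNOX_MASTER_PASSWORD).
verify_gateway_jks() {
    keytool -list -v -keystore "$1" -storepass "$2" | check_gateway_entries
}

# Constructed sample of what `keytool -list -v` prints for a correctly populated
# gateway.jks (certificate details trimmed; dates are made up).
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: gateway-identity
Creation date: Jan 1, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 1

Alias name: nifi-key
Creation date: Jan 1, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 1

Alias name: nifi-cert
Creation date: Jan 1, 2019
Entry type: trustedCertEntry
'

# Stand-alone demonstration (run with the argument "demo"): the complete listing
# passes; a listing with the CA trust entry cut off is rejected.
if [ "${1:-}" = "demo" ]; then
    printf '%s' "$SAMPLE_LISTING" | check_gateway_entries && echo "complete listing: OK"
    printf '%s' "$SAMPLE_LISTING" | sed '/nifi-cert/,$d' | check_gateway_entries \
        || echo "listing without nifi-cert: rejected as expected"
fi
```

Run the script with the argument `demo` to see both outcomes on the sample data, or call verify_gateway_jks with the gateway.jks path and the Knox master secret to check a live keystore. The check deliberately looks at entry types, not only aliases, so an accidental import of the NiFi key as a trusted certificate (or of the CA certificate as a key entry) is caught rather than passing on alias name alone.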