Configure MiNiFi agent TLS

You can configure MiNiFi Agent TLS by updating the configuration files.

If you are configuring a MiNiFi Java agent, the configuration file is conf/bootstrap.conf. If you are configuring a MiNiFi C++ agent, the configuration file is conf/minifi.properties.

  1. Open your MiNiFi Agent configuration file in a text editor.
  2. Edit the security properties for Java. For example:
    # Security Properties #
    # These properties take precedence over any equivalent properties specified in config.yml file #
    nifi.minifi.security.keystore=
    nifi.minifi.security.keystoreType=
    nifi.minifi.security.keystorePasswd=
    nifi.minifi.security.keyPasswd=
    nifi.minifi.security.truststore=
    nifi.minifi.security.truststoreType=
    nifi.minifi.security.truststorePasswd=
    nifi.minifi.security.ssl.protocol=
    
    nifi.minifi.sensitive.props.key=
    nifi.minifi.sensitive.props.algorithm=
    nifi.minifi.sensitive.props.provider=
    
  3. Edit the security properties for C++. For example:
    # Security Properties #
    
    # enable tls #
    nifi.remote.input.secure=true
    
    # if you want to enable client certificate based authorization #
    nifi.security.need.ClientAuth=true
    # setup the client certificate and private key PEM files #
    nifi.security.client.certificate=./conf/client.pem
    nifi.security.client.private.key=./conf/client.pem
    # setup the client private key passphrase file #
    nifi.security.client.pass.phrase=./conf/password
    # setup the client CA certificate file #
    nifi.security.client.ca.certificate=./conf/nifi-cert.pem
    
    # if you do not want to enable client certificate based authorization #
    nifi.security.need.ClientAuth=false
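    The two `nifi.security.need.ClientAuth` lines above are alternatives, not a pair to keep together: the agent keeps the last value of a repeated key, so leaving the `=false` line in below the `=true` line silently turns client-certificate authorization off. The following script is an added example (not part of the MiNiFi project) that parses a `minifi.properties` text in the agent's key=value format, reports duplicated keys, confirms that every file referenced by an enabled TLS setting exists, and warns when the passphrase file is readable by other users. The property names are those from this page; the `conf/` layout, placeholder file contents and `run_demo()` helper are constructed for the demonstration.

```python
"""Sanity-check the TLS section of a MiNiFi C++ minifi.properties file.

Added example; not part of the MiNiFi project. The property names come
from the documentation; the conf/ directory and its contents are built
by run_demo() as placeholders.
"""
import os
import stat
import tempfile
from pathlib import Path

SECURE_KEY = "nifi.remote.input.secure"
CLIENT_AUTH_KEY = "nifi.security.need.ClientAuth"
PASSPHRASE_KEY = "nifi.security.client.pass.phrase"
# Files that must exist once client-certificate authorization is enabled.
CLIENT_FILE_KEYS = (
    "nifi.security.client.certificate",
    "nifi.security.client.private.key",
    "nifi.security.client.ca.certificate",
    PASSPHRASE_KEY,
)


def parse_properties(text):
    """Parse key=value lines; return (values, duplicated keys). Last value wins."""
    values, duplicates = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a key=value line
        key = key.strip()
        if key in values:
            duplicates.append(key)
        values[key] = value.strip()
    return values, duplicates


def is_true(value):
    return value.strip().lower() in ("true", "yes", "1")


def check_tls_properties(text, base_dir):
    """Return a list of findings; an empty list means the TLS section looks sane."""
    findings = []
    values, duplicates = parse_properties(text)
    for key in duplicates:
        findings.append(f"duplicate key {key}: last value '{values[key]}' wins")
    if not is_true(values.get(SECURE_KEY, "false")):
        findings.append(f"{SECURE_KEY} is not true: site-to-site traffic is unencrypted")
        return findings
    if not is_true(values.get(CLIENT_AUTH_KEY, "false")):
        findings.append(f"{CLIENT_AUTH_KEY} is false: NiFi cannot identify this agent by certificate")
        return findings
    for key in CLIENT_FILE_KEYS:
        value = values.get(key, "")
        if not value:
            findings.append(f"{key} is empty")
            continue
        path = Path(base_dir) / value  # relative paths are resolved against the agent home
        if not path.is_file():
            findings.append(f"{key} does not name an existing file: {value}")
        elif key == PASSPHRASE_KEY and path.stat().st_mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append(f"{key} file {value} is readable by group or others")
    return findings


# Constructed sample: the 'enable' block from the documentation.
SAMPLE_GOOD = """\
# Security Properties #
nifi.remote.input.secure=true
nifi.security.need.ClientAuth=true
nifi.security.client.certificate=./conf/client.pem
nifi.security.client.private.key=./conf/client.pem
nifi.security.client.pass.phrase=./conf/password
nifi.security.client.ca.certificate=./conf/nifi-cert.pem
"""
# Same file with the 'disable' line left in below the 'enable' line.
SAMPLE_DUPLICATE = SAMPLE_GOOD + "nifi.security.need.ClientAuth=false\n"


def run_demo():
    """Create a throwaway conf/ with placeholder files and check both samples."""
    with tempfile.TemporaryDirectory() as tmp:
        conf = Path(tmp) / "conf"
        conf.mkdir()
        for name in ("client.pem", "nifi-cert.pem"):
            (conf / name).write_text("-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n")
        passphrase = conf / "password"
        passphrase.write_text("placeholder-passphrase\n")
        os.chmod(passphrase, 0o600)  # owner-only, as a passphrase file should be
        good = check_tls_properties(SAMPLE_GOOD, tmp)
        bad = check_tls_properties(SAMPLE_DUPLICATE, tmp)
    return good, bad


if __name__ == "__main__":
    for label, findings in zip(("good", "duplicate"), run_demo()):
        print(label, findings or "ok")
```

    Run it against a real agent with `check_tls_properties(Path("conf/minifi.properties").read_text(), "<minifi home>")`; the permission check only applies to the passphrase file because the certificate and CA files are public material.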

    Instead of the preceding nifi.security.client.* properties, you can specify an SSL Context Service for the remote process groups (RPGs). This links each port to a corresponding SSL Context Service controller service defined in the flow.

    To do this, set the SSL Context Service property on the ports of your RPGs and point it at a defined controller service. For example:
    Remote Processing Groups:
    - name: NiFi Flow
      id: 2438e3c8-015a-1000-79ca-83af40ec1998
      url: http://127.0.0.1:8080/nifi
      timeout: 30 secs
      yield period: 5 sec
      Input Ports:
          - id: 2438e3c8-015a-1000-79ca-83af40ec1999
            name: fromnifi
            max concurrent tasks: 1
            Properties:
                SSL Context Service: SSLServiceName
      Output Ports:
          - id: ac82e521-015c-1000-2b21-41279516e19a
            name: tominifi
            max concurrent tasks: 2
            Properties:
                SSL Context Service: SSLServiceName
    Controller Services:
    - name: SSLServiceName
      id: 2438e3c8-015a-1000-79ca-83af40ec1974
      class: SSLContextService
      Properties:
          Client Certificate: <client cert path>
          Private Key: <private key path>
          Passphrase: <passphrase path or passphrase>
          CA Certificate: <CA cert path>
    If you do not use an SSL Context Service, the preceding nifi.security.* properties are used for both the raw TCP and the secure HTTPS communications.
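A port that names a controller service which does not exist, or a service whose certificate properties are still placeholders, is only discovered when the agent tries to connect. The script below is an added example (not part of the MiNiFi project) that cross-checks the flow configuration before deployment. It works on the dictionary that `yaml.safe_load()` returns for `config.yml`; `SAMPLE_CONFIG` is a constructed copy of the YAML above, with one misspelled service reference and an unset CA Certificate so the checks have something to report, and `check_config_file()` is a convenience wrapper that assumes PyYAML is installed. The http-vs-https check is a caveat of mine: a NiFi instance secured with TLS is reached over `https://`, so a `http://` URL on an RPG whose ports use an SSL Context Service sends the site-to-site peer lookup in clear.

```python
"""Cross-check SSL Context Service references in a MiNiFi C++ config.yml.

Added example; not part of the MiNiFi project. Operates on the dict
yaml.safe_load() produces; SAMPLE_CONFIG below is constructed from the
documentation's YAML with deliberate mistakes.
"""

SSL_PROPERTY = "SSL Context Service"
REQUIRED_SERVICE_PROPERTIES = ("Client Certificate", "Private Key", "CA Certificate")


def check_ssl_context_services(config):
    """Return a list of findings for the parsed config; empty means consistent."""
    findings = []
    services = {svc["name"]: svc for svc in config.get("Controller Services") or []}

    # 1. Every SSLContextService must have its certificate material configured
    #    (an unfilled '<...>' placeholder from the docs counts as unset).
    for name, svc in services.items():
        if svc.get("class") != "SSLContextService":
            continue
        props = svc.get("Properties") or {}
        for key in REQUIRED_SERVICE_PROPERTIES:
            value = str(props.get(key) or "").strip()
            if not value or value.startswith("<"):
                findings.append(f"service '{name}': {key} is not set")

    # 2. Every port reference must resolve to an SSLContextService.
    # 3. An RPG whose ports use TLS should reach NiFi over https.
    for rpg in config.get("Remote Processing Groups") or []:
        uses_tls = False
        for section in ("Input Ports", "Output Ports"):
            for port in rpg.get(section) or []:
                ref = (port.get("Properties") or {}).get(SSL_PROPERTY)
                if ref is None:
                    continue
                uses_tls = True
                where = f"{rpg['name']}/{section}/{port['name']}"
                svc = services.get(ref)
                if svc is None:
                    findings.append(f"{where}: {SSL_PROPERTY} '{ref}' is not a defined Controller Service")
                elif svc.get("class") != "SSLContextService":
                    findings.append(f"{where}: '{ref}' has class {svc.get('class')}, not SSLContextService")
        url = str(rpg.get("url", ""))
        if uses_tls and url.lower().startswith("http://"):
            findings.append(f"{rpg['name']}: ports use TLS but url {url} is plain http")
    return findings


def check_config_file(path):
    """Convenience wrapper for a real config.yml; assumes PyYAML is installed."""
    import yaml  # third-party; not needed for the in-memory sample below
    with open(path, encoding="utf-8") as fh:
        return check_ssl_context_services(yaml.safe_load(fh) or {})


# Constructed sample mirroring the documentation's YAML. The output port's
# reference is misspelled and the CA Certificate is left empty on purpose.
SAMPLE_CONFIG = {
    "Remote Processing Groups": [
        {
            "name": "NiFi Flow",
            "id": "2438e3c8-015a-1000-79ca-83af40ec1998",
            "url": "http://127.0.0.1:8080/nifi",
            "timeout": "30 secs",
            "yield period": "5 sec",
            "Input Ports": [
                {"id": "2438e3c8-015a-1000-79ca-83af40ec1999", "name": "fromnifi",
                 "max concurrent tasks": 1, "Properties": {SSL_PROPERTY: "SSLServiceName"}},
            ],
            "Output Ports": [
                {"id": "ac82e521-015c-1000-2b21-41279516e19a", "name": "tominifi",
                 "max concurrent tasks": 2, "Properties": {SSL_PROPERTY: "SSLSerivceName"}},
            ],
        }
    ],
    "Controller Services": [
        {
            "name": "SSLServiceName",
            "id": "2438e3c8-015a-1000-79ca-83af40ec1974",
            "class": "SSLContextService",
            "Properties": {
                "Client Certificate": "./conf/client.pem",   # constructed path
                "Private Key": "./conf/client.key",          # constructed path
                "Passphrase": "./conf/password",             # constructed path
                "CA Certificate": "",
            },
        }
    ],
}


if __name__ == "__main__":
    for finding in check_ssl_context_services(SAMPLE_CONFIG):
        print(finding)
```

The three findings on the sample are the unset CA Certificate, the unresolvable `SSLSerivceName` reference on the output port, and the plain `http://` URL; fixing the reference alone would still leave the agent unable to validate the NiFi certificate.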