Agent authentication

Learn about the properties that you need to set to configure TLS for MiNiFi agents.

When TLS is enabled to secure Edge Flow Manager (EFM), agents must be authenticated using client certificates. Client certificates are trusted if the Certificate Authority and any intermediate signing authorities (if applicable) are present in the EFM truststore configured as described in TLS configuration for EFM.

For more information on requirements for MiNiFi agent client certificates and instructions for generating new certificates, see TLS keys and certificates.

Cloudera recommends using a unique client certificate per agent. However, it is not a requirement.

MiNiFi Java

To configure the TLS context for MiNiFi Java, including client certificates and trust settings, edit the following properties in conf/bootstrap.conf:
# Security Properties #
# These properties take precedence over any equivalent properties specified in config.yml file #
nifi.minifi.security.keystore=/path/to/keystore.jks
nifi.minifi.security.keystoreType=JKS
nifi.minifi.security.keystorePasswd=password
nifi.minifi.security.keyPasswd=password
nifi.minifi.security.truststore=/path/to/truststore.jks
nifi.minifi.security.truststoreType=JKS
nifi.minifi.security.truststorePasswd=password
nifi.minifi.security.ssl.protocol=TLSv1.2

# Properties for encrypting keystore and truststore passwords
nifi.minifi.sensitive.props.key=passwordOfAtLeast12Characters
nifi.minifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
nifi.minifi.sensitive.props.provider=BC

# Properties needed only if the agent is communicating with EFM
nifi.c2.security.truststore.location=
nifi.c2.security.truststore.password=
nifi.c2.security.truststore.type=
nifi.c2.security.keystore.location=
nifi.c2.security.keystore.password=
nifi.c2.security.keystore.type=
nifi.c2.security.need.client.auth=

MiNiFi C++

To configure the TLS context for MiNiFi C++, including client certificates and trust settings, edit the following properties in conf/minifi.properties:
# Security Properties #

# enable tls #
nifi.remote.input.secure=true
# if you want to enable client certificate based authorization #
nifi.security.need.ClientAuth=true
# setup the client certificate and private key PEM files #
nifi.security.client.certificate=./conf/client.pem
nifi.security.client.private.key=./conf/client.pem
# setup the client private key passphrase file #
nifi.security.client.pass.phrase=./conf/password
# setup the client CA certificate file #
nifi.security.client.ca.certificate=./conf/nifi-cert.pem
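
As an added example (not Cloudera's or the MiNiFi project's code), the following Python script checks a minifi.properties file against the settings listed above: TLS and client authentication enabled, each referenced PEM or passphrase file present, and the private key and passphrase files not accessible to group or other users. The permission policy and the base_dir argument used to resolve relative paths are assumptions of this example.

```python
import os
import stat

# Property names are taken from the minifi.properties listing above.
REQUIRED_TRUE = ("nifi.remote.input.secure", "nifi.security.need.ClientAuth")
FILE_PROPS = (
    "nifi.security.client.certificate",
    "nifi.security.client.private.key",
    "nifi.security.client.pass.phrase",
    "nifi.security.client.ca.certificate",
)
# Files holding secrets; the permission check is this example's own policy.
SECRET_PROPS = FILE_PROPS[1:3]


def parse_properties(text):
    """Parse key=value lines, skipping blanks and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def audit_tls(text, base_dir):
    """Return a list of findings; an empty list means every check passed."""
    props = parse_properties(text)
    findings = []
    for key in REQUIRED_TRUE:
        if props.get(key, "").lower() != "true":
            findings.append(f"{key} is not set to true")
    for key in FILE_PROPS:
        value = props.get(key)
        if not value:
            findings.append(f"{key} is not set")
            continue
        # Assumption: relative paths are resolved against base_dir.
        path = os.path.normpath(os.path.join(base_dir, value))
        if not os.path.isfile(path):
            findings.append(f"{key}: {value} does not exist")
        elif key in SECRET_PROPS and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            findings.append(f"{key}: {value} is accessible by group or others")
    return findings
```

Call audit_tls with the file's contents and the directory that the relative paths start from, and treat any returned finding as something to fix before the agent connects to EFM.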

On Windows, MiNiFi C++ can integrate with the Windows certificate store. For instructions on how to do this, see Integrating with the Windows certificate store.