Enable TLS for NiFi

  1. Ensure that the NiFi Toolkit CA Service radio button is selected.
  2. In the Enable TLS/SSL for NiFi Node field, check the NiFi Node Default Group box.
  3. In the Initial Admin Identity field, specify the information you will use to identify the initial admin user. For example, client certificate domain, Kerberos user, or LDAP user.
  4. In the NiFi CA Force Regenerate field, check the NiFi Node Default Group box.
  5. Review and update the location of the keystores and truststores, as needed.
  6. Confirm that NiFi is allowed to auto-generate node identities. Set the prefix and suffix to the values used in NiFi CA. (Note: ensure that a suffix that starts with a comma has a space. A known issue exists for NiFi CA where a space isn’t allowed after a comma.) Also ensure that it is aligned with a defined user group provider (by default, this is the default file-user-group-provider).
    • You must ensure that any suffix starting with a comma includes a trailing space.

    • Verify that the suffix is aligned with a defined user group provider. By default, file-user-group-provider is specified.

  • If you are using Client Certificates for authentication and user authorization, restart the service and log in with the Initial Admin Certificate.
  • If you are integrating with Kerberos or LDAP, continue with further configuration defined below.
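
An added example (not part of the original page) of a check for step 6 that can be run before restarting: it builds each node's expected identity from the prefix and suffix and compares it with the subject DN of that node's certificate, separating differences that are only whitespace around a comma from real mismatches. The prefix, suffix, hostnames and DNs are constructed sample values, and the check assumes an identity is prefix + hostname + suffix and is compared as an exact string.

```python
import re

def node_identity(prefix: str, hostname: str, suffix: str) -> str:
    # Assumption: the auto-generated identity is prefix + hostname + suffix.
    return f"{prefix}{hostname}{suffix}"

def normalize(dn: str) -> str:
    # Split on unescaped commas and trim each RDN, so that
    # "CN=a, OU=b" and "CN=a,OU=b" normalize to the same string.
    return ",".join(part.strip() for part in re.split(r"(?<!\\),", dn))

def classify(expected: str, subject_dn: str) -> str:
    if expected == subject_dn:
        return "match"
    if normalize(expected) == normalize(subject_dn):
        # Same RDNs, different spacing: the comma/space case from step 6.
        return "whitespace-mismatch"
    return "mismatch"

def audit(prefix: str, suffix: str, cert_subjects: dict) -> dict:
    # cert_subjects maps hostname -> subject DN read from that node's certificate.
    return {
        host: classify(node_identity(prefix, host, suffix), dn)
        for host, dn in cert_subjects.items()
    }

# Constructed sample values, not taken from any real deployment.
SAMPLE_PREFIX = "CN="
SAMPLE_SUFFIX = ", OU=NIFI"
SAMPLE_CERT_SUBJECTS = {
    "nifi1.example.com": "CN=nifi1.example.com, OU=NIFI",
    "nifi2.example.com": "CN=nifi2.example.com,OU=NIFI",
    "nifi3.example.com": "CN=nifi3.example.com, OU=OTHER",
}

if __name__ == "__main__":
    results = audit(SAMPLE_PREFIX, SAMPLE_SUFFIX, SAMPLE_CERT_SUBJECTS)
    for host, result in results.items():
        print(f"{host}: {result}")
```

A node reported as whitespace-mismatch presents a certificate whose DN differs from the configured identity only in spacing, which is the case the note in step 6 describes.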