Get Client Certificates for Authentication
After you install NiFi CA, you can use the NiFi Toolkit to generate a client certificate for users you wish to authenticate. You can do this with NiFi Toolkit binaries running locally or located on agent machines where CFM is installed.
Example of creating a client certificate using the NiFi Toolkit in the CFM parcel:
# Ensure JAVA_HOME is set before execution
<parcel_home_dir>/CFM/TOOLKIT/bin/tls-toolkit.sh client -c <nifi-ca-host-fqdn> -t <nifi-ca-token> -p <nifi-ca-port> -D <user-dn> -T PKCS12
Once the pkcs12 keystore is created, use the password information from the config.json to import the keystore.pkcs12 file into the browser.
When you log in to a secured NiFi or NiFi Registry instance, the services first search for any client certificate imported into the browser for authentication. If the client certificate exists and the certificate DN/Identity represents a user that is authorized to access the UI or Flow (as an initial admin or manually configured in NiFi/NiFi Registry), the user is successfully logged in. Otherwise, if a login-identity provider is configured for Kerberos/LDAP, a login screen displays.
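A pre-import check for the toolkit output described above, as an added example that is not part of the original page or of the NiFi Toolkit. It reads the keystore password from config.json, flags files readable beyond their owner (config.json holds that password, the keystore holds the private key), and compares the requested DN with the identity you plan to authorize. Assumptions: the config.json field names keyStore, keyStorePassword and dn, the hypothetical function names, and the constructed sample values.

```python
import json
import stat
import tempfile
from pathlib import Path


def check_toolkit_output(workdir, expected_dn):
    """Inspect the directory where tls-toolkit wrote config.json and the keystore.

    Returns (keystore_path, keystore_password, findings). The field names
    keyStore, keyStorePassword and dn are assumptions about config.json.
    """
    workdir = Path(workdir)
    cfg_path = workdir / "config.json"
    cfg = json.loads(cfg_path.read_text())
    keystore = workdir / cfg["keyStore"]  # an absolute keyStore path is kept as-is
    findings = []
    # config.json holds the keystore password and the keystore holds the
    # private key: neither should be accessible to group or others.
    for path in (cfg_path, keystore):
        if not path.is_file():
            findings.append(f"{path.name}: missing")
        elif stat.S_IMODE(path.stat().st_mode) & 0o077:
            findings.append(f"{path.name}: accessible beyond owner, chmod 600")
    # The DN requested with -D should be the identity you authorize in NiFi.
    if cfg.get("dn") != expected_dn:
        findings.append(f"dn mismatch: config.json has {cfg.get('dn')!r}")
    return keystore, cfg["keyStorePassword"], findings


def make_sample_dir(mode):
    """Build constructed sample output (not real toolkit output) for the demo."""
    d = Path(tempfile.mkdtemp())
    sample = {"dn": "CN=alice,OU=NIFI", "keyStore": "keystore.pkcs12",
              "keyStoreType": "PKCS12", "keyStorePassword": "constructed-pass"}
    (d / "config.json").write_text(json.dumps(sample))
    (d / "keystore.pkcs12").write_bytes(b"placeholder, not a real PKCS12")
    for name in ("config.json", "keystore.pkcs12"):
        (d / name).chmod(mode)
    return d


if __name__ == "__main__":
    ks, pw, issues = check_toolkit_output(make_sample_dir(0o644), "CN=alice,OU=NIFI")
    print("import", ks.name, "using keyStorePassword from config.json")
    for issue in issues:
        print("WARN", issue)
```

Run it against the directory where the toolkit wrote its files, then remove or lock down config.json once the keystore is imported.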