Apache NiFi Admin Guide

Security Properties

These properties pertain to various security features in NiFi. Many of these properties are covered in more detail in the Security Configuration section of this Administrator's Guide.




This is the password used to encrypt any sensitive property values that are configured in processors. By default, it is blank, but the system administrator should provide a value for it. It can be a string of any length, although the recommended minimum length is 10 characters. Be aware that once this password is set and one or more sensitive processor properties have been configured, this password should not be changed.


The algorithm used to encrypt sensitive properties. The default value is NIFI_PBKDF2_AES_GCM_256.


The comma-separated list of properties in nifi.properties to encrypt in addition to the default sensitive properties (see Encrypted Passwords in Configuration Files).


Specifies whether the SSL context factory should be automatically reloaded if updates to the keystore and truststore are detected. By default, it is set to false.


Specifies the interval at which the keystore and truststore are checked for updates. Only applies if nifi.security.autoreload.enabled is set to true. The default value is 10 secs.


The full path and name of the keystore. It is blank by default.


The keystore type. It is blank by default.


The keystore password. It is blank by default.


The key password. It is blank by default.


The full path and name of the truststore. It is blank by default.


The truststore type. It is blank by default.


The truststore password. It is blank by default.


Specifies which of the configured Authorizers in the authorizers.xml file to use. By default, it is set to file-provider.


Whether anonymous authentication is allowed when running over HTTPS. If set to true, client certificates are not required to connect via TLS.


This indicates what type of login identity provider to use. The default value is blank. It can be set to the identifier of a provider in the file specified in nifi.login.identity.provider.configuration.file. Setting this property will trigger NiFi to support username/password authentication.


This is the URL for the Online Certificate Status Protocol (OCSP) responder if one is being used. It is blank by default.


This is the location of the OCSP responder certificate if one is being used. It is blank by default.
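
The following is an added example, not part of the Admin Guide or of NiFi itself: a small audit that reads nifi.properties text and reports the settings the descriptions above call out (blank or short sensitive-properties password, blank keystore or truststore, anonymous authentication over HTTPS, a reload interval that has no effect). Apart from nifi.security.autoreload.enabled, the property names do not appear in the text above and are assumed to be the standard nifi.properties keys; the sample file contents are constructed, and the parser handles only plain `key=value` lines.

```python
MIN_KEY_LEN = 10  # recommended minimum length stated in the guide

# Constructed sample file contents, not taken from a real deployment.
SAMPLE = """\
# security properties
nifi.sensitive.props.key=short
nifi.security.autoreload.enabled=false
nifi.security.autoreload.interval=30 secs
nifi.security.keystore=./conf/keystore.p12
nifi.security.truststore=
nifi.security.allow.anonymous.authentication=true
"""

def parse_properties(text):
    """Parse simple key=value lines; skips blanks and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit(props):
    """Return (property, finding) pairs for settings the guide calls out."""
    findings = []
    key = props.get("nifi.sensitive.props.key", "")
    if not key:
        findings.append(("nifi.sensitive.props.key", "blank"))
    elif len(key) < MIN_KEY_LEN:
        findings.append(("nifi.sensitive.props.key",
                         f"shorter than {MIN_KEY_LEN} characters"))
    for name in ("nifi.security.keystore", "nifi.security.truststore"):
        if not props.get(name):
            findings.append((name, "blank"))
    if props.get("nifi.security.allow.anonymous.authentication") == "true":
        findings.append(("nifi.security.allow.anonymous.authentication",
                         "client certificates not required over HTTPS"))
    # The interval only applies when autoreload is enabled.
    reload_on = props.get("nifi.security.autoreload.enabled") == "true"
    interval = props.get("nifi.security.autoreload.interval", "10 secs")
    if not reload_on and interval != "10 secs":
        findings.append(("nifi.security.autoreload.interval",
                         "ignored while autoreload is disabled"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(parse_properties(SAMPLE)):
        print(f"{name}: {finding}")
```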