Need help SSL LDAP Nifi Registry


Need help SSL LDAP Nifi Registry

Etienne Jouvin
Hello all.

I am trying to setup LDAP authentication on NiFi Registry.

But each time, it requires that a certificate is installed on the client side. I had this "problem" for NiFi as well, but that was because I had not provided the nifi.security.user.login.identity.provider.

But for the registry, I remembered that and did it.

In summary, here is what I have in nifi-registry.properties:
nifi.registry.security.keystore=./conf/keystore.jks
nifi.registry.security.keystoreType=jks
nifi.registry.security.keystorePasswd=password
nifi.registry.security.keyPasswd=password
nifi.registry.security.truststore=./conf/truststore.jks
nifi.registry.security.truststoreType=jks
nifi.registry.security.truststorePasswd=password

(All of that information was produced by the tls-toolkit when it was run for NiFi.)
Then I put this:
#nifi.registry.security.identity.provider=
nifi.registry.security.identity.provider=ldap-identity-provider

In the file identity-providers.xml, I set up the LDAP provider:
    <provider>
        <identifier>ldap-identity-provider</identifier>
        <class>org.apache.nifi.registry.security.ldap.LdapIdentityProvider</class>
        <property name="Authentication Strategy">SIMPLE</property>

        <property name="Manager DN">uid=admin,ou=system</property>
        <property name="Manager Password">secret</property>

        <property name="TLS - Keystore"></property>
        <property name="TLS - Keystore Password"></property>
        <property name="TLS - Keystore Type"></property>
        <property name="TLS - Truststore"></property>
        <property name="TLS - Truststore Password"></property>
        <property name="TLS - Truststore Type"></property>
        <property name="TLS - Client Auth"></property>
        <property name="TLS - Protocol"></property>
        <property name="TLS - Shutdown Gracefully"></property>
       
        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>

        <property name="Url">ldap://localhost:10389</property>
        <property name="User Search Base">ou=users,dc=test,dc=ch</property>
        <property name="User Search Filter">uid={0}</property>

        <property name="Identity Strategy">USE_DN</property>
        <property name="Authentication Expiration">12 hours</property>
    </provider>

And finally, in authorizers.xml:
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial User Identity 1">uid=firstuser, ou=users,dc=test,dc=ch</property>
    </userGroupProvider>

    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity"> uid=firstuser, ou=users,dc=test,dc=ch </property>
        <property name="NiFi Group Name"></property>

        <!--<property name="NiFi Identity 1"></property>-->
    </accessPolicyProvider>


Starting Registry is OK.

But when I try to access it through Chrome, I get a certificate error: ERR_BAD_SSL_CLIENT_AUTH_CERT

How can I force the authentication not to request a client-side certificate?

Thanks for any input.

Etienne Jouvin


Re: Need help SSL LDAP Nifi Registry

Josef.Zahner1

Hi Etienne

 

Did you try the following in «nifi-registry.properties»:

nifi.registry.security.needClientAuth=false

 

Cheers Josef
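As an added check for the two settings in play here (example code written for this thread, not NiFi Registry's own code and not from anyone in the thread): a small Python audit that reads nifi-registry.properties and identity-providers.xml and reports whether a browser will be challenged for a client certificate and whether the LDAP bind itself is protected. It assumes that an unset nifi.registry.security.needClientAuth behaves as true (which matches what Etienne observed) and that the root element of identity-providers.xml is <identityProviders>; the sample inputs are constructed from the configuration posted above. It goes one step beyond the question by also flagging a SIMPLE bind over ldap:// with the TLS properties left empty, since that sends the Manager Password and every user's password to the directory in cleartext.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the nifi-registry.properties lines from the question
# (TLS material from the tls-toolkit plus the identity provider switch).
PROPERTIES_BEFORE = """\
nifi.registry.security.keystore=./conf/keystore.jks
nifi.registry.security.keystoreType=jks
nifi.registry.security.keystorePasswd=password
nifi.registry.security.keyPasswd=password
nifi.registry.security.truststore=./conf/truststore.jks
nifi.registry.security.truststoreType=jks
nifi.registry.security.truststorePasswd=password
#nifi.registry.security.identity.provider=
nifi.registry.security.identity.provider=ldap-identity-provider
"""

# Constructed sample: the same file with the fix from the reply applied.
PROPERTIES_AFTER = PROPERTIES_BEFORE + "nifi.registry.security.needClientAuth=false\n"

# Constructed sample: the LDAP provider from identity-providers.xml with the
# TLS properties empty as posted (the root element name is an assumption).
IDENTITY_PROVIDERS_XML = """\
<identityProviders>
    <provider>
        <identifier>ldap-identity-provider</identifier>
        <class>org.apache.nifi.registry.security.ldap.LdapIdentityProvider</class>
        <property name="Authentication Strategy">SIMPLE</property>
        <property name="Manager DN">uid=admin,ou=system</property>
        <property name="Manager Password">secret</property>
        <property name="TLS - Truststore"></property>
        <property name="TLS - Truststore Password"></property>
        <property name="Url">ldap://localhost:10389</property>
        <property name="User Search Base">ou=users,dc=test,dc=ch</property>
        <property name="User Search Filter">uid={0}</property>
        <property name="Identity Strategy">USE_DN</property>
    </provider>
</identityProviders>
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value (or key:value); '#' and '!' start comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, _, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def find_provider(xml_text, identifier):
    """Return {property name: value} for the <provider> whose <identifier> matches, else None."""
    root = ET.fromstring(xml_text)
    for prov in root.iter("provider"):
        if (prov.findtext("identifier") or "").strip() == identifier:
            return {p.get("name"): (p.text or "").strip() for p in prov.findall("property")}
    return None


def audit(properties_text, providers_xml):
    """Return a list of 'code: explanation' findings about the registry's login path."""
    props = parse_properties(properties_text)
    findings = []
    if not props.get("nifi.registry.security.keystore"):
        findings.append("no-tls: no keystore, so the registry serves plain HTTP with no authentication at all")
        return findings

    provider_id = props.get("nifi.registry.security.identity.provider", "")
    # Assumption (consistent with the thread): an unset needClientAuth behaves as true.
    need_client_auth = props.get("nifi.registry.security.needClientAuth", "true").lower() != "false"

    if not provider_id:
        findings.append("no-provider: no identity provider, so a client certificate is the only way to log in")
    elif need_client_auth:
        findings.append(
            "need-client-auth: browsers must present a client certificate (Chrome shows "
            "ERR_BAD_SSL_CLIENT_AUTH_CERT without one); set nifi.registry.security.needClientAuth=false "
            "so the identity provider handles login instead"
        )

    if provider_id:
        cfg = find_provider(providers_xml, provider_id)
        if cfg is None:
            findings.append(f"missing-provider: {provider_id!r} is not defined in identity-providers.xml")
        else:
            url = cfg.get("Url", "").lower()
            strategy = cfg.get("Authentication Strategy", "").upper()
            # A SIMPLE bind over ldap:// with empty TLS properties carries the Manager DN
            # password and each user's password to the directory unencrypted.
            if url.startswith("ldap://") and strategy not in ("LDAPS", "START_TLS"):
                findings.append(
                    "ldap-cleartext: SIMPLE bind over ldap://; use ldaps:// (strategy LDAPS) or "
                    "START_TLS and fill in the 'TLS - Truststore' properties"
                )
    return findings


def finding_codes(properties_text, providers_xml):
    """Just the short codes from audit(), convenient for scripting and tests."""
    return {f.split(":", 1)[0] for f in audit(properties_text, providers_xml)}


if __name__ == "__main__":
    for label, text in (("before", PROPERTIES_BEFORE), ("after", PROPERTIES_AFTER)):
        print(f"== {label} ==")
        for finding in audit(text, IDENTITY_PROVIDERS_XML) or ["clean"]:
            print(" -", finding)
```

Run against the posted configuration it reports both need-client-auth and ldap-cleartext; with needClientAuth=false only the LDAP finding remains, which is the follow-up worth fixing before pointing a real directory at this registry. To audit live files, pass the contents of conf/nifi-registry.properties and conf/identity-providers.xml to audit() instead of the constructed strings.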

From: Etienne Jouvin <[hidden email]>
Reply to: "[hidden email]" <[hidden email]>
Date: Tuesday, 30 June 2020 at 10:46
To: "[hidden email]" <[hidden email]>
Subject: Need help SSL LDAP Nifi Registry


Re: Need help SSL LDAP Nifi Registry

Etienne Jouvin
Hi Josef.

No, I did not try that.
And well done, with that I can access the UI and can log in with an LDAP identity.

Thanks a lot.

Cheers

Etienne

 

On Tue, 30 June 2020 at 11:15, <[hidden email]> wrote:


Re: Need help SSL LDAP Nifi Registry

Etienne Jouvin
But now I have NiFi and Registry with secure access (LDAP + SSL).

I need to find out how to configure the Registry in NiFi, because for now I did not have to specify a login.
And even if my first bucket is Public, it is not accessible from NiFi.


On Tue, 30 June 2020 at 11:29, Etienne Jouvin <[hidden email]> wrote:

Re: Need help SSL LDAP Nifi Registry

Etienne Jouvin
Got it, thanks to https://community.cloudera.com/t5/Community-Articles/Setting-Up-a-Secure-NiFi-to-Integrate-with-a-Secure-NiFi/ta-p/247765

Next steps would be to have NiFi and Registry on different hosts and see how connections are made.



On Tue, 30 June 2020 at 11:43, Etienne Jouvin <[hidden email]> wrote: