UI is not opening after forming nifi 1.0.0 secure cluster in windows

UI is not opening after forming nifi 1.0.0 secure cluster in windows

Manojkumar Ravichandran
Hi,

Tried to form a secure cluster in NiFi 1.0.0 on Windows by following the instructions from the link below:

http://bryanbende.com/development/2016/08/17/apache-nifi-1-0-0-authorization-and-multi-tenancy

It seems from the log file that the cluster has been formed and heartbeats are transferring successfully. Everything has settled fine, and the log file shows that the URL has been launched on the specified port number, but the UI is not opening in the browser on the cluster machines.

To overcome this, I have turned off the firewall settings, but the UI is still not opening in the browser.

What would be the reason for it?


Regards,

Manojkumar R


Re: UI is not opening after forming nifi 1.0.0 secure cluster in windows

Andy LoPresto
What is the error you receive in your browser when you try to navigate to the UI? Are you connecting to the correct port?

Can you run an OpenSSL s_client command to try to connect via the command line? You will need the CA cert, the client certificate, and the client private key to attempt the connection below. 

$ openssl s_client -connect <host:port> -debug -state -cert <path_to_your_cert.pem> -key <path_to_your_key.pem> -CAfile <path_to_your_CA_cert.pem>

Are there any errors in $NIFI_HOME/logs/nifi-app.log or $NIFI_HOME/logs/nifi-bootstrap.log? Are there any entries in $NIFI_HOME/logs/nifi-user.log?

Andy LoPresto
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

On Nov 10, 2016, at 8:41 PM, Manojkumar Ravichandran <[hidden email]> wrote:

Hi,

Tried to form a secure cluster in NiFi 1.0.0 on Windows by following the instructions from the link below:

http://bryanbende.com/development/2016/08/17/apache-nifi-1-0-0-authorization-and-multi-tenancy

It seems from the log file that the cluster has been formed and heartbeats are transferring successfully. Everything has settled fine, and the log file shows that the URL has been launched on the specified port number, but the UI is not opening in the browser on the cluster machines.

To overcome this, I have turned off the firewall settings, but the UI is still not opening in the browser.

What would be the reason for it?


Regards,

Manojkumar R




Re: UI is not opening after forming nifi 1.0.0 secure cluster in windows

Manojkumar Ravichandran
Hi,

Thanks for your response. The error I received in the browser has been attached.

I have generated the keystore and truststore files using the Java keytool.
Is it necessary to generate the key file in OpenSSL?

In nifi-app.log everything seems right, except for this warning message:

org.apache.nifi.cluster.protocol.ProtocolException: Failed marshalling protocol message in response to message type: CONNECTION_REQUEST due to java.net.SocketException: Software caused connection abort: socket write error
at org.apache.nifi.cluster.protocol.impl.SocketProtocolListener.dispatchRequest(SocketProtocolListener.java:176) ~[nifi-framework-cluster-protocol-1.0.0.jar:1.0.0]
at org.apache.nifi.io.socket.SocketListener$2$1.run(SocketListener.java:136) [nifi-socket-utils-1.0.0.jar:1.0.0]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_91]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_91]
at java.lang.Thread.run(Thread.java:745) [na:1.8.0_91]

Regards,
Manojkumar R

On Fri, Nov 11, 2016 at 11:14 AM, Andy LoPresto <[hidden email]> wrote:
What is the error you receive in your browser when you try to navigate to the UI? Are you connecting to the correct port?

Can you run an OpenSSL s_client command to try to connect via the command line? You will need the CA cert, the client certificate, and the client private key to attempt the connection below. 

$ openssl s_client -connect <host:port> -debug -state -cert <path_to_your_cert.pem> -key <path_to_your_key.pem> -CAfile <path_to_your_CA_cert.pem>

Are there any errors in $NIFI_HOME/logs/nifi-app.log or $NIFI_HOME/logs/nifi-bootstrap.log? Are there any entries in $NIFI_HOME/logs/nifi-user.log?

Andy LoPresto
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

SecureClusterUI-Error.png (36K) Download Attachment

Re: UI is not opening after forming nifi 1.0.0 secure cluster in windows

Andy LoPresto
Manojkumar, 

Is this the same issue as [1]? Running the OpenSSL command I provided will give a lot of feedback about why the socket connection is actually failing (or if it’s only failing in the browser rather than via command-line). 

To extract the CA cert, client cert, and client private key from the keystore and truststore, depending on how you generated them, you can use the following commands:

Did you use the provided TLS Toolkit [2] to generate the CA cert, server cert, and client cert?

If you used the TLS Toolkit, as described in the Admin Guide and in the article you referenced, you should have a CA certificate (nifi-cert.pem) and private key (nifi-key.key) as well as a client certificate and private key (CN=<something_you_typed>_OU=Apache NiFi.p12), and individual keystore and truststore for each NiFi node in respectively named directories. In this case, you just need to export the client certificate and key from the PKCS12 keystore and use them as follows:

Extract client certificate from keystore:

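# pkcs12 writes PEM (not DER), so the second step needs no -inform der; quote the file name because it contains a space
$ openssl pkcs12 -in "CN=<something_you_typed>_OU=Apache NiFi.p12" -clcerts -nokeys -out client-bag.pem
$ openssl x509 -in client-bag.pem -out client.pem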

Extract client private key from keystore:

$ openssl pkcs12 -in "CN=<something_you_typed>_OU=Apache NiFi.p12" -nodes -nocerts -out client.key

Run the original command:

$ openssl s_client -connect <host:port> -debug -state -cert client.pem -key client.key -CAfile nifi-cert.pem


Did you do this manually?

If you did this manually, it is likely you did not create a client certificate, in which case if you have no other authentication platform configured (Kerberos, LDAP), NiFi will demand a client certificate on every connection in order to authenticate the user. If no client cert is provided, the connection will fail. You can temporarily use the server certificate as a client certificate to verify this is the case, but this is not a permanent solution and is very unsafe.

Extract server cert from keystore (necessary to identify “client” on connection):

$ keytool -export -alias <your_alias> -file nifi.der -keystore <keystore.jks>
$ openssl x509 -inform der -in nifi.der -out nifi.pem

Extract server private key from keystore (necessary to authenticate “client” on connection):

$ keytool -importkeystore -srckeystore <keystore.jks> -destkeystore keystore.p12 -deststoretype PKCS12
$ openssl pkcs12 -in keystore.p12 -nodes -nocerts -out nifi.key

Extract CA cert (likely the same as the server cert if you self-signed) from truststore (necessary to validate server certificate on connection):

$ keytool -export -alias <your_alias> -file ca.der -keystore <truststore.jks>
$ openssl x509 -inform der -in ca.der -out ca.pem

Then run the original command I provided:

$ openssl s_client -connect <host:port> -debug -state -cert nifi.pem -key nifi.key -CAfile ca.pem



Andy LoPresto
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

On Nov 10, 2016, at 10:54 PM, Manojkumar Ravichandran <[hidden email]> wrote:

Hi,

Thanks for your response. The error I received in the browser has been attached.

I have generated the keystore and truststore files using the Java keytool.
Is it necessary to generate the key file in OpenSSL?

In nifi-app.log everything seems right, except for this warning message:

org.apache.nifi.cluster.protocol.ProtocolException: Failed marshalling protocol message in response to message type: CONNECTION_REQUEST due to java.net.SocketException: Software caused connection abort: socket write error
at org.apache.nifi.cluster.protocol.impl.SocketProtocolListener.dispatchRequest(SocketProtocolListener.java:176) ~[nifi-framework-cluster-protocol-1.0.0.jar:1.0.0]
at org.apache.nifi.io.socket.SocketListener$2$1.run(SocketListener.java:136) [nifi-socket-utils-1.0.0.jar:1.0.0]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_91]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_91]
at java.lang.Thread.run(Thread.java:745) [na:1.8.0_91]

Regards,
Manojkumar R

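A pre-flight check for the files produced by the extraction steps in the last reply, added here as an example and not part of the original thread or of NiFi: before pointing `openssl s_client` at the node, it confirms that the extracted client certificate chains to the CA and that the extracted key belongs to that certificate. The sample CA, the `sample-user` identity, the `changeit` password and the function names are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. All names and passwords are constructed.

# make_sample DIR: throwaway CA (nifi-cert.pem) and a client PKCS12 signed by it,
# named like the TLS Toolkit output so the space in the file name is exercised.
make_sample() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample-ca" \
    -keyout "$d/nifi-key.key" -out "$d/nifi-cert.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=sample-user/OU=Apache NiFi" \
    -keyout "$d/user.key" -out "$d/user.csr" 2>/dev/null
  openssl x509 -req -in "$d/user.csr" -CA "$d/nifi-cert.pem" \
    -CAkey "$d/nifi-key.key" -CAcreateserial -days 1 -out "$d/user.pem" 2>/dev/null
  openssl pkcs12 -export -in "$d/user.pem" -inkey "$d/user.key" \
    -passout pass:changeit -out "$d/CN=sample-user_OU=Apache NiFi.p12"
}

# extract_client P12 PASSWORD OUTDIR: write OUTDIR/client.pem and OUTDIR/client.key.
# Returns 2 if the PKCS12 cannot be read (wrong password, damaged file).
extract_client() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys \
    -out "$3/client.pem" 2>/dev/null || return 2
  # The key is written unencrypted (-nodes), so create it owner-only.
  ( umask 077; openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -nocerts \
    -out "$3/client.key" 2>/dev/null ) || return 2
}

# check_pair CERT KEY CA: returns 0 ok, 3 cert not issued by CA, 4 key/cert mismatch.
check_pair() {
  openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 || { echo untrusted; return 3; }
  # Compare the public key inside the certificate with the one derived from the key.
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ] || { echo mismatch; return 4; }
  echo ok
}

tmp=$(mktemp -d)
make_sample "$tmp"
extract_client "$tmp/CN=sample-user_OU=Apache NiFi.p12" changeit "$tmp" \
  && check_pair "$tmp/client.pem" "$tmp/client.key" "$tmp/nifi-cert.pem"
```

On a shared host, pass the keystore password with `-passin file:` or `-passin env:` instead of on the command line, and delete the unencrypted `client.key` once the `s_client` test is done.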