Uploaded image for project: 'Apache NiFi'
  1. Apache NiFi
  2. NIFI-5458

Improve NiFi TLS and certificate management

    XMLWordPrintableJSON

Details

    • NiFi security configuration requires substantial knowledge and effort to deploy
    • To Do

    Description

      To securely deploy Apache NiFi requires substantial background knowledge, applied familiarity with a disparate set of tools and operating systems, and disjoint manual effort. The NiFi TLS Toolkit and Encrypt Config Toolkits aim to help, but the former is designed for development/sandbox environments, not integration with enterprise certificate authorities (CA). In addition, NiFi requires tightly coupled security configuration when deploying in a cluster environment, and dynamic horizontal scaling is difficult.

      This epic will serve as an aggregator for all individual tickets related to an ongoing, holistic effort to streamline, automate, and lower the barrier to entry to configuring a secure NiFi deployment.

      • Generating or acquiring signed certificates and converting them to the proper format (JKS, PEM, P12, etc.)
      • Integrating with external certificate providers
      • Securing the sensitive configuration values
      • Automating deployment of configuration values
      • Encapsulating/delegating security configuration for containerization efforts
      • Automating deployment of TLS cipher suites and protocol versions
      • Automating mitigation of TLS vulnerabilities

      Attachments

        Issue Links

          contains

          Sub-task - The sub-task of the issue NIFI-5364 ConfigEncryptionTool should handle NiFi Registry

          • Major - Major loss of function.
          • Resolved

          Sub-task - The sub-task of the issue NIFI-5365 TLS Toolkit should handle NiFi Registry

          • Major - Major loss of function.
          • Resolved

          Sub-task - The sub-task of the issue NIFI-5210 Create service to retrieve TLS configurations from remote endpoint

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

          Sub-task - The sub-task of the issue NIFI-5211 Create JSON reader, writer, signer, and verifier

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

          Sub-task - The sub-task of the issue NIFI-5212 Configure JettyServer with custom TLS protocols and cipher suites

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. NIFI-1990 Implement consistent security controls for cluster, site-to-site, and API communications

          • Major - Major loss of function.
          • Open

          Bug - A problem which impairs or prevents the functions of the product. NIFI-3063 TLS Toolkit ignores provided password if longer than 7 characters and switches to auto-generated 7 character password

          • Critical - Crashes, loss of data, severe memory leak.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. NIFI-5622 Test certificates require SAN values

          • Major - Major loss of function.
          • Resolved

          New Feature - A new feature of the product, which has yet to be developed. NIFI-1466 Add password strength indicator to password properties

          • Major - Major loss of function.
          • Resolved

          New Feature - A new feature of the product, which has yet to be developed. NIFI-2437 Enforce HSTS to require HTTPS connections if available

          • Major - Major loss of function.
          • Resolved

          New Feature - A new feature of the product, which has yet to be developed. NIFI-3890 Create Key Management Controller Service

          • Major - Major loss of function.
          • Resolved

          New Feature - A new feature of the product, which has yet to be developed. NIFI-4881 Provide TLS "auto-secure" feature

          • Major - Major loss of function.
          • Resolved

          New Feature - A new feature of the product, which has yet to be developed. NIFI-3887 Add verbose mode to TLS Toolkit

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

          New Feature - A new feature of the product, which has yet to be developed. NIFI-7134 Enable JettyServer to automatically detect keystore changes and update

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. NIFI-1480 Allow different cipher suites configurable properties for NiFi UI & integrations

          • Major - Major loss of function.
          • Open

          Improvement - An improvement or enhancement to an existing feature or task. NIFI-1995 Support keystores with multiple certificates by exposing alias selection in configuration

          • Major - Major loss of function.
          • Open

          Improvement - An improvement or enhancement to an existing feature or task. NIFI-5398 Identify cluster communication endpoints via combination of hostname and certificate rather than just certificate DN

          • Major - Major loss of function.
          • Open

          Improvement - An improvement or enhancement to an existing feature or task. NIFI-5443 Improve cluster configuration for dynamic scaling

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open

          Improvement - An improvement or enhancement to an existing feature or task. NIFI-1478 Audit SSLContextFactory and SSLSocketFactory usage throughout application

          • Critical - Crashes, loss of data, severe memory leak.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. NIFI-1477 Import trusted CA certificates into NiFi local truststore

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. NIFI-2653 Encrypted configs should handle variable registry

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. NIFI-2959 TLS Toolkit should provide the correct DN to authorizers.xml for the Initial Admin Identity

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. NIFI-3062 Provide better error message on startup if invalid length keystore password used in conjunction with PKCS12 keystore

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. NIFI-3740 Hostname validation error message can be unclear if SAN fails but CN matches hostname

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. NIFI-4247 TLS Toolkit should parse regex in SAN fields

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. NIFI-4573 Improve error messaging when users do not enter password for flow encryption migration

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. NIFI-5363 Enhance NiFi Toolkit to handle NiFi Registry

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. NIFI-5366 Implement Content Security Policy frame-ancestors directive

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. NIFI-5400 NiFiHostnameVerifier should be replaced

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. NIFI-5473 Add documentation for using intermediate CA with TLS toolkit

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. NIFI-5476 Enable TLS Toolkit (standalone) to sign certificates with external CA certificate

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. NIFI-5586 Add capability to generate ECDSA keys to TLS Toolkit

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. NIFI-5620 Standardize TLS Toolkit standalone and client/server command-line flags

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. NIFI-3171 Improve error message when long password is used for config encryption on machine without JCE policies

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

          Task - A task that needs to be done. NIFI-1277 Audit current use of cryptography throughout application

          • Critical - Crashes, loss of data, severe memory leak.
          • Resolved

          Task - A task that needs to be done. NIFI-1525 Audit use of private keys throughout application

          • Major - Major loss of function.
          • Resolved

          Task - A task that needs to be done. NIFI-5285 Re-evaluate memory/time cost parameters for 2018

          • Major - Major loss of function.
          • Resolved
          incorporates

          Bug - A problem which impairs or prevents the functions of the product. NIFI-7767 SAN not being added to certificates using tls-toolkit

          • Major - Major loss of function.
          • Resolved

          New Feature - A new feature of the product, which has yet to be developed. NIFI-3691 Provide utility to verify configured security settings and certificates

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. NIFI-7783 TLS Toolkit should include the CA CN as a SAN

          • Major - Major loss of function.
          • Resolved
          Is contained by

          Improvement - An improvement or enhancement to an existing feature or task. NIFI-5485 Enable TLS Toolkit (client/server) to sign certificates with external CA certificate

          • Major - Major loss of function.
          • Resolved
          relates to

          Bug - A problem which impairs or prevents the functions of the product. NIFI-7468 Improve internal handling of SSL channels

          • Major - Major loss of function.
          • Resolved

          New Feature - A new feature of the product, which has yet to be developed. NIFI-5481 Add New Sensitive Property Providers

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. NIFI-7673 Toolkit in diagnostic mode should verify independent node

          • Major - Major loss of function.
          • Resolved

          Activity

            People

              Unassigned Unassigned
              alopresto Andy LoPresto
              Votes:
              3 Vote for this issue
              Watchers:
              15 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 40m
                  40m