Details
-
Improvement
-
Status: Open
-
Major
-
Resolution: Unresolved
-
1.11.4
-
None
Description
- Incomplete chainĀ
- All nodes have wildcard certificates. Cannot identify one node from the other
- Use any certs as long as prerequisites are aligned with NiFi.
- Build monitoring for expiration of TLS certificates
- Ambari using NiFi CA, overrides/corrupts if using external certs
- Populate authorization.xml file if using external certs
- Have internal method to avoid removal of authorization.xml and users.xml
- Explicit document with prerequisites for certs
- --additionalCACertificate <arg> for Client-Server model
- Validate certs if not using CA toolkit
- Firewall/DNS issues resolving multiple nodes in cluster
- Independent node configuration verification
- Priority 0
- Addresses B, C, D, J
- Description: Verifies each node has the correct configuration files and passwords available, and that the key/certificate contents of the keystore and truststore are correct for that node
- Steps
- Run on each node
- Read the nifi.properties file
- Verify the keystore and truststore are located at the correct file path
- Verify the keystore password, key password, and truststore password are correct
- Verify that the keystore contains a single private key entry and a public certificate which identifies this host
- CN
- SAN
- Not wildcard (or at least unique SAN present)
- EKU
- Certificate validity dates
- Key size
- Other OIDs
- Verify that the truststore contains at least one public certificate
- Verify that the truststore contains a public certificate which verifies the private key in the keystore for this node (i.e. this node would trust itself/the signer of itself)
