Apache NiFi / NIFI-7673

Toolkit in diagnostic mode should verify independent node




      • Incomplete chain
      • All nodes have wildcard certificates. Cannot identify one node from the other
      • Use any certs as long as prerequisites are aligned with NiFi.
      • Build monitoring for expiration of TLS certificates
      • Ambari using NiFi CA, overrides/corrupts if using external certs
      • Populate authorization.xml file if using external certs
      • Have internal method to avoid removal of authorization.xml and users.xml
      • Explicit document with prerequisites for certs
      • --additionalCACertificate <arg> for Client-Server model
      • Validate certs if not using CA toolkit
      • Firewall/DNS issues resolving multiple nodes in cluster
      • Independent node configuration verification
        1. Priority 0
        2. Addresses B, C, D, J
        3. Description: Verifies each node has the correct configuration files and passwords available, and that the key/certificate contents of the keystore and truststore are correct for that node
        4. Steps
           1. Run on each node
              1. Read the nifi.properties file
              2. Verify the keystore and truststore are located at the correct file path
              3. Verify the keystore password, key password, and truststore password are correct
              4. Verify that the keystore contains a single private key entry and a public certificate which identifies this host
                 • CN
                 • SAN
                 • Not wildcard (or at least unique SAN present)
                 • EKU
                 • Certificate validity dates
                 • Key size
                 • Other OIDs
              5. Verify that the truststore contains at least one public certificate
              6. Verify that the truststore contains a public certificate which verifies the private key in the keystore for this node (i.e. this node would trust itself/the signer of itself)
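
The per-node steps above as a standalone Java program (Java 11 or later, run on each node as `java NodeTlsCheck.java conf/nifi.properties`); this is an added example, not code from the NiFi toolkit or from this ticket, and the class name `NodeTlsCheck` is hypothetical. It assumes plaintext passwords in nifi.properties, that `nifi.web.https.host` holds this node's hostname, and that a certificate carrying an EKU extension needs both serverAuth and clientAuth; it covers the SAN, validity date, EKU and truststore checks and leaves key size and other OIDs out.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;

public class NodeTlsCheck {
    static KeyStore load(Properties p, String name) throws Exception {
        KeyStore ks = KeyStore.getInstance(p.getProperty("nifi.security." + name + "Type", "JKS"));
        try (FileInputStream in = new FileInputStream(p.getProperty("nifi.security." + name))) {
            ks.load(in, p.getProperty("nifi.security." + name + "Passwd").toCharArray()); // throws on bad path/password
        }
        return ks;
    }
    // True if a truststore entry is, or signed, a certificate in this node's chain
    static boolean trusted(Certificate[] chain, KeyStore ts) throws Exception {
        for (String a : Collections.list(ts.aliases())) for (Certificate c : chain) {
            if (c.equals(ts.getCertificate(a))) return true;
            try { c.verify(ts.getCertificate(a).getPublicKey()); return true; } catch (Exception notSigner) { }
        }
        return false;
    }
    public static void main(String[] args) throws Exception {
        Properties p = new Properties();
        try (FileInputStream in = new FileInputStream(args[0])) { p.load(in); }
        KeyStore ks = load(p, "keystore"), ts = load(p, "truststore");
        String host = p.getProperty("nifi.web.https.host"); // assumed to be this node's hostname
        String keyPw = p.getProperty("nifi.security.keyPasswd", "");
        if (keyPw.isEmpty()) keyPw = p.getProperty("nifi.security.keystorePasswd");
        List<String> bad = new ArrayList<>(), keys = new ArrayList<>();
        for (String a : Collections.list(ks.aliases())) if (ks.isKeyEntry(a)) keys.add(a);
        if (keys.size() != 1) bad.add("expected 1 private key entry, found " + keys.size());
        if (ts.size() == 0) bad.add("truststore holds no certificates");
        for (String alias : keys) {
            ks.getKey(alias, keyPw.toCharArray()); // throws if the key password is wrong
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            try { cert.checkValidity(); } catch (Exception e) { bad.add(alias + ": outside validity dates"); }
            boolean san = false; // exact dNSName (type 2) match, so a wildcard-only SAN fails
            Collection<List<?>> sans = cert.getSubjectAlternativeNames();
            if (sans != null) for (List<?> s : sans)
                if (Integer.valueOf(2).equals(s.get(0)) && ((String) s.get(1)).equalsIgnoreCase(host)) san = true;
            if (!san) bad.add(alias + ": no SAN dNSName equal to " + host);
            List<String> eku = cert.getExtendedKeyUsage(); // null: extension absent, unrestricted
            if (eku != null && !eku.containsAll(List.of("1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2")))
                bad.add(alias + ": EKU lacks serverAuth or clientAuth (assumed requirement)");
            if (!trusted(ks.getCertificateChain(alias), ts)) bad.add(alias + ": not verified by truststore");
        }
        System.out.println(bad.isEmpty() ? "node TLS configuration OK" : String.join("\n", bad));
    }
}
```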





              VedaKadam Veda Kadam



                Time Tracking

                  Original Estimate - Not Specified
                  Remaining Estimate - 0h
                  Time Spent - 8h 20m