Securing Cloudera Flow Management

Get Client Certificates for Authentication

After you install NiFi CA, you can use the NiFi Toolkit to generate a client certificate for users you wish to authenticate. You can do this with NiFi Toolkit binaries running locally or located on agent machines where CFM is installed.

Example of creating a client certificate using the NiFi Toolkit in the CFM parcel:

# Ensure JAVA_HOME is set before execution
<parcel_home_dir>/CFM/TOOLKIT/bin/ client \
  -c <nifi-ca-host-fqdn> \
  -t <nifi-ca-token> \
  -p <nifi-ca-port> \
  -D <user-dn>

Once the PKCS12 keystore is created, use the password information from config.json to import the keystore.pkcs12 file into your browser.

When you log in to a secured NiFi or NiFi Registry instance, the service first looks for a client certificate imported in the browser and uses it for authentication. If a client certificate exists and its DN/identity represents a user who is authorized to access the UI or flow (as an initial admin or a manually configured user in NiFi/NiFi Registry), the user is logged in. Otherwise, if a login identity provider is configured for Kerberos/LDAP, a login screen displays.
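Because login succeeds only when the certificate DN represents an authorized user, it helps to confirm the DN inside keystore.pkcs12 before importing it. The script below is an added example, not part of the Cloudera documentation or the NiFi Toolkit. It assumes openssl is installed and that config.json holds the password in a "keyStorePassword" field. The function names and the demo data are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not Cloudera's code. Assumes openssl is installed and that
# config.json stores the keystore password in a "keyStorePassword" field.

# Extract the keystore password from config.json.
keystore_password() {   # $1 = config.json
  sed -n 's/.*"keyStorePassword"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print the client certificate's subject DN in RFC 2253 form. The password is
# handed to openssl through the environment, not the command line.
keystore_subject() {    # $1 = keystore.pkcs12, $2 = config.json
  KS_PW="$(keystore_password "$2")" \
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:KS_PW 2>/dev/null |
    openssl x509 -noout -subject -nameopt RFC2253 2>/dev/null | sed 's/^subject= *//'
}

# Succeed only if the keystore DN equals the expected user DN (spaces after commas ignored).
dn_matches() (          # $1 = keystore.pkcs12, $2 = config.json, $3 = expected DN
  have="$(keystore_subject "$1" "$2" | sed 's/,[[:space:]]*/,/g')"
  want="$(printf '%s' "$3" | sed 's/,[[:space:]]*/,/g')"
  [ -n "$have" ] && [ "$have" = "$want" ]
)

# Succeed only if a file grants no permissions to group or others.
secrets_private() {     # $1 = file holding secrets, e.g. config.json
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample data (not toolkit output): self-signed cert, keystore, config.json.
make_demo() (           # $1 = directory, $2 = subject in openssl -subj form
  cd "$1" && umask 077 &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
    -keyout key.pem -out cert.pem 2>/dev/null &&
  openssl pkcs12 -export -inkey key.pem -in cert.pem \
    -out keystore.pkcs12 -passout pass:demo-only-password &&
  printf '{\n  "keyStorePassword" : "demo-only-password"\n}\n' > config.json
)

# Usage: ./check_client_cert.sh keystore.pkcs12 config.json "CN=alice, OU=NIFI"
if [ "$#" -eq 3 ]; then
  secrets_private "$2" || echo "WARNING: $2 is readable by group or others" >&2
  if dn_matches "$@"; then echo "DN matches"; else echo "DN mismatch" >&2; exit 1; fi
fi
```

Pass the DN exactly as it is configured for the user in NiFi or NiFi Registry. The script also warns when config.json, which holds the keystore password in clear text, is readable by group or others.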