Securing Cloudera Flow Management
Also available as:
PDF

Get Client Certificates for Authentication

After you install NiFi CA, you can use the NiFi Toolkit to generate a client certificate for users you wish to authenticate. You can do this with NiFi Toolkit binaries running locally or located on agent machines where CFM is installed.

Example of creating a client certificate using the NiFi Toolkit in CFM parcel:

#ensure java home is set before execution
<parcel_home_dir>/CFM/TOOLKIT/bin/tls-toolkit.sh client -c <nifi-ca-host-fdqn>l -t
          <nifi-ca-token> -p <nifi-ca-port -D <user-dn> -T PKCS12

Once pkcs12 keystore is created, use the password information from the config.json to import the keystore.pkcs12 file into browser.

When you are logging into a secured NiFi or NiFi Registry instance, services search first for any client certificate imported in the browser for authentication. If the client certificate exists and the certificate DN/Identity represents a user that is authorized to access the UI or Flow (as an initial admin or manually configured in NiFi/NiFi Registry), they are successfully log in. Otherwise, if a login-identity provider is configured for Kerberos/LDAP, a login screen displays.