Security

Enabling SSL with a NiFi Certificate Authority

When you enable SSL with the NiFi Certificate Authority (CA) installed, the NiFi CA generates new client certificates for you through Ambari. If you want to enable SSL with a NiFi CA installed, and are planning to use Ranger to manage authorization:

  1. Select the Enable SSL? box.

  2. Specify the NiFi CA token.

If you want to enable SSL with a NiFi CA installed, and are not yet using Ranger to manage authorization:

  1. Check the Enable SSL? box.

  2. Specify the NiFi CA Token.

  3. Verify that the authorizations.xml file on each node does not contain policies. The authorizations.xml is located in {nifi_internal_dir}/conf. By default, this location is /var/lib/nifi/conf/, and the value of {nifi_internal_dir} is specified in the NiFi internal dir field under Advanced nifi-ambari-config.

    Note

    If authorizations.xml does contain policies, you must delete it from each node. If you do not, your Initial Admin Identity and Node Identities changes do not take effect.

  4. Specify the Initial Admin Identity. The Initial Admin Identity is the identity of an initial administrator and is granted access to the UI and has the ability to create additional users, groups, and policies. This is a required value when you are not using the Ranger plugin for NiFi for authorization.

    The Initial Admin Identity format is CN=admin, OU=NIFI.

    After you have added the Initial Admin Identity, you must immediately generate a certificate for this user.

  5. Specify the Node Identities. This indicates the identity of each node in a NiFi cluster and allows clustered nodes to communicate. This is a required value when you are not using the Ranger plugin for NiFi for authorization.

    <property name="Node Identity 1">CN=node1.fqdn, OU=NIFI</property>
    <property name="Node Identity 2">CN=node2.fqdn, OU=NIFI</property>
    <property name="Node Identity 3">CN=node3.fqdn, OU=NIFI</property>

    Replace node1.fqdn, node2.fqdn, and node3.fqdn with their respective fully qualified domain names.
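The following pre-flight script is an added example for steps 3 to 5 above; it is not part of the Hortonworks documentation or of NiFi itself. It parses an authorizations.xml and counts its policies (step 3), and it checks that the Initial Admin Identity and Node Identities use the exact CN=<name>, OU=NIFI spelling the page shows and that every cluster FQDN is covered (steps 4 and 5). The two XML documents embedded in it are constructed samples, the function names are hypothetical helpers, and the <policies>/<policy> layout is the one NiFi's file-based authorizer writes. NiFi compares identity strings literally rather than as parsed distinguished names, so the identity check deliberately rejects any other spacing or ordering.

```python
"""Pre-flight checks for the NiFi CA / SSL steps (added example, not NiFi code).

Assumptions not on the original page: the authorizations.xml layout
<authorizations><policies><policy .../></policies></authorizations> written by
NiFi's file-based authorizer, and the helper names below, which are hypothetical.
"""
import os
import re
import xml.etree.ElementTree as ET

# Constructed sample: a fresh authorizations.xml with no policies (the state step 3 requires).
EMPTY_AUTHORIZATIONS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
    <policies/>
</authorizations>
"""

# Constructed sample: an authorizations.xml that already carries a policy. Per the
# Note in step 3, such a file must be deleted on every node or the new
# Initial Admin Identity and Node Identities are never applied.
POPULATED_AUTHORIZATIONS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
    <policies>
        <policy identifier="00000000-0000-4000-8000-000000000001" resource="/flow" action="R">
            <user identifier="00000000-0000-4000-8000-0000000000aa"/>
        </policy>
    </policies>
</authorizations>
"""


def count_policies(xml_text):
    """Return the number of <policy> elements under <policies> in an authorizations.xml document."""
    root = ET.fromstring(xml_text)
    return len(root.findall("./policies/policy"))


def count_policies_in_file(path):
    """Count policies in the authorizations.xml at `path`.

    A missing file holds no policies (NiFi writes a fresh one on start), so it counts as 0.
    """
    if not os.path.exists(path):
        return 0
    with open(path, encoding="utf-8") as fh:
        return count_policies(fh.read())


# Exact form used on the page: "CN=<name>, OU=NIFI" with a single ", " separator.
# NiFi matches identity strings literally, so a different spacing is a different identity.
IDENTITY_PATTERN = re.compile(r"^CN=(?P<cn>[^,]+), OU=NIFI$")


def parse_identity(dn):
    """Return the CN value of an identity in the required form, or None if it does not conform."""
    match = IDENTITY_PATTERN.match(dn)
    return match.group("cn") if match else None


def check_node_identities(identities, cluster_fqdns):
    """Compare configured Node Identity values against the cluster's FQDNs.

    Returns (malformed, missing): identity strings that do not parse, and
    FQDNs with no matching Node Identity entry.
    """
    malformed = [dn for dn in identities if parse_identity(dn) is None]
    present = {parse_identity(dn) for dn in identities} - {None}
    missing = sorted(set(cluster_fqdns) - present)
    return malformed, missing


if __name__ == "__main__":
    # Constructed run-through: one clean file, one populated file, one bad node identity.
    print("policies in fresh file:", count_policies(EMPTY_AUTHORIZATIONS))
    print("policies in populated file:", count_policies(POPULATED_AUTHORIZATIONS))
    print("admin CN:", parse_identity("CN=admin, OU=NIFI"))
    node_ids = ["CN=node1.fqdn, OU=NIFI", "CN=node2.fqdn, OU=NIFI", "CN=node3.fqdn,OU=NIFI"]
    bad, absent = check_node_identities(node_ids, ["node1.fqdn", "node2.fqdn", "node3.fqdn"])
    print("malformed identities:", bad)
    print("nodes without an identity:", absent)
```

Run it on each node with `count_policies_in_file("/var/lib/nifi/conf/authorizations.xml")` (or the path under your own {nifi_internal_dir}) before changing the identities; a non-zero count is exactly the situation the Note in step 3 warns about.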