Also available as:
loading table of contents...

Security Configuration

NiFi provides several different configuration options for security purposes. The most important properties are those under the "security properties" heading in the file. In order to run securely, the following properties must be set:

Property Name


Set to true to specify that connecting clients must authenticate themselves. This property is used by the NiFi cluster protocol to indicate that nodes in the cluster will be authenticated and must have certificates that are trusted by the Truststores.

Filename of the Keystore that contains the server's private key.

The type of Keystore. Must be either PKCS12 or JKS. JKS is the preferred type, PKCS12 files will be loaded with BouncyCastle provider.

The password for the Keystore.

The password for the certificate in the Keystore. If not set, the value of will be used.

Filename of the Truststore that will be used to authorize those connecting to NiFi. A secured instance with no Truststore will refuse all incoming connections.

The type of the Truststore. Must be either PKCS12 or JKS. JKS is the preferred type, PKCS12 files will be loaded with BouncyCastle provider.

The password for the Truststore.

Once the above properties have been configured, we can enable the User Interface to be accessed over HTTPS instead of HTTP. This is accomplished by setting the and nifi.web.https.port properties. The property indicates which hostname the server should run on. If it is desired that the HTTPS interface be accessible from all network interfaces, a value of should be used. To allow admins to configure the application to run only on specific network interfaces,* or* properties can be specified.

It is important when enabling HTTPS that the nifi.web.http.port property be unset.

Similar to, the web server can be configured to require certificate based client authentication for users accessing the User Interface. In order to do this it must be configured to not support username/password authentication using Lightweight Directory Access Protocol (LDAP) or Kerberos. Either of these options will configure the web server to WANT certificate based client authentication. This will allow it to support users with certificates and those without that may be logging in with their credentials or those accessing anonymously. If username/password authentication and anonymous access are not configured, the web server will REQUIRE certificate based client authentication. See User Authentication for more details.

Now that the User Interface has been secured, we can easily secure Site-to-Site connections and inner-cluster communications, as well. This is accomplished by setting the and properties, respectively, to true.