Configuring NiFi Authentication and Proxying with Apache Knox

Generating Knox Certificates Using the TLS Toolkit

You can use the TLS Toolkit to generate the certificate, keystore, and truststore that Knox needs to authenticate itself to NiFi when it proxies NiFi.

Ensure that the Java installation used by the toolkit (JAVA_HOME) is set correctly for your environment.

  1. As the Knox user, run the TLS Toolkit in client mode. For the location of the TLS Toolkit, see the HDF Release Notes for release-specific download information.

    For example:

    /var/lib/ambari-agent/tmp/nifi-toolkit-1.7.0.3.2.0.0-520/bin/tls-toolkit.sh \
        client --subjectAlternativeNames "CN=$KNOX_HOSTNAME, OU=KNOX" \
        -F \
        -f /home/knox/nifi-ca-config.json
    

    The toolkit requests a new certificate from the NiFi CA and writes two new files, a keystore and a truststore, at the paths and with the passwords specified in nifi-ca-config.json:

    /home/knox/knox-nifi-keystore.jks
    /home/knox/knox-nifi-truststore.jks
    
  2. Import the Knox certificate for NiFi into the Knox gateway.jks file:
    keytool \
        -importkeystore \
        -srckeystore /home/knox/knox-nifi-keystore.jks \
        -destkeystore /usr/hdf/current/knox-server/data/security/keystores/gateway.jks \
        -deststoretype JKS \
        -srcstorepass $KEYSTORE_PASSWORD \
        -deststorepass $KNOX_MASTER_PASSWORD
    

    The gateway.jks file now contains a PrivateKeyEntry (alias nifi-key) holding the private key and certificate that Knox presents to NiFi.

  3. Import the NiFi CA truststore into the Knox gateway.jks file:
    keytool \
        -importkeystore \
        -srckeystore /home/knox/knox-nifi-truststore.jks \
        -destkeystore /usr/hdf/current/knox-server/data/security/keystores/gateway.jks \
        -deststoretype JKS \
        -srcstorepass $TRUSTSTORE_PASSWORD \
        -deststorepass $KNOX_MASTER_PASSWORD
    

    The gateway.jks file should now also contain a trustedCertEntry (alias nifi-cert) for the NiFi CA certificate, which Knox uses to validate the certificates NiFi presents.

  4. Verify that the proper entries are in the gateway.jks file. The store is protected by the Knox master secret, which was used as the destination store password in steps 2 and 3:
    keytool \
        -keystore /usr/hdf/current/knox-server/data/security/keystores/gateway.jks \
        -storepass $KNOX_MASTER_PASSWORD \
        -list \
        -v

You should see the nifi-key (PrivateKeyEntry) and nifi-cert (trustedCertEntry) entries in addition to the gateway-identity key. If keytool reports "Keystore was tampered with, or password was incorrect", the store password does not match the Knox master secret; do not proceed until the listing succeeds.
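The following script is an added example, not part of the HDF documentation or the Knox or NiFi projects. It runs the four steps above as one idempotent procedure and then checks the gateway.jks listing for the three aliases the procedure is supposed to produce, with the right entry type for each, rather than relying on a visual scan of the keytool output. It assumes the toolkit location, gateway.jks path, and config path shown in the steps (all overridable through the environment), that KNOX_HOSTNAME, KEYSTORE_PASSWORD, TRUSTSTORE_PASSWORD and KNOX_MASTER_PASSWORD are set, and that the keystore and truststore passwords are the ones written in nifi-ca-config.json. The sample keytool listing embedded in the script is constructed and trimmed for illustration.

```shell
#!/bin/sh
# Added example (not HDF/Knox/NiFi code): provision the Knox-for-NiFi
# certificate and verify the resulting gateway.jks contents.
set -eu

# Assumed locations; override via the environment if yours differ.
TOOLKIT_DIR="${TOOLKIT_DIR:-/var/lib/ambari-agent/tmp/nifi-toolkit-1.7.0.3.2.0.0-520}"
GATEWAY_JKS="${GATEWAY_JKS:-/usr/hdf/current/knox-server/data/security/keystores/gateway.jks}"
CA_CONFIG="${CA_CONFIG:-/home/knox/nifi-ca-config.json}"
KEYSTORE="${KEYSTORE:-/home/knox/knox-nifi-keystore.jks}"
TRUSTSTORE="${TRUSTSTORE:-/home/knox/knox-nifi-truststore.jks}"

# Steps 1-3 of the procedure. Requires KNOX_HOSTNAME, KEYSTORE_PASSWORD,
# TRUSTSTORE_PASSWORD and KNOX_MASTER_PASSWORD in the environment.
# -noprompt makes keytool overwrite an existing alias instead of asking,
# so re-running after a certificate renewal does not hang on a prompt.
provision_knox_nifi_certs() {
  # Step 1: request a certificate for the Knox host from the NiFi CA.
  "$TOOLKIT_DIR/bin/tls-toolkit.sh" client \
    --subjectAlternativeNames "CN=$KNOX_HOSTNAME, OU=KNOX" -F -f "$CA_CONFIG"
  # Step 2: Knox's key and certificate for NiFi -> gateway.jks (alias nifi-key).
  keytool -importkeystore -noprompt \
    -srckeystore "$KEYSTORE" -srcstorepass "$KEYSTORE_PASSWORD" \
    -destkeystore "$GATEWAY_JKS" -deststoretype JKS -deststorepass "$KNOX_MASTER_PASSWORD"
  # Step 3: the NiFi CA certificate -> gateway.jks (alias nifi-cert).
  keytool -importkeystore -noprompt \
    -srckeystore "$TRUSTSTORE" -srcstorepass "$TRUSTSTORE_PASSWORD" \
    -destkeystore "$GATEWAY_JKS" -deststoretype JKS -deststorepass "$KNOX_MASTER_PASSWORD"
}

# Step 4, made mechanical: read `keytool -list -v` output on stdin and require
# each expected alias to be present with the expected entry type.
# Returns 0 when all three are found, 1 otherwise (missing ones go to stderr).
verify_gateway_listing() {
  listing="$(cat)"
  missing=0
  for pair in "gateway-identity:PrivateKeyEntry" \
              "nifi-key:PrivateKeyEntry" \
              "nifi-cert:trustedCertEntry"; do
    alias="${pair%%:*}"
    entry="${pair##*:}"
    # "Alias name: " and "Entry type: " are both 12 characters wide.
    if ! printf '%s\n' "$listing" | awk -v a="$alias" -v e="$entry" '
        /^Alias name: / { cur = substr($0, 13) }
        /^Entry type: / && cur == a && substr($0, 13) == e { ok = 1 }
        END { exit ok ? 0 : 1 }'; then
      echo "gateway.jks: missing $alias or wrong entry type (expected $entry)" >&2
      missing=1
    fi
  done
  return $missing
}

# Constructed, trimmed sample of what step 4 prints after a successful run.
SAMPLE_LISTING="$(cat <<'EOF'
Keystore type: jks
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: gateway-identity
Creation date: Jan 10, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 1

Alias name: nifi-key
Creation date: Jan 10, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2

Alias name: nifi-cert
Creation date: Jan 10, 2019
Entry type: trustedCertEntry
EOF
)"

if [ "${1:-}" = "run" ]; then
  provision_knox_nifi_certs
  keytool -keystore "$GATEWAY_JKS" -storepass "$KNOX_MASTER_PASSWORD" -list -v \
    | verify_gateway_listing && echo "gateway.jks contains the expected NiFi entries"
else
  # Without "run", only exercise the check against the constructed sample.
  printf '%s\n' "$SAMPLE_LISTING" | verify_gateway_listing && echo "sample listing OK"
fi
```

Invoke it as `sh knox-nifi-certs.sh run` on the Knox host as the knox user; without the argument it only checks the embedded sample, which is useful for confirming the check itself before pointing it at a real gateway.jks. The verification deliberately matches on entry type as well as alias: a nifi-cert that ended up as a PrivateKeyEntry, or a nifi-key imported as a bare trusted certificate, would mean the wrong source store was used in step 2 or 3 and Knox would either fail to present a client certificate to NiFi or fail to trust NiFi's certificate.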