NiFi – Securing cluster with X.509 Certificates

NiFi can be used to process sensitive data, so administrators may wish to secure the NiFi user interface. One of the mechanisms NiFi offers for this is mutual (two-way) TLS authentication with X.509 certificates: the server proves its identity to the browser, and the browser proves the user's identity to the server.

I installed three instances of NiFi on three separate EC2 instances (the NCM on one, Node1 on a second and Node2 on a third). All three could equally run on a single EC2 instance, since NiFi is lightweight.

Mutual authentication with X.509 certificates

[diagram: nifi-secured-mutual-authentication]

The client requests a resource; the server presents its certificate; the client verifies that certificate against its truststore.
The server requests a client certificate; the client presents one; the server verifies it against its truststore and then looks up the access rights granted to the certificate's subject DN.
Only after both checks succeed does the client reach the protected resource.

I created one Certificate Authority to sign the server certificates, a keystore for each of the three servers, and a user key and certificate for certificate-based client authentication.

X.509 Certificates

Creating Certificate Authority

The command below generates the CA private key.

[screenshot: ca-privatekey]

The next command builds the CA's certificate request, supplying the Country Name, State, Locality, Organization Name, Organizational Unit Name and Common Name that will identify the CA.

[screenshot: countryname]

The command below converts the CA certificate from PEM to DER encoding, which is the form that was then handed to the Java keytool to build a keystore (keytool also accepts PEM, so this conversion is optional).

[screenshot: pemencoding]

The command below imports the CA certificate into a Java keystore. This keystore contains only the CA certificate and is the truststore each NiFi instance uses to verify the certificates presented by peers and users.

[screenshot: keystore]

Below is a screenshot of the certificates generated.

[screenshot: certificates]

Creating Server Keystore

Use the same password for the key and the keystore: nifi.properties carries them as two separate settings (nifi.security.keyPasswd and nifi.security.keystorePasswd), and keeping them identical avoids a mismatch that stops NiFi from opening the keystore. The command below creates the server private key.

[screenshot: serverprivatekey]

The command below generates a Certificate Signing Request (CSR) for that key.

[screenshot: certificatesigning]

The command below submits the CSR to the CA, which signs it and returns the server certificate.

[screenshot: keysignbyca]

The command below imports the CA certificate into the server keystore, so that the keystore holds the complete chain.

[screenshot: importpublickeytokeystore]

The command below imports the signed .crt into the keystore. It must be imported under the same alias as the private key, so that keytool treats it as the CA reply for that key rather than as a separate trusted certificate.

[screenshot: importsignedcrt]

Below is a screenshot of the certificates generated.

[screenshot: keystorecertificates]

Follow the same process on the other two instances, creating a separate server keystore for each (each certificate's Common Name should be that instance's hostname, which is what the browser and the other nodes will check).

User keys for key based authentication

The commands below generate the user's private key and certificate and bundle them into user1.p12.

[screenshot: userkeys]

Below is a screenshot of the keys generated.

[screenshot: keysgenerated]

Import user1.p12 into the browser's certificate store; the browser will present it when the secured NiFi instance requests a client certificate.

Manually add the user's certificate DN to authorized-users.xml with the ROLE_ADMIN role (the DN must match the certificate subject exactly as NiFi reports it).

[screenshot: authorizedusers]
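The whole certificate procedure above (CA, one keystore per server, user1.p12 and the DN that goes into authorized-users.xml), as an added example that is not part of the original post. It uses openssl throughout and produces PKCS#12 keystores rather than the keytool/JKS ones in the screenshots (keytool is used for the truststore only when it is installed); the hostnames, DN fields, password and output directory are assumptions, and the "CN=..., OU=..." DN form printed at the end is what NiFi reports for a certificate, so copy the string NiFi logs if yours differs.

```shell
#!/usr/bin/env bash
# Added example, not the post's own commands: the same PKI built with openssl only.
# Assumptions: hostnames, DN fields, the password and the output directory below.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "SKIP: openssl not installed" >&2; exit 0; }

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"
PASS="${PASS:-changeit}"      # one password for key and store; Java's PKCS#12 support expects that
DN_BASE="/C=IN/ST=KA/L=Bangalore/O=Example/OU=NIFI"   # assumed organisation fields
CA="$PKI_DIR/ca"

make_ca() {                   # CA private key + self-signed CA certificate (PEM, plus a DER copy)
  mkdir -p "$CA"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "$DN_BASE/CN=nifi-ca" \
    -keyout "$CA/ca.key" -out "$CA/ca.crt"
  openssl x509 -in "$CA/ca.crt" -outform DER -out "$CA/ca.der"
}

make_truststore() {           # CA certificate only; every NiFi instance verifies its peers against it
  if command -v keytool >/dev/null 2>&1; then
    keytool -importcert -noprompt -alias nifi-ca -file "$CA/ca.crt" -storetype JKS \
      -keystore "$PKI_DIR/truststore.jks" -storepass "$PASS"
  elif openssl pkcs12 -export -nokeys -jdktrust anyExtendedKeyUsage -in "$CA/ca.crt" \
         -passout "pass:$PASS" -out "$PKI_DIR/truststore.p12" 2>/dev/null; then
    :                         # OpenSSL 3 marks the entry as trusted the way Java's PKCS#12 loader expects
  else
    echo "warning: old openssl, truststore entry lacks the Java trust attribute; rebuild it with keytool" >&2
    openssl pkcs12 -export -nokeys -in "$CA/ca.crt" -passout "pass:$PASS" -out "$PKI_DIR/truststore.p12"
  fi
}

issue_cert() {                # key -> CSR -> CA-signed certificate -> PKCS#12 bundle, for one subject
  local dir="$1" name="$2" cn="$3"
  shift 3                     # remaining arguments are x509 extension lines
  mkdir -p "$dir"
  openssl req -new -newkey rsa:2048 -nodes -subj "$DN_BASE/CN=$cn" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr"
  printf '%s\n' "$@" > "$dir/$name.ext"
  openssl x509 -req -in "$dir/$name.csr" -CA "$CA/ca.crt" -CAkey "$CA/ca.key" -CAcreateserial \
    -days 825 -extfile "$dir/$name.ext" -out "$dir/$name.crt"
  openssl pkcs12 -export -name "$name" -inkey "$dir/$name.key" -in "$dir/$name.crt" \
    -certfile "$CA/ca.crt" -passout "pass:$PASS" -out "$dir/$name.p12"
}

make_server_keystore() {      # nodes also connect to the NCM as clients, so allow both usages
  issue_cert "$PKI_DIR/$1" "$1" "$2" "subjectAltName=DNS:$2" "extendedKeyUsage=serverAuth,clientAuth"
}

make_user() {                 # <user>.p12 is what gets imported into the browser
  issue_cert "$PKI_DIR/users" "$1" "$1" "extendedKeyUsage=clientAuth"
}

verify_against_ca() {         # 0 only if the certificate chains to our CA: the check each TLS peer makes
  openssl verify -CAfile "$CA/ca.crt" "$1" >/dev/null 2>&1
}

nifi_dn() {                   # subject in the "CN=..., OU=..., ..." form NiFi reports (assumed format)
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -e 's/^subject= *//' -e 's/,/, /g'
}

make_ca
make_truststore
make_server_keystore ncm   ncm.example.internal
make_server_keystore node1 node1.example.internal
make_server_keystore node2 node2.example.internal
make_user user1
for crt in "$PKI_DIR/ncm/ncm.crt" "$PKI_DIR/node1/node1.crt" \
           "$PKI_DIR/node2/node2.crt" "$PKI_DIR/users/user1.crt"; do
  verify_against_ca "$crt" || { echo "chain check failed: $crt" >&2; exit 1; }
done
echo "PKI written to $PKI_DIR"
echo "authorized-users.xml DN for user1: $(nifi_dn "$PKI_DIR/users/user1.crt")"
```

Each instance gets its own &lt;name&gt;.p12 (set nifi.security.keystoreType=PKCS12 for it) and all of them share the single truststore; the CA private key never leaves the machine that signs certificates.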

NCM

The certificates generated in the previous steps were referenced from the nifi.properties file. Below is a screenshot of the modified properties for the NCM.

[screenshot: ncmcertproperties]

Node 1

The keystore for node1 was generated by following the same steps (Creating Server Keystore).

Once the keystore was generated, nifi.properties was modified as in the screenshot below.

[screenshot: node1certproperties]

Node 2

The keystore for node2 was generated by following the same steps (Creating Server Keystore).

Once the keystore was generated, nifi.properties was modified as in the screenshot below.

[screenshot: node2certproperties]
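The settings applied to nifi.properties on the NCM and on each node, as an added example that is not part of the original post: a small shell helper that writes the security properties and then checks that everything mutual TLS depends on is in place. The property names are NiFi's own; the HTTPS port, hostname, keystore paths and password are assumptions, and the sample properties file is constructed here to stand in for a freshly unpacked one.

```shell
#!/usr/bin/env bash
# Added example, not the post's own configuration. Property names are NiFi's;
# host, port, paths and password are assumptions.
set -eu

get_prop() {                  # last value of key in a Java properties file ("" if absent)
  local file="$1" key_re
  key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
  sed -n "s/^${key_re}=//p" "$file" | tail -n 1
}

set_prop() {                  # replace an existing key=value line, or append one
  local file="$1" key="$2" value="$3" key_re esc
  key_re=$(printf '%s' "$key" | sed 's/\./\\./g')
  esc=$(printf '%s' "$value" | sed 's/[|&\\]/\\&/g')
  if grep -q "^${key_re}=" "$file"; then
    sed -i.bak "s|^${key_re}=.*|${key}=${esc}|" "$file" && rm -f "$file.bak"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}

secure_nifi_properties() {    # one call per instance, each with its own keystore
  local file="$1" host="$2" keystore="$3" truststore="$4" password="$5" tstype
  case "$truststore" in *.jks) tstype=JKS ;; *) tstype=PKCS12 ;; esac
  set_prop "$file" nifi.web.http.host ""              # plaintext UI off ...
  set_prop "$file" nifi.web.http.port ""
  set_prop "$file" nifi.web.https.host "$host"        # ... HTTPS UI on (port is an assumption)
  set_prop "$file" nifi.web.https.port 9443
  set_prop "$file" nifi.security.keystore "$keystore"
  set_prop "$file" nifi.security.keystoreType PKCS12
  set_prop "$file" nifi.security.keystorePasswd "$password"
  set_prop "$file" nifi.security.keyPasswd "$password"    # same as the store password, as the post advises
  set_prop "$file" nifi.security.truststore "$truststore"
  set_prop "$file" nifi.security.truststoreType "$tstype"
  set_prop "$file" nifi.security.truststorePasswd "$password"
  set_prop "$file" nifi.security.needClientAuth true      # the "mutual" in mutual authentication
  set_prop "$file" nifi.cluster.protocol.is.secure true   # node<->NCM traffic uses the same keystores
}

check_secured() {             # 0 only if every setting mutual TLS depends on is present
  local f="$1"
  [ -z "$(get_prop "$f" nifi.web.http.port)" ]                    || return 1
  [ -n "$(get_prop "$f" nifi.web.https.port)" ]                   || return 1
  [ -n "$(get_prop "$f" nifi.security.keystore)" ]                || return 1
  [ -n "$(get_prop "$f" nifi.security.truststore)" ]              || return 1
  [ "$(get_prop "$f" nifi.security.needClientAuth)" = true ]      || return 1
  [ "$(get_prop "$f" nifi.cluster.protocol.is.secure)" = true ]   || return 1
}

# Constructed sample: the relevant defaults of a freshly unpacked nifi.properties.
SAMPLE="${SAMPLE:-$(mktemp)}"
cat > "$SAMPLE" <<'EOF'
nifi.web.http.host=
nifi.web.http.port=8080
nifi.web.https.host=
nifi.web.https.port=
nifi.security.keystore=
nifi.security.keystoreType=
nifi.security.keystorePasswd=
nifi.security.keyPasswd=
nifi.security.truststore=
nifi.security.truststoreType=
nifi.security.truststorePasswd=
nifi.security.needClientAuth=false
nifi.cluster.protocol.is.secure=false
EOF

if check_secured "$SAMPLE"; then echo "unexpected: defaults passed"; else echo "defaults are not secure (expected)"; fi
secure_nifi_properties "$SAMPLE" ncm.example.internal /opt/nifi/conf/ncm.p12 /opt/nifi/conf/truststore.jks changeit
if check_secured "$SAMPLE"; then echo "$SAMPLE is ready for mutual TLS"; else echo "still missing settings" >&2; exit 1; fi
```

Run it once per instance with that instance's hostname and keystore path; the NCM/node identity settings (nifi.cluster.is.manager, nifi.cluster.is.node and the addresses) are left untouched. The check deliberately fails if an HTTP port is still set, since a plaintext UI next to the HTTPS one would bypass the client-certificate requirement.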


Once nifi.properties has been configured on all three instances, restart NiFi on each of them.

Open the browser into which the user certificate was imported and log in to the HTTPS URL of the NiFi instance running on the NCM.

[screenshot: securednifi]

[screenshot: nificluster]

Bingo! We have secured our cluster with mutual X.509 authentication, and NiFi can now process sensitive data with every UI connection encrypted and tied to an authenticated user.

Hurray! It’s my first blog and I will try to keep all the posts more practical and interesting. In the next blog we will add one more layer of security to our NiFi cluster with Kerberos.