
Tried to form a secure cluster in NiFi 1.0.0 by following the instructions from the link below:

http://bryanbende.com/development/2016/08/17/apache-nifi-1-0-0-authorization-and-multi-tenancy

I have generated the keystore and truststore files in the target folder; from nifi-cert.pem and nifi-key.key I have generated the p12 file and loaded it in the browser.

After starting the NiFi instances, the nodes have connected and are exchanging heartbeat signals between them, and the specified ports are listening on their numbers, but when we launch the UI, it does not display in the browser. [screenshot]

Update: [screenshot]

Update: [screenshot] [screenshot]

Update: [screenshot]

Update:

    due to org.apache.nifi.cluster.protocol.ProtocolException: Failed marshalling protocol message in response to message type: CONNECTION_REQUEST due to java.net.SocketException: Software caused connection abort: socket write error
    org.apache.nifi.cluster.protocol.ProtocolException: Failed marshalling protocol message in response to message type: CONNECTION_REQUEST due to java.net.SocketException: Software caused connection abort: socket write error
        at org.apache.nifi.cluster.protocol.impl.SocketProtocolListener.dispatchRequest(SocketProtocolListener.java:176) ~[nifi-framework-cluster-protocol-1.0.0.jar:1.0.0]
        at org.apache.nifi.io.socket.SocketListener$2$1.run(SocketListener.java:136) [nifi-socket-utils-1.0.0.jar:1.0.0]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_91]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_91]
        at java.lang.Thread.run(Thread.java:745) [na:1.8.0_91]

Manoj
  • Do you see any errors in nifi-app.log on any of the nodes? And what are you seeing in the browser window? – Bryan Bende Sep 23 '16 at 13:25
  • No errors in the nifi-app.log file; everything is going fine in the log file @BryanBende – Manoj Sep 23 '16 at 13:40
  • Ok, it seems that it's most likely a browser config issue. Is that IE or maybe Edge? And have you tried what it said about turning on TLS in the advanced settings? If it is possible, it might be a good test to try with another browser like Firefox or Chrome just to see if that works, using the same client cert of course. – Bryan Bende Sep 23 '16 at 13:59
  • I don't think so. I have already made the necessary changes in it (IE). In all other browsers too, i.e. Firefox or Chrome, the UI is not loading. What could be the reason? The p12 file is not generated from the tls-toolkit; I have generated it manually. Maybe that is the reason? In fact I generated the key without using the tls-toolkit package. In that case also I'm facing the same problem. – Manoj Sep 23 '16 at 14:16
  • I see. Usually when it's working in Firefox or Chrome they will prompt you with the available certs that can be used for the given site, so if it's not doing that then something isn't lining up between the client p12 and the keystore/truststore that NiFi is using. There is no requirement to use the TLS toolkit, it just makes it easier. Did you manually create a CA and then use that to create the keystore/truststore for NiFi and a separate client cert? – Bryan Bende Sep 23 '16 at 14:27
  • Yes, what you mentioned above is exactly what I did to create the cert manually. But still there is an issue in launching the UI. In all my log files, I'm getting info like the above-mentioned image. – Manoj Sep 23 '16 at 14:35
  • The cluster is definitely up based on your latest screenshot; all I can say is to use keytool to double check what is in the client cert, keystore, and truststore, make sure it lines up, and possibly generate a new client cert to test. – Bryan Bende Sep 23 '16 at 18:32

1 Answer

There are a couple of steps you can take to continue debugging:

  • Run NiFi with Java TLS (SSL) debugging enabled. In conf/bootstrap.conf add the line `java.arg.15=-Djavax.net.debug=ssl,handshake` (ensuring that 15 is a number that does not conflict with your existing list of arguments). This will add a substantial amount of log output, but will explicitly document any TLS handshake negotiation attempts.
  • Use the OpenSSL s_client tool to debug the connection. Running the command below will attempt a handshake negotiation with additional log output:

        $ openssl s_client -connect <host:port> -debug -state -cert <path_to_your_cert.pem> -key <path_to_your_key.pem> -CAfile <path_to_your_CA_cert.pem>

    • Substitute your server for `<host:port>`
    • Substitute your public key certificate for `<path_to_your_cert.pem>`
    • Substitute your private key for `<path_to_your_key.pem>`
    • Substitute your server's public key certificate or the CA public key certificate for `<path_to_your_CA_cert.pem>`

    You can extract the public key certificate and private key from your PKCS12 keystore by using the following commands:

      • Extract the private key: `$ openssl pkcs12 -in CN\=Andy_LoPresto_OU\=Apache_NiFi.p12 -nocerts -out client.key`
      • Extract the public key: `$ openssl pkcs12 -in CN\=Andy_LoPresto_OU\=Apache_NiFi.p12 -clcerts -nokeys -out client.pem`

As @bryan-bende pointed out above, the error message in the browser screenshot you shared does seem to indicate that the TLS cipher suites cannot be negotiated due to a protocol version incompatibility. The commands above will output all available cipher suites for the connection. You can also use a tool like CipherScan to enumerate these explicitly.

One possible issue is that Java 7 defaults to TLS 1.0 and Java 8 to TLS 1.2. What OS and JRE are you using to host NiFi?

In some rare cases, a user deploys NiFi with a keystore that does not actually contain an RSA key, and TLS handshake negotiation fails because "no cipher suites are available", when the issue is really that all of the available cipher suites require an RSA key (if not to encrypt the actual channel data, at least to sign the ephemeral keys). Can you verify that the keystore you provided NiFi has a valid (check dates as well) private key available?

Hopefully these steps help you diagnose the issue. If you can provide more information, we're happy to work with you to investigate further.

Andy
  • I have used Windows 8 and JRE 1.8 to host NiFi. I have checked and updated all my key and cert files; there is nothing wrong in them. As you told, I have added the SSL debug property in the bootstrap.conf file and went through the generated log file, and I am able to see some information added as in the above image. I have followed this link [link](http://stackoverflow.com/questions/30758303/problems-connecting-via-https-ssl-through-own-java-client) but it was of no use. If that is the reason preventing the URL from launching in the browser, what will be the exact solution to overcome this? @Andy – Manoj Sep 24 '16 at 13:39
  • As you can see in the log output, the client (your web browser) is requesting a handshake using SSLv3, which is a very insecure and deprecated protocol version. NiFi does not support communication over this protocol. You need to use a browser that supports TLSv1, TLSv1.1, or TLSv1.2. You said you had enabled this change in your browser, but the message in the original browser screenshot indicates otherwise. Other browsers, like Chrome and Firefox, have these protocols enabled by default. On Java 8, TLSv1.2 is the default. Please retry with a modern browser. – Andy Sep 24 '16 at 17:28
  • I have updated to the latest browser version and restarted the services, but there is still a problem launching the URL in the browser. While going through the bootstrap logs, I can see the information mentioned above. @Andy – Manoj Sep 27 '16 at 13:21
  • The log output you provided is insufficient to fully diagnose the issue. The excerpt you posted explains that it is using a cached client session, some data is read/written, then a `close_notify` signal is sent. I understand you may be hesitant to post the full logs, but if you can sanitize the hostname and key material and post the remainder as a GitHub Gist, that would be much more helpful. – Andy Sep 27 '16 at 19:14
  • While analyzing the log file, I found that before connecting to the nodes, I get the warning message updated above; maybe this is the reason preventing the URL from launching in the browser? – Manoj Nov 11 '16 at 05:53
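The s_client probe from the answer, plus Andy's two failure modes from the comments (a client that only offers a protocol NiFi will not accept, and a keystore with no usable private key), as an added example that is not part of the original answer. It assumes a client.p12 exported from the browser, the NiFi https host:port, and the CA certificate as ca.pem; the s_client excerpts it parses offline are constructed, not real captures.

```shell
#!/bin/sh
# Added example (not from the original answer): wraps the openssl s_client
# probe and turns its output into a verdict. Assumed inputs: client.p12,
# the NiFi https host:port, and ca.pem (the CA that signed the NiFi keystore).

# Extract the client private key and certificate from the PKCS12, as in the
# answer; openssl prompts for the import password and a PEM pass phrase.
extract_client_material() {  # usage: extract_client_material client.p12 client
  openssl pkcs12 -in "$1" -nocerts -out "$2.key" &&
  openssl pkcs12 -in "$1" -clcerts -nokeys -out "$2.pem"
}

# Handshake probe with the client cert, using the flags the answer gives.
probe_tls() {  # usage: probe_tls host:port client.pem client.key ca.pem
  openssl s_client -connect "$1" -debug -state -cert "$2" -key "$3" -CAfile "$4" </dev/null 2>&1
}

# Reduce s_client output to one line: "protocol cipher verify-code" ("-" if absent).
summarize_s_client() {  # reads s_client output on stdin
  awk '/^ *Protocol *:/ { p = $NF }
       /^ *Cipher *:/ { c = $NF }
       /^ *Verify return code:/ { v = $4 }
       END { if (p == "") p = "-"; if (c == "") c = "-"; if (v == "") v = "-"; print p, c, v }'
}

# Map the summary onto the failure modes discussed in the answer and comments.
diagnose() {  # reads one summary line on stdin
  read -r proto cipher code
  if [ "$cipher" = "-" ] || [ "$cipher" = "0000" ]; then
    echo "FAIL: no cipher suite negotiated; check the client offers TLSv1.x and the keystore holds a valid RSA private key"
  elif [ "$code" != "0" ]; then
    echo "FAIL: certificate verification failed (code $code); client cert, keystore and truststore do not line up"
  else
    echo "OK: $proto with $cipher"
  fi
}

# Constructed s_client excerpts for offline testing (not real captures).
sample_s_client_output() {  # usage: sample_s_client_output ok|nocipher
  if [ "$1" = "ok" ]; then
    printf 'New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256\nSSL-Session:\n    Protocol  : TLSv1.2\n    Cipher    : ECDHE-RSA-AES128-GCM-SHA256\n    Verify return code: 0 (ok)\n'
  else
    printf 'SSL routines:ssl3_read_bytes:sslv3 alert handshake failure\nNew, (NONE), Cipher is (NONE)\nSSL-Session:\n    Protocol  : TLSv1.2\n    Cipher    : 0000\n    Verify return code: 0 (ok)\n'
  fi
}

# Live usage: probe_tls nifi-host:9443 client.pem client.key ca.pem | summarize_s_client | diagnose
```

Against a live node the verdict line is the quick check; the full `-debug -state` output it was derived from is what to sanitize and share when asking for help.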