Uploaded image for project: 'Apache NiFi'
  1. Apache NiFi
  2. NIFI-1995

Support keystores with multiple certificates by exposing alias selection in configuration

    XMLWordPrintableJSON

Details

    Description

      Some users and organizations would like to provide different certificates for identification of the same NiFi instance when acting in different roles (for example, one certificate to identify the server for the API / UI interaction, and another to identify the server in cluster communications and/or site-to-site communications). A preliminary list of roles is:

      • API / UI host
      • remote authorization / authentication repositories (communicating with Ranger, LDAP, KDC, etc.)
      • cluster (node/NCM/Zookeeper)
      • site-to-site
      • client when connecting to remote services during data flow (InvokeHTTP, PutSQL, etc.)

      This should be implemented in a manner that does not break the default operation (i.e. a keystore with a single certificate value) but allows easy overriding for one or more of the roles listed above.

      Attachments

        Issue Links

          depends upon

          Improvement - An improvement or enhancement to an existing feature or task. NIFI-1478 Audit SSLContextFactory and SSLSocketFactory usage throughout application

          • Critical - Crashes, loss of data, severe memory leak.
          • Resolved
          Is contained by

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. NIFI-5458 Improve NiFi TLS and certificate management

          • Major - Major loss of function.
          • Resolved
          is depended upon by

          Improvement - An improvement or enhancement to an existing feature or task. NIFI-5586 Add capability to generate ECDSA keys to TLS Toolkit

          • Major - Major loss of function.
          • Resolved
          is related to

          Bug - A problem which impairs or prevents the functions of the product. NIFI-1990 Implement consistent security controls for cluster, site-to-site, and API communications

          • Major - Major loss of function.
          • Open

          Bug - A problem which impairs or prevents the functions of the product. NIFI-1981 Cluster communication requires client certificates even if needClientAuth set to false

          • Critical - Crashes, loss of data, severe memory leak.
          • Resolved
          relates to

          New Feature - A new feature of the product, which has yet to be developed. NIFI-3890 Create Key Management Controller Service

          • Major - Major loss of function.
          • Resolved

          Activity

            People

              alopresto Andy LoPresto
              alopresto Andy LoPresto
              Votes:
              3 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated: