...
- Download the latest version of `nifi-toolkit` from https://nifi.apache.org/download.html and unpack the contents:

  ```bash
  tar xzvf nifi-toolkit-1.12.1-bin.tar.gz -C /opt/nifi/
  ```
- Create a directory for the certificate files:

  ```bash
  mkdir -p /opt/nifi/data/ssl
  ```
- Determine the hostname that will be used to access NiFi from web browsers and from MiNiFi. Then generate the certificates using tls-toolkit:

  ```bash
  # Set the location of Java; the executable should be ${JAVA_HOME}/bin/java
  export JAVA_HOME=...
  # Replace <hostname> with the hostname used to access NiFi
  /opt/nifi/nifi-toolkit-1.12.1/bin/tls-toolkit.sh standalone -n '<hostname>' -C 'CN=minifi, OU=NIFI' -o /opt/nifi/data/ssl
  # Unpack the certificate and key from the .p12 bundle
  # Enter the contents of CN=minifi_OU=NIFI.password as the password when prompted (both times)
  openssl pkcs12 -in /opt/nifi/data/ssl/CN=minifi_OU=NIFI.p12 -out /opt/nifi/data/ssl/nifi-rest.key -nocerts -nodes
  openssl pkcs12 -in /opt/nifi/data/ssl/CN=minifi_OU=NIFI.p12 -out /opt/nifi/data/ssl/nifi-rest.crt -clcerts -nokeys
  ```
- Protect the files by ensuring that only the current user has access to them:

  ```bash
  chmod 755 /opt/nifi/data/ssl
  chmod 600 /opt/nifi/data/ssl/CN\=minifi_OU\=NIFI.*
  chmod 700 /opt/nifi/data/ssl/<hostname>
  ```
- Copy the values of the properties in the `nifi.remote`, `nifi.web` and `nifi.security` sections from `/opt/nifi/data/ssl/<hostname>/nifi.properties` to your NiFi installation's `nifi.properties` file, except for the following two, which should be set like this:

  ```properties
  nifi.security.keystore=/opt/nifi/data/ssl/<hostname>/keystore.jks
  nifi.security.truststore=/opt/nifi/data/ssl/<hostname>/truststore.jks
  ```
  and add the following settings to your NiFi installation's `nifi.properties` file:

  ```properties
  nifi.rest.host=<hostname>
  nifi.rest.keystorePath=/opt/nifi/data/ssl/CN=minifi_OU=NIFI.p12
  nifi.rest.keystorePassword=/opt/nifi/data/ssl/CN=minifi_OU=NIFI.password
  nifi.rest.keystoreType=PKCS12
  ```
- Uncomment the `file-provider` section of `authorizers.xml` in your NiFi installation, and set the Initial Admin Identity:

  ```xml
  <authorizer>
      <identifier>file-provider</identifier>
      <class>org.apache.nifi.authorization.FileAuthorizer</class>
      <property name="Authorizations File">./conf/authorizations.xml</property>
      <property name="Users File">./conf/users.xml</property>
      <property name="Initial Admin Identity">CN=minifi, OU=NIFI</property>
      <property name="Legacy Authorized Users File"></property>
      <!-- Provide the identity (typically a DN) of each node when clustered, see above description of Node Identity.
      <property name="Node Identity 1"></property>
      -->
  </authorizer>
  ```
  and restart NiFi; it will create a new user with your Initial Admin Identity name in `users.xml`.
- Add authorizations for your user in `authorizations.xml` in your NiFi installation:

  ```xml
  <!-- generate UUIDs for the policy identifiers -->
  <policy identifier="1f6ae57a-08bc-11eb-9242-bf69163fde10" resource="/site-to-site" action="R">
      <!-- copy the user identifier from users.xml -->
      <user identifier="9cd6ec42-b3da-3a3a-8405-7264746e0e42"/>
  </policy>
  <policy identifier="282818e0-08bc-11eb-8508-2b51c9d70d42" resource="/site-to-site" action="W">
      <user identifier="9cd6ec42-b3da-3a3a-8405-7264746e0e42"/>
  </policy>
  <!-- copy the port identifier from Remote Process Groups/Input Ports/id in the minifi config.yml -->
  <policy identifier="f512f796-7afb-4c9f-ab68-b5eaf6d5d0cf" resource="/data-transfer/input-ports/c171f9da-689f-41e2-98c4-9d785c59c306" action="R">
      <user identifier="9cd6ec42-b3da-3a3a-8405-7264746e0e42"/>
  </policy>
  <policy identifier="b4e836ee-d526-4e16-8bf3-ee1d8fa3d5e6" resource="/data-transfer/input-ports/c171f9da-689f-41e2-98c4-9d785c59c306" action="W">
      <user identifier="9cd6ec42-b3da-3a3a-8405-7264746e0e42"/>
  </policy>
  <!-- you will also need a pair of policies for resource="/data-transfer/output-ports/..." if you want S2S data transfer from NiFi to MiNiFi -->
  ```
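Hand-editing the policies above means copying the user identifier out of `users.xml` and inventing a fresh UUID for every `<policy>`, which is easy to get wrong. The script below, an added example that is not part of the NiFi or MiNiFi documentation, looks up the identifier NiFi assigned to the Initial Admin Identity and generates the read/write policy pairs for `/site-to-site` and for each input and output port; the `users.xml` sample it embeds is constructed, and the port id is the one used in the example above.

```python
"""Generate the <policy> entries for authorizations.xml from users.xml.
Added example, not part of the NiFi/MiNiFi documentation; the users.xml
sample below is constructed to match what NiFi writes after the restart."""
import uuid
import xml.etree.ElementTree as ET

# Constructed sample of users.xml; the identifier value is illustrative only.
SAMPLE_USERS_XML = """<tenants>
  <groups/>
  <users>
    <user identifier="9cd6ec42-b3da-3a3a-8405-7264746e0e42" identity="CN=minifi, OU=NIFI"/>
  </users>
</tenants>"""


def find_user_identifier(users_xml: str, identity: str) -> str:
    """Return the identifier NiFi assigned to `identity` in users.xml."""
    root = ET.fromstring(users_xml)
    for user in root.iter("user"):
        if user.get("identity") == identity:
            return user.get("identifier")
    raise LookupError(f"no user with identity {identity!r}; "
                      "restart NiFi with the Initial Admin Identity set")


def build_policies(user_id: str, input_port_ids=(), output_port_ids=()) -> list:
    """Build an R and a W policy for /site-to-site and for every port resource.
    Each policy gets a fresh UUID; the user element reuses the users.xml identifier."""
    resources = ["/site-to-site"]
    resources += [f"/data-transfer/input-ports/{p}" for p in input_port_ids]
    resources += [f"/data-transfer/output-ports/{p}" for p in output_port_ids]
    policies = []
    for resource in resources:
        for action in ("R", "W"):
            policy = ET.Element("policy", identifier=str(uuid.uuid4()),
                                resource=resource, action=action)
            ET.SubElement(policy, "user", identifier=user_id)
            policies.append(policy)
    return policies


def render_policies(policies) -> str:
    """Serialise the policies as XML fragments to paste into authorizations.xml."""
    return "\n".join(ET.tostring(p, encoding="unicode") for p in policies)


if __name__ == "__main__":
    uid = find_user_identifier(SAMPLE_USERS_XML, "CN=minifi, OU=NIFI")
    # Port id from Remote Process Groups/Input Ports/id in the MiNiFi config.yml
    print(render_policies(build_policies(uid, input_port_ids=["c171f9da-689f-41e2-98c4-9d785c59c306"])))
```

Paste the printed fragments inside the `<policies>` element of `authorizations.xml` and restart NiFi so the FileAuthorizer reloads them.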
...