Securing Nifi Cluster with TLS Toolkit

Apache NiFi is an easy-to-use, powerful, and reliable system to process and distribute data. As data flows between different systems, it is good practice to ensure the integrity of the data being processed. Securing a NiFi cluster is essential for several reasons, primarily to protect sensitive data, ensure system integrity, and prevent unauthorized access. Apache NiFi provides a TLS toolkit with which we can create a self-signed Certificate Authority (CA) and easily issue and sign certificates in the format NiFi expects.

What is the need to secure the Nifi cluster?

  • Data Protection: NiFi clusters often handle sensitive and critical data. Securing the cluster prevents unauthorized access, tampering, or theft of this data.
  • Preventing Unauthorized Access: Unauthorized access to the NiFi cluster can result in data breaches or system compromise. Implementing authentication and access control measures helps prevent unauthorized users from accessing the cluster.
  • Encryption: Securing the data transmissions within the NiFi cluster through encryption helps safeguard data as it moves across the network, reducing the risk of interception or eavesdropping by unauthorized entities.

Recently, while trying to set up a secure Apache NiFi cluster, I faced the challenge of finding proper documentation or any article describing exactly how to do that. In this article, I will explain how we can generate NiFi certificates using the toolkit and update the nifi.properties file accordingly.

Setting up Apache NiFi cluster certificates with the Toolkit

NiFi Toolkit refers to a collection of command-line utilities and tools provided alongside Apache NiFi. These tools help with various tasks, such as managing, troubleshooting, and administering NiFi instances.

Prerequisites

Before you begin this installation, you will need the following:

  • A running three-node NiFi cluster with the toolkit installed.
  • The same value for nifi.sensitive.props.key in the nifi.properties file across all three nodes.

In this setup, we will be generating certificates on one instance, and then the private key file and certificate will be copied across other nodes.

Step 1 – Generate the certificates on Node 1.

cd nifi-toolkit/bin && ./tls-toolkit.sh standalone -B <cert-password> -C 'CN=nifiadmin, OU=NIFI' -n '<hostname1>,<hostname2>,<hostname3>' --nifiDnPrefix 'CN=' --nifiDnSuffix ', OU=NIFI' -o /opt/nifi-toolkit/target -K <keyPassword> -P <trustStorePassword> -S <keyStore-Password>

This command generates the following content in the /opt/nifi-toolkit/target directory: one sub-directory per hostname (hostname1, hostname2, hostname3) holding that node's keystore.jks, truststore.jks and a nifi.properties pre-filled with the matching security properties; the client certificate CN=nifiadmin_OU=NIFI.p12 for the nifiadmin user; and the CA certificate and private key (nifi-cert.pem and nifi-key.key) with which all of them were signed.


Note: Make a note of all the passwords passed in Step 1; they are needed later to update nifi.properties and to import the client certificate for accessing the NiFi UI.

Step 2 – Copy the hostname2 and hostname3 directories to the other two respective nodes, since each contains that node's keystore.jks and truststore.jks files.

scp -r /opt/nifi-toolkit/target/nifinode2 ubuntu@nifinode2:/opt/nifi-toolkit/target/
scp -r /opt/nifi-toolkit/target/nifinode3 ubuntu@nifinode3:/opt/nifi-toolkit/target/

Step 3 – To start the NiFi cluster in secure mode, /opt/nifi/nifi.properties must be updated on each node with the following security properties, using the passwords passed in Step 1 (each node points at its own keystore.jks and truststore.jks).

nifi.remote.input.secure=true
nifi.web.https.host=<hostname>
nifi.web.https.port=8443
nifi.security.keystore=./pathto/keystore.jks
nifi.security.keystoreType=jks
nifi.security.keystorePasswd=<keyStore-Password>
nifi.security.keyPasswd=<keyPassword>
nifi.security.truststore=./pathto/truststore.jks
nifi.security.truststoreType=jks
nifi.security.truststorePasswd=<trustStorePassword>
nifi.cluster.protocol.is.secure=true

Step 4 – Now restart NiFi on each node so the nodes form a secure cluster.

/opt/nifi/bin/nifi.sh restart
/opt/nifi/bin/nifi.sh status

Step 5 – Import the CN=nifiadmin_OU=NIFI.p12 client certificate generated in Step 1 into your preferred browser (its password is the <cert-password> passed with -B in Step 1) and access NiFi at

https://<hostname>:8443/nifi
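Steps 3 to 5 are easy to get subtly wrong by hand (a keystore password pasted into the truststore field, an HTTP port left configured next to the HTTPS one). The script below is an added example, not part of Apache NiFi or its toolkit: it writes the Step 3 properties into a node's nifi.properties idempotently, runs a few checks before the restart in Step 4, and, once the node is up, confirms that the served certificate chains to the toolkit CA from Step 1. It assumes bash, awk and openssl are available; the argument names, the nifinode1 hostname and the password values in the usage comment are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not part of Apache NiFi or its toolkit): apply the Step 3
# security properties to one node's nifi.properties, check the result, and
# verify the HTTPS endpoint after the restart in Step 4.
# Assumed: bash, awk, openssl; paths and passwords are passed as arguments.
set -euo pipefail

# set_prop FILE KEY VALUE: replace an existing "KEY=..." line in place,
# or append it if the key is missing. awk is used instead of sed -i so the
# same code works on GNU and BSD userlands.
set_prop() {
  local file="$1" key="$2" value="$3" tmp
  tmp="$(mktemp)"
  awk -v k="$key" -v v="$value" '
    BEGIN { done = 0 }
    index($0, k "=") == 1 { print k "=" v; done = 1; next }
    { print }
    END { if (!done) print k "=" v }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_prop FILE KEY: print the value of KEY, or nothing if it is unset.
get_prop() {
  awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); print; exit }' "$1"
}

# secure_node FILE HOST KEYSTORE TRUSTSTORE KEYSTORE_PW KEY_PW TRUSTSTORE_PW
# Writes the Step 3 properties. KEYSTORE_PW is the -S value, KEY_PW the -K
# value and TRUSTSTORE_PW the -P value given to tls-toolkit.sh in Step 1.
secure_node() {
  local file="$1" host="$2" ks="$3" ts="$4" ks_pw="$5" key_pw="$6" ts_pw="$7"
  set_prop "$file" nifi.remote.input.secure true
  # NiFi refuses to start when both the HTTP and HTTPS ports are set,
  # so the plain HTTP listener is blanked out explicitly.
  set_prop "$file" nifi.web.http.port ""
  set_prop "$file" nifi.web.https.host "$host"
  set_prop "$file" nifi.web.https.port 8443
  set_prop "$file" nifi.security.keystore "$ks"
  set_prop "$file" nifi.security.keystoreType jks
  set_prop "$file" nifi.security.keystorePasswd "$ks_pw"
  set_prop "$file" nifi.security.keyPasswd "$key_pw"
  set_prop "$file" nifi.security.truststore "$ts"
  set_prop "$file" nifi.security.truststoreType jks
  set_prop "$file" nifi.security.truststorePasswd "$ts_pw"
  set_prop "$file" nifi.cluster.protocol.is.secure true
}

# check_node FILE: pre-restart sanity checks. Prints each problem found and
# returns 1 if there is any; keystore/truststore paths are expected to be
# absolute here (NiFi itself resolves relative paths against its home).
check_node() {
  local file="$1" rc=0
  [ -z "$(get_prop "$file" nifi.web.http.port)" ] \
    || { echo "nifi.web.http.port must be blank when HTTPS is enabled"; rc=1; }
  [ -n "$(get_prop "$file" nifi.web.https.port)" ] \
    || { echo "nifi.web.https.port is not set"; rc=1; }
  for k in nifi.security.keystore nifi.security.truststore; do
    [ -f "$(get_prop "$file" "$k")" ] \
      || { echo "$k does not point at an existing file"; rc=1; }
  done
  for k in nifi.security.keystorePasswd nifi.security.truststorePasswd; do
    [ -n "$(get_prop "$file" "$k")" ] || { echo "$k is empty"; rc=1; }
  done
  return "$rc"
}

# verify_endpoint HOST CA_PEM: after Step 4, confirm the node serves a
# certificate that chains to the toolkit CA (nifi-cert.pem from Step 1).
# Needs a running node, so it is not exercised offline.
verify_endpoint() {
  local host="$1" ca="$2"
  openssl s_client -connect "${host}:8443" -servername "$host" \
    -CAfile "$ca" -verify_return_error </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -dates
}

# Usage (placeholder values): ./secure-node.sh /opt/nifi/nifi.properties nifinode1 \
#   /opt/nifi-toolkit/target/nifinode1/keystore.jks \
#   /opt/nifi-toolkit/target/nifinode1/truststore.jks KS_PW KEY_PW TS_PW
if [ "$#" -eq 7 ]; then
  secure_node "$@"
  check_node "$1"
fi
```

Run it on each node with that node's own hostname and key/truststore paths, then restart as in Step 4 and call verify_endpoint against the CA certificate copied from Node 1. For Step 5 to succeed with a file-based authorizer, the client certificate's DN (CN=nifiadmin, OU=NIFI) must also be granted access in authorizers.xml, for example as the Initial Admin Identity.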

Conclusion

In this blog, I covered the steps to secure a NiFi cluster with TLS toolkit certificates for secure authentication and authorization. If you have any ideas or suggestions about my approach, please comment in the comment section. I would really appreciate your suggestions and feedback. Thanks for reading.

Blog Pundits: Pankaj Kumar and Sandeep Rawat
