{"id":16300,"date":"2023-11-14T12:07:56","date_gmt":"2023-11-14T06:37:56","guid":{"rendered":"https:\/\/opstree.com\/blog\/\/?p=16300"},"modified":"2025-09-11T23:06:36","modified_gmt":"2025-09-11T17:36:36","slug":"securing-nifi-cluster-with-tls-toolkit","status":"publish","type":"post","link":"https:\/\/opstree.com\/blog\/2023\/11\/14\/securing-nifi-cluster-with-tls-toolkit\/","title":{"rendered":"Securing Nifi Cluster with TLS Toolkit"},"content":{"rendered":"\r\n<p><strong>Apache NiFi<\/strong> is an easy-to-use, powerful, and reliable system to process and distribute data. As data flows between different systems, it&#8217;s good practice to ensure the integrity of the data being processed. Securing a NiFi cluster is essential for various reasons, primarily to protect sensitive data, ensure system integrity, and prevent unauthorized access. Apache NiFi provides a TLS toolkit with which we can create a self-signed\u00a0Certificate Authority (CA)\u00a0and easily issue and sign certificates in the format expected by NiFi.<!--more--><\/p>\r\n\r\n\r\n\r\n<h2 class=\"wp-block-heading\"><strong>What is the need to secure the NiFi cluster?<\/strong><\/h2>\r\n\r\n\r\n\r\n<ul>\r\n<li><strong>Data Protection<\/strong>: NiFi clusters often handle sensitive and critical <a href=\"https:\/\/opstree.com\/blog\/2025\/07\/08\/synthetic-data-in-ai-development\/\">data<\/a>. Securing the cluster helps prevent unauthorized access, tampering, or theft of this data.<\/li>\r\n\r\n\r\n\r\n<li><strong>Preventing Unauthorized Access<\/strong>: Unauthorized access to the NiFi cluster can result in data breaches or system compromise. 
Implementing authentication and access control measures helps prevent unauthorized users from accessing the cluster.<\/li>\r\n\r\n\r\n\r\n<li><strong>Encryption<\/strong>: Encrypting data transmissions within the NiFi cluster helps safeguard data as it moves across the network, reducing the risk of interception or eavesdropping by unauthorized entities.<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"357\" class=\"wp-image-16358\" src=\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2023\/11\/screenshot-2023-11-14-120306.png?w=800\" alt=\"\" \/><\/figure>\r\n\r\n\r\n\r\n\r\n\r\n<p>Recently, while trying to set up a <a href=\"https:\/\/opstree.com\/blog\/2025\/01\/14\/part-2-automating-data-migration-with-apache-airflow\/\">secure Apache<\/a> NiFi cluster, I faced the challenge of finding proper documentation or any article describing how to do that exactly. In this article, I will explain how to generate NiFi certificates using the toolkit and update the nifi.properties file accordingly.<\/p>\r\n\r\n\r\n\r\n<h2 class=\"wp-block-heading\"><strong>Setting up Apache NiFi Cluster certificate with Toolkit<\/strong><\/h2>\r\n\r\n\r\n\r\n<p><strong>NiFi Toolkit<\/strong> refers to a collection of command-line utilities and tools provided alongside <a href=\"https:\/\/nifi.apache.org\/docs\/nifi-docs\/html\/walkthroughs.html\" target=\"_blank\" rel=\"noopener\">Apache NiFi<\/a>. 
These tools help with various tasks, such as managing, troubleshooting, and administering NiFi instances.<\/p>\r\n\r\n\r\n\r\n<h3 class=\"wp-block-heading\"><strong>Prerequisites<\/strong><\/h3>\r\n\r\n\r\n\r\n<p>Before you begin this installation, you will need the following:<\/p>\r\n\r\n\r\n\r\n<ul>\r\n<li>A running three-node NiFi cluster with the toolkit installed.<\/li>\r\n\r\n\r\n\r\n<li>The same value for <strong>nifi.sensitive.props.key<\/strong> in the nifi.properties file across all three nodes.<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<p>In this setup, we will generate the certificates on one instance and then copy the private key and certificate files to the other nodes.<\/p>\r\n\r\n\r\n\r\n<p><strong>Step 1 &#8211;<\/strong> Generate the certificates on Node 1.<\/p>\r\n\r\n\r\n\r\n<pre class=\"wp-block-code\"><code>cd nifi-toolkit\/bin &amp;&amp; .\/tls-toolkit.sh standalone -B &lt;cert-password&gt; -C 'CN=nifiadmin, OU=NIFI' -n '&lt;hostname1&gt;,&lt;hostname2&gt;,&lt;hostname3&gt;' --nifiDnPrefix 'CN=' --nifiDnSuffix ', OU=NIFI' -o \/opt\/nifi-toolkit\/target -K &lt;keyPassword&gt; -P &lt;trustStorePassword&gt; -S &lt;keyStore-Password&gt;<\/code><\/pre>\r\n\r\n\r\n\r\n<p>This command will generate the following content in the \/opt\/nifi-toolkit\/target directory:<\/p>\r\n\r\n\r\n\r\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"23\" class=\"wp-image-16359\" src=\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2023\/11\/screenshot-2023-11-14-120536.png?w=800\" alt=\"\" \/><\/figure>\r\n\r\n\r\n\r\n<p><em><strong>Note:<\/strong> Make a note of all the passwords passed in Step 1, as they will be needed later to access the NiFi UI and update nifi.properties.<\/em><\/p>\r\n\r\n\r\n\r\n<p><strong>Step 2 &#8211;<\/strong> Copy the hostname2 and hostname3 directories (here nifinode2 and nifinode3) to their respective nodes, as they contain the keystore.jks and truststore.jks files. These are directories, so scp needs the -r flag.<\/p>\r\n\r\n\r\n\r\n<pre class=\"wp-block-code\"><code>cd \/opt\/nifi-toolkit\/target\r\nscp -r 
nifinode2 ubuntu@nifinode2:\/opt\/nifi-toolkit\/target\/\r\nscp -r nifinode3 ubuntu@nifinode3:\/opt\/nifi-toolkit\/target\/<\/code><\/pre>\r\n\r\n\r\n\r\n<p><strong>Step 3 &#8211;<\/strong> To start the NiFi cluster in secure mode, update \/opt\/nifi\/nifi.properties on each node with the following security properties, using the passwords passed in Step 1.<\/p>\r\n\r\n\r\n\r\n<pre class=\"wp-block-code\"><code>nifi.remote.input.secure=true\r\nnifi.web.https.host=&lt;hostname&gt;\r\nnifi.web.https.port=8443\r\nnifi.security.keystore=.\/pathto\/keystore.jks\r\nnifi.security.keystoreType=jks\r\nnifi.security.keystorePasswd=&lt;keyStore-Password&gt;\r\nnifi.security.keyPasswd=&lt;keyPassword&gt;\r\nnifi.security.truststore=.\/pathto\/truststore.jks\r\nnifi.security.truststoreType=jks\r\nnifi.security.truststorePasswd=&lt;trustStorePassword&gt;\r\nnifi.cluster.protocol.is.secure=true\r\n<\/code><\/pre>\r\n\r\n\r\n\r\n<p><strong>Step 4 &#8211;<\/strong> Restart NiFi on each node to form a secure cluster of NiFi nodes, then check its status.<\/p>\r\n\r\n\r\n\r\n<pre class=\"wp-block-code\"><code>\/opt\/nifi\/bin\/nifi.sh restart<\/code><\/pre>\r\n\r\n\r\n\r\n<pre class=\"wp-block-code\"><code>\/opt\/nifi\/bin\/nifi.sh status<\/code><\/pre>\r\n\r\n\r\n\r\n<p><strong>Step 5 &#8211;<\/strong> Import the <strong>CN=nifiadmin_OU=NIFI.p12<\/strong> certificate generated in Step 1 into your preferred browser and access NiFi at:<\/p>\r\n\r\n\r\n\r\n<pre class=\"wp-block-code\"><code>https:\/\/&lt;hostname&gt;:8443\/nifi<\/code><\/pre>\r\n\r\n\r\n\r\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"72\" class=\"wp-image-16360\" src=\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2023\/11\/screenshot-2023-11-14-120643.png?w=800\" alt=\"\" \/><\/figure>\r\n\r\n\r\n\r\n<h2 class=\"wp-block-heading\"><strong>Conclusion<\/strong><\/h2>\r\n\r\n\r\n\r\n<p>In this blog, 
I covered the steps to secure a NiFi cluster with a TLS toolkit certificate for secure authentication and authorization. If you guys have any ideas or suggestions about my approach, please comment in the comment section. I would really appreciate your suggestions and feedback. Thanks for reading.<\/p>\r\n\r\n\r\n","protected":false},"excerpt":{"rendered":"<p>Apache NiFi is an easy-to-use, powerful, and reliable system to process and distribute data. As data flows between different systems it&#8217;s a good practice to ensure the integrity of the data being processed. Securing a NiFi cluster is essential for various reasons, primarily to protect sensitive data, ensure system integrity, and prevent unauthorized access. Apache &hellip; <a href=\"https:\/\/opstree.com\/blog\/2023\/11\/14\/securing-nifi-cluster-with-tls-toolkit\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Securing Nifi Cluster with TLS 
Toolkit&#8221;<\/span><\/a><\/p>\n","protected":false},"author":217204634,"featured_media":29689,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_coblocks_attr":"","_coblocks_dimensions":"","_coblocks_responsive_height":"","_coblocks_accordion_ie_support":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[28070474],"tags":[3768,319067111,768739308,676319247,343865,4996032],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2023\/11\/Securing-Nifi-Cluster-with-TLS-Toolkit.png","jetpack_likes_enabled":true,"jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/pfDBOm-4eU","jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/posts\/16300"}],"collection":[{"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/users\/217204634"}],"replies":[{"embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/comments?post=16300"}],"version-history":[{"count":26,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/posts\/16300\/revisions"}],"predecessor-version":[{"id":29690,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/posts\/16300\/revisions\/29690"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/media\/29689"}],"wp:attac
hment":[{"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/media?parent=16300"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/categories?post=16300"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/tags?post=16300"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}