nifi-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andy LoPresto <>
Subject Re: UI is not opening after forming nifi 1.0.0 secure cluster in windows
Date Fri, 11 Nov 2016 18:05:05 GMT

Is this the same issue as [1]? Running the OpenSSL command I provided will give a lot of feedback
about why the socket connection is actually failing (or if it’s only failing in the browser
rather than via command-line).

To extract the CA cert, client cert, and client private key from the keystore and truststore,
depending on how you generated them, you can use the following commands:

Did you use the provided TLS Toolkit [2] to generate the CA cert, server cert, and client

If you used the TLS Toolkit, as described in the Admin Guide and in the article you referenced,
you should have a CA certificate (nifi-cert.pem) and private key (nifi-key.key) as well as
a client certificate and private key (CN=<something_you_typed>_OU=Apache NiFi.p12),
and individual keystore and truststore for each NiFi node in respectively named directories.
In this case, you just need to export the client certificate and key from the PKCS12 keystore
and use them as follows:

Extract client certificate from keystore:

$ openssl pkcs12 -in CN=<something_you_typed>_OU=Apache NiFi.p12 -out client.der -nodes
$ openssl x509 -inform der -in client.der -out client.pem

Extract client private key from keystore:

$ openssl pkcs12 -in CN=<something_you_typed>_OU=Apache NiFi.p12 -nodes -nocerts -out

Run the original command:

$ openssl s_client -connect <host:port> -debug -state -cert client.pem -key client.key
-CAfile nifi-cert.pem

Did you do this manually?

If you did this manually, it is likely you did not create a client certificate, in which case
if you have no other authentication platform configured (Kerberos, LDAP), NiFi will demand
a client certificate on every connection in order to authenticate the user. If no client cert
is provided, the connection will fail. You can temporarily use the server certificate as a
client certificate to verify this is the case, but this is not a permanent solution and is
very unsafe.

Extract server cert from keystore (necessary to identify “client” on connection):

$ keytool -export -alias <your_alias> -file nifi.der -keystore <keystore.jks>
$ openssl x509 -inform der in nifi.der -out nifi.pem

Extract server private key from keystore (necessary to authenticate “client” on connection):

$ keytool -importkeystore -srckeystore <keystore.jks> -destkeystore keystore.p12 -deststoretype
$ openssl pkcs12 -in keystore.p12 -nodes -nocerts -out nifi.key

Extract CA cert (likely the same as the server cert if you self-signed) from truststore (necessary
to validate server certificate on connection):

$ keytool -export -alias <your_alias> -file ca.der -keystore <truststore.jks>
$ openssl x509 -inform der -in ca.der -out ca.pem

Then run the original command I provided:

$ openssl s_client -connect <host:port> -debug -state -cert nifi.pem -key nifi.key -CAfile


Andy LoPresto
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Nov 10, 2016, at 10:54 PM, Manojkumar Ravichandran <>
> Hi,
> Thanks for your response,error I received in browser has been attached
> I have generated the key store and truststore file using the java keytool,
> Is it necessary to generate the key file in open ssl ?
> In nifi-app.log everything seems right,except this warning message
> org.apache.nifi.cluster.protocol.ProtocolException: Failed marshalling protocol message
in response to message type: CONNECTION_REQUEST due to Software
caused connection abort: socket write error
> 	at org.apache.nifi.cluster.protocol.impl.SocketProtocolListener.dispatchRequest(
> 	at$2$ [nifi-socket-utils-1.0.0.jar:1.0.0]
> 	at java.util.concurrent.ThreadPoolExecutor.runWorker( [na:1.8.0_91]
> 	at java.util.concurrent.ThreadPoolExecutor$ [na:1.8.0_91]
> 	at [na:1.8.0_91]
> Regards,
> Manojkumar R
> On Fri, Nov 11, 2016 at 11:14 AM, Andy LoPresto < <>>
> What is the error you receive in your browser when you try to navigate to the UI? Are
you connecting to the correct port?
> Can you run an OpenSSL s_client command to try to connect via the command line? You will
need the CA cert, the client certificate, and the client private key to attempt the connection
> $ openssl s_client -connect <host:port> -debug -state -cert <path_to_your_cert.pem>
-key <path_to_your_key.pem> -CAfile <path_to_your_CA_cert.pem>
> Are there any errors in $NIFI_HOME/logs/nifi-app.log or $NIFI_HOME/logs/nifi-bootstrap.log?
Are there any entries in $NIFI_HOME/logs/nifi-user.log?
> Andy LoPresto
> <>
> <>
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>> On Nov 10, 2016, at 8:41 PM, Manojkumar Ravichandran < <>>
>> Hi,
>> Tried to form a secure cluster in nifi 1.0.0 in windows by following the instructions
from the below link
>> It seems like in log file cluster has been formed and heart beats are transferring
successfully, everything has been settled fine and it shows in log file that URL has been
launched in the specified port number, but UI is not opening in the browser of cluster machines.
>> To overcome this,I have turned off the firewall settings and but still UI is not
opening in the borwser
>> What will be reason for it ?
>> Regards,
>> Manojkumar R
> <SecureClusterUI-Error.png>

View raw message