nifi-users mailing list archives

From Andy LoPresto <alopresto.apa...@gmail.com>
Subject Re: HMAC key storage?
Date Sun, 18 Dec 2016 14:58:04 GMT
Simon's suggestion is the best out of the box solution. NiFi does not provide key storage,
as that is not part of the core feature set of data flow. 

If you wish to integrate with an HSM or software-defined sensitive data vault, at this time,
you'll need to write that connector yourself via whatever mechanism it exposes (Java API,
PKCS#11, etc.). 

Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Dec 18, 2016, at 11:26, Jonathan Telfer <jntelfer@gmail.com> wrote:
> 
> Hi Simon
> 
> Thanks for the quick response. I was aware of the sensitive property (already using it for a password field) but I wasn’t aware it might be appropriate for storing the key material for the sha256 itself. Was expecting to have to use some kind of key store service.
> 
> I’ll give that a try.
> 
> Thanks
> 
> 
>> On 18 Dec 2016, at 10:19, Simon Elliston Ball <simon@simonellistonball.com> wrote:
>> 
>> This sounds like a job for sensitive properties to me. If you create a property on your custom processor and mark it with .sensitive(true) in your builder, then the value stored in the flow conf will be available as a regular property, but encrypted on disk with a key specified in the nifi.properties. See https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/GetHTTP.java#L172 for an example of how this works.
>> 
>> Simon
>> 
>> 
>>> On 18 Dec 2016, at 09:32, Jonathan Telfer <jntelfer@gmail.com> wrote:
>>> 
>>> Hi all
>>> 
>>> I'm currently writing a custom processor to access a non standard messaging protocol. The protocol requires each call to contain an authorization header signed by a sha256 hmac.
>>> 
>>> I'm using commons HmacUtils to generate the signature, but I need advice on the best way to store the secret key and make it available to the processor.
>>> 
>>> Thanks.
>> 
> 
