
We have a Teiid 12.3 server running which is configured using SSL. We are able to connect to this Teiid server using tools like Pentaho ETL, SQuirreL SQL client, Tableau etc. We are using a truststore file to connect these tools. But we are not able to connect to the Teiid server in Apache NiFi. We tried the following ways to include the truststore –

  1. Adding the truststore in the run nifi.bat

    • set JAVA_ARGS=-Dorg.apache.nifi.bootstrap.config.log.dir=%NIFI_LOG_DIR% -Dorg.apache.nifi.bootstrap.config.pid.dir=%NIFI_PID_DIR% -Dorg.apache.nifi.bootstrap.config.file=%BOOTSTRAP_CONF_FILE% -Djavax.net.ssl.trustStore=teiid-dummy.truststore -Djavax.net.ssl.trustStorePassword=1234
  2. Creating a StandardSSLContextService, but we can't use this service in ExecuteSQL or QueryDatabaseTableRecord processors

  3. Added truststore details in the Teiid connect URL -- jdbc:teiid:VDB@mms://abc123.com:443;enableTLS=true;trustStorePath=E:/nifi-1.11.4-bin/nifi-1.11.4/bin/teiid_dummy.truststore;trustStorePassword=1234

    • Errors: TEIID 200020 Error establishing socket to host and port. Sun.security.validator.validatorException : PKIX path building failed:
  4. Configured the truststore in the files below as well, but no use; it gives the same error.

File Name : Nifi.properties

nifi.security.truststore==E:\nifi-1.11.4-bin\nifi-1.11.4\bin\teiid-dummy.truststore
nifi.security.truststoreType=jks
nifi.security.truststorePasswd=1234

File name: run_nifi.bat

set JAVA_ARGS=-Dorg.apache.nifi.bootstrap.config.log.dir=%NIFI_LOG_DIR% -Dorg.apache.nifi.bootstrap.config.pid.dir=%NIFI_PID_DIR% -Dorg.apache.nifi.bootstrap.config.file=%BOOTSTRAP_CONF_FILE% -Djavax.net.ssl.trustStore=teiid3-ssl.truststore -Djavax.net.ssl.trustStorePassword=1234


daggett
Amar Kale
  • Try Teiid-specific properties or the Teiid properties file approach: https://docs.jboss.org/teiid/7.7.0.Final/client-developers-guide/en-US/html/ssl.html#d0e1534 BTW: to set Java properties in NiFi you have to modify the `conf/bootstrap.conf` file – daggett Apr 28 '20 at 15:12
  • Thank you so much. I have tried your solution but no luck... I have tried connecting Apache NiFi with Teiid data virtualization without SSL and it was successful. But with SSL I was not able to connect – Amar Kale May 06 '20 at 19:33
  • have you changed `bootstrap.conf` to set truststore? – daggett May 06 '20 at 20:08

2 Answers


Have you verified that the Teiid server presents the full certificate chain during TLS negotiation, and that the complete chain is present in the truststore you've configured? PKIX path building errors indicate that the client (NiFi) is unable to map the public certificate presented by the server (Teiid) to a trusted certificate in its truststore. Please provide the public certificate (hostname redacted if necessary) of your Teiid server and the contents of the truststore you're associating with NiFi.

Response to comment:

The property value nifi.security.truststore in $NIFI_HOME/conf/nifi.properties is where the path to the NiFi application truststore is set. The communication mechanism from NiFi to Teiid is not specified in the question. If it is a component in the flow (e.g. processor or controller service), those components should reference an SSLContextService controller service and specify a truststore path there. If the component does not support an SSL CS, either the DBCP JDBC connection URL should include settings to enable TLS or a feature request Jira should be filed.

Andy
  • I think the question is how to set up the truststore for NiFi. It seems nifi.properties and run_nifi.bat are not the correct way. – daggett Apr 28 '20 at 18:34
  • Thank you Andy and daggett. As mentioned, I was able to make connections in both Teiid and NiFi without SSL. I have verified the SSL public certificate and it works fine with other tools like Tableau, Pentaho, SQuirreL SQL client... then why not Apache NiFi? – Amar Kale May 06 '20 at 19:38
  • I can't speak for any other tools. They may have less restrictive truststores, they may not do any hostname verification, etc. NiFi will only trust certificates you explicitly tell it to trust. You will need to obtain the public certificate of the Teiid server and import it into the truststore used for the NiFi connection. Since this is not delegating trust to an `SSLContextService`, I suspect it's using the JRE `cacerts` truststore file. You could back that up and import the Teiid certificate to it to verify. – Andy May 07 '20 at 00:59

Thank you so much, daggett. Thanks a lot... your solution worked (bootstrap.conf).

Followed the steps below and it worked perfectly fine.

  1. Place the truststore “ssl-teiid.truststore” in the NiFi bin directory.
  2. Go to the NiFi conf directory and open the file bootstrap.conf.
  3. Add two arguments to it specifying the truststore path and password. Refer to this –

java.arg.18=-Djavax.net.ssl.trustStore=E:/nifi-1.11.4-bin/nifi-1.11.4/bin/ssl-teiid.truststore
java.arg.19=-Djavax.net.ssl.trustStorePassword=mention the Trustore password

  4. Start NiFi.
  5. Created the DBConnectionPool service for the DataVirtualization URL.
  6. Create an ExecuteSQL processor, use the DBConnectionPool service created above, and query any of the DataVirtualization views through it.

Thank you so much Andy for your help.

Amar Kale
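A pre-start check for the `bootstrap.conf` approach described in the answer above, added here as an example and not part of the original posts. `lint_bootstrap` and both sample files are hypothetical and constructed; it assumes `bootstrap.conf` is read as a Java properties file, so a repeated `java.arg.N` key keeps only its last value.

```python
import re
from pathlib import PurePosixPath, PureWindowsPath

# Constructed sample: the relative truststore path from the question, a reused
# java.arg index, and no password argument.
SAMPLE_BAD = """\
java.arg.2=-Xms512m
java.arg.18=-Djava.awt.headless=true
java.arg.18=-Djavax.net.ssl.trustStore=teiid-dummy.truststore
"""
# Constructed sample shaped like the working answer (password is a placeholder).
SAMPLE_GOOD = """\
java.arg.18=-Djavax.net.ssl.trustStore=E:/nifi-1.11.4-bin/nifi-1.11.4/bin/ssl-teiid.truststore
java.arg.19=-Djavax.net.ssl.trustStorePassword=<truststore-password>
"""

ARG_LINE = re.compile(r"^\s*(java\.arg\.[^=\s]*)\s*=\s*(.*?)\s*$")


def lint_bootstrap(text):
    """Return a list of findings about JVM truststore arguments (hypothetical helper)."""
    findings, seen = [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ARG_LINE.match(line)  # comment lines (# ...) never match
        if not m:
            continue
        key, value = m.groups()
        if key in seen:
            findings.append(f"line {lineno}: {key} also set on line {seen[key][0]}; "
                            "assumed properties semantics keep only the last value")
        seen[key] = (lineno, value)
    # Collect the -Dname=value system properties that survive de-duplication.
    sysprops = {}
    for _, value in seen.values():
        if value.startswith("-D") and "=" in value:
            name, _, val = value[2:].partition("=")
            sysprops[name] = val
    store = sysprops.get("javax.net.ssl.trustStore")
    if store is None:
        findings.append("no javax.net.ssl.trustStore argument: the JVM uses its default truststore")
    else:
        if not (PureWindowsPath(store).is_absolute() or PurePosixPath(store).is_absolute()):
            findings.append(f"trustStore '{store}' is relative and resolves against "
                            "the JVM working directory")
        if "javax.net.ssl.trustStorePassword" not in sysprops:
            findings.append("trustStore is set without javax.net.ssl.trustStorePassword")
    return findings
```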