nifi1.8.0 upgrade to nifi 1.21.0 with error Migration Required for blank Sensitive Properties Key [nifi.sensitive.props.key]

Question

I just upgraded nifi from 1.8.0 to 1.21.0 New NIFI can start properly without any flow imported. However, when I import old flow, nifi 1.21.0 won't start with the following exception:

2023-05-30 14:39:35,215 ERROR [main] o.a.nifi.properties.NiFiPropertiesLoader Flow Configuration [/data/nifi/persistent/flow.xml.gz] Found: Migration Required for blank Sensitive Properties Key [nifi.sensitive.props.key]
2023-05-30 14:39:35,215 ERROR [main] org.apache.nifi.NiFi Failure to launch NiFi
java.lang.IllegalArgumentException: There was an issue decrypting protected properties
        at org.apache.nifi.NiFi.initializeProperties(NiFi.java:375)
        at org.apache.nifi.NiFi.convertArgumentsToValidatedNiFiProperties(NiFi.java:343)
        at org.apache.nifi.NiFi.convertArgumentsToValidatedNiFiProperties(NiFi.java:339)
        at org.apache.nifi.NiFi.main(NiFi.java:331)
Caused by: org.apache.nifi.properties.SensitivePropertyProtectionException: Sensitive Properties Key [nifi.sensitive.props.key] not found: See Admin Guide section [Updating the Sensitive Properties Key]
        at org.apache.nifi.properties.NiFiPropertiesLoader.getDefaultProperties(NiFiPropertiesLoader.java:245)
        at org.apache.nifi.properties.NiFiPropertiesLoader.get(NiFiPropertiesLoader.java:218)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.base/java.lang.reflect.Method.invoke(Unknown Source)
        at org.apache.nifi.NiFi.initializeProperties(NiFi.java:370)
        ... 3 common frames omitted

It seems to be related to Nifi Migration Required for blank Sensitive Properties Key and should have been fixed in nifi 1.14.

In my old nifi1.8, I don't have any value set for nifi.sensitive.props.key, I'd assume default encryption is used for sensitive information in the nifi flow. After upgrade, the nifi.sensitive.props.key is also left empty, should this be transparent to a user who upgrades from an older version of nifi?

If not, Could anyone please advise the steps to dig out the old default key and specify it in nifi.properties <nifi.sensitive.props.key>?

Please note that neither a new key is needed nor the algorithm is changed. I'm re-using the same nifi.properties and I wish it's transparent to users:

nifi.sensitive.props.key=
nifi.sensitive.props.key.protected=
nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
nifi.sensitive.props.provider=BC
nifi.sensitive.props.additional.keys=

Thanks.

P K · Answer 1 · 2023-06-01T00:51:38.667

This is what I did recently (when upgraded from NiFi 1.13.2 to 1.21.0). I copied the nifi.security.keystorePasswd or nifi.security.keyPasswd over to nifi.sensitive.props.key.
This fixed the above error and I was able to import the old flows.
LMK if this works for you.
I have copy-pasted my current nifi.properties file below

# security properties #
nifi.sensitive.props.key=VLFHSvHpNLoSIOVj1kALtru9
nifi.sensitive.props.key.protected=
nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
nifi.sensitive.props.provider=BC
nifi.sensitive.props.additional.keys=

#nifi.security.keystore=./conf/keystore.jks
nifi.security.keystore=./conf/nifinodelocal.keystore
nifi.security.keystoreType=jks
nifi.security.keystorePasswd=VLFHSvHpNLoSIOVj1kALtru9
nifi.security.keyPasswd=VLFHSvHpNLoSIOVj1kALtru9
nifi.security.truststorePasswd=fvemYJRvPvFDN8GYIbTDJzxa
#nifi.security.keystorePasswd=LuN4dsmYVQck4zGd/KsWWm6yWK032nJRUoBL3RfmqVk
#nifi.security.keyPasswd=LuN4dsmYVQck4zGd/KsWWm6yWK032nJRUoBL3RfmqVk
#nifi.security.truststore=./conf/truststore.jks
nifi.security.truststore=./conf/nifinodelocal.truststore
nifi.security.truststoreType=jks
#nifi.security.truststorePasswd=vAUqzegrBpe+Sl1FM38XIUZ2ItSvyvNVDns6PhauRdo
nifi.security.user.authorizer=managed-authorizer
nifi.security.allow.anonymous.authentication=false
nifi.security.user.login.identity.provider=
nifi.security.ocsp.responder.url=
nifi.security.ocsp.responder.certificate=

This property cannot be empty anymore. Does your old flow still work in latest nifi? There're steps I've found to migrate flow to latest nifi using nifi-tool. For now, I just remove all old flow configurations and put a temporary string for nifi.sensitive.pros.key and my nifi can start. — Jin Ma, Jun 02 '23 at 17:47
Yes @JinMa. My old flow still works in latest NiFi. First I have versioned my flow from old NiFi into `NiFi registry`, then pointed my new version NiFi to same NiFi registry. In the new NiFi after importing it from NiFi registry, it runs just fine. — P K, Jun 02 '23 at 19:25

nifi1.8.0 upgrade to nifi 1.21.0 with error Migration Required for blank Sensitive Properties Key [nifi.sensitive.props.key]

1 Answers1