Apache NiFi Setup and Security on Amazon Linux

Apache NiFi Setup and Security on Amazon Linux

04 March 2022

Hi, friends in this blog we are going to set up NiFi and configure it to secure it with client certificates.

So, let’s begin the setup:

  • First, we will update the server and install Java package:
  • yum update -y

  • Install wget package:
  • yum install wget

Install Java 8 version:

sudo yum install java-1.8.0-openjdk

  • You can select the Java version by the following command if you have multiple versions present:
  • sudo update-alternatives –config java

  • Now you can extract the java path from the above output and set the java_home as follows:
  • export JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171–2.6.13.0.el7_4.x86_64

  • export the PATH variable:
  • export PATH=$PATH:$JAVA_HOME/bin

Now you have installed java successfully.

Its time to Install Nifi:

  • Extract the nifi tar file:
  • tar -xvf nifi-1.13.2-bin.tar.gz

  • Now you can go to “nifi-1.13.2” directory:
  • Apache-NiFi-Setup-and-Security-on-Amazon-Linux-image1

  • Now, go to “bin” directory to run the nifi.sh script and you can start, stop and restart it.
  • ./nifi.sh start

    ./nifi.sh stop

    ./nifi.sh restart

  • You can see logs of nifi in logs directory “nifi-app.log”
  • tail -f nifi-app.log

Check the nifi is runnnig on which port mostly it will run on 8080 port:

sudo netstat -tulpn | grep LISTEN

If it is running on 127.0.0.1 internal IP it will not be accessible from outside so go to nifi.properties and change following before that stop the nifi:

./nifi.sh stop

Then go to nifi.properties in conf directory, following is the example configuration, you need to change “nifi.web.http.host”:

# web properties #

#############################################

# For security, NiFi will present the UI on 127.0.0.1 and only be accessed through this loopback interface.

# Be aware that changing these properties might affect how your instance can be accessed without any restriction.

# We recommend configuring HTTPS instead. The administrator’s guide provides instructions on how to do this.

nifi.web.http.host=127.0.0.1

nifi.web.http.port=8080

nifi.web.http.network.interface.default=

With this:

# web properties #

#############################################

# For security, NiFi will present the UI on 127.0.0.1 and only be accessed through this loopback interface.

# Be aware that changing these properties might affect how your instance can be accessed without any restriction.

# We recommend configuring HTTPS instead. The administrator’s guide provides instructions on how to do this.

nifi.web.http.host=

nifi.web.http.port=8080

nifi.web.http.network.interface.default=

And start the nifi

./nifi.sh start

Congratulations you successfully setup NiFi, you can access NiFi by your IP address and port number on the browser.

Install NiFi Toolkit:

To secure the NiFi by client certificate we will need to create a client certificate, and we are creating those certificates using NiFi toolkit.

  • Extract the nifi tar file:
  • tar -xvf nifi-toolkit-1.14.0-bin.tar.gz

Now to generate the certificates run following command:

bin/tls-toolkit.sh standalone -n ‘localhost’ -C ‘CN=username,OU=NIFI’

Note: You can put as many User’s client certificates by adding “CN=username,OU=NIFI” in above command.

It will create client certificate’s and their password files which you can share them with users, also it will create some files which you will need to replace them with existing one’s those are: nifi.properties, TrustStore.jks, and KeyStore.jks.

After replacing them you need to edit authorisers.xml file:

  • At last find <authorizer> section and put as follows:
  • <property name=”Initial Admin Identity”>CN=username, OU=NIFI</property>

    <property name=”Node Identity 1″>CN=username, OU=NIFI</property>

    Also go up in same file and find <accessPolicyProvider> and put as follows:

    <property name=”Initial Admin Identity”>CN=username, OU=NIFI</property>

    <property name=”Node Identity 1″>CN=username, OU=NIFI</property>

    Go little up in same file and find <userGroupProvider> and pot following lines:

    <property name=”Initial User Identity 1″>CN=username, OU=NIFI</property>

  • After that start the nifi.
  • Import client certificate into Web Browser and you can access the NiFi at 9443 port.
  • Go to NIFI UI by using localhost certificates.
  • And you can give other users the permission as well.

search
Request a quote