Nifi security without TLS? - ssl

Some background... I'm trying to run a nifi registry on ECS. I'm using the apache/nifi-registry:latest container image.
I'm unable to set this up via TLS (without baking my cert details into my dockerfile which is a security nightmare). Is there another way to still be able to use the registry with users/etc and NOT need to be running on HTTPS ports?
I'd still prefer to run this container on port 18080, but it appears that when doing so I'm unable to log in or really do anything with nifi reg?

Related

How to configure certificates for Grafana MQTT plugin to connect to HiveMQ cloud broker

I'm running Grafana 9.3.6 installed via apt-get on Ubuntu 20.04.5
I have a HiveMQ cloud broker I'm trying to connect to.
Previously I succeeded in connecting via the mosquitto command line tool and the mosquittopp C++ interface. These required me to provide a certificate or certificate path.
I used the .pem file provided by HiveMQ with the command line tool.
I provided the /etc/ssl/certs/ path for the C++ interface (the 1st option did not work out).
Now I'm trying to connect via the Grafana MQTT plugin. I installed it using
grafana-cli plugins install grafana-mqtt-datasource.
When trying to add it in the web gui, I get the following error:
error connecting to MQTT broker: network Error : EOF
I can see some messages going back and forth in Wireshark so I assume the problem is with the certificates.
I tried editing the grafana.ini file without success. It's not completely clear which file/path I should add where, and what other options I need to set.
Edit: the grafana.ini file had nothing to do with this.
As #hardillb pointed out, I had to pay attention to the URL scheme. After putting tls:// in front of the broker URL as described in grafana-mqtt-datasource, everything worked.

ActiveMQ WSS gives ERR_CERT_COMMON_NAME_INVALID

I basically followed the steps in this question to create SSL certificates for ActiveMQ. Now, with some help, I can connect my C# application to ActiveMQ. However, when I tried to connect my Angular application to it, I got an ERR_CERT_COMMON_NAME_INVALID error.
I actually have an ActiveMQ instance running in AmazonMQ and it works fine with my Angular application. So I think this is the issue of the certificate when I try to run the ActiveMQ in my own docker image.
For some details, I am using a domain name dev.com pointing to 127.0.0.1, which is set in the hosts file. I am using dev.com to access both the C# application and the Angular application, so I plan to use wss://dev.com:61619 to access ActiveMQ from my Angular application. When I generate the keystore, I specify dev.com as the CN. In addition, I have another self-signed certificate generated with OpenSSL for the Angular and C# applications; I'm not sure if there will be any conflict between them.
Can anyone please help to see what could be wrong?
Thank you

Adding an SSL cert to Lita bot using Docker

I've connected my Lita bot to a Dialogflow agent via the lita-api-ai plugin and (currently) a Firebase-enabled fulfillment script edited inline on the Dialogflow site.
I'd like to convert that webhook into ruby and host it as a handler in Lita itself, but Dialogflow requires SSL on the webhook endpoint.
I'm using the standard docker setup for Lita on CoreOS, and I'd like to use a Let's Encrypt cert. How can I do this? I'm not experienced with the innards of Docker or a ruby app like Lita (as opposed to a full-blown nginx/Apache setup) -- can I put something around Docker to handle the SSL? Do I need to modify the Docker image itself?
The best way to go about this is to install a web server (nginx, caddy, etc.) to handle SSL termination. It should then proxy requests to the Docker instance. You can use nginx-proxy with the LetsEncrypt companion as the basic setup, although you'll need to alter the Lita systemd script to include config and environment variables (e.g., VIRTUAL_HOST, expose).
nginx-proxy listens for container changes to dynamically update its proxying, but I created systemd services for both nginx-proxy and the LetsEncrypt companion so that they would start on boot.

Is Weblogic Node Manager SSL setup required while implementing SSL for an Application

In Weblogic, I have more than one Machine created using Node Manager. We have been told to set up an SSL implementation for our Application, which is deployed across the created machines in a single Weblogic Admin Console.
So for the Application we had configured a certificate using a .jks file and configured the SSL listen port by enabling it.
However, we have been told to secure the Node Manager machines across which the application is deployed as well. While changing the Node Manager type to SSL instead of Plain, I am getting an SSLException. In fact, we do not need to secure the Machines which were created using Node Manager; only securing the Application is sufficient. Am I right? Or is it required to secure Machines -> Node Manager as well?
When I turn on SSL in Machines -> Node Manager, what are the things I have to consider to avoid the SSLException? Is a Weblogic restart required if I configure this? For now I do not have UNIX access, hence I couldn't do that at this moment.
Please advise on this situation. Without securing Machines -> Node Manager I am able to run the application, but I am not able to access it using https. Only http for the Application is working.
Please advise on the situation.
SSL for node manager is optional, as there's no application-related sensitive data that flows in this layer.
You mention that even after configuring the jks you can't get the server, and hence the application, listening on https. Could you elaborate what steps you followed? Note this has nothing to do with node manager.

Renewing SSL certificate Service Fabric endpoint

How can I renew certificate on a service fabric https endpoint after it expires?
I use port sharing for multi-domain support (WebListener) and netsh to bind the cert to ip:port (I can't use the manifest file to bind a domain name; it is not supported now).
But if I don't want to upload a new package version (only to run the SetupEntryPoint), is there a way to send a netsh command to the VM Scale Set?
If you want to run the same command, like netsh, on all the VMs in a scale set, a good way to do this is to use a custom script extension. You can add a custom script extension using the PowerShell cmdlet Add-AzureRmVmssExtension.
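One way to carry out the answer above, as an added example that is not the asker's or answerer's own code: a node-side script rebinds the newest valid certificate for the endpoint with netsh, and the Custom Script Extension pushes it to every VM of the scale set. The certificate subject, ip:port, appid GUID, resource group, scale set name and blob URL are placeholders; the script assumes the renewed certificate is already installed in LocalMachine\My on each node.

```powershell
# ---- Rebind-SslCert.ps1: runs on each node through the Custom Script Extension ----
param(
    [string]$Subject = 'CN=api.example.com',    # placeholder: subject of the endpoint certificate
    [string]$IpPort  = '0.0.0.0:443',           # the ip:port the WebListener endpoint is bound to
    [string]$AppId   = '{00000000-0000-0000-0000-000000000001}'  # placeholder GUID that tags the binding
)

# Pick the newest non-expired certificate for this subject in LocalMachine\My,
# so re-running the script after each renewal always selects the freshest cert.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No valid certificate with subject $Subject in LocalMachine\My" }

# Replace any existing http.sys binding for this ip:port; 'delete' fails harmlessly if none exists.
netsh http delete sslcert ipport=$IpPort | Out-Null
netsh http add sslcert ipport=$IpPort certhash=$($cert.Thumbprint) appid=$AppId
if ($LASTEXITCODE -ne 0) { throw "netsh add sslcert failed with exit code $LASTEXITCODE" }
Write-Output "Bound $($cert.Thumbprint) (expires $($cert.NotAfter)) to $IpPort"

# ---- From an administrator workstation (AzureRM module, as in the answer) ----
$rg = 'my-sf-rg'; $vmssName = 'nt1vm'   # placeholders: resource group and node-type scale set
$vmss = Get-AzureRmVmss -ResourceGroupName $rg -VMScaleSetName $vmssName
$settings = @{
    # Placeholder blob URL. If the container is private, pass storageAccountName/storageAccountKey
    # via -ProtectedSetting instead of making the script publicly readable.
    fileUris         = @('https://<storage-account>.blob.core.windows.net/scripts/Rebind-SslCert.ps1')
    commandToExecute = 'powershell -ExecutionPolicy Unrestricted -File Rebind-SslCert.ps1 -Subject "CN=api.example.com"'
}
$vmss = Add-AzureRmVmssExtension -VirtualMachineScaleSet $vmss -Name 'RebindSslCert' `
    -Publisher 'Microsoft.Compute' -Type 'CustomScriptExtension' -TypeHandlerVersion '1.9' `
    -AutoUpgradeMinorVersion $true -Setting $settings
# Applies the model change; with a Manual upgrade policy the instances must additionally be
# upgraded (Update-AzureRmVmssInstance) before the script actually runs on them.
Update-AzureRmVmss -ResourceGroupName $rg -Name $vmssName -VirtualMachineScaleSet $vmss
```

Re-running the extension after each renewal only requires changing the settings (for example a timestamp in commandToExecute) so the scale set sees a new model and executes the script again.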