I enabled TLS in NiFi by running the below command,
nifi-toolkit/nifi-toolkit-assembly/target/nifi-toolkit-1.4.0-SNAPSHOT-bin/nifi-toolkit-1.4.0-SNAPSHOT/bin/tls-toolkit.sh standalone -n "{my-ip},localhost" -C 'CN={my-ip}' -C 'CN=localhost' -o ./certs
This created the files required for TLS under the directory certs.
I moved the files under the directory certs into the conf folder of the deployment in my machine.
Installed the certificate to my machine's Keychain Access.
Now started the server using bin/nifi.sh start. My server starts, I am able to hit the server, But my request is not authorized.
I am getting the below error,
Not authorized for the requested resource. Contact the system
administrator.
Once TLS is enabled in Apache NiFi, anonymous access is no longer enabled by default. You will need to authenticate as a user in order to access the UI/API. There are three authentication mechanisms available -- client certificates, LDAP, or Kerberos. Once you configure an Initial Admin Identity in $NIFI_HOME/conf/authorizers.xml (this would be the exact CN of the client certificate you issued in the TLS Toolkit command), that user can authenticate and use the user management tools in NiFi to add additional users.
You can find more information in the NiFi Admin Guide. Bryan Bende has also written a detailed walkthrough of the process.
One note about the command you posted above -- I am not sure what your desired output is, but the command is issuing a server certificate for my-ip and another for hostname, but then two client certificates with those DNs as well. In general, you want a server certificate for hostname (possibly with a SAN entry for my-ip), and a client certificate with a DN like CN=alopresto, OU=Apache NiFi.
For example:
./bin/tls-toolkit.sh standalone
-n 'nifi.nifi.apache.org'
--subjectAlternativeNames '123.234.234.123'
-C 'CN=alopresto, OU=Apache NiFi'
-P password
-S password
-B password
-f ...conf/nifi.properties
-o ...conf/
Related
I have generated client certificates, how do I use the client certificates to authenticate the user to LDAP server just using LDAP utils ldapsearch,ldapmodify? I want a password less authentication process for the user.
The certificate and key settings are documented in the ldap.conf(5) man page. You are looking for the TLS_CERT and TLS_KEY options.
Note that these are documented as user-only options, meaning that they can be set as environment variables (respectively LDAPTLS_CERT and LDAPTLS_KEY) or in a personal ldaprc file, but not in the system-wide ldap.conf file.
With the certificate and key settings, use -Y EXTERNAL with the ldap tools. For example (using the environment variables):
LDAPTLS_CERT=user-cert.pem LDAPTLS_KEY=user-priv.key ldapwhoami -H ldap://server -ZZ -Y EXTERNAL
Before i start with my problem:
I've got a website which is protected by a reverse proxy (nginx). So the client is not allowed to connect directly to the website. It must connect to nginx and nginx shows then the content of the website.
Now i wanted to add more "security" features. I installed samba4 as it is usable as a AD DC and wanted to use LDAP (which is included in samba4?) to authenticate the clients which are trying to reach the website.
So before a client can actually see the website it must connect to nginx and then authenticate itself (with LDAP credentials) and then it can view the websites content.
I configured nginx with the module ldap_http_authentication (see configuration below) and it is working. When the client tries to view the website i need to login with some LDAP Credentials, but when i try to authenticate the client it just doesn't work. it says that the LDAP credentials are wrong.
How can i add LDAP users when LDAP comes with samba? I just don't know which credentials to use. I added some users to samba like "test" and tried to use their credentials to authenticate, but they don't work as well.
So which credentials do i have to use for "binddn" and "binddn_passwd"? Where do I have to create them or get them?
My nginx ldap configuration:
ldap_server adds {
url "ldap://192.168.50.131/dc=test,dc=dom?sAMAccountName?sub?";
binddn "TEST\\USERNAME";
binddn_passwd "password";
connect_timeout 5s;
bind_timeout 5s;
request_timeout 5s;
require valid_user;
satisfy any;
}
Thanks!
edit:
i tried to add some users with the command:
ldapadd -x -D cn=admin,dc=test,dc=dom -W -f add_user.ldif
but it just returns:
"Enter LDAP Password: ldap_bind: Strong(er) authentication required (8) additional info: BindSimple: Transport encryption required."
Btw: I've never set an LDAP Password, i just installed samba4. That's all!
By default samba4 require start_tls.
For a start you should try to switch the url to ldaps://
Then you need:
if you don't have a certified certificate
ssl_check_cert off
a certificate for the tls transaction
ssl_ca_file /etc/pki/tls/certs/whatever.crt
For ldapXXXXX commands you need the -Z switch
You also need to check that you ldap.conf file contains the URI and BASE:
URI ldaps://ldap.server.com
BASE "dc=domain,dc=example,dc=com"
You also need the 2 following:
a client certificate for the tls transaction
TLS_CACERT=/etc/pki/tls/certs/whatever.crt
What to do if certificate is not valid
TLS_REQCERT allow
I've got problems connecting secure (SSL) to an IBM LDAP server using an openLDAP client.
A connection like the following, which is not using SSL works fine:
ldapsearch -h <LDAP server host name> -D <bind dn> -w ? -b <base dn> <filter>
But when I add the -Z option to use a secure LDAP connection (SSL) like shown in the following ldapsearch an error occours:
ldapsearch -h <LDAP server host name> -Z -D <bind dn> -w ? -b <base dn> <filter>
The error says:
ldap_simple_bind: Can't contact LDAP server
Attempted communication over SSL.
The extended error is 116.
Here I found out that I have to add ssl start_tls to the clients configuration file (ldap.conf) to enable SSL in openLDAP: http://www.openldap.org/faq/data/cache/185.html
After reading the description above I'm not sure if the author is dealing with an openLDAP client and an openLDAP server and if this is the only change that have to be made to make the connection work.
Does anybody here know if it is possible to connect from an openLDAP client to an IBM LDAP server using an SSL connection?
Does anybody have experience with this topic?
Thanks a lot!
As far as I know, OpenSSL no longer provides CA signer certificates in its trust store (i.e., CA cert file). Therefore, you will have to configure OpenLDAP's ldapsearch through the file .ldaprc or ldap.conf to specify the location of the trust store that has the signer certificates for your LDAP server. Something like this:
TLS_CACERT /usr/ssl/certs/my.ldapserver.certs.pem
# TLS_CACERTDIR /usr/ssl/certs/
TLS_REQCERT never|allow||try|demand|hard
See
http://www.openldap.org/software/man.cgi?query=ldap.conf&format=html
http://www.openldap.org/faq/data/cache/185.html
for more details.
IBM's website has a discussion of this error.
A number of possibilities, mostly server side, about keys not being in the keystore, expired, or not using port 636. So you can look at this and see if it helps you.
I am developing a WCF service, which uses SSL certificate for transport security.
I followed various tutorial and hints online to generate and import the certificate. The certificate is imported using the following command:
certmgr.exe -add -all -c <filename>.pfx -s -r localMachine my
My WCF service is running happily using the imported certificate under console mode. Problem starts when I switched my service to be hosted with a Windows Service, which is running as "NETWORK SERVICE". The exception is complaining that the application has no access to the private key installed.
So I used FindPrivateKey.exe and found out that the private key is actually installed in the current user's AppData folder:
C:\Users\<username>\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3289377140-263254259-3378496556-1105\d3a0de64e6f0513692d593a77a71d3ac_15824a33-515a-493c-a33f-38a7b852e11a
It would not work even if I grant "NETWORK SERVICE" user the access right to this file.
At the end I have to remove the certificate, and re-imported using MMC, which placed the private key to:
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\c3ccd4300462fe2aa7cec7f747fbd075_15824a33-515a-493c-a33f-38a7b852e11a
So my question is, how can I get certmgr to place the private key in C:\ProgramData\ instead of current user's AppData?
You should not try to work with certificates on file level. It is internal implementation that is not guarantied to be supported.
There is a MS tool that can help you:
The Microsoft Windows HTTP Services (WinHTTP) certificate
configuration tool, "WinHttpCertCfg.exe", enables administrators to
install and configure client certificates in any certificate store
that can be accessed by the Internet Server Web Application Manager
(IWAM) account.
http://msdn.microsoft.com/en-us/library/windows/desktop/aa384088(v=vs.85).aspx
Command that you need to run:
This command grants access to the private key of the "MyCertificate"
certificate in the "My" certificate store for the TESTUSER account.
winhttpcertcfg -g -c LOCAL_MACHINE\My -s MyCertificate -a TESTUSER
Use this link to install the tool:
http://www.microsoft.com/en-us/download/details.aspx?id=19801
Similar to this question, I need the ability to require username + password without transport security. But in my situation the actual IIS server doesn't have SSL, but the proxy in front of it does.
This is where WCF has an issue - because the box hosting it won't allow this type of security without SSL. So in short - do I need to write my own binding for this or did I miss some type of workaround for this very situation?
Yes, WCF will require encrypted communication if you need to pass a username/password.
I think the only way is to create a certificate to use for safe communication (security at message level). You can easily do this with makecert, like this:
makecert.exe -sr LocalMachine -ss My -a sha1 -n CN=localhostCA -sky exchange -pe
You may need to grant access to this certificate for the IIS user, using the Windows HTTP Services Certificate Configuration Tool. Then, run the following command (given that "ASPNET" is the appropriate IIS user):
winhttpcertcfg -g -c LOCAL_MACHINE\My -s localhostCA -a ASPNET
Replace "localhostCA" with the name of your certificate.