How to listen to https with ListenHTTP in NiFi

Posted on 31 Dec 2015

NiFi provides a way of listening for HTTP requests on a port on a NiFi node. The ListenHTTP processor feeds the content of each request as a FlowFile into the rest of the flow. By default it provides a plaintext HTTP service, but you can also configure the processor to provide an SSL endpoint. In order to configure the SSL endpoint, we need to provide a certificate for the server. In NiFi this is provided by a controller service, in this case StandardSSLContextService.

When configuring the SSL Service we need to provide a keystore and truststore. These can be created with the Java keytool.

#!/bin/sh
set -e

# Passwords for the private key and for the stores themselves (change for anything beyond a test setup)
KEYPASS=changeit
STOREPASS=changeit

echo "Generate server certificate and export it"
# keytool prompts interactively for the certificate details; these form the DN
${JAVA_HOME}/bin/keytool -genkey -alias server-alias -keyalg RSA -keypass $KEYPASS -storepass $STOREPASS -keystore keystore.jks
# Export the public certificate (DER encoded by default) so it can be trusted elsewhere
${JAVA_HOME}/bin/keytool -export -alias server-alias -storepass $STOREPASS -file server.cer -keystore keystore.jks

echo "Create trust store"
# -noprompt skips the interactive "Trust this certificate?" question so the script runs unattended
${JAVA_HOME}/bin/keytool -import -v -noprompt -trustcacerts -alias server-alias -file server.cer -keystore cacerts.jks -keypass $KEYPASS -storepass $STOREPASS

This will yield two store files, keystore.jks and cacerts.jks (and server.cer, which is not strictly necessary beyond this step, but contains an exported copy of the server certificate).

Note that the details requested when creating the server certificate form the DN, or distinguished name, of the server certificate. Since the keystore can in theory contain multiple certificates, NiFi will need the DN to determine which certificate is used.

Once we have the two files, we can set up the controller service:

Now we have a service we can give to the ListenHTTP processor, and a DN. Set these properties, and we have a fully SSL encrypted service listening for POST requests. Of course in this instance we are not using a certificate signed by a proper authority, so we can either have our client use the same cacerts file we produced here, or of course get a properly trusted certificate.
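Two loose ends from the steps above, as an added example that is not part of the original post: reading the DN that NiFi must be given out of the keystore (the keystore may hold several entries, so the lookup is by alias), and having a client trust only our own exported certificate when it POSTs to the endpoint. The host name, port, file names and the contentListener base path are assumptions; the sample keytool listing is constructed.

```shell
# Print the Owner DN of one alias from `keytool -list -v` output read on stdin.
# Matching on the alias matters because a keystore may hold several entries.
owner_dn() {
    awk -v alias="$1" '
        /^Alias name: / { current = substr($0, 13) }
        /^Owner: / && current == alias { sub(/^Owner: /, ""); print; exit }
    '
}

# Wrapper that runs keytool against a real keystore (assumed to be on PATH).
keystore_dn() {            # usage: keystore_dn keystore.jks server-alias changeit
    keytool -list -v -keystore "$1" -storepass "$3" | owner_dn "$2"
}

# keytool -export writes DER but curl wants PEM, so convert the exported
# server.cer and POST a file to the (assumed) default ListenHTTP base path,
# trusting only our own certificate rather than the system CA bundle.
post_with_own_ca() {       # usage: post_with_own_ca server.cer nifi.example.com 8443 payload.txt
    openssl x509 -inform DER -in "$1" -out server.pem
    curl --cacert server.pem --data-binary @"$4" "https://$2:$3/contentListener"
}

# Constructed sample of `keytool -list -v` output with two entries.
SAMPLE_LISTING=$(cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: other-alias
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=other.example.com, O=Example, C=GB
Issuer: CN=other.example.com, O=Example, C=GB

Alias name: server-alias
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=nifi.example.com, OU=Data, O=Example, L=London, ST=Unknown, C=GB
Issuer: CN=nifi.example.com, OU=Data, O=Example, L=London, ST=Unknown, C=GB
EOF
)

# The value printed here is what goes into the SSL context service / ListenHTTP DN property.
printf '%s\n' "$SAMPLE_LISTING" | owner_dn server-alias
# prints: CN=nifi.example.com, OU=Data, O=Example, L=London, ST=Unknown, C=GB
```

Because the certificate is self-signed, curl will only accept it if the host name you connect to matches the CN (or a SAN) entered at keytool -genkey time.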
