Details
- Type: Epic
- Status: Resolved
- Priority: Major
- Resolution: Abandoned
- 1.7.1
- None
- NiFi security configuration requires substantial knowledge and effort to deploy
- To Do
Description
To securely deploy Apache NiFi requires substantial background knowledge, applied familiarity with a disparate set of tools and operating systems, and disjoint manual effort. The NiFi TLS Toolkit and Encrypt Config Toolkit aim to help, but the former is designed for development/sandbox environments, not for integration with enterprise certificate authorities (CAs). In addition, NiFi requires tightly coupled security configuration when deploying in a cluster environment, and dynamic horizontal scaling is difficult.
This epic will serve as an aggregator for all individual tickets related to an ongoing, holistic effort to streamline, automate, and lower the barrier to entry to configuring a secure NiFi deployment, covering:
- Generating or acquiring signed certificates and converting them to the proper format (JKS, PEM, P12, etc.)
- Integrating with external certificate providers
- Securing the sensitive configuration values
- Automating deployment of configuration values
- Encapsulating/delegating security configuration for containerization efforts
- Automating deployment of TLS cipher suites and protocol versions
- Automating mitigation of TLS vulnerabilities
Issue Links
- contains
  - NIFI-5364 ConfigEncryptionTool should handle NiFi Registry (Resolved)
  - NIFI-5365 TLS Toolkit should handle NiFi Registry (Resolved)
  - NIFI-5210 Create service to retrieve TLS configurations from remote endpoint (Resolved)
  - NIFI-5211 Create JSON reader, writer, signer, and verifier (Resolved)
  - NIFI-5212 Configure JettyServer with custom TLS protocols and cipher suites (Resolved)
  - NIFI-1990 Implement consistent security controls for cluster, site-to-site, and API communications (Open)
  - NIFI-3063 TLS Toolkit ignores provided password if longer than 7 characters and switches to auto-generated 7 character password (Resolved)
  - NIFI-5622 Test certificates require SAN values (Resolved)
  - NIFI-1466 Add password strength indicator to password properties (Resolved)
  - NIFI-2437 Enforce HSTS to require HTTPS connections if available (Resolved)
  - NIFI-3890 Create Key Management Controller Service (Resolved)
  - NIFI-4881 Provide TLS "auto-secure" feature (Resolved)
  - NIFI-3887 Add verbose mode to TLS Toolkit (Resolved)
  - NIFI-7134 Enable JettyServer to automatically detect keystore changes and update (Resolved)
  - NIFI-1480 Allow different cipher suites configurable properties for NiFi UI & integrations (Open)
  - NIFI-1995 Support keystores with multiple certificates by exposing alias selection in configuration (Open)
  - NIFI-5398 Identify cluster communication endpoints via combination of hostname and certificate rather than just certificate DN (Open)
  - NIFI-5443 Improve cluster configuration for dynamic scaling (Open)
  - NIFI-1478 Audit SSLContextFactory and SSLSocketFactory usage throughout application (Resolved)
  - NIFI-1477 Import trusted CA certificates into NiFi local truststore (Resolved)
  - NIFI-2653 Encrypted configs should handle variable registry (Resolved)
  - NIFI-2959 TLS Toolkit should provide the correct DN to authorizers.xml for the Initial Admin Identity (Resolved)
  - NIFI-3062 Provide better error message on startup if invalid length keystore password used in conjunction with PKCS12 keystore (Resolved)
  - NIFI-3740 Hostname validation error message can be unclear if SAN fails but CN matches hostname (Resolved)
  - NIFI-4247 TLS Toolkit should parse regex in SAN fields (Resolved)
  - NIFI-4573 Improve error messaging when users do not enter password for flow encryption migration (Resolved)
  - NIFI-5363 Enhance NiFi Toolkit to handle NiFi Registry (Resolved)
  - NIFI-5366 Implement Content Security Policy frame-ancestors directive (Resolved)
  - NIFI-5400 NiFiHostnameVerifier should be replaced (Resolved)
  - NIFI-5473 Add documentation for using intermediate CA with TLS toolkit (Resolved)
  - NIFI-5476 Enable TLS Toolkit (standalone) to sign certificates with external CA certificate (Resolved)
  - NIFI-5586 Add capability to generate ECDSA keys to TLS Toolkit (Resolved)
  - NIFI-5620 Standardize TLS Toolkit standalone and client/server command-line flags (Resolved)
  - NIFI-3171 Improve error message when long password is used for config encryption on machine without JCE policies (Resolved)
  - NIFI-1277 Audit current use of cryptography throughout application (Resolved)
  - NIFI-1525 Audit use of private keys throughout application (Resolved)
  - NIFI-5285 Re-evaluate memory/time cost parameters for 2018 (Resolved)
- incorporates
  - NIFI-7767 SAN not being added to certificates using tls-toolkit (Resolved)
  - NIFI-3691 Provide utility to verify configured security settings and certificates (Resolved)
  - NIFI-7783 TLS Toolkit should include the CA CN as a SAN (Resolved)
- is contained by
  - NIFI-5485 Enable TLS Toolkit (client/server) to sign certificates with external CA certificate (Resolved)
- relates to
  - NIFI-7468 Improve internal handling of SSL channels (Resolved)
  - NIFI-5481 Add New Sensitive Property Providers (Resolved)
  - NIFI-7673 Toolkit in diagnostic mode should verify independent node (Resolved)