NiFi: NiFi 1.23.x issues with weak ciphers/encryption types

Issues

After upgrade to NiFi 1.23.1 our nifi instances is failed to starting up with these error messages:

Error #1

tail -f /var/log/nifi/nifi-app.log

Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits: RSA 1024 bit key used with certificate: CN=AD-server.example.com
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits: RSA 1024 bit key used with certificate: CN=AD-server.example.com

Yes we are using AD server which have old 1024 bit encryption keys. It is in other department's responsibility, I heard they've planned to do an upgrade soon. We just can do changes in client side.

Let's make java accept 1024 bit keys by change /etc/crypto-policies/back-ends/java.config

Before:

jdk.tls.ephemeralDHKeySize=2048
jdk.certpath.disabledAlgorithms=MD2, MD5, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=DH keySize < 2048, TLSv1.1, TLSv1, SSLv3, SSLv2, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacMD5
jdk.tls.legacyAlgorithms=

After:

jdk.tls.ephemeralDHKeySize=2048
jdk.certpath.disabledAlgorithms=MD2, MD5, DSA, RSA keySize < 1024
jdk.tls.disabledAlgorithms=DH keySize < 1024, TLSv1.1, TLSv1, SSLv3, SSLv2, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacMD5
jdk.tls.legacyAlgorithms=

Error #2

After restart. Nifi still failed with these error:

2023-10-16 15:30:43,141 WARN org.apache.nifi.web.server.JettyServer: Failed to start web server... shutting down.
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'niFiWebApiConfiguration': BeanPostProcessor before instantiation of bean failed; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.config.annotation.method.configuration.PrePostMethodSecurityConfiguration': Unsatisfied dependency expressed through constructor parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.apache.nifi.web.security.configuration.AuthenticationSecurityConfiguration': Unsatisfied dependency expressed through constructor parameter 2; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is org.apache.nifi.authorization.exception.AuthorizerCreationException: Error creating RangerBasePlugin
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:537)
        at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:97)
        at org.apache.nifi.NiFi.main(NiFi.java:332)
Caused by: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.config.annotation.method.configuration.PrePostMethodSecurityConfiguration': Unsatisfied dependency expressed through constructor parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.apache.nifi.web.security.configuration.AuthenticationSecurityConfiguration': Unsatisfied dependency expressed through constructor parameter 2; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is org.apache.nifi.authorization.exception.AuthorizerCreationException: Error creating RangerBasePlugin
        at org.springframework.beans.factory.support.ConstructorResolver.createArgumentArray(ConstructorResolver.java:800)
        ... 48 common frames omitted
Caused by: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.apache.nifi.web.security.configuration.AuthenticationSecurityConfiguration': Unsatisfied dependency expressed through constructor parameter 2; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is org.apache.nifi.authorization.exception.AuthorizerCreationException: Error creating RangerBasePlugin
        at org.springframework.beans.factory.support.ConstructorResolver.createArgumentArray(ConstructorResolver.java:800)
        ... 74 common frames omitted
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is org.apache.nifi.authorization.exception.AuthorizerCreationException: Error creating RangerBasePlugin
        at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:176)
        ... 97 common frames omitted
Caused by: org.apache.nifi.authorization.exception.AuthorizerCreationException: Error creating RangerBasePlugin
        at org.apache.nifi.ranger.authorization.RangerNiFiAuthorizer.onConfigured(RangerNiFiAuthorizer.java:142)
        ... 107 common frames omitted
Caused by: org.apache.hadoop.security.KerberosAuthException: failure to login: for principal: nifi/server01.example.com@EXAMPLE.COM from keytab /var/run/cloudera-scm-agent/process/1546351194-nifi-NIFI_NODE/nifi.keytab javax.security.auth.login.LoginException: Unable to obtain password from user
        at org.apache.hadoop.security.UserGroupInformation.doSubjectLogin(UserGroupInformation.java:2016)
        at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1361)
        at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:1140)
        at org.apache.nifi.ranger.authorization.RangerNiFiAuthorizer.onConfigured(RangerNiFiAuthorizer.java:130)
        ... 125 common frames omitted
Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user

After a day of searching, I fix it by adding allow_weak_crypto = true to /etc/krb5.conf

References

• https://stackoverflow.com/a/69541972/1377004

• https://discourse.igniterealtime.org/t/ldaps-connection-problem/90194

• https://stackoverflow.com/a/72731392

• Kerberos authentication fails with an Encryption type RC4 with HMAC is not supported/enabled error in AM (All versions) | ForgeRock Backstage