  • Nifi-install-config

    developer-guide

    Nifi

    install nifi

    wget http://mirrors.tuna.tsinghua.edu.cn/apache/nifi/1.3.0/nifi-1.3.0-bin.tar.gz
    tar -zvxf nifi-1.3.0-bin.tar.gz
    

    config

    At a minimum, we recommend editing the nifi.properties file and entering a password for the nifi.sensitive.props.key property.

    cd nifi-1.3.0/conf
    vim nifi.properties
    

    After opening the file, find the nifi.sensitive.props.key option (in vim, search for it with /nifi.sensitive.props.key):

    # security properties #
    nifi.sensitive.props.key=howtoinstall
    nifi.sensitive.props.key.protected=
    nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
    nifi.sensitive.props.provider=BC
    nifi.sensitive.props.additional.keys=
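
The listing above uses `howtoinstall` as the key, a value that anyone reading this page knows. The following added example (not part of the original post or of NiFi) flags a missing, sample or short key in nifi.properties text and rewrites only that one line with a random value; the function names and the 12-character threshold are assumptions made for the example.

```python
import re
import secrets

KEY = "nifi.sensitive.props.key"
SAMPLE_VALUES = {"howtoinstall"}  # value printed in the listing above
MIN_LENGTH = 12                   # assumed local policy, not taken from this page

# Constructed input: the security block exactly as shown above.
SAMPLE = """# security properties #
nifi.sensitive.props.key=howtoinstall
nifi.sensitive.props.key.protected=
nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
nifi.sensitive.props.provider=BC
nifi.sensitive.props.additional.keys=
"""

def read_property(text, name):
    """Return the value of `name` in Java-properties text, or None if absent."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == name:
            return value.strip()
    return None

def audit_key(text):
    """List the problems with the configured sensitive-properties key."""
    value = read_property(text, KEY)
    if not value:
        return ["key is missing or empty"]
    if value in SAMPLE_VALUES:
        return ["key is a published sample value"]
    if len(value) < MIN_LENGTH:
        return [f"key is shorter than {MIN_LENGTH} characters"]
    return []

def set_key(text, new_key=None):
    """Return `text` with the key line replaced by a random (or given) key."""
    new_key = new_key or secrets.token_urlsafe(32)
    # The required "=" right after the name keeps ...key.protected untouched.
    line = re.compile(r"^([ \t]*" + re.escape(KEY) + r"[ \t]*=).*$", re.MULTILINE)
    updated, count = line.subn(lambda m: m.group(1) + new_key, text, count=1)
    if count != 1:
        raise KeyError(f"{KEY} not found")
    return updated
```

Set the key before NiFi's first start, because sensitive values already stored in the flow are encrypted with it.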
    
    

    start

    From the /bin directory, run any of the following commands by typing ./nifi.sh followed by the command name:

    start: starts NiFi in the background
    
    stop: stops NiFi that is running in the background
    
    status: provides the current status of NiFi
    
    run: runs NiFi in the foreground and waits for a Ctrl-C to initiate shutdown of NiFi
    
    install: installs NiFi as a service that can then be controlled via
    	service nifi start
    
    	service nifi stop
    
    	service nifi status
    

    Configuration Best Practices

    Increase the number of TCP socket ports available

    • This is particularly important if your flow will be setting up and tearing down a large number of sockets in a small period of time.
    		sudo sysctl -w net.ipv4.ip_local_port_range="10000 65000"
    

    Set how long sockets stay in a TIME_WAIT state when closed

    • You don’t want your sockets to sit and linger too long, given that you want to be able to set up and tear down new sockets quickly. It is a good idea to read more about this setting, but to adjust it, do something like:
    sudo sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait="1"
    

    Tell Linux you never want NiFi to swap

    • Swapping is fantastic for some applications. It isn’t good for something like NiFi that always wants to be running. To tell Linux you’d like swapping off, edit /etc/sysctl.conf and add the following line:
       vm.swappiness = 0
    

    TLS Generation Toolkit

    Standalone
    wget http://mirrors.tuna.tsinghua.edu.cn/apache/nifi/1.3.0/nifi-toolkit-1.3.0-bin.tar.gz
    tar -zxvf nifi-toolkit-1.3.0-bin.tar.gz
    

    Standalone — generates the certificate authority, keystores, truststores, and nifi.properties files in one command.
    Standalone mode is invoked by running ./bin/tls-toolkit.sh standalone -h which prints the usage information along with descriptions of options that can be specified.

    cd nifi-toolkit-1.3.0
    ./bin/tls-toolkit.sh standalone -h
    

    The most common options to specify are:

    • -n,--hostnames The comma-separated list of hostnames that you’d like to generate certificates for. It can be specified multiple times. Range and instance patterns are supported. See below for details.
    • -C,--clientCertDn The DN that you’d like to generate a client certificate for. It can be specified multiple times.
    • -f,--nifiPropertiesFile The base nifi.properties file that the tool will update for each host.
    • -o,--outputDirectory The directory to use for the resulting Certificate Authority files and NiFi configurations. A subdirectory will be made for each host.
    • Hostname Patterns:
      • Create 4 sets of keystore, truststore, nifi.properties for localhost along with a client certificate with the given DN:
        bin/tls-toolkit.sh standalone -n 'localhost(4)' -C 'CN=username,OU=NIFI'
      • Create keystore, truststore, nifi.properties for 10 NiFi hostnames in each of 4 subdomains:
        bin/tls-toolkit.sh standalone -n 'nifi[01-10].subdomain[1-4].domain'
      • Create 2 sets of keystore, truststore, nifi.properties for 10 NiFi hostnames in each of 4 subdomains along with a client certificate with the given DN:
        bin/tls-toolkit.sh standalone -n 'nifi[01-10].subdomain[1-4].domain(2)' -C 'CN=username,OU=NIFI'
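
To preview which hostnames a pattern will receive certificates for before running the toolkit, the following added example (not the toolkit's own code) expands the range and instance patterns shown above. The grammar is inferred from those three examples; zero-padding to the width of the lower bound, the 1000-host limit and the function names are assumptions.

```python
import itertools
import re

RANGE = re.compile(r"\[(\d+)-(\d+)\]")   # e.g. [01-10]
COUNT = re.compile(r"\((\d+)\)$")        # e.g. (4) at the end of the pattern
HOSTNAME = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")

def expand_pattern(pattern, max_hosts=1000):
    """Return (hostnames, instances_per_host) for one hostname pattern."""
    instances = 1
    m = COUNT.search(pattern)
    if m:
        instances, pattern = int(m.group(1)), pattern[:m.start()]
    if instances < 1:
        raise ValueError("instance count must be at least 1")
    parts = RANGE.split(pattern)          # literal, lo, hi, literal, lo, hi, ...
    literals, ranges, total = parts[0::3], [], 1
    for lo, hi in zip(parts[1::3], parts[2::3]):
        if int(lo) > int(hi):
            raise ValueError(f"descending range [{lo}-{hi}]")
        total *= int(hi) - int(lo) + 1    # check the size before building lists
        if total > max_hosts:
            raise ValueError(f"pattern expands to more than {max_hosts} hosts")
        # Assumption: numbers are zero-padded to the width of the lower bound.
        ranges.append([str(n).zfill(len(lo)) for n in range(int(lo), int(hi) + 1)])
    hosts = []
    for combo in itertools.product(*ranges):
        name = literals[0] + "".join(n + lit for n, lit in zip(combo, literals[1:]))
        if not HOSTNAME.match(name):      # leftover brackets, spaces, empty name
            raise ValueError(f"not a valid hostname: {name!r}")
        hosts.append(name)
    return hosts, instances

def plan(hostnames_arg):
    """Expand a comma-separated -n value into (hostname, instances) pairs."""
    pairs = []
    for pattern in hostnames_arg.split(","):
        hosts, instances = expand_pattern(pattern.strip())
        pairs.extend((host, instances) for host in hosts)
    return pairs
```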

    Client/Server

    Server

    The CA server is invoked by running ./bin/tls-toolkit.sh server -h, which prints the usage information along with descriptions of options that can be specified.

    • -f,--configJson The location of the json config (written after first run)

    • -F,--useConfigJson Loads all relevant configuration from the config json (configJson is the only other argument necessary)

    • -t,--token The token used to prevent man in the middle attacks (this should be a long, random value and needs to be known when invoking the client)

    • -D,--dn The DN for the CA

    Client

    The client can be used to request new Certificates from the CA. The client utility generates a keypair and Certificate Signing Request (CSR) and sends the CSR to the Certificate Authority. The client is invoked by running ./bin/tls-toolkit.sh client -h which prints the usage information along with descriptions of options that can be specified.

    • -f,--configJson The json config file

    • -c,--certificateAuthorityHostname The hostname of the CA

    • -D,--DN The DN for the CSR (and Certificate)

    • -t,--token The token used to prevent man in the middle attacks (this should be a long, random value and needs to be the same one used to start the CA server)

    • -T,--keyStoreType The type of keystore to create (leave default for NiFi nodes, specify PKCS12 to create client cert)

  • Original article: https://www.cnblogs.com/Ethan2lee/p/7546082.html