Some users of Clockspring would like to log in to Clockspring using a certificate. These certificates are commonly managed on physical tokens (CAC, PIV, etc.) and should be used for all authentication to Clockspring.
To set this up there are a few simple steps to follow:
1. Add your certificate CAs to your truststore
By default, Clockspring uses the Java truststore located under /etc/pki/ca-trust/extracted/java. You should not edit this truststore directly, because it is regenerated and your changes could be lost. To update it, perform the following actions instead:
Install the ca-certificates package:
sudo yum install ca-certificates
Enable the dynamic CA configuration feature:
sudo update-ca-trust force-enable
Copy your root and intermediate CA certificates, as new files, into /etc/pki/ca-trust/source/anchors:
sudo cp rootCert.crt intermediateCert.crt /etc/pki/ca-trust/source/anchors/
Regenerate the CA trust, which updates the Java truststore above:
sudo update-ca-trust extract
2. Once the truststore has been updated, configure Clockspring to use the 'Managed Authorizer'. Assuming the current install is in Single User Mode (login with the 'Admin' credentials), update /opt/clockspring/conf/clockspring.properties so that:
nifi.security.user.authorizer=managed-authorizer
3. Edit the /opt/clockspring/conf/authorizers.xml file to add the identity of the first user, as both the initial user identity and the initial admin identity. This user will be able to log in to Clockspring with administrative privileges after the service restarts. All additional users should be added via the Clockspring UI.
In the file, set "Initial User Identity 1" to the subject DN of that user's certificate. The value is XML text, so an ampersand in the DN (as in OU=R&D) must be written as &amp;:
<userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Users File">./conf/users.xml</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Initial User Identity 1">CN=John Doe, OU=R&amp;D, O=Company Ltd., L=Dublin 4, S=Dublin, C=IE</property>
</userGroupProvider>
Then also add the same identity to "Initial Admin Identity" to give this user administrative rights on first login for additional configuration:
<accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Initial Admin Identity">CN=John Doe, OU=R&amp;D, O=Company Ltd., L=Dublin 4, S=Dublin, C=IE</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Node Identity 1"></property>
    <property name="Node Group"></property>
</accessPolicyProvider>
You should not need to modify any properties other than "Initial User Identity 1" and "Initial Admin Identity". The two values must be identical, character for character, or the first user will be created without admin rights.
4. For Clockspring to apply this change you must remove the old authorizations.xml file, where the existing authorization data is stored, so that it is rebuilt from the new initial identities on restart:
rm /opt/clockspring/conf/authorizations.xml
5. Restart Clockspring
sudo systemctl restart clockspring
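Steps 2 to 4 above are small file edits that are easy to get subtly wrong (a DN that differs between the two properties, or an unescaped & that makes authorizers.xml unparseable). The script below is an added example, not part of this article or of Clockspring's own tooling: it sets the managed authorizer in clockspring.properties, writes the same DN into both identity properties of authorizers.xml with proper XML escaping, removes the stale authorizations.xml, and reports whether the two identities match. The sample authorizers.xml and properties file in demo() are constructed here from the fragments above (wrapped in the <authorizers> root element that NiFi-based installs use), and the single-user-authorizer starting value is assumed.

```python
"""Apply steps 2-4 of the certificate-login setup to a Clockspring conf directory.
Added example; the sample files built in demo() are constructed, not real installs."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Identity from the article; '&' is plain here and escaped by ElementTree on output.
DN = "CN=John Doe, OU=R&D, O=Company Ltd., L=Dublin 4, S=Dublin, C=IE"

# Constructed authorizers.xml with empty identities, based on the fragments above.
SAMPLE_AUTHORIZERS = """<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Initial User Identity 1"></property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity"></property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1"></property>
        <property name="Node Group"></property>
    </accessPolicyProvider>
</authorizers>
"""


def set_property(text, key, value):
    """Set key=value in a Java .properties body: replace the existing line or append one."""
    pattern = re.compile(r"^" + re.escape(key) + r"\s*=.*$", re.M)
    line = f"{key}={value}"
    if pattern.search(text):
        return pattern.sub(lambda _m: line, text, count=1)
    return text.rstrip("\n") + "\n" + line + "\n"


def set_identities(xml_text, dn):
    """Write the same DN into 'Initial User Identity 1' and 'Initial Admin Identity'.
    ElementTree escapes '&' as '&amp;' when serialising, so OU=R&D stays valid XML."""
    root = ET.fromstring(xml_text)
    found = {"Initial User Identity 1": False, "Initial Admin Identity": False}
    for prop in root.iter("property"):
        name = prop.get("name")
        if name in found:
            prop.text = dn
            found[name] = True
    missing = [n for n, ok in found.items() if not ok]
    if missing:
        raise ValueError(f"authorizers.xml is missing properties: {missing}")
    return ET.tostring(root, encoding="unicode")


def identities_match(xml_text):
    """True only when both identity properties hold the same non-empty DN."""
    root = ET.fromstring(xml_text)
    vals = {p.get("name"): (p.text or "").strip() for p in root.iter("property")}
    user = vals.get("Initial User Identity 1", "")
    return bool(user) and user == vals.get("Initial Admin Identity", "")


def apply(conf_dir, dn):
    """Run steps 2-4 against conf_dir and return a summary of what was done."""
    props_path = os.path.join(conf_dir, "clockspring.properties")
    auth_path = os.path.join(conf_dir, "authorizers.xml")
    stale = os.path.join(conf_dir, "authorizations.xml")
    with open(props_path) as f:
        props = set_property(f.read(), "nifi.security.user.authorizer", "managed-authorizer")
    with open(props_path, "w") as f:
        f.write(props)
    with open(auth_path) as f:
        xml_out = set_identities(f.read(), dn)
    with open(auth_path, "w") as f:
        f.write(xml_out)
    removed = os.path.exists(stale)
    if removed:
        os.remove(stale)  # rebuilt from Initial Admin Identity on restart (step 4)
    return {"identities_match": identities_match(xml_out), "removed_authorizations": removed}


def demo():
    """Exercise apply() on constructed sample files in a temporary directory."""
    conf = tempfile.mkdtemp(prefix="clockspring-conf-")
    with open(os.path.join(conf, "clockspring.properties"), "w") as f:
        f.write("nifi.security.user.authorizer=single-user-authorizer\n")  # assumed start
    with open(os.path.join(conf, "authorizers.xml"), "w") as f:
        f.write(SAMPLE_AUTHORIZERS)
    with open(os.path.join(conf, "authorizations.xml"), "w") as f:
        f.write("<authorizations/>\n")  # stand-in for the stale file
    result = apply(conf, DN)
    with open(os.path.join(conf, "clockspring.properties")) as f:
        result["properties"] = f.read().strip()
    return result


if __name__ == "__main__":
    print(demo())
```

Run it against a real install with apply("/opt/clockspring/conf", "<your DN>") before the restart in step 5; if identities_match comes back False, the two properties differ and the first login will not receive admin rights.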
Now when you browse to Clockspring you should be prompted to select your certificate and enter your PIN (if required), and then be taken to the Clockspring canvas.
All future users should be created within the Clockspring UI, with a username that matches their certificate's subject DN in the same format as used above. Then assign them permissions as necessary through the policy menu and/or the Process Group policy.
For more information on how to manage users within Clockspring, see the Clockspring User Guide.