SpringBoot + Vault: How to encrypt/decrypt using VaultTransitTemplate - spring-boot

I am trying to understand how to do encryption/decryption in Spring Boot using the transit engine in HashiCorp Vault.
From the docs I see a VaultTransitTemplate but I am unable to find a proper example of it. I want to encrypt a plaintext and get a ciphertext from it. Can someone help?
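The following is an added example, not code from the question or from the Spring Vault or Vault projects. It shows the typical Spring Boot shape: inject the auto-configured VaultTemplate, take its transit operations, and call encrypt/decrypt with a key name. Assumptions: spring-cloud-starter-vault-config (or spring-vault-core) is on the classpath and a VaultTemplate bean is already configured with a token whose policy allows transit/encrypt/orders-key and transit/decrypt/orders-key; the transit engine is mounted at the default path "transit"; the key name "orders-key" and the class name are hypothetical.

```java
import org.springframework.stereotype.Service;
import org.springframework.vault.core.VaultTemplate;
import org.springframework.vault.core.VaultTransitOperations;

// Added example: encryption-as-a-service through Vault's transit engine.
// The key material never leaves Vault; the application only ever sees
// plaintext in and ciphertext out, so a database dump alone is useless
// without a Vault token that can call the decrypt endpoint.
@Service
public class TransitCryptoService {

    // Hypothetical key name (assumption). Create it once with
    // `vault write -f transit/keys/orders-key` or via ensureKey() below.
    private static final String KEY_NAME = "orders-key";

    private final VaultTransitOperations transit;

    // VaultTemplate is the bean Spring Boot's Vault auto-configuration provides.
    public TransitCryptoService(VaultTemplate vaultTemplate) {
        // opsForTransit() targets the mount at "transit";
        // use vaultTemplate.opsForTransit("custom/path") for a non-default mount.
        this.transit = vaultTemplate.opsForTransit();
    }

    /** Create the named key. Vault treats creating an already existing key as a no-op. */
    public void ensureKey() {
        transit.createKey(KEY_NAME);
    }

    /**
     * Returns a Vault ciphertext string of the form "vault:vN:<base64>", where N is
     * the key version used. Spring Vault base64-encodes the plaintext for you.
     */
    public String encrypt(String plaintext) {
        return transit.encrypt(KEY_NAME, plaintext);
    }

    /** Reverses encrypt(); Vault picks the key version from the "vault:vN:" prefix. */
    public String decrypt(String ciphertext) {
        return transit.decrypt(KEY_NAME, ciphertext);
    }

    /**
     * After `transit.rotate(KEY_NAME)` (or `vault write -f transit/keys/orders-key/rotate`),
     * old ciphertexts still decrypt, but rewrap re-encrypts them under the latest
     * key version without ever exposing the plaintext to the application.
     */
    public String rewrap(String ciphertext) {
        return transit.rewrap(KEY_NAME, ciphertext);
    }
}
```

Usage inside a Boot application is simply `String ct = service.encrypt("4111-1111-1111-1111"); String pt = service.decrypt(ct);`. Two points worth checking in a real deployment: give the application's Vault policy only the encrypt/decrypt (and, if used, rewrap) paths for the specific key rather than `transit/*`, and periodically rotate the key and rewrap stored ciphertexts so a leaked old key version has bounded value.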

Related

Access to Nifi flow using Nipy Api and LDAP

I'm trying to obtain access to a NiFi flow project through nipyapi and LDAP.
I have NiFi flow and registry up and running, and a login/password ('login'/'password')
import nipyapi
nipyapi.config.nifi_config.host = 'https://nifiexample.com/nifi'
nipyapi.config.registry_config.host = 'https://nifiexample.com/nifi-registry'
print(nipyapi.canvas.get_root_pg_id())
I read the docs and found this method
nipyapi.security.set_service_ssl_context(service='nifi', ca_file=None, client_cert_file=None, client_key_file=None, client_key_password=None)
but as I'm not a developer I don't understand how to use it properly.
Can someone please tell me what other configs/properties I should add to run this simple script?
I would recommend using the Secured Connection Demo from the docs. The Python code goes through this process step-by-step.
Understanding how NiFi uses TLS and performs authentication and authorization will also help these steps make sense.

opendaylight how to configure ReceiveTimeout for CaptureSnapshotReply

I am facing the ReceiveTimeout while doing a datastore backup using the REST utility provided by OpenDaylight.
However, I am not able to raise this value, as it seems hardcoded in the Java code.
Does someone know where this can be modified and which field to modify to increase the value?
I tried looking into "org.opendaylight.controller.cluster.datastore.cfg" but could not find any field to modify this timeout.

Is there any point using CI encryption to encrypt stored data

So I'm hoping this is not too discursive a question - but I am looking at encryption and the CodeIgniter encryption library. Great. But I'm just wondering in the following circumstance if there is actually any point encrypting my data?
No open port access to MySQL (all done via key based SSH)
Key stored in CI config file (which resides on the same box)
Server is a Ubuntu Linode (Cloud server)
I am the only person with access to the box
Why should I store my data at rest? Wikipedia mentions "unauthorised access or theft" but that would require physically stealing the box, which is unlikely. I guess access to my machine if I'm logged into a database and the data is unreadable, but again - unless someone breaks into my house and unlocks my machine it's highly unlikely.

What's the point of the Wildfly vault (JCEKS) when securing the https keystore?

I feel like I'm completely missing the point of the new JCEKS keystore format in Wildfly. Maybe you can set me straight.
The way that we have Wildfly configured (and much of the internet instructs us to, for example):
We put the standard keystore entries in a standard Java Key Store ("keystore.jks") file with a password ("jks_pw")
We then create a JCEKS keystore ("keystore.jceks") with a password, salt, and round-count ("jceks_s_n").
We then put "jks_pw" into "keystore.jceks"
We then add the JCEKS password/etc ("jceks_s_n") into our jboss config (standalone.xml) as plain text, defining an entry
We then add a reference to the vault-stored JKS password to our jboss https connector (standalone.xml), as "password="${VAULT::jks::jks::1}".
What the heck did all of that accomplish???
If we just used a JKS file and a password embedded in standalone.xml, the system is susceptible to:
An attacker getting a copy of standalone.xml and the JKS file, in which case all secrets are known.
An attacker getting a copy of the JKS file, in which case an attacker can use brute-force or lookup table attacks.
If we use a JCEKS container in the way described, the system is susceptible to:
(SAME) An attacker getting a copy of standalone.xml, the JKS/JCEKS files, in which case all secrets are known.
(SAME) An attacker getting a copy of the JKS file, in which case an attacker can use brute-force or lookup table attacks.
This would sort of make sense if we put the actual certs inside of the JCEKS file, in which case brute-force and lookup table attacks would be harder in the second case of attack, but so far I haven't found a way to use a JCEKS-formatted keystore directly with an https connector.
Really, the only reason I care too much about this is that we apparently have a security requirement to use the "vault", but it seems pointless.
UPDATE: It is worth noting that by using the vault you're using a "masked" password to the vault in your jboss config file, but I can't figure out what this means. Apparently your masked-password + salt + rounds can unlock the JCEKS keystore (source), so I'm not sure what exactly masking accomplishes. It just seems like a third level of redirection. I've got to be missing something...
JBoss states that the security mechanism behind "vault" is security by obscurity (https://developer.jboss.org/wiki/JBossAS7SecuringPasswords)
How secure is this?
The default implementation of the vault utilizes a Java KeyStore. Its configuration uses Password Based Encryption, which is security by obscurity. This is not 100% security. It only gets away from the problem of clear text passwords in configuration files. There is always a weak link. (As mentallurg suggests in the comments, the keystore password is the weakest link).
Ideally, 3rd party ISV robust implementations of Vaults should provide the necessary security.
Vault uses an unknown password and algorithm to perform a symmetric encryption of the keystore password. Without an HSM, you will always face the problem of "where to store the, e.g., datasource password". So normally you'd define a property file with an Access-Control-List and store the encoded password there.
The vault just increases the effort of getting the secured password, leaving the attacker to either read the pw in-memory or reverse-engineer the vault encryption algorithm + key.
It is important to know that the security mechanism behind "vault" is security by obscurity, which means you are just masking your sensitive data. It means if an attacker has access to your standalone.xml and the keystore, he can easily read all your data.
Vault "increases the effort": the attacker cannot see them directly, but can with some (little bit of) effort.

Publishing to Amazon S3 with Espresso

I've been looking around to get some clarity on this but it seems like I'm the only stupid one having a problem with it.
Case is, I can't connect to Amazon S3 with Espresso. Or I think the case is rather that I don't know how to. I mean, I have my username, access key and secret key. Espresso asks for the username and password. So which one is my password? What should I use as the "server"? The port? I just can't make it work.
Sorry for being stupid but please help me out here. I know there are many of you who use both Espresso and Amazon S3.
Many thanks in advance.
Way old question, but for the ones (like me) who google it and end up here, I found out how to make it work:
Server: s3.amazonaws.com
User name: Your access key
Password: Your secret access key