Run Apache NiFi in Docker with SSL Enabled

The last two articles in the Apache NiFi series discussed how to run a standalone Apache NiFi server and a NiFi cluster in Docker. However, those setups are far from production-ready because they are not secured. The next step in setting up a secured NiFi cluster is spinning up an Apache NiFi instance with SSL enabled in Docker. Although this moves us towards a production-ready setup, this article uses self-signed certificates. In production, you should not use a self-signed certificate. You may also need additional safety measures such as a firewall and a proxy.

Step 1:
The first step is creating a self-signed certificate. Though other tools can be used, Apache NiFi Toolkit is used in this article because it generates everything you need with a single command.

Step 1.1:
Download the latest Apache NiFi Toolkit from the official website.

Step 1.2:
Extract the archive and change the terminal's working directory to the extracted folder.
tar -xvzf nifi-toolkit-1.15.3-bin.tar.gz
cd nifi-toolkit-1.15.3

Step 1.3:
Run the following command to generate the SSL certificates and the necessary configurations.
./bin/ standalone -n localhost -C 'CN=admin,OU=NiFi' --subjectAlternativeNames 'localhost,'

The above command generates the certificate, key, keystore, truststore, and the properties file for a NiFi server deployed on localhost.
├── localhost
│   ├── keystore.jks
│   ├──
│   └── truststore.jks
├── nifi-cert.pem
├── nifi-key.key
├── CN=admin_OU=NiFi.p12

Step 2:
Though you can use plain Docker commands, Docker Compose is used here to keep the instructions clear. It also lets you add further services to the same Docker Compose configuration later.

Step 2.1:
Create a new folder named nifi anywhere you want.
mkdir ~/nifi
cd ~/nifi

Step 2.2:
Copy the keystore.jks and truststore.jks generated in Step 1.3 to this folder.
cp $NIFI_TOOLKIT_HOME/localhost/keystore.jks ./
cp $NIFI_TOOLKIT_HOME/localhost/truststore.jks ./

Step 2.3:
Create a new file named docker-compose.yml with the following content:
version: "3"
services:
    nifi:
        image: apache/nifi:1.15.0
        container_name: nifi
        restart: unless-stopped
        ports:
            - 8443:8443
        environment:
            - NIFI_WEB_HTTPS_PORT=8443
            - NIFI_WEB_PROXY_HOST=
            - NIFI_WEB_HTTPS_HOST=
            - AUTH=tls
            - KEYSTORE_PATH=/opt/certs/keystore.jks
            - KEYSTORE_TYPE=JKS
            - KEYSTORE_PASSWORD=5DheFfyvtPj0aEUuhQhrkT30O767ibhGFDYh02guEUU
            - TRUSTSTORE_PATH=/opt/certs/truststore.jks
            - TRUSTSTORE_PASSWORD=cQUn2CdUfRa5H8clPPYR9nbEbqum9tkW+5GYZtn4ob8
            - NIFI_SECURITY_USER_AUTHORIZER=single-user-authorizer
            - NIFI_SECURITY_USER_LOGIN_IDENTITY_PROVIDER=single-user-provider
            # Single-user login used in Step 4
            - SINGLE_USER_CREDENTIALS_USERNAME=admin
            - SINGLE_USER_CREDENTIALS_PASSWORD=ctsBtRBKHRAx69EqUghvvgEvjnaLjFEB
        volumes:
            - ./keystore.jks:/opt/certs/keystore.jks
            - ./truststore.jks:/opt/certs/truststore.jks

Note that the NiFi server is configured with a single username (admin) and password (ctsBtRBKHRAx69EqUghvvgEvjnaLjFEB). Running the above configuration will create a new NiFi Docker container using the keystore and truststore generated in Step 1.3.

Step 2.4:

In the above configuration, random KEYSTORE_PASSWORD and TRUSTSTORE_PASSWORD are used. Open the file generated in Step 1.3 and search for and Use the value of as the value of KEYSTORE_PASSWORD and the value of as the value of TRUSTSTORE_PASSWORD.
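One way to do the copy in Step 2.4 without pasting the passwords into docker-compose.yml by hand, as an added example that is not part of the original article. It assumes the generated properties file stores the two values under the NiFi property names nifi.security.keystorePasswd and nifi.security.truststorePasswd; the function names, the .env target and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.
# Assumption: the toolkit-generated properties file stores the passwords as
# nifi.security.keystorePasswd and nifi.security.truststorePasswd.

# Print the value of KEY from a Java-style properties FILE. The key prefix is
# stripped literally, so values containing '=', '+' or '/' survive unchanged.
props_get() (
    file=$1 key=$2
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "$key="*) printf '%s\n' "${line#"$key="}"; exit 0 ;;
        esac
    done < "$file"
    exit 1
)

# Write both store passwords to OUT as a docker-compose .env file that only
# the owner can read. Fails without writing if either value is missing.
write_env() (
    props=$1 out=$2
    ks=$(props_get "$props" nifi.security.keystorePasswd) || ks=
    ts=$(props_get "$props" nifi.security.truststorePasswd) || ts=
    if [ -z "$ks" ] || [ -z "$ts" ]; then
        echo "store password missing in $props" >&2
        exit 1
    fi
    umask 077
    rm -f "$out"
    printf 'KEYSTORE_PASSWORD=%s\nTRUSTSTORE_PASSWORD=%s\n' "$ks" "$ts" > "$out"
)

# Demo on a constructed properties file (sample values, not real secrets).
demo() (
    dir=$(mktemp -d) || exit 1
    trap 'rm -rf "$dir"' EXIT
    cat > "$dir/sample.properties" <<'EOF'
nifi.web.https.port=8443
nifi.security.keystorePasswd=ks+Sample/Value=
nifi.security.truststorePasswd=ts+Sample/Value==
EOF
    # Show only the variable names, never the secret values.
    write_env "$dir/sample.properties" "$dir/.env" && sed 's/=.*/=<set>/' "$dir/.env"
)
demo
```

docker-compose reads a .env file from the project directory, so after running write_env against the real properties file the two compose entries can be written as KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD} and TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}.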

Step 3:
Run the following command to start the NiFi container.
docker-compose up

Step 4:
Wait a while for NiFi to become ready, then visit https://localhost:8443/nifi in your browser. You will see a warning page because we are using a self-signed certificate.

Accept the risk and visit the page. Use the username: admin and password: ctsBtRBKHRAx69EqUghvvgEvjnaLjFEB as defined in the docker-compose.yml to log in.

Voilà, you now have an SSL-enabled Apache NiFi server running in Docker. The next article will cover how you can deploy an SSL-enabled Apache NiFi cluster in Docker.
