I have an issue connecting a Minifi-c++ instance to a C2 (Command&Control) server.
I have set up a secure Nifi instance and I have successfully set up a Minifi-c++ instance and a minifi-C2, both connected to the Nifi instance directly.
I have verified that the manually configured Minifi is sending through S2S correctly.
I have also verified that the C2 server can provide a configured template (at least when the request is done from a browser with the right credentials).
Now that I have discarded all connectivity/network and authentication issues, the only thing remaining is to enable the c2 configuration options in Minifi.
nifi.remote.input.secure=true
nifi.security.need.ClientAuth=true
nifi.security.client.certificate=./conf/cert.pem
nifi.security.client.private.key=./conf/key.pem
nifi.security.client.pass.phrase=./conf/password
nifi.security.client.ca.certificate=./conf/chain.pem
#nifi.rest.api.user.name=
#nifi.rest.api.password=
nifi.c2.enable=true
nifi.c2.agent.protocol.class=RESTSender
nifi.c2.rest.url="https://myUrl:15005/c2/c2-protocol/heartbeat"
nifi.c2.rest.url.ack="https://myUrl:15005/c2/c2-protocol/acknowledge"
nifi.c2.flow.base.url="https://myUrl:15005/c2/c2-protocol"
nifi.c2.root.classes=DeviceInfoNode,AgentInformation,FlowInformation
nifi.c2.agent.heartbeat.period=5000
nifi.c2.agent.heartbeat.reporter.class=RESTReceiver
nifi.c2.agent.class=RemoteMinifyTest
nifi.c2.agent.identifier=CN=test-minifi
nifi.c2.root.class.definitions=metrics
nifi.c2.root.class.definitions.metrics.name=metrics
# ... more metrics stuff
The Minifi instance fails anti-climatically with:
[...::Properties] [info] Using configuration file to load configuration for UID properties
from ./conf/minifi-uid.properties (located at ...)
[main] [info] MINIFI_HOME=/path-to-minify
[...::Properties] [info] Using configuration file to load configuration for MiNiFi configuration
from ./conf/minifi.properties (located at ...)
[...::PythonCreator] [info] Adding ... some python stuff
[...::FlowController] [info] FlowController NiFi Configuration file ./conf/config.yml <- empty
[main] [info] Loading FlowController
[...::FlowController] [info] Load Flow Controller from file ./conf/config.yml
[...::FlowController] [info] Loaded root processor Group
[...::FlowController] [info] Initializing timers
[...::FlowController] [info] Loaded controller service provider
[...::FlowController] [info] Loaded flow repository
[...::FlowController] [info] Starting Flow Controller
[...::StandardControllerServiceProvider] [info] Enabling 0 controller services
[...::C2Agent] [info] Class is RESTSender
[...::FlowController] [info] Started Flow Controller
[main] [info] MiNiFi started
[...::TailFile] [error] store state file failed
The only thing being registered on the C2 server is:
DEBUG [qtp1356728614-16] X509AuthenticationProvider Authenticating X509AuthenticationToken
with principal CN=test-minifi
DEBUG [qtp1356728614-16] C2AnonymousAuthenticationFilter SecurityContextHolder not
populated with anonymous token, as it already contained:
'org.apache.nifi.minifi.c2.security.authentication.C2AuthenticationToken@b51a431b: Principal:
CN=test-minifi; Credentials: [PROTECTED]; Authenticated: true; Details: null;
Granted Authorities: TEST'
which shows up once for every heartbeat.
My Minifi instance is identifying itself correctly and the appropriate authorizations have been provided:
# authorities.xml
CN=test-minifi:
- TEST
# authorizations.xml
Default Action: deny
Paths:
  /c2/config:
    Default Action: deny
    Actions:
    - Authorization: TEST
      Query Parameters:
        class: RemoteMinifyTest
      Action: allow
  /c2/config/contentTypes:
    Default Action: deny
    Actions:
    - Authorization: TEST
      Action: allow
What am I missing?
I'm facing this same problem, and so far my research indicates that minifi-c2 is made to work specifically with the MiNiFi Java agent, and its only purpose is to supply config.yml files to them. I have found a way to implement a NiFi C2 server using EFM, Cloudera Edge Management and NiFi Registry here: https://docs.cloudera.com/cem/1.2.0/minifi-agent-quick-start/topics/cem-configure-c2-properties-for-minifi-cpp.html
It's a little messy, but it supplies all the REST service endpoints required for the C2 protocol. The MiNiFi CPP agent supports the full C2 protocol; here you can read a little bit more about the services required for C2 agents and servers: https://cwiki.apache.org/confluence/display/MINIFI/C2+Design#C2Design-HTTP/SProtocol
Hope it helps. I'm about to test it myself; I'll update my answer with the results.
ADDED: 15/12/2020
As suspected, the MiNiFi C++ agent requires a full C2 server, so after testing the CEM EFM configuration tutorial everything worked. The only thing I had some issues with was configuring EFM to use the MySQL DB service, so I had to use the default H2 storage.
After creating the flow for the MiNiFi class and publishing it, the agent listened to it and retrieved it from the NiFi Registry.
And after setting (sadly manually) the remote port identifier to the Remote Process Group Processor, NiFi started receiving data flows from the MiNiFi C++ agent.
Hope it helps!
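
An added example, not part of the original question or answer and not minifi-c2's own code: it cross-checks the C2 URLs in the question's agent configuration against a simplified default-deny model of the policy the question posted. The exact-path, first-match semantics and the helper names `parse_properties`, `decide` and `audit` are assumptions made for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed from the C2 keys of the question's minifi.properties.
AGENT_PROPERTIES = """
nifi.c2.rest.url="https://myUrl:15005/c2/c2-protocol/heartbeat"
nifi.c2.rest.url.ack="https://myUrl:15005/c2/c2-protocol/acknowledge"
nifi.c2.flow.base.url="https://myUrl:15005/c2/c2-protocol"
nifi.c2.agent.class=RemoteMinifyTest
nifi.c2.agent.identifier=CN=test-minifi
"""
# The question's authorities and authorizations, transcribed as Python data.
AUTHORITIES = {"CN=test-minifi": ["TEST"]}
POLICY = {"default": "deny", "paths": {
    "/c2/config": {"default": "deny", "actions": [
        {"authorization": "TEST", "query": {"class": "RemoteMinifyTest"}, "action": "allow"}]},
    "/c2/config/contentTypes": {"default": "deny", "actions": [
        {"authorization": "TEST", "action": "allow"}]},
}}

def parse_properties(text):
    """Parse key=value lines, splitting on the first '=' (values contain '=')."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip().strip('"')  # unquoting is this example's choice
    return props

def decide(principal, url):
    """Assumed semantics: exact path match, first matching action, else default."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    rule = POLICY["paths"].get(parts.path)
    if rule is None:
        return POLICY["default"]  # path is not listed in the policy at all
    granted = AUTHORITIES.get(principal, [])
    for act in rule["actions"]:
        wanted = act.get("query", {})
        if act["authorization"] in granted and all(
                query.get(k) == v for k, v in wanted.items()):
            return act["action"]
    return rule["default"]

def audit(props_text):
    """Return the policy decision for every C2 URL the agent is set to call."""
    props = parse_properties(props_text)
    who = props["nifi.c2.agent.identifier"]
    return {k: decide(who, v) for k, v in props.items() if "url" in k}
```

Under this model only a `/c2/config` request carrying `class=RemoteMinifyTest` is allowed; the heartbeat, acknowledge and flow-base URLs in the agent configuration match no path in the policy.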