This page provides technical notes on the process we went through to set up the technical systems.
Setting up the NiFi Truststore to be able to access DHIS2
The DHIS2 server's URL is https://www.dhis2.org.mz, but the hostname in their SSL certificate is dhis2.org.mz (without the www). NiFi detects this mismatch and throws an error when an InvokeHTTP processor tries to authenticate with DHIS2. To get around this, we had to create a StandardSSLContextService that uses a local certificate truststore on the NiFi server. The following commands were used to create a truststore on the server containing the DHIS2 Mozambique server's certificate.
The TLS version was found by accessing: https://www.ssllabs.com/ssltest/analyze.html?d=www.dhis2.org.mz&latest
Notes on Trusted Store

- Downloaded the dhis2 Mozambique certificate and stored it in a file named dhis2moz.pem

    openssl s_client -showcerts -servername www.dhis2.org.mz -connect www.dhis2.org.mz:443 < /dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' > dhis2moz.pem

- Verified I could access the dhis2 server with curl referencing that certificate

    curl --cacert dhis2moz.pem -u USERNAME:PASSWORD https://www.dhis2.org.mz/prod/api/28/me

- Created a store file on the server

    cd /opt/nifi/nifi-1.5.0/conf
    sudo keytool -importcert -keystore cacerts.jks -alias CA-cert -storepass CREATEPASSWORD -file ~/dhis2moz.pem
    sudo chown nifi:nifi cacerts.jks

- Went into NiFi and created a StandardSSLContextService with these properties:

    Truststore Filename: /opt/nifi/nifi-1.5.0/conf/cacerts.jks
    Truststore Type: JKS
    TLS Protocol: TLSv1

- Saved and enabled the service
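
A certificate captured with openssl s_client is trusted on first use, so it is worth vetting the PEM file before keytool imports it. The script below is an added example, not part of the original notes: the function names are hypothetical, the sample certificate is a constructed self-signed one for dhis2.org.mz, and the pinned fingerprint is assumed to come from the server operator through a separate channel.

```shell
#!/bin/sh
# Added example: vet a downloaded PEM file before importing it into a truststore.
# All function names are hypothetical; requires the openssl CLI (1.1.1 or later).

# Exit 0 if the first certificate in PEM ($1) covers hostname ($2).
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Print the SHA-256 fingerprint of the first certificate in PEM ($1).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Exit 0 if the certificate in PEM ($1) is still valid $2 seconds from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Constructed sample: self-signed certificate for name $2 written to $1.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days 90 -subj "/CN=$2" -addext "subjectAltName=DNS:$2" 2>/dev/null
    rm -f "$1.key"
}

# vet_cert PEM HOSTNAME PINNED_FINGERPRINT
# Rejects on fingerprint mismatch or near expiry; warns on hostname mismatch.
vet_cert() {
    if [ "$(cert_fingerprint "$1")" != "$3" ]; then
        echo "REJECT: fingerprint differs from the pinned value"; return 1
    fi
    if ! cert_valid_for "$1" 2592000; then
        echo "REJECT: certificate expires within 30 days"; return 1
    fi
    cert_matches_host "$1" "$2" ||
        echo "WARN: certificate does not cover $2"
    echo "OK to import: $1"
}

# Demo on constructed data: the certificate names dhis2.org.mz, the URL uses www.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/sample.pem" dhis2.org.mz
pinned=$(cert_fingerprint "$demo_dir/sample.pem")  # stands in for the out-of-band value
vet_cert "$demo_dir/sample.pem" www.dhis2.org.mz "$pinned"
rm -rf "$demo_dir"
```

For the real file, the call would be vet_cert dhis2moz.pem www.dhis2.org.mz followed by the fingerprint supplied by the DHIS2 administrators.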