Configuring NiFi to use GCM ciphers
If you want to implement FIPS mode on your Cloudera Flow Management (CFM) cluster, you should use the bctls-safelogic.jar. This JAR file uses Galois/Counter Mode (GCM) ciphers, which are, by default, not allowed by the NiFi Java process. Learn how you can configure NiFi to use GCM ciphers.
The BouncyCastle TLS (BCTLS) library bctls-safelogic.jar includes an implementation of the TLS protocol that takes precedence over the standard Java implementation when configuring the BouncyCastleJsseProvider as a provider in java.security.
The default configuration of the BCTLS library does not enable GCM-based ciphers, which results in TLS server components attempting to negotiate weak cipher suites based on AES-CBC. Modern web browsers such as Google Chrome and Mozilla Firefox disable weak cipher suites, causing cipher mismatch errors when attempting to connect to a FIPS-enabled deployment of CFM.
Enabling GCM-based ciphers allows clients to negotiate modern TLS cipher suites, avoiding connection issues related to weak algorithms.
org.bouncycastle.jsse.fips.allowGCMCiphers=true Java system
property in the bootstrap.conf configuration file to enable
support for GCM-based ciphers using the BCTLS library:
The client and server don't support a common SSL protocol version or cipher suite
If you are using Cloudera Manager to manage NiFi, add the following parameter to NiFi Node Advanced Configuration Snippet (Safety Valve) for staging/bootstrap.conf.xml.
In Cloudera Manager, go to the NiFi service.
Locate the NiFi Node Advanced Configuration Snippet (Safety Valve) for staging/bootstrap.conf.xml.
You can search for it by typing its name in the Search box.
Add the following property:
Edit the Reason for change field.
Click Save Changes to commit the changes.
Restart the service.