Configuring NiFi to use GCM ciphers

If you want to implement FIPS mode on your Cloudera Flow Management (CFM) cluster, use the bctls-safelogic.jar. This JAR file supports Galois/Counter Mode (GCM) cipher suites, which the NiFi Java process does not allow by default. Learn how to configure NiFi to use GCM ciphers.

The BouncyCastle TLS (BCTLS) library bctls-safelogic.jar includes an implementation of the TLS protocol that takes precedence over the standard Java implementation when the BouncyCastleJsseProvider is configured as a provider in java.security.

The default configuration of the BCTLS library does not enable GCM-based ciphers, so TLS server components fall back to negotiating weak cipher suites based on AES-CBC. Modern web browsers such as Google Chrome and Mozilla Firefox disable these weak cipher suites, which causes cipher mismatch errors when connecting to a FIPS-enabled deployment of CFM.

Enabling GCM-based ciphers allows clients to negotiate modern TLS cipher suites, avoiding connection issues related to weak algorithms.

Set the org.bouncycastle.jsse.fips.allowGCMCiphers=true Java system property in the bootstrap.conf configuration file to enable support for GCM-based ciphers using the BCTLS library:

java.arg.allowgcm=-Dorg.bouncycastle.jsse.fips.allowGCMCiphers=true

If the property is not configured properly, the browser displays the following error message:
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Unsupported protocol
The client and server don't support a common SSL protocol version or cipher suite
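As an added example (not Cloudera's or NiFi's own tooling), the following POSIX shell functions add the java.arg.allowgcm property to a bootstrap.conf file only if it is not already present, and then confirm the fix by inspecting the cipher suite that the NiFi TLS listener actually negotiates with openssl s_client. The host, port and the bootstrap.conf path are assumptions to be replaced with your own values.

```shell
#!/bin/sh
# Added example: enable GCM ciphers in bootstrap.conf and verify the negotiated suite.

# Exact property from the documentation above.
GCM_PROP='java.arg.allowgcm=-Dorg.bouncycastle.jsse.fips.allowGCMCiphers=true'

# Append the property to the given bootstrap.conf unless a java.arg.allowgcm
# line already exists. Prints "added" or "present".
enable_gcm() {
  conf="$1"
  if grep -q '^java\.arg\.allowgcm=' "$conf"; then
    echo present
  else
    printf '%s\n' "$GCM_PROP" >> "$conf"
    echo added
  fi
}

# Return 0 if the "Cipher    : <name>" line of openssl s_client output names a
# GCM suite (for example TLS_AES_256_GCM_SHA384 or ECDHE-RSA-AES256-GCM-SHA384),
# non-zero if a CBC suite was negotiated or the handshake failed.
cipher_is_gcm() {
  s_client_output="$1"
  printf '%s\n' "$s_client_output" | grep -E '^ *Cipher *: ' | grep -q 'GCM'
}

# Live check against a NiFi node (assumed host/port; needs the openssl binary).
# An empty stdin makes s_client exit right after the handshake.
check_nifi_gcm() {
  host="$1"
  port="${2:-8443}"
  out=$(printf '' | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null)
  if cipher_is_gcm "$out"; then
    echo "GCM cipher suite negotiated with $host:$port"
  else
    echo "no GCM cipher suite negotiated with $host:$port (CBC fallback or handshake failure)"
    return 1
  fi
}

# Typical use (paths and host are assumptions):
#   enable_gcm /opt/cloudera/parcels/CFM/NIFI/conf/bootstrap.conf
#   # restart NiFi, then:
#   check_nifi_gcm nifi-node1.example.com 8443
```

If the check still reports a CBC suite after a restart, confirm that the running Java process actually carries the -Dorg.bouncycastle.jsse.fips.allowGCMCiphers=true argument, since a property added to the wrong bootstrap.conf is silently ignored.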

If you are using Cloudera Manager to manage NiFi, add the following parameter to the NiFi Node Advanced Configuration Snippet (Safety Valve) for staging/bootstrap.conf.xml:

  1. In Cloudera Manager, go to the NiFi service.

  2. Select Configuration > Advanced Configuration Snippets.

  3. Locate the NiFi Node Advanced Configuration Snippet (Safety Valve) for staging/bootstrap.conf.xml.

    You can search for it by typing its name in the Search box.

  4. Add the following property:

    Name: java.arg.allowgcm

    Value: -Dorg.bouncycastle.jsse.fips.allowGCMCiphers=true

  5. Edit the Reason for change field.

  6. Click Save Changes to commit the changes.

  7. Restart the service.