Configuring NiFi to use GCM ciphers

If you want to implement FIPS mode on your Cloudera Flow Management (CFM) cluster, you should use the bctls-safelogic.jar. This JAR file uses Galois/Counter Mode (GCM) ciphers, which are, by default, not allowed by the NiFi Java process. Learn how you can configure NiFi to use GCM ciphers.

The BouncyCastle TLS (BCTLS) library bctls-safelogic.jar includes an implementation of the TLS protocol that takes precedence over the standard Java implementation when configuring the BouncyCastleJsseProvider as a provider in

The default configuration of the BCTLS library does not enable GCM-based ciphers, which results in TLS server components attempting to negotiate weak cipher suites based on AES-CBC. Modern web browsers such as Google Chrome and Mozilla Firefox disable weak cipher suites, causing cipher mismatch errors when attempting to connect to a FIPS-enabled deployment of CFM.

Enabling GCM-based ciphers allows clients to negotiate modern TLS cipher suites, avoiding connection issues related to weak algorithms.

Set the org.bouncycastle.jsse.fips.allowGCMCiphers=true Java system property in the bootstrap.conf configuration file to enable support for GCM-based ciphers using the BCTLS library:


If it is not configured properly, the following error message is displayed:
Unsupported protocol
The client and server don't support a common SSL protocol version or cipher suite

If you are using Cloudera Manager to manage NiFi, add the following parameter to NiFi Node Advanced Configuration Snippet (Safety Valve) for staging/bootstrap.conf.xml.

  1. In Cloudera Manager, go to the NiFi service.

  2. Select Configuration > Advanced Configuration Snippets.

  3. Locate the NiFi Node Advanced Configuration Snippet (Safety Valve) for staging/bootstrap.conf.xml.

    You can search for it by typing its name in the Search box.

  4. Add the following property:

    Name: java.arg.allowgcm

    Value: -Dorg.bouncycastle.jsse.fips.allowGCMCiphers=true

  5. Edit the Reason for change field.

  6. Click Save Changes to commit the changes.

  7. Restart the service.