Configuring NiFi to use GCM ciphers

If you implement FIPS mode on your CFM cluster, you have to use the bctls-safelogic.jar, which uses Galois/Counter Mode (GCM) ciphers. These ciphers are not allowed by the NiFi Java process by default. Learn how you can configure Apache NiFi to use the GCM ciphers.

The Bouncy Castle TLS library bctls-safelogic.jar includes an implementation of the TLS protocol that takes precedence over the standard Java implementation when configuring the BouncyCastleJsseProvider as a provider in java.security. The default configuration of the BCTLS library does not enable GCM-based ciphers, which results in TLS server components attempting to negotiate weak cipher suites based on AES-CBC. Modern web browsers such as Google Chrome and Mozilla Firefox disable weak cipher suites, resulting in cipher mismatch errors when attempting to connect to a FIPS-enabled deployment of CFM.

Follow these steps to configure NiFi to use GCM ciphers:

Set the following Java System property to enable support for GCM-based ciphers using the Bouncy Castle TLS library: org.bouncycastle.jsse.fips.allowGCMCiphers=true

You can specify this setting in the bootstrap.conf configuration using the following setting: java.arg.allowgcm=-Dorg.bouncycastle.jsse.fips.allowGCMCiphers=true

Enabling GCM-based ciphers allows clients to negotiate modern TLS cipher suites, avoiding connection issues related to weak algorithms.