Deploying Cloudera Flow Management on FIPS-enabled clusters

FIPS 140-2 compliance is mandatory for many government and regulated industry environments. Cloudera Flow Management (CFM) is compatible with FIPS-enabled operating systems and cryptographic libraries, but it requires additional configuration to ensure successful deployment and runtime operation.

This guide outlines the required steps to deploy CFM on clusters running in FIPS 140-2 mode.

Ensure that the following are in place:

  • CDP Private Cloud Base is installed with FIPS mode enabled
  • Java 11 (FIPS-compliant build)
  • CFM 2.x (for example: 2.1.7)
  • AutoTLS configured (recommended)
  • Access to required cryptographic JARs from SafeLogic/Bouncy Castle

  1. Install the required cryptographic libraries by copying the following JAR files into the CFM parcel toolkit directory.
    cp -a /path/to/ccj/jars/bctls.jar \
          /path/to/ccj/jars/ccj-3.0.2.1.jar \
          /opt/cloudera/parcels/CFM-[***VERSION***]/TOOLKIT/lib/

    Replace [***VERSION***] with the appropriate CFM version.

  2. Configure GCM Cipher support and NiFi Bootstrap settings.

    Modern web browsers (for example, Chrome and Firefox) reject weak TLS cipher suites. By default, Bouncy Castle’s FIPS TLS library does not enable GCM ciphers, which are required for compatibility with these browsers.

    This configuration step enables GCM-based TLS ciphers through Bouncy Castle, avoiding connection issues caused by legacy AES-CBC suites, especially in FIPS environments.

    1. In Cloudera Manager, navigate to NiFi > Configuration > Advanced > NiFi Node Advanced Configuration Snippet (Safety Valve) for staging/bootstrap.conf.xml.
    2. Add the following properties in XML view.
      <property>
        <name>java.arg.modulepath</name>
        <value>--module-path=/tmp/jars</value>
      </property>
      <property>
        <name>java.arg.allowgcm</name>
        <value>-Dorg.bouncycastle.jsse.fips.allowGCMCiphers=true</value>
      </property>
      <property>
        <name>java.arg.truststoretype</name>
        <value>-Djavax.net.ssl.trustStoreType=bcfks</value>
      </property>
      <property>
        <name>java.arg.truststorepath</name>
        <value>-Djavax.net.ssl.trustStore=/var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_truststore.jks</value>
      </property>
      <property>
        <name>java.arg.truststorepassword</name>
        <value>-Djavax.net.ssl.trustStorePassword=REPLACE_ME</value>
      </property>
    3. If NiFi Registry is part of your deployment, apply the same configuration to it.
      Navigate to NiFi Registry > Configuration > Advanced > NiFi Registry Advanced Configuration Snippet (Safety Valve) for staging/bootstrap.conf.xml and add the same properties as defined for NiFi.
    4. If you are using AutoTLS Use Case 3, you can retrieve the truststore password from the Cloudera Manager (scm) database.
      sudo -u postgres psql
      \c scm
      SELECT * FROM CONFIGS WHERE attr LIKE 'truststore_password';
  3. Encrypt NiFi sensitive properties with a FIPS-compliant algorithm by editing the nifi.properties file.
    nifi.sensitive.props.algorithm=NIFI_PBKDF2_AES_GCM_256
    nifi.sensitive.props.key=your_secure_password_here
    • Use either NIFI_PBKDF2_AES_GCM_128 or NIFI_PBKDF2_AES_GCM_256.

    • The password must be at least 12 characters.

  4. Restart the Cloudera SCM agent to start and validate the CFM deployment.
    sudo systemctl stop cloudera-scm-supervisord.service
    sudo systemctl restart cloudera-scm-agent
  5. Start the NiFi service from Cloudera Manager.
  6. Validate the deployment.

    After startup, confirm that:

    1. NiFi is running.
    2. No cipher mismatch or keyStore errors are present in the logs.
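As an added example (not part of the Cloudera documentation or product), the following Python check parses the rendered bootstrap.conf and nifi.properties and flags the misconfigurations that steps 2, 3 and 6 are concerned with: GCM ciphers left disabled, a truststore type other than bcfks, the REPLACE_ME truststore password placeholder left in place, a sensitive-properties algorithm that is not one of the two PBKDF2/AES-GCM variants, or a key shorter than 12 characters. It assumes that the safety-valve properties render into bootstrap.conf as plain key=value lines, as in the constructed sample below, and that the caller reads the real files from disk.

```python
import re
# Constructed sample of bootstrap.conf after the step 2 safety-valve properties are
# applied; assumed to render as plain key=value lines (one line per property).
BOOTSTRAP_CONF = """\
java.arg.modulepath=--module-path=/tmp/jars
java.arg.allowgcm=-Dorg.bouncycastle.jsse.fips.allowGCMCiphers=true
java.arg.truststoretype=-Djavax.net.ssl.trustStoreType=bcfks
java.arg.truststorepath=-Djavax.net.ssl.trustStore=/var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_truststore.jks
java.arg.truststorepassword=-Djavax.net.ssl.trustStorePassword=REPLACE_ME
"""
# Constructed nifi.properties fragment from step 3 (key deliberately too short).
NIFI_PROPERTIES = """\
nifi.sensitive.props.algorithm=NIFI_PBKDF2_AES_GCM_256
nifi.sensitive.props.key=short
"""
ALLOWED_ALGORITHMS = {"NIFI_PBKDF2_AES_GCM_128", "NIFI_PBKDF2_AES_GCM_256"}
def parse_properties(text):
    """Parse key=value lines, splitting on the first '='; skip blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def jvm_system_properties(props):
    """Collect the -Dname=value system properties set by java.arg.* entries."""
    args = {}
    for key, value in props.items():
        if key.startswith("java.arg.") and (m := re.fullmatch(r"-D([^=]+)=(.*)", value)):
            args[m.group(1)] = m.group(2)
    return args
def check_fips_config(bootstrap_text, nifi_props_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    args = jvm_system_properties(parse_properties(bootstrap_text))
    if args.get("org.bouncycastle.jsse.fips.allowGCMCiphers") != "true":
        findings.append("GCM ciphers not enabled: browsers may reject the TLS handshake")
    if args.get("javax.net.ssl.trustStoreType") != "bcfks":
        findings.append("trustStoreType is not bcfks")
    if args.get("javax.net.ssl.trustStorePassword") in (None, "REPLACE_ME"):
        findings.append("trustStorePassword is missing or still the REPLACE_ME placeholder")
    nifi = parse_properties(nifi_props_text)
    if nifi.get("nifi.sensitive.props.algorithm") not in ALLOWED_ALGORITHMS:
        findings.append("sensitive props algorithm is not NIFI_PBKDF2_AES_GCM_128/256")
    if len(nifi.get("nifi.sensitive.props.key", "")) < 12:
        findings.append("sensitive props key is shorter than 12 characters")
    return findings
```

Run it against the real files (for example with `check_fips_config(open(bootstrap).read(), open(nifi_props).read())`) before starting the NiFi service; the constructed sample above reports the placeholder password and the short key.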