Deploying Cloudera Flow Management on FIPS-enabled clusters

FIPS 140-2 compliance is mandatory for many government and regulated industry environments. Cloudera Flow Management is compatible with FIPS-enabled operating systems and cryptographic libraries but requires specific configuration changes to ensure successful deployment and runtime operation.

This guide provides the steps and configuration required to deploy Cloudera Flow Management on clusters running in FIPS 140-2 mode. Before you begin, make sure the following prerequisites are in place:

  • Cloudera Base on premises installed with FIPS mode enabled
  • Java 11 (FIPS-compliant build)
  • Cloudera Flow Management 2.x (for example: 2.1.7)
  • AutoTLS configured (recommended)
  • Access to required cryptographic JARs from SafeLogic/Bouncy Castle

  1. Install the required cryptographic JARs by copying the following files into the Cloudera Flow Management parcel's toolkit directory.
    cp -a /path/to/ccj/jars/bctls.jar \
          /path/to/ccj/jars/ccj-3.0.2.1.jar \
          /opt/cloudera/parcels/CFM-[***VERSION***]/TOOLKIT/lib/

    Replace [***VERSION***] with the appropriate Cloudera Flow Management version string.

  2. Configure GCM Cipher support and NiFi Bootstrap settings.

    Modern web browsers like Chrome or Firefox reject weak TLS cipher suites. By default, Bouncy Castle’s FIPS TLS library does not enable GCM ciphers, which are required for compatibility with secure browsers. This configuration enables modern GCM-based TLS ciphers through Bouncy Castle, avoiding connection issues caused by legacy AES-CBC suites, especially in FIPS environments.

    To enable GCM cipher support and configure bootstrap settings:

    1. Navigate to Cloudera Manager > NiFi > Configuration > Advanced > NiFi Node Advanced Configuration Snippet (Safety Valve) for staging/bootstrap.conf.xml.
    2. Add the following properties in XML view.
      <property>
        <name>java.arg.modulepath</name>
        <value>--module-path=/tmp/jars</value>
      </property>
      <property>
        <name>java.arg.allowgcm</name>
        <value>-Dorg.bouncycastle.jsse.fips.allowGCMCiphers=true</value>
      </property>
      <property>
        <name>java.arg.truststoretype</name>
        <value>-Djavax.net.ssl.trustStoreType=bcfks</value>
      </property>
      <property>
        <name>java.arg.truststorepath</name>
        <value>-Djavax.net.ssl.trustStore=/var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_truststore.jks</value>
      </property>
      <property>
        <name>java.arg.truststorepassword</name>
        <value>-Djavax.net.ssl.trustStorePassword=REPLACE_ME</value>
      </property>
    3. If you use AutoTLS Use Case 3, you can retrieve the truststore password from the Cloudera Manager database and use the returned value in place of REPLACE_ME in the java.arg.truststorepassword property.
      sudo -u postgres psql
      \c scm
      SELECT * FROM CONFIGS WHERE attr LIKE 'truststore_password';
  3. Encrypt NiFi sensitive properties with a FIPS-approved algorithm by setting the following in the nifi.properties file.
    nifi.sensitive.props.algorithm=NIFI_PBKDF2_AES_GCM_256
    nifi.sensitive.props.key=your_secure_password_here
    • Use either NIFI_PBKDF2_AES_GCM_128 or NIFI_PBKDF2_AES_GCM_256 as the algorithm.
    • The key (password) must be at least 12 characters long.

  4. Restart the Cloudera SCM agent before starting and validating the Cloudera Flow Management deployment.
    sudo systemctl stop cloudera-scm-supervisord.service
    sudo systemctl restart cloudera-scm-agent
  5. Start the NiFi service through Cloudera Manager.
  6. Confirm that NiFi stays running and that the logs show no cipher mismatch or keystore errors.
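As an added pre-flight check (example code, not Cloudera's own tooling), the script below validates what steps 2 and 3 configure: the java.arg entries in the rendered bootstrap.conf and the sensitive-property algorithm and key length in nifi.properties. It assumes the safety valve renders each property as a name=value line in bootstrap.conf, and all file paths and sample contents are constructed so that it runs offline.

```shell
#!/bin/sh
# Added pre-flight check, not Cloudera's own tooling: validates the bootstrap
# java.arg entries from step 2 and the sensitive-property settings from step 3.
# Succeeds when the algorithm is one of the two PBKDF2/AES-GCM values the
# procedure allows and the key is at least 12 characters long.
check_sensitive_props() {
    algo=$(sed -n 's/^nifi\.sensitive\.props\.algorithm=//p' "$1")
    key=$(sed -n 's/^nifi\.sensitive\.props\.key=//p' "$1")
    case "$algo" in
        NIFI_PBKDF2_AES_GCM_128|NIFI_PBKDF2_AES_GCM_256) ;;
        *) echo "non-FIPS sensitive props algorithm: '$algo'"; return 1 ;;
    esac
    [ "${#key}" -ge 12 ] || { echo "sensitive props key shorter than 12 characters"; return 1; }
}

# Succeeds when every JVM argument from step 2 is present in the rendered
# bootstrap.conf (assumed to hold one name=value line per safety-valve
# property) and the REPLACE_ME placeholder has actually been replaced.
check_bootstrap_args() {
    for needle in \
        'java.arg.allowgcm=-Dorg.bouncycastle.jsse.fips.allowGCMCiphers=true' \
        'java.arg.truststoretype=-Djavax.net.ssl.trustStoreType=bcfks' \
        'java.arg.truststorepath=-Djavax.net.ssl.trustStore=' \
        'java.arg.truststorepassword=-Djavax.net.ssl.trustStorePassword='; do
        grep -qF -- "$needle" "$1" || { echo "missing bootstrap argument: $needle"; return 1; }
    done
    ! grep -qF -- 'trustStorePassword=REPLACE_ME' "$1" || { echo "truststore password is still REPLACE_ME"; return 1; }
}

# Constructed sample files (not from a real cluster) so the checks can be
# exercised offline; prints the directory they were written to.
write_samples() {
    dir=${1:-/tmp/cfm-fips-check}; mkdir -p "$dir"
    printf '%s\n' 'nifi.sensitive.props.algorithm=NIFI_PBKDF2_AES_GCM_256' \
        'nifi.sensitive.props.key=correct-horse-battery' > "$dir/good.properties"
    printf '%s\n' 'nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL' \
        'nifi.sensitive.props.key=short' > "$dir/bad.properties"
    printf '%s\n' 'java.arg.allowgcm=-Dorg.bouncycastle.jsse.fips.allowGCMCiphers=true' \
        'java.arg.truststoretype=-Djavax.net.ssl.trustStoreType=bcfks' \
        'java.arg.truststorepath=-Djavax.net.ssl.trustStore=/var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_truststore.jks' \
        'java.arg.truststorepassword=-Djavax.net.ssl.trustStorePassword=REPLACE_ME' > "$dir/bootstrap.conf"
    echo "$dir"
}

# Stand-alone run against the constructed samples.
d=$(write_samples)
check_sensitive_props "$d/good.properties" && echo "good.properties: OK"
check_sensitive_props "$d/bad.properties" || echo "bad.properties: rejected, as expected"
check_bootstrap_args "$d/bootstrap.conf" || echo "bootstrap.conf: rejected until REPLACE_ME is filled in"
```

Run the two check functions against the real nifi.properties and bootstrap.conf on each NiFi node before step 5 to catch a wrong algorithm, a short key, or a leftover placeholder before NiFi fails to start.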