Enable GCM cipher suites

Databricks clusters do not have GCM (Galois/Counter Mode) cipher suites enabled by default.

You must enable GCM cipher suites on your cluster to connect to an external server that requires GCM cipher suites.

Verify required cipher suites

Use the nmap utility to verify which cipher suites are required by the external server.

nmap --script ssl-enum-ciphers -p <port> <hostname>

Note

If nmap is not installed, run sudo apt-get install -y nmap to install it on your cluster.

Create an init script to enable GCM cipher suites

Use the example code to create an init script that enables GCM cipher suites on your cluster.

Python:

dbutils.fs.put("/<path-to-init-script>/enable-gcm.sh", """#!/bin/bash
sed -i 's/, GCM//g' /databricks/spark/dbconf/java/extra.security
""", True)

Scala:

dbutils.fs.put("/<path-to-init-script>/enable-gcm.sh", """#!/bin/bash
sed -i 's/, GCM//g' /databricks/spark/dbconf/java/extra.security
""", true)

Remember the path to the init script. You will need it when configuring your cluster.
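The init script above works by deleting the GCM entry from the jdk.tls.disabledAlgorithms property in the cluster's Java security properties file. The following Python is an added example, not part of this article or of Databricks' own tooling: it parses a constructed sample of such a file, removes only the GCM token from that one property (rather than every ", GCM" in the file, as the sed command does), and then checks which cipher suite names the resulting policy leaves enabled. The sample file contents and the suite-matching rule in is_suite_disabled() are assumptions; the real extra.security on a cluster may contain other properties, and the JDK's own matching rules are richer than this component check.

```python
"""Added example: inspect and edit jdk.tls.disabledAlgorithms in a Java
security properties file, mirroring what the enable-gcm.sh init script does.

Assumptions (not from the article): the property sits on a single line with
comma-separated entries, as in the constructed sample below, and a suite is
treated as disabled when a disabled token appears as an underscore-delimited
component of its name (a simplification of the JDK's matching rules).
"""

PROPERTY = "jdk.tls.disabledAlgorithms"

# Constructed sample; the real /databricks/spark/dbconf/java/extra.security
# on a cluster may differ.
SAMPLE_EXTRA_SECURITY = (
    "# constructed sample of a Java security properties file\n"
    "jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, "
    "DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, GCM\n"
    "jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer\n"
)

# Three suites from the article's list plus two non-GCM JSSE suite names.
SAMPLE_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
]


def parse_disabled_algorithms(text):
    """Return the entries of jdk.tls.disabledAlgorithms, or [] if absent."""
    for line in text.splitlines():
        if line.startswith(PROPERTY + "="):
            value = line.split("=", 1)[1]
            return [e.strip() for e in value.split(",") if e.strip()]
    return []


def enable_gcm(text):
    """Drop the GCM entry from jdk.tls.disabledAlgorithms only.

    Every other entry and every other line is left untouched. The article's
    `sed 's/, GCM//g'` instead removes the text ", GCM" wherever it occurs in
    the file; this version edits one property and matches the whole token.
    """
    out = []
    for line in text.splitlines():
        if line.startswith(PROPERTY + "="):
            entries = [e for e in parse_disabled_algorithms(line) if e != "GCM"]
            line = PROPERTY + "=" + ", ".join(entries)
        out.append(line)
    return "\n".join(out) + "\n"


def is_suite_disabled(suite, disabled):
    """Simplified check: True if any disabled token is a component of the
    suite name (so '3DES_EDE_CBC' or 'GCM' match, but 'DES' does not match
    '3DES')."""
    padded = "_" + suite + "_"
    return any("_" + tok + "_" in padded for tok in disabled)


def enabled_suites(text, suites):
    """Return the suites that the policy in `text` leaves enabled."""
    disabled = parse_disabled_algorithms(text)
    return [s for s in suites if not is_suite_disabled(s, disabled)]


if __name__ == "__main__":
    print("before:", enabled_suites(SAMPLE_EXTRA_SECURITY, SAMPLE_SUITES))
    fixed = enable_gcm(SAMPLE_EXTRA_SECURITY)
    print("after: ", enabled_suites(fixed, SAMPLE_SUITES))
```

Running the module prints the enabled subset before and after the edit: before, only the CBC suite survives the sample policy; after, the three GCM suites are enabled while RC4 stays disabled, because the edit removes exactly one token and leaves the rest of the hardening in place.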

Configure cluster with init script

Follow the documentation to configure a cluster-scoped init script.

You must specify the path to the init script.

After configuring the init script, restart the cluster.

Verify that GCM cipher suites are enabled

This example Scala code queries the cluster JVM for its enabled TLS protocols and cipher suites and prints them.

import javax.net.ssl.SSLContext

// Protocols and cipher suites enabled by the JVM's default SSL parameters
val params = SSLContext.getDefault.getDefaultSSLParameters
params.getProtocols.foreach(println)
params.getCipherSuites.foreach(println)

If the GCM cipher suites are enabled, the following AES-GCM cipher suites appear in the output.

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256

Connect to the external server

Once you have verified that GCM cipher suites are enabled on your cluster, connect to the external server.