Enable GCM cipher suites

Enable AES-GCM encryption (GCM cipher suites) for use with SSL connections to other clusters. Resolve javax.net.ssl.SSLHandshakeException error.

Written by xin.wang

Last published at: November 30th, 2022

Databricks clusters using Databricks Runtime 9.1 LTS and below do not have GCM (Galois/Counter Mode) cipher suites enabled by default.

You must enable GCM cipher suites on your cluster to connect to an external server that requires GCM cipher suites.

Delete

Info

This article applies to clusters using Databricks Runtime 7.3 LTS and 9.1 LTS. Databricks Runtime 10.4 LTS and above have GCM cipher suites enabled by default.


Verify required cipher suites

Use the nmap utility to verify which cipher suites are required by the external server.

%sh

nmap --script ssl-enum-ciphers -p <port> <hostname>
Delete

Note

If nmap is not installed, run sudo apt-get install -y nmap to install it on your cluster.

Create an init script to enable GCM cipher suites

Use the example code to create an init script that enables GCM cipher suites on your cluster.

%python

dbutils.fs.put("/<path-to-init-script>/enable-gcm.sh", """#!/bin/bash
sed -i 's/, GCM//g' /databricks/spark/dbconf/java/extra.security
""",True)
%scala

dbutils.fs.put("/<path-to-init-script>/enable-gcm.sh", """#!/bin/bash
sed -i 's/, GCM//g' /databricks/spark/dbconf/java/extra.security
""",true)

Remember the path to the init script. You will need it when configuring your cluster.

Configure cluster with init script

Follow the documentation to configure a cluster-scoped init script.

You must specify the path to the init script.

After configuring the init script, restart the cluster.

Verify that GCM cipher suites are enabled

This example code queries the cluster for all supported cipher suites and then prints the output.

%scala

import java.util.Map;
import java.util.TreeMap;
import javax.net.ssl.SSLServerSocketFactory
import javax.net.ssl._
SSLContext.getDefault.getDefaultSSLParameters.getProtocols.foreach(println)
SSLContext.getDefault.getDefaultSSLParameters.getCipherSuites.foreach(println)

If the GCM cipher suites are enabled, you see the following AES-GCM ciphers listed in the output.

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256

Connect to the external server

Once you have verified that GCM cipher suites are installed on your cluster, make a connection to the external server.