TLS in JFrog Pipelines
This section explains how to enable TLS in JFrog Pipelines. JFrog Pipelines services will not allow an SSL/TLS connection to an external service without validating the trusted CA certificate.
With TLS enabled, every JFrog Pipelines service must trust Access as a Certificate Authority. Access shares the CA certificate with all the Pipelines nodes; however, additional services in Pipelines need to trust Access as well. The trust between a Pipelines service and Access is created by copying the ca.crt file from the Artifactory server, under $JFROG_HOME/artifactory/var/etc/access/keys, to $JFROG_HOME/<product>/var/etc/security/keys/trusted on any Pipelines service node you want to set up trust with.
Prerequisites
- Enable TLS in Artifactory. For more information, see Managing TLS Certificates.
- Restart Artifactory after enabling TLS.
Enabling TLS in JFrog Pipelines
Perform the following steps to enable TLS in JFrog Pipelines:
- Copy the ca.crt file from your Artifactory server, available at $JFROG_HOME/artifactory/var/etc/access/keys.
- Run the following command to recursively create the relevant directories for Pipelines:
  mkdir -p /opt/jfrog/pipelines/var/etc/security/keys/trusted
- Paste the ca.crt file, copied from $JFROG_HOME/artifactory/var/etc/access/keys, into /opt/jfrog/pipelines/var/etc/security/keys/trusted.
- Install Pipelines and ensure that https is used for all the URLs:
  sudo pipelines install \
    --base-url-ui https://<jfrog-url> \
    --base-url https://<jfrog-url> \
    --artifactory-joinkey <join-key> \
    --installer-ip <new-instance-ip> \
    --api-url https://<external-ip>:8082/pipelines/api \
    --www-url https://<external-ip>:30001 \
    --rabbitmq-url amqp://<external-ip>:30200
For information about installing Pipelines, see Installing Pipelines.
Repeat the above steps on all the nodes where Pipelines is installed.
After all additional nodes have been installed with an identical version of Pipelines, the load balancer must be configured to distribute requests made through a common base URI.
The load balancer can also be set up with custom certificates. In this case, those certificates, in crt format, should be loaded to $JFROG_HOME/pipelines/var/etc/security/keys/trusted.
In addition, the www-url must be behind the load balancer to ensure that WebSocket connections work.
Custom CA Certificate in JFrog Pipelines
This section provides information about loading a custom CA certificate in JFrog Pipelines.
You can provide a custom CA certificate and matching private key for JFrog Access to use when signing the TLS certificates of all the JFrog Pipelines nodes.
Prerequisites
- Enable TLS in Artifactory. For more information, see Enabling TLS in JFrog Platform.
- Restart Artifactory after enabling TLS.
Custom CA Prerequisites
Your custom CA certificate must meet the following prerequisites:
- The private key must use the RSA algorithm.
- The private key must be at least 1024-bit.
- The certificate must match the provided private key.
- The certificate must be valid for the next 7 days at least.
- The certificate must be marked with a CA basic constraint.
- SAN should not be set.
- Key usage extension should be marked CRITICAL.
- Key usage digitalSignature extension should be enabled.
- Key usage keyCertSign extension should be enabled.
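To check a candidate certificate and key against these prerequisites before loading them into Access, here is an added example (not part of the JFrog documentation or tooling) built on the openssl command line; the function name check_custom_ca and the argument file names are assumptions.

```shell
#!/bin/sh
# Added example, not JFrog tooling: validate a custom CA certificate and its
# private key against the custom CA prerequisites listed above, using openssl.
# Usage: check_custom_ca ca.crt ca.private.key   (returns 0 when every check passes)
check_custom_ca() {
  crt="$1"; key="$2"; fail=0
  txt=$(openssl x509 -in "$crt" -noout -text) || return 1

  # The private key must be RSA (openssl rsa rejects EC and other key types).
  openssl rsa -in "$key" -noout -check >/dev/null 2>&1 \
    || { echo "FAIL: private key is not a usable RSA key"; fail=1; }

  # The RSA modulus must be at least 1024 bits.
  bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  [ "${bits:-0}" -ge 1024 ] || { echo "FAIL: key is only ${bits:-?} bits"; fail=1; }

  # The certificate must match the key: compare the public keys each one carries.
  pub_from_crt=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
  pub_from_key=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ "$pub_from_crt" = "$pub_from_key" ] \
    || { echo "FAIL: certificate does not match the private key"; fail=1; }

  # The certificate must remain valid for at least 7 days (604800 seconds).
  openssl x509 -in "$crt" -noout -checkend 604800 >/dev/null \
    || { echo "FAIL: certificate expires within 7 days"; fail=1; }

  # CA basic constraint must be present, and no Subject Alternative Name.
  printf '%s\n' "$txt" | grep -q 'CA:TRUE' \
    || { echo "FAIL: basic constraint CA:TRUE is missing"; fail=1; }
  printf '%s\n' "$txt" | grep -q 'Subject Alternative Name' \
    && { echo "FAIL: SAN must not be set"; fail=1; }

  # Key usage must be critical and include digitalSignature and keyCertSign.
  ku=$(printf '%s\n' "$txt" | sed -n '/X509v3 Key Usage/{N;p;}')
  printf '%s\n' "$ku" | grep -q 'Key Usage: critical' \
    || { echo "FAIL: key usage extension is not marked critical"; fail=1; }
  printf '%s\n' "$ku" | grep -q 'Digital Signature' \
    || { echo "FAIL: digitalSignature key usage is missing"; fail=1; }
  printf '%s\n' "$ku" | grep -q 'Certificate Sign' \
    || { echo "FAIL: keyCertSign key usage is missing"; fail=1; }

  [ "$fail" -eq 0 ] && echo "OK: $crt meets the custom CA prerequisites"
  return "$fail"
}
```

Each failed requirement is reported on its own line, so a rejected certificate tells you which prerequisite to fix rather than only that it was rejected.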
Loading a Custom CA Certificate in JFrog Pipelines
After ca.crt and ca.private.key are loaded in Access, perform the following steps to create the trust between Access and JFrog Pipelines.
To load a custom CA certificate and matching private key:
- Create the ca.crt file and place it under $JFROG_HOME/artifactory/var/bootstrap/etc/access/keys.
- Restart Artifactory.
- Run the following command to recursively create the relevant directories for Pipelines:
  mkdir -p /opt/jfrog/pipelines/var/etc/security/keys/trusted
- Paste the ca.crt file, copied from $JFROG_HOME/artifactory/var/etc/access/keys, into /opt/jfrog/pipelines/var/etc/security/keys/trusted.
- Install Pipelines and ensure that https is used for all the URLs:
  sudo pipelines install \
    --base-url-ui https://<jfrog-url> \
    --base-url https://<jfrog-url> \
    --artifactory-joinkey <join-key> \
    --installer-ip <new-instance-ip> \
    --api-url https://<external-ip>:8082/pipelines/api \
    --www-url https://<external-ip>:30001 \
    --rabbitmq-url amqp://<external-ip>:30200
For information about installing Pipelines, see Installing Pipelines.
Repeat the above steps on all the nodes where Pipelines is installed.
After all additional nodes have been installed with an identical version of Pipelines, the load balancer must be configured to distribute requests made through a common base URI.
The load balancer can also be set up with custom certificates. In this case, those certificates, in crt format, should be loaded to $JFROG_HOME/pipelines/var/etc/security/keys/trusted.
In addition, the www-url must be behind the load balancer to ensure that WebSocket connections work.