Overview

TLS connections can be used within the JFrog Platform between the different cluster nodes and services, or by JFrog services for communicating with remote sites.

This guide describes how to do both.

Trusting a Self-Signed Certificate or a New CA

You can set up TLS between the JFrog Platform and external services by trusting the external services' certificates.

JFrog Artifactory uses its JVM's trusted key store when verifying the Certificate Authority (CA) of the SSL/TLS certificate that a remote site is configured with.
Artifactory will not allow an SSL/TLS connection with a remote site unless the remote site meets all of the JVM's security requirements, including validation of the certificate against a trusted CA.

You may need to trust an additional CA when the remote site's SSL/TLS certificate is signed by a CA that is not already included in the JVM's trusted key store.
For example, you may need to trust a self-signed certificate (one not signed by a trusted Certificate Authority) that is used by your LDAPS server, internal proxy, OAuth server, or remote repositories.

To install custom and/or self-signed certificates on any other JFrog Platform service, copy the certificates into the $JFROG_HOME/<product>/var/etc/security/keys/trusted directory of every service that needs to trust them.

Downloading a Certificate

To download/acquire the certificate(s) of the SSL-secured server, use the following command:

    openssl s_client -connect <secure authentication server IP and port> -showcerts < /dev/null > server.crt

The redirected output contains the full s_client handshake transcript as well as the certificate(s); the certificates themselves are the PEM blocks between the BEGIN CERTIFICATE and END CERTIFICATE markers.

Examples

  • Red Hat CDN
    openssl s_client -connect cdn.redhat.com:443 -showcerts < /dev/null > server.crt
  • LDAP or Active Directory
    openssl s_client -connect the.ldap.server.net:636 -showcerts < /dev/null > server.crt
  • OAuth (use the Authorization URL), for example with GitHub
    openssl s_client -connect github.com:443 -showcerts < /dev/null > server.crt
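The s_client capture above is a handshake transcript with the certificates embedded in it. The following script is an added example, not JFrog's own tooling: it keeps only the PEM certificate blocks from such a capture, counts them, and prints the subject, issuer and SHA-256 fingerprint of the first one so it can be compared out of band before the file is copied into a trusted/ directory. The file names and the constructed sample transcript are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not JFrog's own tooling: turn the raw `openssl s_client -showcerts`
# capture (server.crt as produced by the command above) into a file that holds only
# the PEM certificate blocks, then report what was captured. File names are assumptions.

# extract_pem_chain RAW OUT: keep only the lines from each BEGIN CERTIFICATE marker
# through its END CERTIFICATE marker; the handshake transcript around them is dropped.
extract_pem_chain() {
    awk '/-----BEGIN CERTIFICATE-----/ { keep = 1 }
         keep { print }
         /-----END CERTIFICATE-----/ { keep = 0 }' "$1" > "$2"
}

# count_certs FILE: number of PEM certificates in FILE (one BEGIN marker each).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# describe_first_cert FILE: subject, issuer and SHA-256 fingerprint of the first
# certificate, to compare out of band with the remote site's operator before the
# file is trusted.
describe_first_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha256
}

# Stand-alone use: `sh extract_chain.sh server.crt chain.crt`. With no arguments it
# runs on a constructed s_client-style transcript instead (the PEM bodies are dummy
# base64, so describe_first_cert is only called for real input).
if [ $# -eq 2 ]; then
    extract_pem_chain "$1" "$2"
    echo "$(count_certs "$2") certificate(s) written to $2"
    describe_first_cert "$2"
elif [ $# -eq 0 ]; then
    raw=$(mktemp) && out=$(mktemp)
    cat > "$raw" <<'EOF'
CONNECTED(00000003)
depth=1 O = Constructed Test CA
---
Certificate chain
 0 s:CN = example.test
   i:O = Constructed Test CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgTEVBRiBDRVJU
-----END CERTIFICATE-----
 1 s:O = Constructed Test CA
   i:O = Constructed Test CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgQ0EgQ0VSVA==
-----END CERTIFICATE-----
---
SSL handshake has read 1234 bytes and written 456 bytes
EOF
    extract_pem_chain "$raw" "$out"
    echo "$(count_certs "$out") certificate(s) extracted from constructed sample"
    rm -f "$raw" "$out"
fi
```

With `-showcerts` the server's whole presented chain is captured, so the extracted file may hold several certificates; the last one is typically the intermediate or root you actually want to trust, and the fingerprint printed by describe_first_cert should be checked against a value obtained through a channel other than the connection itself.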



Enabling TLS in the JFrog Platform

By default, TLS in the JFrog Platform is disabled.

When TLS is enabled, all communications to the JFrog Platform are required to use TLS, including service-to-service communication within the platform.
In the JFrog Platform, JFrog Access acts as the Certificate Authority (CA) and signs the TLS certificates used by all the different JFrog Platform services.

To enable TLS:

  1. Change the tls entry (under the security section) in the access.config.yaml file:

    security:
      tls: true
  2. With TLS enabled, every JFrog service must trust Access as a Certificate Authority.
    Access shares the CA certificate with all the Artifactory nodes, but the additional services in the Platform need to trust Access as well.
    Create the trust between a service and Access by copying ca.crt from the Artifactory server, under $JFROG_HOME/artifactory/var/etc/access/keys, to $JFROG_HOME/<product>/var/etc/security/keys/trusted on each service node that should trust it.

  • For Artifactory nodes, the root CA is distributed automatically via the database, and there is no need to manually copy the Access root CA.
    For every other JFrog product node, you need to manually copy the Access root CA.
  • If an external server, for example a load balancer, needs to trust the JFrog Access CA, load the Access root CA file into that external service's key store.

Loading a Custom CA Certificate to Access

You can provide a custom CA certificate and matching private key to be used by JFrog Access for signing the TLS certificates used by all the different JFrog Platform nodes.

Custom CA Prerequisites

Your custom CA certificate must meet the following prerequisites:

  • The private key must use the RSA algorithm.
  • The private key must be at least 1024 bits.
  • The certificate must match the provided private key.
  • The certificate must be valid for at least the next 7 days.
  • The certificate must be marked with the CA basic constraint.
  • The Subject Alternative Name (SAN) extension should not be set.
  • The key usage extension should be marked CRITICAL.
  • The digitalSignature key usage should be enabled.
  • The keyCertSign key usage should be enabled.

To load a custom CA certificate and matching private key:

  1. Create ca.crt and ca.private.key files and place them under $JFROG_HOME/artifactory/var/bootstrap/etc/access/keys.
  2. Restart Artifactory.
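Because Access only accepts a custom CA that meets every prerequisite listed above, it is worth checking the pair before the restart. The following script is an added example, not part of JFrog's documentation or product: it runs the candidate certificate through `openssl x509 -text` and verifies each listed requirement (RSA key, key size, CA basic constraint, critical key usage with digitalSignature and keyCertSign, no SAN), uses `-checkend` for the 7-day validity window, and confirms the certificate's public key is the one derived from the private key. The file names ca.crt and ca.private.key are the ones the page uses; the check logic, function names and the sample `-text` output in the demo are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of JFrog's documentation or product: check a candidate
# ca.crt / ca.private.key pair against the prerequisites listed above before placing
# the files under $JFROG_HOME/artifactory/var/bootstrap/etc/access/keys. The file
# names are the ones the page uses; the checking logic is this example's own.

# check_ca_text FILE: FILE holds the output of `openssl x509 -noout -text`. Prints one
# line per unmet requirement and returns the number of failures (0 = all text-level
# checks passed). Kept separate from openssl so it can be exercised on saved output.
check_ca_text() {
    txt="$1"; fails=0
    grep -q 'Public Key Algorithm: rsaEncryption' "$txt" \
        || { echo "FAIL: key algorithm is not RSA"; fails=$((fails + 1)); }
    # Matches "RSA Public-Key: (2048 bit)" (OpenSSL 1.1) and "Public-Key: (2048 bit)" (3.x).
    bits=$(sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' "$txt" | head -n 1)
    { [ -n "$bits" ] && [ "$bits" -ge 1024 ]; } \
        || { echo "FAIL: key is ${bits:-?} bits, at least 1024 required"; fails=$((fails + 1)); }
    grep -q 'CA:TRUE' "$txt" \
        || { echo "FAIL: basic constraint CA:TRUE is missing"; fails=$((fails + 1)); }
    grep -q 'X509v3 Key Usage: critical' "$txt" \
        || { echo "FAIL: key usage extension is not marked critical"; fails=$((fails + 1)); }
    # The usage flags are printed on the line following the extension name.
    ku=$(awk '/X509v3 Key Usage/ { getline; print; exit }' "$txt")
    echo "$ku" | grep -q 'Digital Signature' \
        || { echo "FAIL: digitalSignature is not enabled"; fails=$((fails + 1)); }
    echo "$ku" | grep -q 'Certificate Sign' \
        || { echo "FAIL: keyCertSign is not enabled"; fails=$((fails + 1)); }
    if grep -q 'Subject Alternative Name' "$txt"; then
        echo "FAIL: SAN extension must not be set"; fails=$((fails + 1))
    fi
    return "$fails"
}

# check_ca_pair CERT KEY: runs openssl for the checks that need the real files: the
# text-level checks above, the 7-day validity window, and that CERT's public key is
# the one derived from KEY.
check_ca_pair() {
    cert="$1"; key="$2"; total=0
    txt=$(mktemp)
    openssl x509 -in "$cert" -noout -text > "$txt"
    check_ca_text "$txt" || total=$?
    rm -f "$txt"
    # -checkend N succeeds only if the certificate is still valid N seconds from now.
    openssl x509 -in "$cert" -noout -checkend 604800 > /dev/null \
        || { echo "FAIL: certificate expires within the next 7 days"; total=$((total + 1)); }
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
        || { echo "FAIL: certificate public key does not match the private key"; total=$((total + 1)); }
    [ "$total" -eq 0 ] && echo "OK: $cert and $key meet the Access custom CA prerequisites"
    return "$total"
}

# Stand-alone use: `sh check_access_ca.sh ca.crt ca.private.key`. With no arguments it
# runs the text-level checks on a constructed `openssl x509 -text` excerpt instead.
if [ $# -eq 2 ]; then
    check_ca_pair "$1" "$2"
elif [ $# -eq 0 ]; then
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
EOF
    check_ca_text "$sample" && echo "constructed sample passes the text-level checks"
    rm -f "$sample"
fi
```

A non-zero exit status is the number of unmet prerequisites, and each one is named on stdout, so the script can gate a deployment pipeline step as well as be read by hand; the key-match check compares the SubjectPublicKeyInfo emitted by both commands rather than just the RSA modulus, which also catches a key of the wrong type.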

Regenerating a New Access CA Certificate

In some scenarios you might want to force Access to generate a new CA certificate.

To force JFrog Access to regenerate the CA certificate and matching private key:

  1. Create a reset_ca_keys file and place it under $JFROG_HOME/artifactory/var/bootstrap/etc/access/keys.
  2. Restart Artifactory.
  3. If you have already set TLS between Artifactory and other JFrog Platform nodes, copy the new ca.crt to the trusted directories on all the JFrog Platform nodes. 
Copyright © 2020 JFrog Ltd.