Trusting a Self-Signed Certificate or a New CA
You can set up TLS between the JFrog Platform and external services by trusting external service certificates.
JFrog services will not allow an SSL/TLS connection with an external service unless the certificate chains to a trusted CA certificate.
For example, you may want to connect to remote repositories, your LDAPS, internal proxy, OAuth server, or other external services over HTTPS.
For that, you may need to trust a certificate used by the external service (for example, a self-signed certificate) that was not signed by a trusted Certificate Authority (CA).
To trust a new certificate, you can do one of the following:
- Add the certificate to the application's KeyStore. For example, to add a certificate into the Artifactory KeyStore, you can add it directly to the host's JVM's trusted KeyStore.
- Add the certificate to the $JFROG_HOME/<product>/var/etc/security/keys/trusted directory of every service that needs to trust it.
- If you are connecting to a database over SSL, place the SSL certificates in the /etc/ssl/certs/ path so that the Metadata service loads them at startup.
In an HA setup, you need to add the certificate to every node's trusted directory or KeyStore. Certificates are not propagated between HA nodes automatically.
Downloading a Certificate
To download/acquire the certificate(s) of the SSL secured server, use the following command:
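The command itself is missing from this copy of the page. As an added example (not JFrog's own command), the POSIX shell script below fetches the chain a server presents using openssl s_client -showcerts, writes each certificate to its own PEM file, and prints the subject and SHA-256 fingerprint of each so they can be compared with what the service owner publishes before any file is placed in a trusted directory. The host, port and output directory are hypothetical arguments; the trusted directory path in the usage comment is the one from the page.

```shell
#!/bin/sh
# Added example, not part of the JFrog documentation.
# Usage: download_server_certs <host> <port> <outdir>
# e.g.   download_server_certs ldap.example.internal 636 \
#          "$JFROG_HOME/artifactory/var/etc/security/keys/trusted"

# Split a PEM stream (such as the output of "openssl s_client -showcerts") into
# <outdir>/<prefix>-0.crt, <prefix>-1.crt, ... in the order presented (leaf first).
# Lines outside BEGIN/END CERTIFICATE blocks are discarded. Prints the number of
# certificates written.
split_pem_chain() {
  outdir="$1"
  prefix="$2"
  mkdir -p "$outdir"
  awk -v dir="$outdir" -v pfx="$prefix" '
    BEGIN { n = 0; keep = 0 }
    /-----BEGIN CERTIFICATE-----/ { out = dir "/" pfx "-" n ".crt"; n++; keep = 1 }
    keep { print > out }
    /-----END CERTIFICATE-----/   { close(out); keep = 0 }
    END { print n }
  '
}

download_server_certs() {
  host="$1"
  port="$2"
  outdir="$3"
  # -servername sends SNI so a virtual-hosted server returns the right chain;
  # stdin is closed so s_client exits as soon as the handshake is done.
  count=$(openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
            </dev/null 2>/dev/null | split_pem_chain "$outdir" "$host")
  if [ "${count:-0}" -eq 0 ]; then
    echo "no certificates received from $host:$port" >&2
    return 1
  fi
  # Show what was saved. Verify these fingerprints out of band before trusting
  # the files: a download over the same channel proves nothing by itself.
  for f in "$outdir/$host"-*.crt; do
    openssl x509 -in "$f" -noout -subject -fingerprint -sha256
  done
}
```

Copy the files into the trusted directory only after the fingerprints match the values you obtained independently; for a self-signed service certificate that is the single file written, for a private CA it is normally the last (root) certificate in the chain.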
Enabling TLS in the JFrog Platform
By default, TLS in the JFrog Platform is disabled.
When TLS is enabled, all communications to the JFrog Platform are required to use TLS including service-to-service communication within the platform.
In the JFrog Platform, JFrog Access acts as the Certificate Authority (CA) and signs the TLS certificates used by all the different JFrog Platform services.
To enable TLS:
Change the tls entry (under the security section) in the access.config.yaml file.
- With TLS enabled, every JFrog service must trust Access as a Certificate Authority.
Access shares the CA certificate with all the Artifactory nodes. However, additional services in the Platform need to trust Access as well.
Create the trust between a service and Access by copying the ca.crt from the Artifactory server under $JFROG_HOME/artifactory/var/etc/access/keys to any service node you would like to set trust with under
- For Artifactory nodes, the root CA is distributed automatically via the database, and there's no need to manually copy the Access root CA.
For every other JFrog product node, you need to manually copy the Access root CA.
If an external server, for example a load balancer, needs to trust the JFrog Access CA, load the Access root CA file into that service's key store.
Loading a Custom CA Certificate to Access
You can provide a custom CA certificate and matching private key to be used by JFrog Access for signing the TLS certificates used by all the different JFrog Platform nodes.
Custom CA Prerequisites
Your custom CA certificate must meet the following prerequisites:
- The private key must use the RSA algorithm.
- The private key must be at least 1024-bit.
- The certificate must match the provided private key.
- The certificate must be valid for the next 7 days at least.
- The certificate must be marked with a CA basic constraint.
- SAN should not be set.
- Key usage extension should be marked CRITICAL.
- The key usage digitalSignature extension should be enabled.
- The key usage keyCertSign extension should be enabled.
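As an added example (not JFrog's code), the following POSIX shell function checks a candidate ca.crt and ca.private.key pair against the prerequisites above using only the openssl command line. The file names are the ones the page uses; the function name is my own. It reports every failed prerequisite and returns non-zero if any fails, so it can be run on the node before the files are loaded and Artifactory is restarted.

```shell
#!/bin/sh
# Added example, not part of the JFrog documentation.
# Usage: check_access_ca ca.crt ca.private.key
# Returns 0 when every prerequisite is met, 1 otherwise (one FAIL line per problem).
check_access_ca() {
  cert="$1"
  key="$2"
  ok=0

  # The private key must be RSA: "openssl rsa" refuses any other key type.
  if ! openssl rsa -in "$key" -noout >/dev/null 2>&1; then
    echo "FAIL: private key is not an RSA key"; ok=1
  else
    # The RSA modulus must be at least 1024 bits; the text dump reports "(N bit".
    bits=$(openssl rsa -in "$key" -noout -text 2>/dev/null \
             | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1)
    if [ -z "$bits" ] || [ "$bits" -lt 1024 ]; then
      echo "FAIL: RSA key is ${bits:-?} bits, need at least 1024"; ok=1
    fi
    # The certificate must carry the public key that matches this private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl rsa -in "$key" -pubout 2>/dev/null || true)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
      echo "FAIL: certificate public key does not match the private key"; ok=1
    fi
  fi

  # Must remain valid for at least 7 days (604800 seconds); -checkend fails if not.
  if ! openssl x509 -in "$cert" -noout -checkend 604800 >/dev/null 2>&1; then
    echo "FAIL: certificate expires within 7 days (or could not be parsed)"; ok=1
  fi

  # Extension checks against the human-readable dump.
  text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null || true)
  case "$text" in
    *"CA:TRUE"*) ;;
    *) echo "FAIL: basicConstraints CA:TRUE is missing"; ok=1 ;;
  esac
  case "$text" in
    *"Subject Alternative Name"*) echo "FAIL: SAN must not be set"; ok=1 ;;
  esac
  case "$text" in
    *"Key Usage: critical"*) ;;
    *) echo "FAIL: keyUsage extension must be marked critical"; ok=1 ;;
  esac
  case "$text" in
    *"Digital Signature"*) ;;
    *) echo "FAIL: keyUsage digitalSignature is not enabled"; ok=1 ;;
  esac
  case "$text" in
    *"Certificate Sign"*) ;;
    *) echo "FAIL: keyUsage keyCertSign is not enabled"; ok=1 ;;
  esac

  return $ok
}
```

The checks mirror the list one for one, so a failure message names the prerequisite that needs fixing before the files are placed and Artifactory is restarted.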
To load a custom CA certificate and matching private key:
- ca.private.key files and place them under
- Restart Artifactory.
Regenerating a New Access CA Certificate
In some scenarios you might want to force Access to generate a new CA Certificate.
To force JFrog Access to regenerate the CA certificate and matching private key:
- Create a reset_ca_keys file and place it under
- Restart Artifactory.
- If you have already set up TLS between Artifactory and other JFrog Platform nodes, copy the new
trusted directories on all the JFrog Platform nodes.