Some tools use cleartext passwords, which can pose a security risk. The security risk is even greater if you use LDAP or other external authentication, since you expose your SSO password in cleartext and that password is likely to be used for other services, not just Artifactory.
For example, Maven uses cleartext passwords in the settings.xml file by default.
Using Maven's built-in support for encrypted passwords and generating passwords on the client side does not overcome the security risks for the following reasons:
Artifactory provides a unique solution to this problem by generating encrypted passwords for users based on secret keys stored in Artifactory. You can ensure users' shared passwords are never stored or transmitted as cleartext.
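The following is an added example, not part of the JFrog documentation: a read-only audit of a Maven settings.xml that reports, for each server entry, whether the stored password is cleartext, Maven-encrypted, or a property reference. The sample file, its server ids and the ENC-SAMPLE- prefix are constructed; this page does not give the format of an Artifactory-generated encrypted password, so the caller supplies any known prefixes through the hypothetical encrypted_prefixes parameter.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample settings.xml (server ids and passwords are made up).
SAMPLE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server><id>central</id><username>alice</username><password>Winter2019!</password></server>
    <server><id>snapshots</id><username>alice</username><password>{COQLCE6DU6GtcS5P=}</password></server>
    <server><id>ci</id><username>build</username><password>${env.REPO_PASSWORD}</password></server>
    <server><id>releases</id><username>alice</username><password>ENC-SAMPLE-7f3a9c</password></server>
    <server><id>mirror</id><username>anonymous</username></server>
  </servers>
</settings>
"""

MAVEN_ENCRYPTED = re.compile(r"(?<!\\)\{[^{}]+\}")  # Maven's own {...} wrapper (heuristic)
PROPERTY_REF = re.compile(r"^\$\{[^{}]+\}$")          # ${env.X} style interpolation

def local(tag):
    """Strip the XML namespace so the audit works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def classify(password, encrypted_prefixes=()):
    # encrypted_prefixes is an operator-supplied assumption: prefixes that mark a
    # server-generated encrypted password in your environment (none by default).
    value = (password or "").strip()
    if not value:
        return "none"
    if PROPERTY_REF.match(value):
        return "property-reference"
    if MAVEN_ENCRYPTED.search(value):
        return "maven-encrypted"
    if any(value.startswith(p) for p in encrypted_prefixes):
        return "server-encrypted"
    return "cleartext"

def audit_settings(xml_text, encrypted_prefixes=()):
    """Return {server id: classification}; password values are never returned."""
    findings = {}
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) != "server":
            continue
        fields = {local(c.tag): c.text for c in elem}
        findings[fields.get("id", "?")] = classify(fields.get("password"), encrypted_prefixes)
    return findings

if __name__ == "__main__":
    for server_id, kind in audit_settings(SAMPLE_SETTINGS, ("ENC-SAMPLE-",)).items():
        print(f"{server_id:10} {kind}")
```

Without a prefix list, any literal value that is neither a property reference nor Maven-encrypted is reported as cleartext, which is the conservative result for an audit.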
You can set a central policy for using or accepting encrypted passwords in the Admin module under Security | General by setting the Password Encryption Policy field.
The behavior according to the Password Encryption Policy setting is as follows:
|Artifactory can receive requests with an encrypted password (default).|
|Artifactory requires an encrypted password for every authenticated request.|
|Artifactory will reject requests with an encrypted password.|
To secure your password:
Different encryption mechanisms
The encryption mechanisms of the Oracle and IBM JDKs are not identical. Switching from one to the other will make your encrypted password obsolete.
IBM JDK Encryption Restrictions
Some IBM JRE/JDK releases are shipped with a restriction on the encryption key size (mostly for countries outside the US). This restriction can be officially removed by downloading unrestricted policy files from IBM and overriding the existing ones:
US_export_policy.jar. Back up the existing files in $IBM_JDK_HOME/jre/lib/security and extract the jars from the zip file to this location.