JFrog Artifactory

Need help with other JFrog products?

JFrog Enterprise+
JFrog Mission Control
JFrog Xray
JFrog Distribution
JFrog Pipelines
JFrog Bintray
JFrog Access
JFrog CLI

Expand all   Collapse all

Versions Compared

Old Version 12

changes.mady.by.user Guru Ramanathaiah

Saved on

compared with

New Version 13

changes.mady.by.user Rami Honig

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

width75%

Overview

For several security features that you want to use over a secure connection (such as LDAPS, Secure Active Directory, or Secure OAuth), you may configure Artifactory to allow a non-trusted self-signed certificate.

...


Panel
titlePage Contents

Table of Contents
maxLevel4
minLevel2

Configuring a Self-Signed Certificate

For outbound Artifactory connections (remote repositories, external authentication servers...) intended for SSL self-signed/internal CA signed certificates URL endpoints, you may use use one of the following ways to establish trusts based on your certificates: 

  • Use the instructions described on Oracle's documentation to import a single/chain of certificates to your JVM's keystore.
  • Point Artifactory to use a custom certificate store. Follow the steps below (thanks to Marc Schoechlin for providing this information):

  1. Download/acquire the certificate(s) of the SSL secured server openssl s_client -connect <secure authentication server IP and port> -showcerts < /dev/null > server.ca.

    Info
    titleExamples

    RED HAT CDN

    openssl s_client -connect cdn.redhat.com:443  -showcerts < /dev/null > server.ca

    LDAP or Active Directory:
    openssl s_client -connect the.ldap.server.net:636 -showcerts < /dev/null > server.ca


    OAuth (Use the Authorization URL). For example, with GitHub:
    openssl s_client -connect github.com:443/login/oauth/authorize -showcerts < /dev/null > server.ca 

  2. Identify the standard cacerts file of your Java installation
  3. Create a custom cacerts file by copying the cacerts file to the Artifactory configuration dir. This may vary depending on the installation and its usually under JAVA_HOME/jre/lib/security.
    Example : cp /usr/lib64/jvm/java-1_6_0-ibm-1.6.0/jre/lib/security/cacerts /etc/opt/jfrog/artifactory/
  4. Import the CA certificate into the customized cacerts file. Note you can store the cacerts in any location as long as you can access it and link it to the JVM on startup.
    keytool -import -alias myca -keystore /etc/opt/jfrog/artifactory/cacerts -trustcacerts -file server.ca
    => Password: changeit
    => Agree to add the certificate
  5. Change permissions for the artifactory user
    chmod 755 /etc/opt/jfrog/artifactory/cacerts
    chown artifactory:users /etc/opt/jfrog/artifactory/cacerts
  6. Modify the defaults of the Artifactory JVM to use the custom cacerts file OR  you could change the startup script to include the cacerts in the JAVA_OPTIONS.
    echo "export JAVA_OPTIONS=\"\$JAVA_OPTIONS -Djavax.net.ssl.trustStore=/etc/opt/jfrog/artifactory/cacerts\"" >> /etc/opt/jfrog/artifactory/default
  7. Restart Artifactory