Overview

TLS connections can be used within JFrog Pipelines between the different nodes and services. By default, TLS is disabled. When TLS is enabled, all communications to JFrog Pipelines are required to use TLS.

This feature is available for Pipelines on-premise versions only.

JFrog Pipelines supports the following scenarios for TLS:

  • TLS is enabled in JFrog Platform with JFrog Access-issued CA certificates.
    • Pipelines is configured with a load balancer set up with publicly trusted certificates.
    • Pipelines is configured with a load balancer set up with custom certificates.
  • TLS is enabled in JFrog Platform with users providing a CA certificate and matching private key.
    • Pipelines is configured with a load balancer set up with publicly trusted certificates.
    • Pipelines is configured with a load balancer set up with custom certificates.
  • TLS is disabled in JFrog Platform. Pipelines is configured with a load balancer set up with publicly trusted certificates.
  • TLS is disabled in JFrog Platform, with JFrog Access-issued CA certificates. Pipelines is configured with a load balancer set up with custom certificates.

  • For an HA setup, you need to add the certificate to every node's trusted directory or KeyStore. The certificates are not propagated between HA nodes automatically.
  • For information about how TLS connections can be used within the JFrog Platform between the different cluster nodes and services, see the section Managing TLS Certificates.


TLS in JFrog Pipelines

This section provides information about enabling TLS in JFrog Pipelines. JFrog Pipelines services will not allow an SSL/TLS connection with an external service unless the connection validates against a trusted CA certificate.

With TLS enabled, every JFrog Pipelines service must trust Access as a Certificate Authority. Access shares the CA certificate with all the Pipelines nodes. However, additional services in Pipelines need to trust Access as well. The trust between a Pipelines service and Access is created by copying the ca.crt from the Artifactory server (under $JFROG_HOME/artifactory/var/etc/access/keys) to any Pipelines service node you would like to establish trust with, under $JFROG_HOME/<product>/var/etc/security/keys/trusted.

Prerequisites

Enabling TLS in JFrog Pipelines

Perform the following steps to enable TLS in JFrog Pipelines:

  1. Copy the ca.crt file from your Artifactory server, available at $JFROG_HOME/artifactory/var/etc/access/keys.
  2. Run the following command to recursively create the relevant directories for Pipelines (no trailing period; it would become part of the directory name):
    mkdir -p /opt/jfrog/pipelines/var/etc/security/keys/trusted
  3. Paste the ca.crt file, copied from $JFROG_HOME/artifactory/var/etc/access/keys, to /opt/jfrog/pipelines/var/etc/security/keys/trusted.
  4. Install Pipelines and ensure that https is used for all the URLs:

    sudo pipelines install \
        --base-url-ui https://<jfrog-url> \
        --base-url https://<jfrog-url> \
        --artifactory-joinkey <join-key> \
        --installer-ip <new-instance-ip> \
        --api-url https://<external-ip>:8082/pipelines/api \
        --www-url https://<external-ip>:30001 \
        --rabbitmq-url amqp://<external-ip>:30200

    For information about installing Pipelines, see Installing Pipelines.

Repeat the above steps on all the nodes where Pipelines is installed.

After all additional nodes have been installed with an identical version of Pipelines, the load balancer must be configured to distribute requests made through a common base URI.

The load balancer can also be set up with custom certificates. In this case, those certificates, in .crt format, must be copied to $JFROG_HOME/pipelines/var/etc/security/keys/trusted.

In addition, www-url must be behind the load balancer to ensure that WebSockets work.


Custom CA Certificate in JFrog Pipelines

This section provides information about loading a custom CA certificate in JFrog Pipelines.

You can provide a custom CA certificate and matching private key, to be used by JFrog Access, for signing the TLS certificates used by all the different JFrog Pipeline nodes.

Prerequisites

Your custom CA certificate must meet the following prerequisites:

  • The private key must use the RSA algorithm.
  • The private key must be at least 1024-bit.
  • The certificate must match the provided private key.
  • The certificate must be valid for the next 7 days at least.
  • The certificate must be marked with a CA basic constraint.
  • SAN should not be set.
  • Key usage extension should be marked CRITICAL.
  • Key usage digitalSignature extension should be enabled.
  • Key usage keyCertSign extension should be enabled.
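An added pre-flight check for these prerequisites (example script, not JFrog's own tooling): it assumes the openssl CLI (1.1.1 or later) is on PATH and takes the certificate and key paths as arguments; make_test_ca only builds a constructed sample CA to exercise the check.

```shell
#!/bin/sh
# Added example (not JFrog's tooling): pre-flight check of a custom CA against the list above.
# Assumes the openssl CLI (1.1.1 or later) is on PATH; the file paths are arguments you supply.
set -u

# Returns 0 when certificate $1 and private key $2 meet every prerequisite, 1 otherwise.
check_ca_cert() {
  cert="$1"; key="$2"; rc=0
  fail() { echo "FAIL: $1" >&2; rc=1; }
  text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || { fail "cannot parse $cert"; return 1; }
  # RSA key of at least 1024 bits ("openssl rsa" rejects non-RSA keys, leaving bits empty)
  bits=$(openssl rsa -in "$key" -noout -text 2>/dev/null | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p')
  if [ -z "$bits" ]; then fail "private key is not an RSA key"
  elif [ "$bits" -lt 1024 ]; then fail "RSA key is only $bits bits"
  elif [ "$(openssl x509 -in "$cert" -noout -modulus)" != \
         "$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)" ]; then
    fail "certificate does not match private key"   # RSA moduli differ
  fi
  # Still valid 7 days (604800 s) from now; -checkend exits 1 if it expires within that window
  openssl x509 -in "$cert" -noout -checkend 604800 >/dev/null || fail "certificate expires within 7 days"
  printf '%s\n' "$text" | grep -q 'CA:TRUE' || fail "CA basic constraint not set"
  printf '%s\n' "$text" | grep -q 'Subject Alternative Name' && fail "SAN must not be set"
  printf '%s\n' "$text" | grep -q 'X509v3 Key Usage: critical' || fail "key usage is not CRITICAL"
  ku=$(printf '%s\n' "$text" | sed -n '/X509v3 Key Usage/{n;p;}')   # the line after the header lists the bits
  case "$ku" in *"Digital Signature"*) ;; *) fail "keyUsage digitalSignature not enabled" ;; esac
  case "$ku" in *"Certificate Sign"*) ;; *) fail "keyUsage keyCertSign not enabled" ;; esac
  return $rc
}

# Generates a constructed, compliant self-signed CA in directory $1 (demonstration only).
# An optional extra extension line in $2 produces a deliberately non-compliant one to compare.
make_test_ca() {
  dir="$1"; extra="${2:-}"
  cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Constructed Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,digitalSignature,keyCertSign
$extra
EOF
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/ca.private.key" 2>/dev/null &&
  openssl req -new -config "$dir/ca.cnf" -key "$dir/ca.private.key" -out "$dir/ca.csr" 2>/dev/null &&
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.private.key" -days 365 \
    -extfile "$dir/ca.cnf" -extensions v3_ca -out "$dir/ca.crt" 2>/dev/null
}
if [ $# -eq 2 ]; then check_ca_cert "$1" "$2"; fi   # usage: sh check_ca.sh ca.crt ca.private.key
```

Run the check before placing ca.crt under the bootstrap directory; each unmet prerequisite is reported on stderr, so a rejected CA can be fixed before Access is restarted.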


Loading a Custom CA Certificate in JFrog Pipelines

To load a custom CA certificate (ca.crt) and matching private key (ca.private.key) into Access and create the trust between Access and JFrog Pipelines, perform the following steps:

  1. Create the ca.crt file and place it under $JFROG_HOME/artifactory/var/bootstrap/etc/access/keys.
  2. Restart Artifactory.
  3. Run the following command to recursively create the relevant directories for Pipelines (no trailing period; it would become part of the directory name):
    mkdir -p /opt/jfrog/pipelines/var/etc/security/keys/trusted
  4. Paste the ca.crt file, copied from $JFROG_HOME/artifactory/var/etc/access/keys, to /opt/jfrog/pipelines/var/etc/security/keys/trusted.
  5. Install Pipelines and ensure that https is used for all the URLs:

    sudo pipelines install \
        --base-url-ui https://<jfrog-url> \
        --base-url https://<jfrog-url> \
        --artifactory-joinkey <join-key> \
        --installer-ip <new-instance-ip> \
        --api-url https://<external-ip>:8082/pipelines/api \
        --www-url https://<external-ip>:30001 \
        --rabbitmq-url amqp://<external-ip>:30200

    For information about installing Pipelines, see Installing Pipelines.

Repeat the above steps on all the nodes where Pipelines is installed.

After all additional nodes have been installed with an identical version of Pipelines, the load balancer must be configured to distribute requests made through a common base URI.

The load balancer can also be set up with custom certificates. In this case, those certificates, in .crt format, must be copied to $JFROG_HOME/pipelines/var/etc/security/keys/trusted.

In addition, www-url must be behind the load balancer to ensure that WebSockets work.
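To verify one node after either procedure above (enabling TLS with the Access CA, or with a custom CA), an added script that is not part of JFrog's tooling: it assumes the openssl CLI and takes the Access ca.crt path, the node's trusted copy, and the https:// URLs passed to pipelines install (with placeholders such as <external-ip> filled in) as arguments.

```shell
#!/bin/sh
# Added example: post-install trust check for a Pipelines node (not part of JFrog's tooling).
# Assumes the openssl CLI; arguments are the Access ca.crt, the node's trusted copy, and the
# https:// URLs given to "pipelines install" (placeholders such as <external-ip> filled in).
set -u

# 0 when both files carry the same certificate (by SHA-256 fingerprint); catches an HA node
# where the copy step was skipped, since certificates are not propagated between HA nodes.
same_ca() {
  a=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 1
  b=$(openssl x509 -in "$2" -noout -fingerprint -sha256 2>/dev/null) || return 1
  [ "$a" = "$b" ]
}

# host:port of an https:// URL (hostname or IPv4 form), port defaulting to 443.
hostport_of() {
  hp=${1#https://}; hp=${hp%%/*}
  case "$hp" in *:*) printf '%s\n' "$hp" ;; *) printf '%s:443\n' "$hp" ;; esac
}

# 0 when the endpoint's chain validates against the CA file; -verify_return_error makes a
# chain failure abort the handshake instead of only being logged, so the exit code is usable.
endpoint_trusted() {
  hp=$(hostport_of "$1")
  openssl s_client -connect "$hp" -servername "${hp%%:*}" -CAfile "$2" \
    -verify_return_error </dev/null >/dev/null 2>&1
}

# Compares the CAs, then probes every URL against the trusted copy; 0 only if all pass.
check_node() {
  access_ca="$1"; trusted_ca="$2"; shift 2; rc=0
  if same_ca "$access_ca" "$trusted_ca"; then echo "trusted CA matches Access CA"
  else echo "trusted CA differs from Access CA: repeat the copy step on this node" >&2; rc=1; fi
  for u in "$@"; do
    if endpoint_trusted "$u" "$trusted_ca"; then echo "$u: chain verifies"
    else echo "$u: chain does NOT verify against $trusted_ca" >&2; rc=1; fi
  done
  return $rc
}

# Usage: sh check_trust.sh "$JFROG_HOME/artifactory/var/etc/access/keys/ca.crt" \
#   /opt/jfrog/pipelines/var/etc/security/keys/trusted/ca.crt https://<external-ip>:8082/pipelines/api
if [ $# -ge 2 ]; then check_node "$@"; fi
```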