The steps required for setting up TLS are as follows.
The way to enable a secure cookie is by enabling TLS on Access. When you have HTTPS, the JPD will then block insecure access to the application (HTTP) and will add the secure flag to all JPD cookies.
By default, TLS in the JFrog Platform is disabled. When TLS is enabled, all communications to the JFrog Platform are required to use TLS including service-to-service communication within the platform. In the JFrog Platform, Access acts as the CA and signs the TLS certificates used by all the different JFrog Platform services.
Any options you need to set in the TLS certificate will require you to enable TLS (see below).
To enable TLS, set the tls entry (under the security section) in the Access YAML Configuration file to 'true' and rename it to access.config.import.yaml.
security:
  tls: true
Set artifactory.tomcat.httpsConnector.enabled in the system.yaml file to true.
When providing your own custom TLS certificate, you will need to provide the matching private key. The certificate will be used by ports 8081 (Artifactory) and 8082 (the Platform router).
By default the JFrog Platform (from Artifactory 7.x and above) requires two public ports. You will need to ensure that both ports are using the same certificate.
If you have not started the application for the first time, you will need to create the /router/keys/ folder manually.
Copy the certificate and key files to bootstrap/router/keys/custom-server.crt and bootstrap/router/keys/custom-server.key.
custom-server.key is the private key file
custom-server.crt is the cert file
The files must be named exactly as shown above.
Copy the CA of the custom TLS certificate to etc/security/keys/trusted/.
Set artifactory.tomcat.httpsConnector.enabled to true (in the system.yaml file).
etc/security/keys/trusted/ of all the JFrog Products nodes installed in the same JPD.
Your custom certificate must meet the following prerequisites:
Your custom CA certificate must meet the following prerequisites:
If TLS has not been enabled, you are not required to take any steps; TLS will not be enabled on the router or on Artifactory.
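The file placement for a custom TLS certificate described above, as an added shell example that is not part of the JFrog documentation or tooling. It assumes the relative paths above resolve against a var directory passed as the first argument (for example $JFROG_HOME/artifactory/var); the function names are hypothetical, and cert_matches_key uses the openssl CLI to confirm that the private key matches the certificate.

```shell
#!/bin/sh
# Added example, not JFrog tooling. Assumption: VAR_DIR is the directory that
# holds bootstrap/ and etc/ (for example $JFROG_HOME/artifactory/var).

# Succeeds only when the certificate and the private key share a public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# stage_custom_tls VAR_DIR CERT KEY CA_CERT
# Copies the files to the locations and exact file names given above.
stage_custom_tls() {
    var_dir=$1; cert=$2; key=$3; ca=$4
    for f in "$cert" "$key" "$ca"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    keys_dir="$var_dir/bootstrap/router/keys"
    trusted_dir="$var_dir/etc/security/keys/trusted"
    # Before the first start the keys folder does not exist yet, so create it.
    mkdir -p "$keys_dir" "$trusted_dir" || return 1
    cp "$cert" "$keys_dir/custom-server.crt" || return 1
    # Assumption: this runs as the account the platform runs under, so the
    # private key can be limited to its owner.
    ( umask 077 && cp "$key" "$keys_dir/custom-server.key" ) || return 1
    chmod 600 "$keys_dir/custom-server.key" || return 1
    # The CA keeps its original file name inside the trusted directory.
    cp "$ca" "$trusted_dir/" || return 1
}

# Typical use: refuse to stage a pair that does not match.
#   cert_matches_key server.crt server.key &&
#       stage_custom_tls "$JFROG_HOME/artifactory/var" server.crt server.key ca.crt
```

Both ports 8081 and 8082 use the staged pair, so a mismatched key caught here avoids a failed start on both.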
Option 3: Providing a Custom CA Certificate to Access
You can provide a custom CA certificate and matching private key, to be used by Access, for signing the TLS certificates used by all the different JFrog Platform nodes.
Your custom CA certificate must meet the prerequisites described in Option 2 above.
To load a custom CA certificate and matching private key:
ca.crt and ca.private.key files and place them under $JFROG_HOME/artifactory/var/bootstrap/etc/access/keys.
In some scenarios you might want to force Access to generate a new CA Certificate. To force JFrog Access to regenerate the CA certificate and matching private key, do the following.
reset_ca_keys file and place it under $JFROG_HOME/artifactory/var/bootstrap/etc/access/keys.
ca.crt to the trusted directories on all the JFrog Platform nodes.