By default, the Access service comes with the password specified in the previous section, and can only be operated by REST API calls made from the same physical server on which the service resides (localhost). Using the credentials file, you can change the administrator password and let REST API calls be made from another server.
To prepare the credentials file:
Create a file called
In case you are running an Artifactory HA cluster, make sure to do the changes on the primary node. After the last step, perform a rolling restart to the cluster (restart each node starting from the master node).
Populate the file with the following content:
- <ipaddress>: the IP address of the server from which you want to make REST API calls to the Access service (to restrict this to be only from the same server, use localhost or 127.0.0.1). You can use wildcards to specify a range of IPs, for example,
- password: the password to be used for the access-admin user
You can create the file with multiple lines to create multiple Access Administrators
$ARTIFACTORY_HOME/access/etcon the server where the Access service resides
You now need to assign 600 Linux permissions (Owner read & write) to the file:
$ chmod 600 bootstrap.creds
The permission assigned must be exactly 600. Neither a more permissive, nor a more restrictive permission setting will work
Restart the Access service by restarting the corresponding Artifactory instance.
To change the default password for the access-admin user, simply follow the steps described in Preparing the Credentials File while populating the
bootstrap.creds file with either of:
access-admin@localhost=<new-password> or firstname.lastname@example.org=<new-password>
Artifactory may use the Access administrator user and password to communicate with the Access service and perform different functions. When configuring access federation, if you synchronize the Access administrator user from a source Access service to a target Access service which has a different Access administrator password, the target Artifactory service will not be able to communicate with its Access service. Therefore, if you change the default password on either the source or target Access services, make sure to exclude the Access administrator user from access federation.
As a best practice, we recommend excluding the Access administrator user from access federation.
As described, most of the parameters governing the behavior of Access are configured through a YAML configuration file found in the $
ACCESS_HOME/etc folder. For details, please refer to YAML Configuration File.
The Access service uses the Logback Framework to manage logging. Activity is logged according to type in three different log files which can be found under the
The following log files are available:
|This is the main Access service log file containing data on the Access server activity|
|The HTTP traffic information for requests coming in. Most of these are from Artifactory|
|Auditing of the actions performed by the service. Currently only successful actions are recorded (e.g. token was created, token was refreshed or revoked)|
Since the Access service runs under the same Tomcat as Artifactory, its logs (catalina.out. localhost etc.) contain entries for both Artifactory and Access.
Logging for the Access service is configured in the