Overview

The JFrog join.key feature establishes trust between JFrog services based on AES 128-bit symmetric encryption.

This feature is an alternative to basic authentication trust, whereby services are required to share an admin's username-password pair as a common secret. The join.key is used internally for creating trust between microservices of the same service, for example between Artifactory and Access.

Once trust is established (meaning the join.key is shared between all the different services), the services can continue using the standard token-based authentication for communication. This is accomplished by having each service create the tokens used for the inter-service communication and signing those tokens with the join.key.

If the join.key is not identical on the trusted services, communication between services fails.


Managing the join.key

By default, a join.key is automatically generated and stored in the Access database during Access startup.

The join.key is then automatically copied by Access to Artifactory over the file system and is re-provisioned every time the services are restarted.
Access shares the join.key with Artifactory by copying it to the following location:

$ARTIFACTORY_HOME/etc/security/join.key

Upgrading to Artifactory 6.8 automatically initiates the join.key mechanism and generates the join.key.

Creating Your Own join.key

Instead of using the auto-generated join.key, you can create your own and use it for the pairing process:

  1. Create a 128-bit AES key and paste it into a file.

  2. Save the file as join.key.

  3. Copy the file to the following location on Access:

    $ACCESS_HOME/etc/keys/join.key

Access will then use the provided join.key instead of the auto-generated one, save it to its database, and share it with Artifactory. 
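The three steps above, plus a check for the "not identical" failure case from the Overview, as an added shell example that is not JFrog's own tooling. It assumes the key is stored as 32 hexadecimal characters on one line (the page does not state the encoding); the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not JFrog tooling. Assumption: join.key holds the 128-bit key
# as 32 hexadecimal characters on one line; confirm the encoding for your version.

# Steps 1-3: generate a 128-bit key and install it as <dir>/join.key, owner-only.
write_join_key() {
    dir=$1
    [ -e "$dir/join.key" ] && { echo "refusing to overwrite $dir/join.key" >&2; return 1; }
    mkdir -p "$dir" || return 1
    (
        umask 077                              # files created here get mode 0600
        tmp="$dir/.join.key.$$"
        # 16 random bytes rendered as hex, separators stripped
        key=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \t\n')
        [ "${#key}" -eq 32 ] || exit 1
        # write to a temporary name, then rename so a partial key is never visible
        printf '%s\n' "$key" > "$tmp" && mv "$tmp" "$dir/join.key"
    )
}

# Verify a key file: exactly 128 bits of hex and no group/other permission bits.
check_join_key() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    key=$(tr -d '\r\n' < "$f")
    case $key in
        *[!0-9a-fA-F]*) echo "non-hex characters in $f" >&2; return 1 ;;
    esac
    [ "${#key}" -eq 32 ] || { echo "$f is not 128 bits" >&2; return 1; }
    # characters 5-10 of the ls mode string are the group and other bits
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
        { echo "$f is accessible to group/other" >&2; return 1; }
}

# Succeeds only when both files are byte-identical; the key itself is never printed.
same_join_key() {
    cmp -s "$1" "$2"
}

# Usage with the paths from this page:
#   write_join_key "$ACCESS_HOME/etc/keys"
#   check_join_key "$ACCESS_HOME/etc/keys/join.key"
#   same_join_key "$ACCESS_HOME/etc/keys/join.key" "$ARTIFACTORY_HOME/etc/security/join.key"
```

Run the comparison after a restart, since that is when Access re-provisions the Artifactory copy.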

Managing join.keys in HA

There should only be one join.key per HA cluster since the Access database is shared across all nodes of an HA cluster.

If a join.key is provided rather than generated by the system, it can be provided to a single cluster node; the system propagates it to all nodes of the cluster.