Uploaded image for project: 'Artifactory Binary Repository'
  1. Artifactory Binary Repository
  2. RTFACT-17396

Artifactory is not allowing to connect to S3 bucket when using the FIPS endpoint URL

    XMLWordPrintable

    Details

    • Type: New Feature
    • Status: Open
    • Priority: High
    • Resolution: Unresolved
    • Affects Version/s: 5.10.4, 6.0.1, 6.3.0
    • Fix Version/s: None
    • Component/s: Filestore
    • Labels:
      None

      Description

      Artifactory is not allowing to connect to S3 bucket when using the FIPS endpoint URL. FIPS is a US government standard that specifies the security requirements for cryptographic modules that protect sensitive information. https://aws.amazon.com/compliance/fips/

       

      We need to support the FIPS endpoint URL as this is used by Government agencies who have to follow security requirements set by US government.

       

      Steps to Reproduce:

      1.Use a S3 bucket for your Artifactory instance

      2.when specifying the endpoint URL in binarystore.xml please use FIPS url "s3-fips.us-west-1.amazonaws.com". The region in url will change depending on where your s3 bucket exists.

      3.When starting Artifactory it will be successful, but you will see the below warning:

      2018-08-24 11:57:49,056 [art-init] [INFO ] (o.a.a.f.t.j.s.S3JetS3tBinaryProvider:464) - Connecting to S3 endpoint: 's3-fips.us-west-1.amazonaws.com'

      2018-08-24 11:57:49,325 [art-init] [WARN ] (o.a.a.f.t.j.s.S3JetS3tBinaryProvider:365) - Failed to check if bucket exist, bucket artifactory-test-arturo. Request Error: s3-fips.us-west-1.amazonaws.com: unknown error

      4.If you try to specify the AWS signature version 4 in the binarystore.xml, then the startup of Artifactory fails when using FIPS endpoint url. Here is that parameter 

      <s3AwsVersion>AWS4-HMAC-SHA256</s3AwsVersion>

       

      There are two issues here:

      1.When using FIPS url without the signature version 4 although the Artifactory startup is successful you see the below warning which is not expected: 

      2018-08-24 11:57:49,056 [art-init] [INFO ] (o.a.a.f.t.j.s.S3JetS3tBinaryProvider:464) - Connecting to S3 endpoint: 's3-fips.us-west-1.amazonaws.com'

      2018-08-24 11:57:49,325 [art-init] [WARN ] (o.a.a.f.t.j.s.S3JetS3tBinaryProvider:365) - Failed to check if bucket exist, bucket artifactory-test-arturo. Request Error: s3-fips.us-west-1.amazonaws.com: unknown error

      2. The more serious issue is the one where if you specify the AWS signature version 4 in binarystore.xml then the startup of Artifactory fails.

       

      Workaround if you are using AWS signature version 4 in binarystore.xml is to remove the parameter from binarystore.xml that specifies the signature version:

      <s3AwsVersion>AWS4-HMAC-SHA256</s3AwsVersion>

       

       

       

        Attachments

          Activity

            People

            Assignee:
            Unassigned
            Reporter:
            nihalc@jfrog.com Nihal Reddy Chinna Choudhary
            Votes:
            4 Vote for this issue
            Watchers:
            5 Start watching this issue

              Dates

              Created:
              Updated: