Details
Type: New Feature
Status: Open
Priority: High
Resolution: Unresolved
Affects Version/s: 5.10.4, 6.0.1, 6.3.0
Fix Version/s: None
Component/s: Filestore
Labels: None
Description
Artifactory cannot connect to an S3 bucket when the FIPS endpoint URL is used. FIPS is a US government standard that specifies the security requirements for cryptographic modules that protect sensitive information. https://aws.amazon.com/compliance/fips/
We need to support the FIPS endpoint URL because it is used by government agencies that have to follow security requirements set by the US government.
Steps to Reproduce:
1. Use an S3 bucket for your Artifactory instance.
2. When specifying the endpoint URL in binarystore.xml, use the FIPS URL "s3-fips.us-west-1.amazonaws.com". The region in the URL depends on where your S3 bucket exists.
3. Artifactory starts successfully, but you will see the warning below:
2018-08-24 11:57:49,056 [art-init] [INFO ] (o.a.a.f.t.j.s.S3JetS3tBinaryProvider:464) - Connecting to S3 endpoint: 's3-fips.us-west-1.amazonaws.com'
2018-08-24 11:57:49,325 [art-init] [WARN ] (o.a.a.f.t.j.s.S3JetS3tBinaryProvider:365) - Failed to check if bucket exist, bucket artifactory-test-arturo. Request Error: s3-fips.us-west-1.amazonaws.com: unknown error
4. If you specify AWS signature version 4 in binarystore.xml, Artifactory startup fails when using the FIPS endpoint URL. Here is that parameter:
<s3AwsVersion>AWS4-HMAC-SHA256</s3AwsVersion>
There are two issues here:
1. When using the FIPS URL without signature version 4, Artifactory starts successfully, but you see the warning below, which is not expected:
2018-08-24 11:57:49,056 [art-init] [INFO ] (o.a.a.f.t.j.s.S3JetS3tBinaryProvider:464) - Connecting to S3 endpoint: 's3-fips.us-west-1.amazonaws.com'
2018-08-24 11:57:49,325 [art-init] [WARN ] (o.a.a.f.t.j.s.S3JetS3tBinaryProvider:365) - Failed to check if bucket exist, bucket artifactory-test-arturo. Request Error: s3-fips.us-west-1.amazonaws.com: unknown error
2. The more serious issue is that if you specify AWS signature version 4 in binarystore.xml, Artifactory startup fails.
Workaround: if you are using AWS signature version 4 in binarystore.xml, remove the parameter that specifies the signature version:
<s3AwsVersion>AWS4-HMAC-SHA256</s3AwsVersion>
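A pre-start check for the two conditions described above, as an added example that is not part of the original ticket or Artifactory's own code: it parses a binarystore.xml and reports which of the two reported behaviours a FIPS endpoint configuration will trigger. The sample file layout and every element name other than <s3AwsVersion> (including <endpoint>) are assumptions, and the verdict names are hypothetical labels.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# FIPS host form taken from the issue: s3-fips.<region>.amazonaws.com
FIPS_HOST = re.compile(r"^s3-fips\.([a-z0-9-]+)\.amazonaws\.com$", re.I)

def endpoint_host(value):
    """Accept a bare host or a full URL and return the lowercase host name."""
    value = (value or "").strip()
    if "://" not in value:
        value = "//" + value  # let urlsplit treat a bare host as a netloc
    return (urlsplit(value).hostname or "").lower()

def check_binarystore(xml_text):
    """Return one (host, region, verdict) tuple per element with an <endpoint> child."""
    findings = []
    for node in ET.fromstring(xml_text).iter():
        ep = node.find("endpoint")
        if ep is None:
            continue
        host = endpoint_host(ep.text)
        m = FIPS_HOST.match(host)
        if not m:
            findings.append((host, None, "not-fips"))  # outside this issue
            continue
        sig = (node.findtext("s3AwsVersion") or "").strip()
        # Issue 2: FIPS endpoint plus signature v4 -> startup fails.
        # Issue 1: FIPS endpoint alone -> "Failed to check if bucket exist" warning.
        verdict = "startup-fails" if sig == "AWS4-HMAC-SHA256" else "bucket-check-warning"
        findings.append((host, m.group(1), verdict))
    return findings

# Constructed sample; layout and element names other than <s3AwsVersion> are assumptions.
SAMPLE = """<config version="2">
  <chain template="s3"/>
  <provider id="s3" type="s3">
    <endpoint>s3-fips.us-west-1.amazonaws.com</endpoint>
    <bucketName>example-bucket</bucketName>
    <s3AwsVersion>AWS4-HMAC-SHA256</s3AwsVersion>
  </provider>
</config>"""

if __name__ == "__main__":
    for host, region, verdict in check_binarystore(SAMPLE):
        print(f"{host} region={region} -> {verdict}")
```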