  1. Artifactory Binary Repository
  2. RTFACT-17396

Artifactory cannot connect to an S3 bucket when using the FIPS endpoint URL

    Details

    • Type: New Feature
    • Status: Open
    • Priority: High
    • Resolution: Unresolved
    • Affects Version/s: 5.10.4, 6.0.1, 6.3.0
    • Fix Version/s: None
    • Component/s: Filestore
    • Labels:
      None

      Description

      Artifactory cannot connect to an S3 bucket when the FIPS endpoint URL is used. FIPS is a US government standard that specifies the security requirements for cryptographic modules that protect sensitive information: https://aws.amazon.com/compliance/fips/

      We need to support the FIPS endpoint URL because it is used by government agencies that have to follow the security requirements set by the US government.

      Steps to Reproduce:

      1. Use an S3 bucket for your Artifactory instance.

      2. When specifying the endpoint URL in binarystore.xml, use the FIPS URL "s3-fips.us-west-1.amazonaws.com". The region in the URL depends on where your S3 bucket is located.

      3. Artifactory starts successfully, but you will see the warning below:

      2018-08-24 11:57:49,056 [art-init] [INFO ] (o.a.a.f.t.j.s.S3JetS3tBinaryProvider:464) - Connecting to S3 endpoint: 's3-fips.us-west-1.amazonaws.com'

      2018-08-24 11:57:49,325 [art-init] [WARN ] (o.a.a.f.t.j.s.S3JetS3tBinaryProvider:365) - Failed to check if bucket exist, bucket artifactory-test-arturo. Request Error: s3-fips.us-west-1.amazonaws.com: unknown error

      4. If you specify AWS signature version 4 in binarystore.xml, Artifactory fails to start when the FIPS endpoint URL is used. This is the parameter:

      <s3AwsVersion>AWS4-HMAC-SHA256</s3AwsVersion>

      There are two issues here:

      1. When the FIPS URL is used without signature version 4, Artifactory starts successfully, but you see the warning below, which is not expected:

      2018-08-24 11:57:49,056 [art-init] [INFO ] (o.a.a.f.t.j.s.S3JetS3tBinaryProvider:464) - Connecting to S3 endpoint: 's3-fips.us-west-1.amazonaws.com'

      2018-08-24 11:57:49,325 [art-init] [WARN ] (o.a.a.f.t.j.s.S3JetS3tBinaryProvider:365) - Failed to check if bucket exist, bucket artifactory-test-arturo. Request Error: s3-fips.us-west-1.amazonaws.com: unknown error

      2. The more serious issue is that Artifactory fails to start if you specify AWS signature version 4 in binarystore.xml.

      The workaround, if you are using AWS signature version 4 in binarystore.xml, is to remove the parameter that specifies the signature version from binarystore.xml:

      <s3AwsVersion>AWS4-HMAC-SHA256</s3AwsVersion>
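
A pre-start check for the two cases described in this report, as an added example (not JFrog's code and not part of the original issue): it reads binarystore.xml content and reports, for each configured endpoint, whether it is a FIPS hostname of the form shown above and which reported outcome the s3AwsVersion setting leads to. The sample config is constructed, and the `<endpoint>` element name and the provider layout are assumptions; only `<s3AwsVersion>` and the hostname come from the report.

```python
import re
import xml.etree.ElementTree as ET

# Hostname shape used in this issue: s3-fips.<region>.amazonaws.com
FIPS_HOST = re.compile(r"^s3-fips\.([a-z0-9-]+)\.amazonaws\.com$")
SIGV4 = "AWS4-HMAC-SHA256"

# Constructed sample; the element layout around <endpoint> is an assumption.
SAMPLE = """<config version="v1">
  <chain template="s3"/>
  <provider id="s3" type="s3">
    <endpoint>s3-fips.us-west-1.amazonaws.com</endpoint>
    <bucketName>example-bucket</bucketName>
    <s3AwsVersion>AWS4-HMAC-SHA256</s3AwsVersion>
  </provider>
</config>"""


def audit_binarystore(xml_text):
    """Return one finding per element that has a direct <endpoint> child."""
    findings = []
    for node in ET.fromstring(xml_text).iter():
        endpoint = node.findtext("endpoint")
        if endpoint is None:
            continue
        # Accept a bare host or a URL with scheme, port or path.
        host = re.sub(r"^[a-z]+://", "", endpoint.strip().lower())
        host = re.split(r"[/:]", host)[0]
        fips = FIPS_HOST.match(host)
        sig = (node.findtext("s3AwsVersion") or "").strip() or None
        if not fips:
            outcome = "not-fips-endpoint"
        elif sig == SIGV4:
            outcome = "startup-fails"            # issue 2 in the report
        elif sig is None:
            outcome = "bucket-check-warning"     # issue 1 in the report
        else:
            outcome = "not-covered-by-report"
        findings.append({"host": host, "region": fips.group(1) if fips else None,
                         "s3AwsVersion": sig, "outcome": outcome})
    return findings


if __name__ == "__main__":
    for finding in audit_binarystore(SAMPLE):
        print(finding)
```

The `not-fips-endpoint` outcome is useful on its own in environments that must use FIPS endpoints, since it flags a config that points at a standard S3 hostname.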

       

       

       


            People

            • Assignee: Unassigned
            • Reporter: nihalc@jfrog.com Nihal Reddy Chinna Choudhary
            • Votes: 4
            • Watchers: 5
