ARTIFACTORY: Configuring the Artifactory with FIPS mode enabled

Product: Frog_Artifactory
Content Type: Installation_Setup
Author: Muniraju M K
Article Number: 000006689
First Published: 2025-11-17T13:00:06Z
Last Modified: 2025-11-17
Version: 1

Introduction 

FIPS mode configures Artifactory to use FIPS 140-2 compliant cryptography. FIPS 140-2 is a U.S. government standard for secure encryption modules.
When FIPS mode is enabled, Artifactory ensures that all cryptographic operations (encryption, hashing, SSL/TLS, etc.) use FIPS-validated algorithms and libraries (for example, compliant versions of Bouncy Castle or OpenSSL).
This mode is mainly required for organizations that must adhere to federal security standards, such as government agencies, defense contractors, or companies following FedRAMP, DoD, or similar compliance frameworks.

Artifactory uses JFrog’s FIPS-compliant security module, which leverages FIPS-approved cryptographic providers.

When you enable FIPS mode, Artifactory:
  1. Uses only FIPS-validated cryptographic algorithms (AES, SHA-256, RSA, etc.).
  2. Blocks non-FIPS-compliant algorithms or libraries.
  3. Runs in a stricter security configuration.

Supported Operating Systems:

The following operating systems, OS distributions and product distribution formats are supported:
  • Linux x64
    • Standalone (tar.gz)
    • RPM
      • RedHat 8,9
    • DEB
      • Debian 10,11
      • Ubuntu 20,22
    • Docker compose
    • Amazon Linux 2023

Resolution


Enabling FIPS mode on VMs


On RHEL 8 or 9
fips-mode-setup --enable
Reboot

CHECK 1 - Verify FIPS enabled
fips-mode-setup --check
FIPS mode is enabled.

CHECK 2 - Verify FIPS enabled
cat /proc/sys/crypto/fips_enabled
1

update-crypto-policies --show
FIPS

Note:

When FIPS mode is enabled on the VM, FIPS is enabled in Docker containers automatically.



Download the following dependency and extract it to the folder `openssl` under root directory:
wget https://releases.jfrog.io/artifactory/installers/openssl-fips/openssl-fips/3.0.9/openssl-fips-3.0.9-amd64.tar.gz

- Edit `/opt/jfrog/artifactory/app/frontend/bin/nodejs.cnf` and ensure the `fipsmodule.cnf` path (`/root/openssl/ssl/fipsmodule.cnf`) is correctly mentioned in the `.include` line.

To start Artifactory with FIPS enabled in native installations, make sure system.yaml contains the following values:

fips:
    mode: "strict"
shared:
    env:
        OPENSSL_CONF: /opt/jfrog/artifactory/app/frontend/bin/nodejs.cnf
        OPENSSL_MODULES: /usr/lib64/ossl-modules

Add the environment variables OPENSSL_CONF and OPENSSL_MODULES at the end of the system.yaml file.
Make sure OPENSSL_MODULES is set to the correct path for the OSSL modules from the dependency downloaded earlier. When starting Artifactory, use the default password for FIPS mode: "jfrogpassword@123".
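
The kernel check, the `fips: mode` value in system.yaml and the `.include` line in the OpenSSL config can be verified together before starting Artifactory. The script below is an added example, not part of the original article or of JFrog's tooling; the function names and the script name are hypothetical, and it assumes the simple `key: value` layout of system.yaml shown above.

```bash
#!/usr/bin/env bash
# Added example: preflight for the FIPS settings in this article (not JFrog code).
# Function names are hypothetical; paths are arguments so a fixture can be used.

# Kernel flag file must contain exactly "1" (CHECK 2 in the article).
check_kernel_fips() {
  local f="${1:-/proc/sys/crypto/fips_enabled}"
  [ -r "$f" ] && [ "$(tr -d '[:space:]' < "$f")" = "1" ]
}

# The top-level "fips:" block of system.yaml must set mode: "strict".
check_fips_strict() {
  awk '/^[^ \t#]/ { in_fips = ($1 == "fips:") }
       in_fips && $1 == "mode:" { gsub(/"/, "", $2); if ($2 == "strict") ok = 1 }
       END { exit (ok ? 0 : 1) }' "$1" 2>/dev/null
}

# Print the OPENSSL_CONF value from system.yaml (simple "key: value" form only).
openssl_conf_from_yaml() {
  awk '$1 == "OPENSSL_CONF:" { gsub(/"/, "", $2); print $2; exit }' "$1" 2>/dev/null
}

# The OpenSSL config needs an uncommented .include of a fipsmodule.cnf that exists.
check_openssl_include() {
  local target
  target=$(awk '$1 == ".include" { p = ($2 == "=") ? $3 : $2
                  if (p ~ /fipsmodule\.cnf$/) { print p; exit } }' "$1" 2>/dev/null)
  [ -n "$target" ] && [ -f "$target" ]
}

# Run all checks; report every failure and return non-zero if any failed.
fips_preflight() {
  local yaml="$1" flag="${2:-/proc/sys/crypto/fips_enabled}" cnf rc=0
  check_kernel_fips "$flag" || { echo "FAIL: kernel FIPS flag is not 1"; rc=1; }
  check_fips_strict "$yaml" || { echo "FAIL: fips.mode is not \"strict\" in $yaml"; rc=1; }
  cnf=$(openssl_conf_from_yaml "$yaml") || cnf=""
  check_openssl_include "$cnf" || { echo "FAIL: no usable .include in '${cnf:-<unset>}'"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: FIPS preflight passed"
  return "$rc"
}

# Usage: ./fips_preflight.sh /path/to/system.yaml
if [ "$#" -gt 0 ]; then fips_preflight "$@"; fi
```

A commented-out `.include` line or a `mode: "strict"` placed under a block other than `fips:` is reported as a failure rather than silently accepted.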