Steps to enable TLS with a custom certificate:

ARTIFACTORY: How to enable TLS within the JFrog Platform using custom certificates

Author: Prajyot Pawase
Article number: 000005734
Source: Salesforce
First published: 2023-05-21T11:28:01Z
Last modified: 2023-05-21
Version: 1
1. Stop Artifactory

2. Copy access.config.latest.yml to access.config.import.yml:
$ cd /opt/jfrog/artifactory/var/etc/access
$ cp access.config.latest.yml access.config.import.yml

3. Enable TLS in access.config.import.yml by adding the following snippet:
security:
  tls: true

The access.config.import.yml file after TLS has been enabled:
---
security:
  tls: true
  anonymous-access-enabled: false
federation:
  inbound:
    service-id-mapping:
    - from: "jfrou@*"
      to: "jfrou@xxxxxxxxxxxxxxxxxxxxxxxxxx"
    - from: "jfevt@*"
      to: "jfevt@xxxxxxxxxxxxxxxxxxxxxxxxxx"
    - from: "jfint@*"
      to: "jfint@xxxxxxxxxxxxxxxxxxxxxxxxxx"
    - from: "jfcon@*"
      to: "jfcon@xxxxxxxxxxxxxxxxxxxxxxxxxx"
    - from: "jfmd@*"
      to: "jfmd@xxxxxxxxxxxxxxxxxxxxxxxxxx"
    - from: "jfrt@*"
      to: "jfrt@xxxxxxxxxxxxxxxxxxxxxxxxxx"
    - from: "jfob@*"
      to: "jfob@xxxxxxxxxxxxxxxxxxxxxxxxxx"
    - from: "jffe@*"
      to: "jffe@000"
licenses:
- server-name: "xxxxxxxxx"
  key: <default-lic-data>
schema-version: 2

4. Create a self-signed certificate with the OpenSSL command below (2048-bit RSA key, SHA-256 signature, valid for two years):
$ openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout cert.key -out cert.crt -config test.cnf -sha256

The test.cnf file contains the following (the CN and the SAN entry must both be the node address that shared.node.ip in system.yaml is set to):
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = VA
L = SomeCity
O = MyCompany
OU = MyDivision
CN = 10.10.0.1
[v3_req]
#keyUsage = critical, keyCertSign, digitalSignature
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=critical,CA:TRUE,pathlen:1
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = 10.10.0.1

You may use your own certificate instead of creating a self-signed one. In either case the certificate must meet the following prerequisites:
  • The private key must use the RSA algorithm
  • The private key must be at least 1024-bit (the example above uses 2048-bit, which is the practical minimum today)
  • The certificate must match the provided private key
  • The certificate's issuer must match the CA certificate subject
  • The certificate's subject must match the property shared.node.ip from system.yaml
  • The certificate's Subject Alternative Names (SAN) must include the certificate's subject
  • The key usage extension must be marked CRITICAL
  • The digitalSignature key usage must be enabled
  • The keyEncipherment key usage must be enabled
  • The tlsWebServerAuthentication (serverAuth) extended key usage must be enabled
  • The tlsWebClientAuthentication (clientAuth) extended key usage must be enabled

Note that the example test.cnf lists the IP address as a DNS SAN entry (DNS.1), which is what makes the SAN contain the subject as required above. TLS clients that validate the address as an IP (browsers, Go's crypto/tls) compare it only against an iPAddress SAN entry, so when shared.node.ip is an IP address it is safest to add IP.1 = 10.10.0.1 to [alt_names] alongside DNS.1.

5. Copy the certificate and key to the router bootstrap directory, renaming them as below:
$ cp cert.crt /opt/jfrog/artifactory/var/bootstrap/router/keys/custom-server.crt
$ cp cert.key /opt/jfrog/artifactory/var/bootstrap/router/keys/custom-server.key

6. Copy the same files to the Artifactory trusted directory:
$ cp /opt/jfrog/artifactory/var/bootstrap/router/keys/custom-server.crt /opt/jfrog/artifactory/var/etc/security/keys/trusted/
$ cp /opt/jfrog/artifactory/var/bootstrap/router/keys/custom-server.key /opt/jfrog/artifactory/var/etc/security/keys/trusted/

7. Add the Tomcat HTTPS connector configuration to system.yaml.
$ cd /opt/jfrog/artifactory/var/etc
$ vi system.yaml (add the following under the artifactory key)
artifactory:
    tomcat:
        httpsConnector:
            enabled: true
            #port: 8443

8. Restart Artifactory. After the restart Artifactory also listens on HTTPS, on the connector port (8443 unless port is set above).

9. Copy the CA certificate that issued the custom TLS certificate (for the self-signed certificate above, cert.crt itself) to etc/security/keys/trusted/ on every JFrog product node in the same JPD.

10. If applicable, import the same CA certificate into the load balancer's trust store.
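The procedure above as one runnable script. This is an added example for this article, not JFrog's own tooling: it generates the self-signed certificate from the same test.cnf settings, checks every prerequisite in the list with openssl so that a certificate from your own CA can be validated before it is staged, and copies the files into the router bootstrap and trusted directories (steps 5 and 6). Function names, the NODE_IP and JFROG_HOME variables, the optional IP.1 SAN entry and the chmod on the private key are assumptions of this example and are not taken from the article.

```bash
#!/usr/bin/env bash
# Added example (not from the article): generate a self-signed certificate like
# the one above, check it against the prerequisite list with openssl, and stage
# it where the router and the trusted store expect it. Function names, NODE_IP
# and the JFROG_HOME override are assumptions made for this example.
set -u

# make_cert DIR NODE: key + self-signed cert for node address NODE in DIR.
# The config mirrors test.cnf from the article. Assumption added here: when
# NODE is an IP address an IP.1 SAN is emitted too, because strict TLS clients
# match IP addresses only against iPAddress SAN entries.
make_cert() {
  local dir=$1 node=$2 ip_san=""
  case $node in *[!0-9.]*) ;; *) ip_san="IP.1 = $node" ;; esac
  cat > "$dir/test.cnf" <<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = VA
L = SomeCity
O = MyCompany
OU = MyDivision
CN = $node
[v3_req]
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical,CA:TRUE,pathlen:1
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $node
$ip_san
EOF
  openssl req -x509 -nodes -days 730 -newkey rsa:2048 -sha256 \
    -keyout "$dir/cert.key" -out "$dir/cert.crt" -config "$dir/test.cnf" 2>/dev/null
}

# chk DESCRIPTION COMMAND...: run COMMAND, print PASS/FAIL, count failures in $fails.
chk() { local d=$1; shift; if "$@"; then echo "PASS: $d"; else echo "FAIL: $d"; fails=$((fails + 1)); fi; }
# has HAYSTACK NEEDLE: substring test in a form chk can run.
has() { case $1 in *"$2"*) return 0 ;; *) return 1 ;; esac; }

# check_cert CERT KEY CA NODE: test the pair against the prerequisite list,
# one line per prerequisite; returns the number of failures (0 = usable).
check_cert() {
  local cert=$1 key=$2 ca=$3 node=$4 txt bits cn ku eku vst
  fails=0
  txt=$(mktemp)
  openssl x509 -in "$cert" -noout -text > "$txt"
  # Algorithm and size are read from the certificate; the cert/key match check
  # right after guarantees the private key is that same key.
  chk "private key uses RSA" grep -q 'Public Key Algorithm: rsaEncryption' "$txt"
  bits=$(sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' "$txt"); bits=${bits:-0}
  chk "private key is at least 1024 bits (got $bits)" [ "$bits" -ge 1024 ]
  chk "certificate matches private key" \
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ]
  openssl verify -CAfile "$ca" "$cert" > /dev/null 2>&1 && vst=0 || vst=1
  chk "issuer matches the CA certificate (chain verifies)" [ "$vst" -eq 0 ]
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed 's/.*CN=\([^,]*\).*/\1/')
  chk "subject CN equals shared.node.ip ($node)" [ "$cn" = "$node" ]
  chk "SAN includes the subject" grep -qF "DNS:$cn" "$txt"
  chk "keyUsage is marked critical" grep -q 'X509v3 Key Usage: critical' "$txt"
  ku=$(awk '/X509v3 Key Usage/ { getline; print }' "$txt")
  chk "keyUsage has digitalSignature" has "$ku" "Digital Signature"
  chk "keyUsage has keyEncipherment" has "$ku" "Key Encipherment"
  eku=$(awk '/X509v3 Extended Key Usage/ { getline; print }' "$txt")
  chk "extendedKeyUsage has serverAuth" has "$eku" "TLS Web Server Authentication"
  chk "extendedKeyUsage has clientAuth" has "$eku" "TLS Web Client Authentication"
  rm -f "$txt"
  return "$fails"
}

# install_cert CERT KEY [JFROG_HOME]: steps 5 and 6 of the article.
install_cert() {
  local cert=$1 key=$2 home=${3:-/opt/jfrog/artifactory}
  local router="$home/var/bootstrap/router/keys" trusted="$home/var/etc/security/keys/trusted"
  mkdir -p "$router" "$trusted"
  cp "$cert" "$router/custom-server.crt"
  cp "$key" "$router/custom-server.key"
  cp "$router/custom-server.crt" "$router/custom-server.key" "$trusted/"
  # Assumption, not stated in the article: keep the private key owner-only and
  # chown it to the Artifactory service user if you run this as root.
  chmod 600 "$router/custom-server.key" "$trusted/custom-server.key"
}

# Usage: NODE_IP=10.10.0.1 bash tls_cert_check.sh run   (stop Artifactory first)
main() {
  local work node=${NODE_IP:-10.10.0.1}
  work=$(mktemp -d)
  make_cert "$work" "$node"
  if check_cert "$work/cert.crt" "$work/cert.key" "$work/cert.crt" "$node"; then
    install_cert "$work/cert.crt" "$work/cert.key" "${JFROG_HOME:-/opt/jfrog/artifactory}"
  else
    echo "certificate does not meet the prerequisites; nothing staged" >&2; exit 1
  fi
}
if [ "${1:-}" = run ]; then main; fi
```

Run it with Artifactory stopped as `NODE_IP=10.10.0.1 bash tls_cert_check.sh run`, or source the file and call check_cert on a certificate issued by your own CA; the third argument is the CA certificate, which for the self-signed case is cert.crt itself. A FAIL line names the prerequisite that is not met, so a rejected certificate can be fixed before the router ever sees it. Restart Artifactory afterwards, as in step 8.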

For more information, refer to the JFrog wiki or contact JFrog Support.