1. Stop Artifactory
2. Copy access.config.latest.yml to access.config.import.yml as below
    $ cd /opt/jfrog/artifactory/var/etc/access
    $ cp access.config.latest.yml access.config.import.yml
3. Enable TLS in the access.config.import.yml by adding the below snippet
    security:
      tls: true
The access.config.import.yml file after adding TLS.
    ---
    security:
      tls: true
      anonymous-access-enabled: false
    federation:
      inbound:
        service-id-mapping:
        - from: "jfrou@*"
          to: "jfrou@xxxxxxxxxxxxxxxxxxxxxxxxxx"
        - from: "jfevt@*"
          to: "jfevt@xxxxxxxxxxxxxxxxxxxxxxxxxx"
        - from: "jfint@*"
          to: "jfint@xxxxxxxxxxxxxxxxxxxxxxxxxx"
        - from: "jfcon@*"
          to: "jfcon@xxxxxxxxxxxxxxxxxxxxxxxxxx"
        - from: "jfmd@*"
          to: "jfmd@xxxxxxxxxxxxxxxxxxxxxxxxxx"
        - from: "jfrt@*"
          to: "jfrt@xxxxxxxxxxxxxxxxxxxxxxxxxx"
        - from: "jfob@*"
          to: "jfob@xxxxxxxxxxxxxxxxxxxxxxxxxx"
        - from: "jffe@*"
          to: "jffe@000"
    licenses:
    - server-name: "xxxxxxxxx"
      key: <default-lic-data>
    schema-version: 2
4. Create the self-signed certificate using the OpenSSL command below.
    $ openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout cert.key -out cert.crt -config test.cnf -sha256
The content of the test.cnf file is as below:
    [req]
    distinguished_name = req_distinguished_name
    x509_extensions = v3_req
    prompt = no
    [req_distinguished_name]
    C = US
    ST = VA
    L = SomeCity
    O = MyCompany
    OU = MyDivision
    CN = 10.10.0.1
    [v3_req]
    #keyUsage = critical, keyCertSign, digitalSignature
    keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid:always,issuer:always
    basicConstraints=critical,CA:TRUE,pathlen:1
    extendedKeyUsage = serverAuth, clientAuth
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = 10.10.0.1
You may use your own certificate instead of creating a self-signed one. However, the certificate must meet the following prerequisites:
- The private key must use the RSA algorithm
- The private key must be at least 1024-bit
- The certificate must match the provided private key
- The certificate's issuer must match the CA certificate subject
- The certificate's subject must match the property shared.node.ip from system.yaml
- The certificate's Subject Alternative Names (SAN) must include the certificate's subject
- Key usage extension should be marked CRITICAL
- Key usage digitalSignature extension should be enabled
- Key usage keyEncipherment extension should be enabled
- Extended key usage tlsWebServerAuthentication should be enabled
- Extended key usage tlsWebClientAuthentication should be enabled
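
The prerequisites above can be checked with openssl before the files are copied in step 5. This is an added example, not part of the original article or JFrog tooling: `check_cert` is a hypothetical helper that assumes "subject" means the subject CN and treats the certificate as its own CA unless a CA file is passed.

```bash
#!/usr/bin/env bash
# Added example, not JFrog code. Usage: check_cert CERT KEY NODE_IP [CA_CERT]
# Prints each failed prerequisite; returns the number of failures (0 = pass).
# Assumptions: "subject" means the subject CN; CA_CERT defaults to CERT (self-signed).
check_cert() {
  local crt="$1" key="$2" ip="$3" ca="${4:-$1}" fails=0 text kmod cmod cn san ku eku
  fail() { echo "FAIL: $1"; fails=$((fails + 1)); }
  text=$(openssl x509 -in "$crt" -noout -text) || { echo "FAIL: unreadable certificate"; return 1; }

  # RSA private key of at least 1024 bits (modulus is printed as hex, 4 bits per digit)
  kmod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null) || fail "private key is not RSA"
  kmod=${kmod#Modulus=}
  [ $(( ${#kmod} * 4 )) -ge 1024 ] || fail "private key is shorter than 1024 bits"

  # Certificate matches the key: both must carry the same RSA modulus
  cmod=$(openssl x509 -in "$crt" -noout -modulus 2>/dev/null)
  { [ -n "$kmod" ] && [ "${cmod#Modulus=}" = "$kmod" ]; } || fail "certificate does not match private key"

  # Issuer equals the CA certificate's subject
  [ "$(openssl x509 -in "$crt" -noout -issuer | sed 's/^issuer= *//')" = \
    "$(openssl x509 -in "$ca" -noout -subject | sed 's/^subject= *//')" ] ||
    fail "issuer does not match CA subject"

  # Subject CN equals shared.node.ip and is listed in the SAN extension
  cn=$(openssl x509 -in "$crt" -noout -subject -nameopt multiline | sed -n 's/^ *commonName *= //p')
  [ "$cn" = "$ip" ] || fail "subject CN '$cn' does not match node IP '$ip'"
  san=$(printf '%s\n' "$text" | grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 | tr -d ' ' | tr ',' '\n')
  printf '%s\n' "$san" | grep -Fxq -e "DNS:$cn" -e "IPAddress:$cn" || fail "SAN does not include subject CN"

  # Key usage: marked critical, with digitalSignature and keyEncipherment
  ku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage')
  case $ku in *"Key Usage: critical"*) ;; *) fail "key usage is not marked critical" ;; esac
  case $ku in *"Digital Signature"*) ;; *) fail "key usage lacks digitalSignature" ;; esac
  case $ku in *"Key Encipherment"*) ;; *) fail "key usage lacks keyEncipherment" ;; esac

  # Extended key usage: TLS web server and client authentication
  eku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage')
  case $eku in *"TLS Web Server Authentication"*) ;; *) fail "EKU lacks serverAuth" ;; esac
  case $eku in *"TLS Web Client Authentication"*) ;; *) fail "EKU lacks clientAuth" ;; esac
  return "$fails"
}
```

Source the file and run `check_cert cert.crt cert.key 10.10.0.1`, passing the value of shared.node.ip as the third argument; a non-zero return means at least one prerequisite failed.
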
5. Copy the created certificate and key to the router bootstrap directory, renaming them as below.
    $ cp -r cert.crt /opt/jfrog/artifactory/var/bootstrap/router/keys/custom-server.crt
    $ cp -r cert.key /opt/jfrog/artifactory/var/bootstrap/router/keys/custom-server.key
6. Copy the same certificates to the Artifactory trusted directory.
    $ cp -r /opt/jfrog/artifactory/var/bootstrap/router/keys/custom-server.crt /opt/jfrog/artifactory/var/etc/security/keys/trusted/
    $ cp -r /opt/jfrog/artifactory/var/bootstrap/router/keys/custom-server.key /opt/jfrog/artifactory/var/etc/security/keys/trusted/
7. Add the Tomcat SSL configuration to system.yaml.
    $ cd /opt/jfrog/artifactory/var/etc
    $ vi system.yaml
(Add the config below under the artifactory attribute.)
    artifactory:
      tomcat:
        httpsConnector:
          enabled: true
          #port: 8443
8. Restart Artifactory. After the restart, Artifactory listens on HTTPS.
9. Copy the CA of the custom TLS certificate to etc/security/keys/trusted/ on all JFrog product nodes installed in the same JPD.
10. If applicable, copy the CA to the load balancer.
For more information, please refer to our wiki page here or contact JFrog Support.