Description

ARTIFACTORY: How to resolve “<TARGET> does not trust HOME” error when configuring Access Federation

Author: Ino Choi
Article number: 000005860
First published: 2023-09-07T19:09:18Z
Last modified: 2023-09-07
Version: 2
Access Federation gives you control over access to all, or any subset, of your services from one location by synchronizing all security entities (users, groups, permissions, and access tokens) between the federated services. (For more information, see the Access Federation documentation.)

During the setup of Access Federation using either the Star or Mesh topology, you might encounter the following error: the <TARGET> JPD does not have trust in the HOME JPD.


If you have followed the correct procedures to configure the base URL and establish the Circle of Trust and are still encountering this issue, you need to dig deeper into the backend to identify the underlying cause and find a resolution.

To do so, examine the Access and Mission Control (MC) logs for relevant errors. The following error messages come from the MC logs and the Access logs on the HOME JPD instance:
2023-08-16T20:49:31.180Z [jfmc ] [INFO ] [5fef86defd850c2f] [.m.f.SetupOperationExecutor:23] [ttp-nio-8080-exec-10] - Running: Check if TARGET trusts HOME
2023-08-16T20:49:36.305Z [jfmc ] [ERROR] [5fef86defd850c2f] [m.f.u.FederationUiResource:175] [ttp-nio-8080-exec-10] - Error when executing Check if TARGET trusts HOME
2023-08-16T20:49:36.305Z [jfmc ] [ERROR] [5fef86defd850c2f] [m.f.u.FederationUiResource:175] [ttp-nio-8080-exec-10] - Error when executing Check if TARGET trusts HOME
org.jfrog.mc.federation.FederationConfigInterruptedException: java.lang.IllegalArgumentException: TARGET does not trust HOME

2023-08-16T20:49:36.289Z [jfac ] [WARN ] [bbfa107cf6f048f0] [rationCommunicationHandler:181] [27.0.0.1-8040-exec-6] - Failed to verify server http://target.art.local/access. Response status: 401

On the TARGET JPD instance, the Access logs show the following message:
2023-08-16T20:49:31.308Z [jfac ] [WARN ] [6cf748cea7406a0e] [t.v.TokenNotRevokedVerifier:49] [27.0.0.1-8040-exec-9] - Federation token '005d2c56-08b2-4c21-a616-640a2e5e4890' is considered revoked because expiry >= revocableExpiryThresholdMillis (revocableExpiryThresholdMillis=0, expiry=120000).Set revocable-expiry-threshold above 120

When the HOME instance validates the TARGET instance, it generates a token and sends it to the TARGET instance. By default, this token expires after 120 seconds. However, if that expiry is greater than or equal to the value of the "revocable-expiry-threshold" property (the condition printed in the warning above), the TARGET instance treats the received token as revoked and the verification fails.

To verify the setting, examine the value of "revocable-expiry-threshold" within the $JFROG_HOME/artifactory/var/etc/access/access.config.latest.yml file:
token:
  revocation:
    revocable-expiry-threshold: 0

As described in the JFrog help page, setting this property to 0 means that all tokens can be revoked.
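
A triage sketch for the check described above, added here as an example and not taken from the article or from JFrog: it pulls the TokenNotRevokedVerifier warning out of Access log lines and tests the configured threshold against the condition that warning prints. The function names are hypothetical, and it assumes the YAML value is in seconds, as the log's pairing of expiry=120000 with "above 120" suggests.

```python
import re

# Matches the TokenNotRevokedVerifier warning format quoted in the article.
WARN_RE = re.compile(
    r"^(?P<ts>\S+) \[jfac\s*\] \[WARN\s*\].*TokenNotRevokedVerifier.*?"
    r"Federation token '(?P<token>[^']+)' is considered revoked.*?"
    r"revocableExpiryThresholdMillis=(?P<threshold_ms>\d+), expiry=(?P<expiry_ms>\d+)")
CONF_RE = re.compile(r"^\s*revocable-expiry-threshold:\s*(\d+)\s*$", re.MULTILINE)

def parse_warnings(log_lines):
    """Return one dict per federation-token warning found in Access log lines."""
    hits = []
    for line in log_lines:
        m = WARN_RE.search(line)
        if m:
            hits.append({"ts": m["ts"], "token": m["token"],
                         "threshold_ms": int(m["threshold_ms"]),
                         "expiry_ms": int(m["expiry_ms"])})
    return hits

def configured_threshold_seconds(config_text):
    """Read revocable-expiry-threshold from access.config.latest.yml text."""
    m = CONF_RE.search(config_text)
    return int(m.group(1)) if m else None

def is_rejected(expiry_ms, threshold_s):
    """Condition printed in the warning: expiry >= revocableExpiryThresholdMillis.
    Assumption: the YAML value is in seconds (the log pairs 120000 ms with 120)."""
    return expiry_ms >= threshold_s * 1000

# Sample input: two Access log lines and the YAML, as quoted in the article.
SAMPLE_LOG = [
    "2023-08-16T20:49:36.289Z [jfac ] [WARN ] [bbfa107cf6f048f0] "
    "[rationCommunicationHandler:181] [27.0.0.1-8040-exec-6] - Failed to verify "
    "server http://target.art.local/access. Response status: 401",
    "2023-08-16T20:49:31.308Z [jfac ] [WARN ] [6cf748cea7406a0e] "
    "[t.v.TokenNotRevokedVerifier:49] [27.0.0.1-8040-exec-9] - Federation token "
    "'005d2c56-08b2-4c21-a616-640a2e5e4890' is considered revoked because expiry "
    ">= revocableExpiryThresholdMillis (revocableExpiryThresholdMillis=0, "
    "expiry=120000).Set revocable-expiry-threshold above 120",
]
SAMPLE_CONF = "token:\n  revocation:\n    revocable-expiry-threshold: 0\n"

if __name__ == "__main__":
    threshold = configured_threshold_seconds(SAMPLE_CONF)
    for w in parse_warnings(SAMPLE_LOG):
        print(w["ts"], w["token"], "expiry_ms:", w["expiry_ms"],
              "rejected under configured threshold:",
              is_rejected(w["expiry_ms"], threshold))
```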