Configure mTLS in Artifactory with NGINX

JFrog Installation & Setup Documentation


To enable mTLS (Mutual TLS) authentication in Artifactory through NGINX, follow these steps:

Step 1 - NGINX Changes

  1. Navigate to the main.yml file located at:

    platform/products/ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/defaults/main.yml
  2. To set up a CA certificate, find the parameter mtls_ca_certificate_install in the main.yml file and change its value from false to true.

  3. To create a CA certificate, run the following command:

    openssl req -new -x509 -nodes -days 365 -subj '/CN=my-ca' -keyout ca.key -out ca.crt

    Note

    CA certificates in mTLS verify the authenticity and trustworthiness of client and server certificates, ensuring secure and mutual authentication.

  4. Place the ca.crt and ca.key files into the same directory as your main.yml file.

  5. In the main.yml file, add the following parameters so the role installs the certificates you just generated; paste the contents of each file, indented, under its block scalar (the angle-bracket text is a placeholder):

    mtls_ca_certificate_crt: |
      <contents of ca.crt>
    mtls_ca_certificate_key: |
      <contents of ca.key>

Step 2 - Artifactory Changes

  1. Navigate to the main.yml file located at:

    platform/products/ansible/ansible_collections/jfrog/platform/roles/artifactory/defaults/main.yml

    Under the artifactory_access_config_patch section, add the following configuration:

    security:
      authentication:
        mtls:
          enabled: true
          extraction-regex: (.*)

  2. In the same main.yml, update the following flags:

    artifactory_nginx_ssl_enabled: true
    artifactory_nginx_enabled: false

    For more information, see Set up mTLS Verification and Certificate Termination on the Reverse Proxy.

  3. Follow these steps to validate the client:

    1. Generate a new server key with the following command:

      openssl genrsa -out server.key 2048
    2. Use the server key to create a Certificate Signing Request (CSR) with the following command:

      openssl req -new -key server.key -subj '/CN=localhost' -out server.csr
    3. Use the CA certificates created in Step 1 to generate the server certificate with the following command:

      openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 -out server.crt
  4. To test the mTLS setup, use a tool like curl with the following command (the request must go over HTTPS, since the client certificate is only presented during the TLS handshake):

    curl -u <username>:<password> "https://<artifactory-url>/artifactory/api/system/ping" --cert server.crt --key server.key -k

    Replace the placeholders:

    <username>: Your Artifactory username.

    <password>: Your Artifactory password.

    <artifactory-url>: The URL of your Artifactory instance.

    If the setup is correct, NGINX accepts the presented client certificate and the request reaches Artifactory over the configured mTLS connection. Note that -k only disables verification of the NGINX server certificate on the curl side; once you have the CA that signed that server certificate, pass it with --cacert instead of -k so the server is verified as well.
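The following script is an added example and is not part of the JFrog documentation or the Ansible collection. It reproduces the openssl commands from Step 1 and Step 2 in a throwaway directory and then checks the three things the NGINX/Artifactory side relies on: a client certificate signed by the configured CA verifies against that CA, a certificate with the same CN but issued by an unrelated CA (constructed here as "other-ca") is rejected, and the CN that the extraction-regex `(.*)` keeps whole is read back from the certificate subject. The function names `make_ca_and_leaf`, `verify_client_cert` and `client_cn`, the CN values `alice`, `my-ca` and `other-ca`, and the file names `client.key`/`client.crt` are this example's own choices; it needs only the openssl CLI.

```shell
#!/bin/sh
# Added example (not from the JFrog page): build a CA and a client certificate,
# then verify chain trust and CN extraction the way the NGINX -> Artifactory
# mTLS path depends on them. Requires the openssl CLI.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Issue a self-signed CA and a leaf certificate signed by it.
# $1 = output directory, $2 = CA common name, $3 = leaf (client) common name.
make_ca_and_leaf() {
  dir="$1"; ca_cn="$2"; leaf_cn="$3"
  mkdir -p "$dir"
  # Same command shape as Step 1 of the page.
  openssl req -new -x509 -nodes -days 365 -subj "/CN=$ca_cn" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # Same three commands as Step 2, item 3 (key, CSR, CA-signed certificate).
  openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
  openssl req -new -key "$dir/client.key" -subj "/CN=$leaf_cn" \
    -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -out "$dir/client.crt" 2>/dev/null
}

# Exit status 0 when certificate $2 chains to the CA in $1, non-zero otherwise.
# This is the trust decision NGINX makes against the CA installed by
# mtls_ca_certificate_install before Artifactory ever sees the request.
verify_client_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the CN from the certificate subject: the raw value that an
# extraction-regex of (.*) passes through unchanged as the identity.
client_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Trusted CA plus a client it issued.
make_ca_and_leaf "$WORK/good" my-ca alice
# Unrelated CA that issues a certificate with the very same CN (constructed
# negative case): identity in the subject is meaningless without chain trust.
make_ca_and_leaf "$WORK/rogue" other-ca alice

if verify_client_cert "$WORK/good/ca.crt" "$WORK/good/client.crt"; then
  echo "client signed by my-ca: accepted"
fi
if ! verify_client_cert "$WORK/good/ca.crt" "$WORK/rogue/client.crt"; then
  echo "client signed by other-ca: rejected"
fi
echo "identity extracted by (.*): $(client_cn "$WORK/good/client.crt")"
```

Run it as `sh mtls-check.sh`; the same `verify_client_cert` check, pointed at the ca.crt you placed next to main.yml and at the certificate you hand to curl, tells you before touching NGINX whether a handshake failure is a trust problem or a configuration problem.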