Enable TLS Encryption for PostgreSQL

JFrog Installation & Setup Documentation

To enable Transport Layer Security (TLS) encryption for PostgreSQL, set the sslmode property to verify-full in the JDBC connector URL.

For example, update the $JFROG_HOME/artifactory/var/etc/system.yaml file as follows.

shared:
  database:
    ...
    url: jdbc:postgresql://mypostgress.mydomain.com:5432/artifactory?ssl=true&sslfactory=org.postgresql.ssl.jdbc4.LibPQFactory&sslmode=verify-full&sslrootcert=/tmp/server.crt
    ...

Note

The JFrog Artifactory product includes several microservices that require a connection to a database. Some of these microservices are built using Java, while others utilize Go. During startup, Artifactory automatically converts the JDBC URL to a Go URL. However, in some cases, this conversion may not work, and you will need to configure a dedicated URL for the Go-based microservices.

For example, the metadata service is built using Go, so you need to configure the metadata database URL according to Go’s configuration. You can set it up as follows:

metadata:
  database:
    url: "go:user='artifactory' dbname=artifactory host=<DATABASE_HOSTNAME> port=5432 sslmode=verify-full sslrootcert=/PATH/TO/ROOT_CERT sslcert=/PATH/TO/CERT sslkey=/PATH/TO/KEY"

Make sure to replace <DATABASE_HOSTNAME>, /PATH/TO/ROOT_CERT, /PATH/TO/CERT, and /PATH/TO/KEY with the appropriate values for your environment.
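
The following Python sketch is an added example, not JFrog code and not Artifactory's own converter. It checks that a JDBC URL requests verify-full with a root certificate, and shows how the same settings map onto the go: key=value form above when you need to write the dedicated URL by hand. The function names are hypothetical, and dropping the Java-only ssl and sslfactory parameters is an assumption of this example.

```python
from urllib.parse import urlsplit, parse_qs

JDBC_PREFIX = "jdbc:postgresql://"
# Assumption of this example: these parameters are meaningful only to the Java driver.
JDBC_ONLY = {"ssl", "sslfactory"}


def _quote(value):
    # Key=value connection strings quote values with single quotes,
    # escaping backslashes and single quotes inside them.
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def parse_jdbc(jdbc_url):
    """Split a jdbc:postgresql:// URL into host, port, dbname and parameters."""
    if not jdbc_url.startswith(JDBC_PREFIX):
        raise ValueError("not a jdbc:postgresql:// URL")
    parts = urlsplit(jdbc_url[len("jdbc:"):])
    params = {k: v[-1] for k, v in parse_qs(parts.query).items()}
    return parts.hostname, parts.port or 5432, parts.path.lstrip("/"), params


def audit(jdbc_url):
    """Return findings for TLS settings that fall short of verify-full."""
    params = parse_jdbc(jdbc_url)[3]
    findings = []
    mode = params.get("sslmode")
    if mode != "verify-full":
        findings.append(f"sslmode is {mode!r}, expected 'verify-full'")
    if "sslrootcert" not in params:
        findings.append("sslrootcert is not set")
    return findings


def to_go_url(jdbc_url, user):
    """Build the go: key=value form for the same database and TLS settings."""
    host, port, dbname, params = parse_jdbc(jdbc_url)
    fields = [("user", user), ("dbname", dbname), ("host", host), ("port", str(port))]
    fields += [(k, v) for k, v in params.items() if k not in JDBC_ONLY]
    return "go:" + " ".join(f"{k}={_quote(v)}" for k, v in fields)


if __name__ == "__main__":
    # The JDBC URL from the system.yaml example on this page.
    url = ("jdbc:postgresql://mypostgress.mydomain.com:5432/artifactory?ssl=true"
           "&sslfactory=org.postgresql.ssl.jdbc4.LibPQFactory"
           "&sslmode=verify-full&sslrootcert=/tmp/server.crt")
    print(audit(url) or "TLS settings OK")
    print(to_go_url(url, "artifactory"))
```

Client certificate settings (sslcert, sslkey) are carried over only if they already appear in the JDBC URL; otherwise add them to the resulting string as in the metadata example above.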

Note

If you are using old certificates or have an AWS RDS instance that was created before July 2020, the server certificate will not include a Subject Alternative Name (SAN). To resolve this issue, generate a new certificate with SAN.