Install JFrog Advanced Security on your Self-Hosted Environment without Helm

Tip

You are in Step 2, of the JFrog Advanced Security installation. For previous and next steps, refer to Installing JFrog Advanced Security.

JAS requires a Kubernetes cluster for running its workloads. To overcome this limitation, JAS installation includes a streamlined solution that leverages the lightweight K3s distribution to create a Kubernetes cluster using virtual machines for those users not using a Kubernetes cluster.

Configure JAS for Self-Signed non-Helm Installation

Note

Starting from Xray version 3.105 and above, no additional self-signed certificate configuration is required for JAS. It will automatically inherit the settings from Xray if necessary.

Copy the ca certificate in pem base64 format to the $XRAY_HOME/var/etc/security/trusted folder.

Update the Xray system.yaml file with the following information. For more information, see Xray System YAML.

executionService: 
  platformCertificatePath: "/path/to/certificate.pem"

Configure JAS in an Air-gapped Non-Helm Environment

You need to do certain configurations to make sure that JAS works without any issues in an air-gapped environment. After these configurations, you can proceed with the installation.

Port Configuration

Ensure that you open the following ports before you proceed.

Between Xray and k3s master VM - 6443,10250
Between k3s VMs - Refer the k3s documentation
Between k3s VMs and Artifactory - 8082

Artifactory Configuration

Run the following steps to configure Artifactory.

Set the following values in the Artifactory System YAML file and restart Artifactory.
```
jfconnect:
    airgap:
        enabled: true
```
Generate an admin-scoped token.
For more information, see Create an Admin Scoped Token.Create an Admin Scoped Token
Use the token obtained in the previous step to generate an offline request token with the JFConnect Start Register API. Ensure this is done in the air-gapped JPD environment.
Example Request:
```
curl -H 'Authorization: Bearer <TOKEN>' -X GET
'http://<JFROG_PLATFORM_URL>:8082/jfconnect/api/v1/offline/start_register
```
This API returns an offline request token.
Example Response:
```
{
    "offline_request_token": <offline_request_token>
}
```
Execute the Post Offline Request Token to JFrog Entitlements Service API by including the offline request token received in the previous step in the request body. Make sure to run this from a machine with Internet access.
Example Request:
```
curl -v -L 'https://jes.jfrog.io/api/v1/offline_register' \
-H 'Content-Type: application/json' \
--data '{
    "offline_request_token": "<offline_request_token>"
}' > entitlements.json
```
When executing the previous command, ensure that the entitlements JSON you receive from the JES matches the intended checksum, as you will save the response body to a file.
In addition, the response header also contains an offline_response_token that you need to provide to the air-gapped JPD.
Execute the JFConnect Offline Register API using the offline response token and the entitlements JSON file on the machine that hosts the air-gapped JFrog Platform installation. Make sure both the token and file are correctly provided during the execution.
Example Request:
```
curl -L -H 'Authorization: Bearer <TOKEN>' -X POST 
'http://<JFROG_PLATFORM_URL>:8082/jfconnect/api/v1/offline/register' \
--form 'entitlements=@entitlements.json;type=application/json' \
--form 'offline_response_token=""' 
```

Xray Configuration

You need to do the Xray configuration in the Xray node or just the first node if you use an HA setup.

Install Docker in the air-gapped Xray node so that you can run the Ansible playbook to set up the k3s infrastructure.

Run the following commands from a machine that has Internet access.

docker pull releases-docker.jfrog.io/ansible/ansible:2.15.0
docker save releases-docker.jfrog.io/ansible/ansible:2.15.0 | gzip > ansible.tar

Copy ansible.tarvfile to the Xray machine.
Run the following command in the Xray machine.
```
docker load < ansible.tar
```
Make the following changes to the Xray System YAML and restart the Xray service.
```
server:
    dbSync:
        version3:
            enabled: true
```

k3s Node Configuration

Configure k3s node VMs. We recommend that you use three VMs - 1 as master and 2 as workers.

Create the VMs for k3s.

Download the following k3s resources from a machine that was Internet access.

k3s binaries (k3s version - 1.29.7+k3s1)

wget https://releases.jfrog.io/artifactory/run/k3s/1.29.7/k3s

k3s airgapped images

wget https://releases.jfrog.io/artifactory/run/k3s/1.29.7/k3s-airgap-images-amd64.tar.gz

Copy k3s binary to /usr/local/bin in the k3s VM and make it executable.
```
sudo cp k3s /usr/local/bin
sudo  chmod +x /usr/local/bin/k3s
```

Copy k3s images to /var/lib/rancher/k3s/agent/images/ in the k3s VM.

sudo mkdir -p /var/lib/rancher/k3s/agent/images/
sudo cp k3s-airgap-images-amd64.tar.gz /var/lib/rancher/k3s/agent/images/

Install JAS in an Air-gapped Non-Helm Environment

Ensure that you complete the prerequisites and complete the configuration for an air-gapped environment.

Download and extract the Xray installer if required.
Run configureJas.sh from the extracted Xray installer directory and provide the necessary inputs as directed.
- RPM - You can find the file in the following location, jfrog-xray-<version>-rpm/configureJas.sh .
- Deb - You can find the file in the following location, jfrog-xray-<version>-deb/configureJas.sh.
- Linux Archive - You can find the file in the following location, jfrog-xray-<version>-linux/xray/app/bin/configureJas.sh
  User Account for Linux Archive Installation
  Use the same user account to install Xray when you run configureJas.sh.
  Xray user used to run the script must have sudo permission to install Ansible from the official upstream package manager. If the user cannot have sudo permission, install Ansible before running this script.
- Docker Compose - You can find the file in the following location, jfrog-xray-<version>-compose/configureJas.sh
Enter the information required by the script.
When the installation is successful, you can find the kube_config.yaml file under /opt/jfrog/xray/var/etc in Deb/RPM installation, <xray installation directory>/var/etc in Linux Archive installation, and /root/.jfrog/xray/var/etc for Docker Compose installation.
The installation also updates the Xray System YAML file with the entries for JAS.
Note
If you install the k3s cluster on the same machine as Xray (for testing and not for production), and use the Docker Compose installation, update the IP in kube_config.yaml to match the IP of the machine. This ensures that Xray can access the k3s cluster from within the container.
Restart the Xray service to enabled JAS.

HA Installation

Copy kube_config.yaml from the first node to the additional nodes under the same path.
You can find kube_config.yaml file under /opt/jfrog/xray/var/etc in Deb/RPM installation, <xray installation directory>/var/etc in Linux Archive installation, and /root/.jfrog/xray/var/etc for Docker Compose installation.
Run configureJas.sh .
Choose the option to use the existing kube_config.yaml file.
Restart the Xray service after the installation is complete.

Load Exposure and Contextual Analysis Images

You must load exposure and contextual analysis images to all k3s VMs.

Note

When you download an image, ensure that it is of the same architecture as the k3s machine.

Download images on a machine that has Internet connection.

docker pull --platform=linux/amd64 releases-docker.jfrog.io/jfrog/xray-jas-exposures:<XRAY_VERSION>
docker pull --platform=linux/amd64 releases-docker.jfrog.io/jfrog/xray-jas-contextual-analysis:<XRAY_VERSION>

Save the images as tar files.

docker save releases-docker.jfrog.io/jfrog/xray-jas-exposures:<XRAY_VERSION> > jas_exposure.tar
docker save releases-docker.jfrog.io/jfrog/xray-jas-contextual-analysis:<XRAY_VERSION> > jas_contextual_analysis.tar

Copy the tar files to all k3s nodes and load with the following commands.

k3s ctr images import jas_exposure.tar
k3s ctr images import jas_contextual_analysis.tar

Tip

Configure JAS for Self-Signed non-Helm Installation

Note

Configure JAS in an Air-gapped Non-Helm Environment

Port Configuration

Artifactory Configuration

Xray Configuration

k3s Node Configuration

Install JAS in an Air-gapped Non-Helm Environment

User Account for Linux Archive Installation

Note

HA Installation

Load Exposure and Contextual Analysis Images

Note