To establish a "Circle of Trust" between JFrog services, you will need to exchange the public token certificate between the services.
Services that are within the circle of trust have complete admin privileges on each other. To exchange the certificates, you need to copy a service’s root certificate to another service’s $JFROG_HOME/artifactory/var/etc/access/keys/trusted folder.
The service's root certificate can be acquired in the following ways:
Found under $JFROG_HOME/artifactory/var/etc/access/keys/root.crt (requires physical access to the server)
By calling the Get Root Certificate REST API
Note
The root.crt will disappear from the target's trusted folder and will be placed in the Artifactory database.
Trust can be created between multiple services: you need to make sure that all participating instances in the circle of trust are equipped with the relevant public keys (root certificate). Note that a trust can be unidirectional or bidirectional. The service watches a directory of trusted public keys and reloads the keys when it needs to verify a token.
Renaming the source service’s certificate
Since trust can be created between multiple services, you should rename each source service’s certificate with a meaningful name. For example, if one service named “us-east” should be trusted by another service named “us-west”, then $JFROG_HOME/artifactory/var/etc/access/keys/root.crt from us-east should be copied to $JFROG_HOME/artifactory/var/etc/access/keys/trusted/us-east.crt on us-west.
Use the same Artifactory userid and groupid
Make sure you give the same Artifactory userid and groupid to the root certificate in the trusted folder ($ARTIFACTORY_HOME/access/etc/keys/trusted/*) by comparing with the other files in the parent folder ($ARTIFACTORY_HOME/access/etc/keys/).
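The rename and ownership steps above can be combined into one guarded copy. This is an added example, not JFrog's own tooling: the function name install_trusted_cert and its return codes are hypothetical, and it assumes GNU stat and a source certificate already transferred to the target host. Because a trusted certificate grants full admin privileges, it refuses anything that is not a PEM certificate and will not overwrite a different certificate stored under the same name.

```shell
#!/bin/sh
# Added example (not JFrog code); install_trusted_cert is a hypothetical helper.
# Usage on the trusting service (us-west), with the page's paths:
#   install_trusted_cert /tmp/us-east-root.crt \
#       "$JFROG_HOME/artifactory/var/etc/access/keys" us-east
install_trusted_cert() {
    src=$1; keys_dir=$2; name=$3
    trusted_dir="$keys_dir/trusted"

    # The name becomes a file name: allow only a conservative character set.
    case "$name" in
        ''|*[!A-Za-z0-9._-]*) echo "invalid service name: $name" >&2; return 2 ;;
    esac

    # Only a public PEM certificate belongs here, never a private key.
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$src" 2>/dev/null; then
        echo "not a PEM certificate: $src" >&2; return 3
    fi
    if grep -q 'PRIVATE KEY-----' "$src"; then
        echo "refusing file containing a private key: $src" >&2; return 3
    fi

    [ -d "$trusted_dir" ] || { echo "missing $trusted_dir" >&2; return 4; }
    dest="$trusted_dir/$name.crt"

    # Do not silently replace a different certificate under the same name.
    if [ -e "$dest" ] && ! cmp -s "$src" "$dest"; then
        echo "different certificate already present: $dest" >&2; return 5
    fi

    # Match the uid:gid of the existing files in the keys folder (GNU stat).
    ref="$keys_dir/root.crt"
    [ -e "$ref" ] || ref="$keys_dir"
    owner=$(stat -c '%u:%g' "$ref") || return 6

    cp "$src" "$dest" && chown "$owner" "$dest" || return 6
    echo "$dest"
}
```

On success the function prints the installed path; since the service moves the certificate into the database, the file is not expected to stay in the trusted folder afterwards.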