To establish a "Circle of Trust" between JFrog services, you will need to exchange the public token certificate between the services.
Services that are within the circle of trust have complete admin privileges on each other. To exchange the certificates, you need to copy a service’s root certificate to another service’s $JFROG_HOME/artifactory/var/etc/access/keys/trusted folder.
The service's root certificate can be acquired in the following ways:
found under $JFROG_HOME/artifactory/var/etc/access/keys/root.crt (requires physical access to the server)
by calling the Get Root Certificate REST API
Note
The root.crt will disappear from the target's trusted folder and will be placed in the Artifactory database.
To establish a circle of trust in a Helm installation, see Add circle of trust certificates to a Helm installation.
Trust can be created between multiple services: you need to make sure that all participating instances in the circle of trust are equipped with the relevant public keys (root certificate). Note that a trust can be unidirectional or bidirectional. The service watches a directory of trusted public keys and reloads the keys when it needs to verify a token.
Renaming the source service’s certificate
Since trust can be created between multiple services, you should rename each source service’s certificate with a meaningful name. For example, if one service named “us-east” should be trusted by another service named “us-west”, then $JFROG_HOME/artifactory/var/etc/access/keys/root.crt from us-east should be copied to $JFROG_HOME/artifactory/var/etc/access/keys/trusted/us-east.crt on us-west.
Use the same Artifactory userid and groupid
Make sure you give the same Artifactory userid and groupid to the root certificate in the trusted folder ($ARTIFACTORY_HOME/access/etc/keys/trusted/*) by comparing to the other files from the previous folder ($ARTIFACTORY_HOME/access/etc/keys/).
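The copy, rename and ownership steps above, combined into one shell function run on the trusting service's host. This is an added example, not JFrog tooling: the function names are hypothetical, it assumes GNU coreutils (stat -c, chown --reference), and it uses the target's own root.crt in the keys folder as the ownership reference.

```shell
#!/bin/sh
# Added example, not JFrog tooling. Assumes GNU coreutils.

# owner_of FILE: print the numeric "uid:gid" that owns FILE.
owner_of() {
    stat -c '%u:%g' "$1"
}

# install_trusted_cert SRC_CRT SOURCE_NAME [KEYS_DIR]
# Copy the source service's root certificate to KEYS_DIR/trusted/SOURCE_NAME.crt
# and give it the same userid/groupid as KEYS_DIR/root.crt (assumed reference).
install_trusted_cert() {
    src=$1
    name=$2
    keys_dir=${3:-"$JFROG_HOME/artifactory/var/etc/access/keys"}
    ref="$keys_dir/root.crt"
    dest="$keys_dir/trusted/$name.crt"

    # Accept only a plain service name, so the destination cannot leave trusted/.
    case $name in
        ''|.*|*[!A-Za-z0-9._-]*) echo "invalid service name: $name" >&2; return 2 ;;
    esac
    [ -f "$src" ] || { echo "missing source certificate: $src" >&2; return 3; }
    [ -f "$ref" ] || { echo "missing reference file: $ref" >&2; return 3; }
    [ -d "$keys_dir/trusted" ] || { echo "missing folder: $keys_dir/trusted" >&2; return 3; }
    # Never silently replace a certificate that is already trusted under this name.
    [ ! -e "$dest" ] || { echo "already present: $dest" >&2; return 4; }

    cp "$src" "$dest" || return 5
    # Align ownership only when it differs (changing owner normally needs root).
    if [ "$(owner_of "$dest")" != "$(owner_of "$ref")" ]; then
        chown --reference="$ref" "$dest" || return 6
    fi
    [ "$(owner_of "$dest")" = "$(owner_of "$ref")" ] || return 6
    printf '%s\n' "$dest"
}

# Usage on us-west, after fetching us-east's root.crt to /tmp/us-east-root.crt:
#   install_trusted_cert /tmp/us-east-root.crt us-east
```

Because every certificate placed in the trusted folder grants its service complete admin privileges, the function refuses to overwrite an existing entry and rejects names containing path separators.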