mTLS Authentication in JFrog Cloud

JFrog Platform Administration Documentation


Mutual Transport Layer Security (mTLS) authentication or two-way authentication refers to two parties authenticating each other at the same time in an authentication protocol. This type of authentication, which is an optional feature for TLS, means that the client also authenticates itself against the server with a client-side certificate, thus providing enhanced security.

Clients can communicate with a JFrog Cloud instance in the following mTLS modes:

  • Optional Verification: Clients can either use mTLS or not (the server accepts both kinds of requests). In this mode mTLS is not strictly enforced, which is useful during a transition phase.

  • Enforced: Clients must use mTLS to communicate with the server. This covers both client requests sent via the API and access to the JFrog Platform UI from a browser. Using this mode requires an initial setup on the client side (browsers, CLI clients) to configure the mTLS client certificate. Set up the client certificate according to the specific tool's user guide.

mTLS can be used to communicate with the JFrog Platform, but not with the MyJFrog portal.

The mTLS client certificate (issued by the CA you share) is an additional condition and does not replace the need to authenticate (e.g., via credentials, an access token, etc.).

As a best practice, start with the optional mode and then move to the enforced mode.

To minimize the security risk, remember to exchange the CAs over a secure channel.

There is currently no support for CA revocation.

To enable mTLS authentication in JFrog Cloud:

  1. Create an X.509 CA in PEM format using OpenSSL or another method.

  2. Share the CA with JFrog Support through a secure channel. You will also need to tell JFrog the maximum verification depth of the CA chain; the default is 2.

  3. Test the connection using curl, openssl, or a browser, as shown in the following example.

    curl -v -u user:password "https://your-artifactory.jfrog.io/artifactory/" --cert example-cli.crt --key example-cli.key