Access Troubleshooting (401 Error)

Subject 

How to resolve the 401 startup error.

Affected Versions

5.4.X – Latest 

Description

Artifactory comes bundled with an "Access" security service since 5.4.X, and this service has slowly been given more functionality in the background. Artifactory uses both a set of credentials to work with this new service. Occasionally this system can experience issues, especially during upgrades, where legacy authentication credentials are incorrectly applied. 

This will cause Artifactory to not start. For HA installations each node will fail to start when shut down. If you encounter the following error in the artifactory.log file, Artifactory is having an a problem authenticating with its bundled Access server:

2017-12-06 00:16:35,244 [art-init] [ERROR] (o.a.w.s.ArtifactoryContextConfigListener:99) – Application could not be initialized: HTTP response status 401:{"errors":[{"code":"UNAUTHORIZED","detail":"Bad credentials","message":"HTTP 401 Unauthorized"}]}
java.lang.reflect.InvocationTargetException: null
[…]
Caused by: java.lang.RuntimeException: Failed to generate service admin token using bootstrap credentials.

Resolution

To solve this you need to reset the access credentials in the database, known as "bootstrapping" the credentials. Note: There was a more efficient solution developed for Artifactory 5.8, please use the relevant instructions only for your version.

Revert the Admin Access credentials for Artifactory 5.5.X – 5.7.X:
1. (Optional) Back up the current database configuration
2. Create a “bootstrap.creds” file in the node’s  $ARTIFACTORY_HOME/access/etc/bootstrap.creds containing:

"admin@<IP_ADDRESS>=password" 

3. change permissions:

chmod 600 bootstrap.creds
chown artifactory:artifactory bootstrap.creds #Only if rest of directory is owned by “artifactory”

4. Edit or create the $ARTIFACTORY_HOME/etc/security/access/keys/access.creds file, which contains: 

“admin=password”
Note: there is a bug in some versions that actually require the manual REMOVAL of the access.creds before the bootstrap will work.

5. In your remote database, you need to remove the admin user from the 'access_users' table:

select * from access_users where username='admin'; //Find user in table first
delete from access_users where username='admin';

6. Restart Artifactory

Revert Admin access for Artifactory 5.8.X and above:
1. (Optional) Back up the current database configuration
2. Create a “bootstrap.creds” file in the node’s  $ARTIFACTORY_HOME/access/etc/bootstrap.creds containing:

"access-admin@<IP_ADDRESS>=password" 

3. change permissions:

chmod 600 bootstrap.creds
chown artifactory:artifactory bootstrap.creds #Only if rest of directory is owned by “artifactory”

4. Restart Artifactory

Please note: If adding the <IP_ADDRESS> in bootstrap.creds gives the 403 error further, you can use '127.0.0.1' instead and give it a try.