ARTIFACTORY: How to enable TLS within the JFrog Platform

Amit Turgeman
2022-05-15 14:00

Left picture:
When TLS is terminated at the load balancer, client requests to the JFrog Platform Deployment (JPD) are forwarded to the Router and/or Artifactory over unencrypted HTTP.
Moreover, in this scenario, Artifactory nodes in an HA setup communicate with each other over HTTP, as do the other JFrog products, for example Xray.

Right picture:
The goal of this step-by-step guide is to show how to enable TLS within the JFrog Platform, so that communication between JPDs (for example Xray and Artifactory) and between the load balancer and the JPDs is encrypted end to end.

Using Access as a Certificate Authority

To enable TLS within the JFrog Platform, we will follow the steps from: Using Access as a Certificate Authority. In this setup, Access acts as the Certificate Authority that issues the (self-signed) certificates used inside the platform. For the sake of simplicity, our setup consists of two Artifactory nodes and one Xray node.

The following configuration files will be updated.

access.config.yml
system.yaml
artifactory-nginx.conf

Sample setup:

  • 2 Artifactory Platform Deployments 
  • 1 Xray Platform Deployment
  • A load balancer (Nginx in this example)
    • TLS termination over Nginx.


Enable TLS in Access 

1. First, we need to ensure that TLS is enabled in JFrog Access.
    Choose one of the Artifactory nodes from your cluster.
2. Set tls: true in access.config.yml, with:
a. $ cd $JFROG_HOME/artifactory/var/etc/access
b. $ mv access.config.latest.yml access.config.import.yml
c. Add the following snippet to access.config.import.yml (the tls key sits under the security block):
   security:
     tls: true
d. Restart the Artifactory node.
e. The ‘tls: true’ setting propagates to all your Artifactory nodes.

Check that it has propagated to the other nodes before you continue. To ensure that everything is set as expected, validate on each Artifactory node that access.config.yml has been updated with ‘tls: true’. For Artifactory nodes, the root CA is distributed automatically via the database, so there is no need to copy the Access root CA manually.

3. For every other JFrog Product node, you will need to copy the Access root CA manually.

For example, for Xray, follow the steps below.

  • Copy root.crt from one of your HA Artifactory nodes
    • root.crt located under: $JFROG_HOME/artifactory/var/etc/access/keys
  • Paste root.crt to Xray trusted folder:
    • trusted folder located under: $JFROG_HOME/xray/var/etc/security/keys/trusted
  • Restart Xray


Enable TLS in Artifactory

1. Enable TLS in Artifactory by setting artifactory.tomcat.httpsConnector.enabled in the system.yaml file to true.

artifactory:
    tomcat:
        httpsConnector:
            enabled: true

2. After updating system.yaml, restart Artifactory.
3. Make sure to update the system.yaml of each Artifactory node with this property, as the system.yaml configuration file is not propagated automatically.

Note:
By default, Artifactory uses port 8443 for TLS connections. If you want to change it, update artifactory.tomcat.httpsConnector.port (default 8443) in system.yaml accordingly.


The configuration below is added to Tomcat's server.xml automatically once artifactory.tomcat.httpsConnector.enabled is set and Artifactory is restarted. Note that the connector waits for the server certificate and key that the Router writes from the Access-issued certificate.
server.xml is located in $JFROG_HOME/artifactory/app/artifactory/tomcat/conf

<Connector port="8443" protocol="org.jfrog.tomcat.connector.HTTP11NioProtocol" maxThreads="200" bindOnInit="false" scheme="https" secure="true"
        waitForSSLCertificateFile="/opt/jfrog/artifactory/var/data/router/keys/server.crt"
        waitForSSLCertificateKeyFile="/opt/jfrog/artifactory/var/data/router/keys/server.key" />

Artifactory-Nginx configuration

The last configuration file that needs to be updated is the artifactory-nginx.conf.
After generating the Nginx configuration from the UI “Reverse Proxy Settings”, the following needs to be updated:

  • upstream artifactory-direct
    • Modify port: 8081 → 8443

upstream artifactory-direct {
    server $FIRST_NODE_IP:8443;
    server $SECOND_NODE_IP:8443;
}

  • Location
    • Modify proxy_pass: http://artifactory → https://artifactory.
    • Modify location.proxy_pass: http://artifactory-direct/ → https://artifactory-direct/.

location / {
    proxy_read_timeout  2400s;
    proxy_pass_header   Server;
    proxy_cookie_path   ~*^/.* /;
    proxy_buffer_size 128k;
    proxy_buffers 40 128k;
    proxy_busy_buffers_size 128k;
    proxy_pass          https://artifactory;
    proxy_next_upstream error timeout non_idempotent;
    proxy_next_upstream_tries    1;
    proxy_set_header    X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host:$server_port;
    proxy_set_header    X-Forwarded-Port  $server_port;
    proxy_set_header    X-Forwarded-Proto $http_x_forwarded_proto;
    proxy_set_header    Host              $http_host;
    proxy_set_header    X-Forwarded-For   $proxy_add_x_forwarded_for;
    add_header X-Content-Type-Options "nosniff" always;
    # HSTS requires a max-age directive; the generated line had none. The value below is an example.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location ~ ^/artifactory/ {
        proxy_pass    https://artifactory-direct;
    }
}

After those changes, make sure to reload the Nginx configuration.
 
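To make the "check that it has propagated to every node" steps concrete, here is a small pre-flight script, added as an example here and not part of JFrog's documentation or tooling, that inspects one node's files for the three settings this guide changes (Access tls, the Tomcat HTTPS connector, and the Nginx upstream/proxy_pass). It assumes the default file locations used above, takes your artifactory-nginx.conf path as an argument, and the live certificate check assumes the node listens on the default 8443; run it on every node.

```shell
#!/bin/sh
# Pre-flight check for the TLS setup described above (added example, not JFrog's tooling).
# Reports whether each of the three settings is in place on this node's filesystem.
# Assumes the article's default paths; 8443 is the default HTTPS connector port.
check_node_tls() {   # check_node_tls <JFROG_HOME> <path/to/artifactory-nginx.conf>
  home="$1"; nginx_conf="$2"; rc=0
  access="$home/artifactory/var/etc/access/access.config.yml"
  system="$home/artifactory/var/etc/system.yaml"
  # 1. Access: 'tls: true' indented under the top-level 'security:' key
  if awk '/^security:/{s=1;next} /^[^ #]/{s=0}
          s && /^ +tls: *true *$/{f=1} END{exit !f}' "$access" 2>/dev/null
  then echo "OK   access.config.yml: security.tls is true"
  else echo "FAIL access.config.yml: security.tls not true (propagation finished?)"; rc=1
  fi
  # 2. system.yaml: 'enabled: true' inside the httpsConnector block (indentation-based)
  if awk 'match($0,/^ *httpsConnector:/){ind=RLENGTH-15;h=1;next}
          h && $0!~/^ *$/{match($0,/^ */); if(RLENGTH<=ind)h=0}
          h && /^ *enabled: *true *$/{f=1} END{exit !f}' "$system" 2>/dev/null
  then echo "OK   system.yaml: tomcat httpsConnector enabled"
  else echo "FAIL system.yaml: httpsConnector.enabled missing (not propagated automatically)"; rc=1
  fi
  # 3. nginx: every upstream server on 8443 and no proxy_pass left on plain http://
  if awk '/^upstream artifactory-direct/{u=1} u&&/}/{u=0}
          u && /^ *server / && !/:8443;/{bad=1} END{exit bad+0}' "$nginx_conf" 2>/dev/null \
     && ! grep -Eq 'proxy_pass +http://' "$nginx_conf"
  then echo "OK   nginx: upstream on 8443, proxy_pass over https"
  else echo "FAIL nginx: plain-HTTP upstream server or proxy_pass still present"; rc=1
  fi
  return "$rc"
}

# Optional live check (needs network): the node's 8443 listener must present a
# certificate that chains to the Access root CA (root.crt from the Artifactory keys dir).
check_node_cert() {  # check_node_cert <host> <path/to/root.crt>
  openssl s_client -connect "$1:8443" -CAfile "$2" -verify_return_error \
    </dev/null >/dev/null 2>&1
}

if [ "$#" -eq 2 ]; then check_node_tls "$1" "$2"; exit "$?"; fi
```

The file checks are line-based heuristics, not a YAML parser, so keep the keys at the indentation shown in the guide.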

In conclusion:

In this article we’ve configured TLS within the JFrog Platform.

This means that all communication with the JFrog Platform is required to use TLS, including service-to-service communication within the platform.

This was done by editing three configuration files: access.config.yml, system.yaml and artifactory-nginx.conf.

We’ve modified access.config.yml with tls: true to enforce secure communication within the JFrog Platform. After that we’ve updated the Artifactory system.yaml in order to open an HTTPS connector at the Tomcat level. Lastly, we’ve made requests from Nginx to Artifactory go over HTTPS by changing proxy_pass from HTTP → HTTPS.