How to Resolve the 401 Startup Error

Disha Meswania
2021-09-13 10:08

Relevant versions: This information pertains to Artifactory versions 5.4.x and above

Artifactory comes bundled with an Access security service, whose functionalities continue to evolve. Artifactory uses a set of credentials to work with this service. Occasionally, this system can experience issues, especially during upgrades where legacy authentication credentials are incorrectly applied. Should this occur, Artifactory will fail to start.

For HA installations, each node will fail to start after shutdown. If you encounter the following error in your artifactory.log file, it means Artifactory is having a problem authenticating with its bundled Access server:

2017-12-06 00:16:35,244 [art-init] [ERROR] (o.a.w.s.ArtifactoryContextConfigListener:99) - Application could not be initialized: HTTP response status 401:{"errors":[{"code":"UNAUTHORIZED","detail":"Bad credentials","message":"HTTP 401 Unauthorized"}]}
java.lang.reflect.InvocationTargetException: null
[...]
Caused by: java.lang.RuntimeException: Failed to generate service admin token using bootstrap credentials.

Resolution

To solve this problem, you’ll need to reset your Access credentials in the database (a process known as bootstrapping). Note: There was a more efficient solution developed for Artifactory 5.8, please use the relevant instructions only for your version.

Revert the Access Admin credentials in Artifactory 7.X:

These steps are very similar to the earlier 6.X steps, the paths have been updated to reflect the new 7.X installation directories. 

1. Create a "bootstrap.creds" file in the primary node's $JFROG_HOME/etc/access folder (Usually /var/opt/jfrog/artifactory/etc/access/):

access-admin@*=password

2. Update the Linux permissions to be exactly 600, and owned by the right Linux user:

chown artifactory:artifactory bootstrap.creds

chmod 600 bootstrap.creds

3. Restart Artifactory

Revert Admin access for Artifactory 5.8.X – 6.X:
1. (Optional) Back up the current database configuration
2. Create a “bootstrap.creds” file in the node’s  $ARTIFACTORY_HOME/access/etc/bootstrap.creds containing:

"access-admin@<IP_ADDRESS>=password" 

3. change permissions:

chmod 600 bootstrap.creds
chown artifactory:artifactory bootstrap.creds #Only if rest of directory is owned by “artifactory”

4. Restart Artifactory

Note: If adding the <IP_ADDRESS> in bootstrap.creds returns a 403 error, you can try to use 127.0.0.1 instead.

Revert the Admin Access credentials for Artifactory 5.5.X – 5.7.X:
1. (Optional) Back up the current database configuration
2. Create a “bootstrap.creds” file in the node’s  $ARTIFACTORY_HOME/access/etc/bootstrap.creds containing:

"admin@<IP_ADDRESS>=password" 

3. change permissions:

chmod 600 bootstrap.creds
chown artifactory:artifactory bootstrap.creds #Only if rest of directory is owned by “artifactory”

4. Edit or create the $ARTIFACTORY_HOME/etc/security/access/keys/access.creds file, which contains: 

“admin=password”
Note: there is a bug in some versions that actually require the manual REMOVAL of the access.creds before the bootstrap will work.

5. In your remote database, you need to remove the admin user from the 'access_users' table:

select * from access_users where username='admin'; //Find user in table first
delete from access_users where username='admin';

6. Restart Artifactory
 

7.X Note: "Basic" API Access no longer works

Since a security update in Artifactory 7.12, the Access API endpoint no longer accepts basic "access-admin:password" authentication. Instead, you need to generate an Admin Token via the Artifactory UI. This note is for users who need to use the Access REST API with the access-admin account.

Go to Admin -> Identity and Access -> Access Tokens:

User-added image

Then you use the token to make REST API calls against /access:

curl -H "Authorization: Bearer eyJ[… Token …]A" http://localhost:8081/access/api/v1/system/ping

OK