How to use a custom java truststore (cacerts) in an Artifactory docker container?

Nihal Reddy Chinna Choudhary
2019-03-14 05:49

Summary

For Artifactory to connect to remote URLs, or to another Artifactory instance, that use self-signed certificates, the Artifactory docker container must run with a custom java truststore (cacerts) that contains those self-signed certificates.

Details

For Artifactory to connect to any remote URL, or to another Artifactory instance, that uses self-signed certificates, the Artifactory docker container must use a custom java truststore (cacerts) that contains all the self-signed certificates used in your environment. The JVM validates every outbound HTTPS connection against its truststore, and a self-signed certificate has no issuer in the default one, so it is rejected until it is added explicitly.

If the self-signed certificates are not added to the java truststore, any attempt to connect to an HTTPS URL that uses them fails with the error below:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Resolution

Please note that these steps set a custom java truststore (cacerts) to be used by the Artifactory docker container.

Prerequisites:

You need a custom "cacerts" file that contains both the trusted CA certificates that java ships with and the self-signed certificates used in your environment. Usually you take a copy of the java "cacerts" file (from the same java version the container runs, so the truststore format matches) and import the self-signed certificates into that copy with the JDK's keytool utility. Do not build a truststore that holds only your self-signed certificates: Artifactory would then distrust every publicly-trusted endpoint as well, including the remote repositories it proxies. If the remote servers use certificates issued by an internal CA, import that CA certificate instead of each server certificate. The default password of the java "cacerts" file is "changeit"; the truststore holds only public certificates, so the password mainly guards the file against tampering, but whatever password the file has is the one that must be passed to Artifactory later.

Steps and details on how to set a custom java truststore (cacerts):

The Artifactory docker image has an option for passing extra configuration files into the container:

https://www.jfrog.com/confluence/display/RTF/Installing+with+Docker#InstallingwithDocker-ExtraConfigurationDirectory

Files passed through that option are placed in the /var/opt/jfrog/artifactory/etc folder when the container starts. Placing the file there is not enough on its own: for Artifactory to use the custom java truststore (cacerts), you also need to set JAVA_OPTIONS that tell the JVM not to use the default "cacerts" that ships with java but the custom truststore passed into the container.

The JAVA_OPTIONS required for providing the custom java truststore (cacerts) to the Artifactory container are:

-Djavax.net.ssl.trustStore

-Djavax.net.ssl.trustStorePassword

Below is an example command showing how to pass the custom java truststore (cacerts) file when starting the docker container (the file is mounted under /artifactory_extra_conf, from where the image copies it into /var/opt/jfrog/artifactory/etc):

docker run --name artifactory-pro-custom-cacerts -d -v /local/path/to/cacerts:/artifactory_extra_conf/cacerts -v /var/opt/jfrog/artifactory:/var/opt/jfrog/artifactory -p 8081:8081 docker.bintray.io/jfrog/artifactory-pro:latest

Once the container has started, one more step is needed to make Artifactory use the custom java truststore (cacerts). Below are the steps to set the JAVA_OPTIONS for it:

1. docker exec into the Artifactory container that you have just started.

2. Navigate to the folder /opt/jfrog/artifactory/bin and edit the file "artifactory.default". Append the two JAVA_OPTIONS below to the JAVA_OPTIONS value in that file; they specify the location of the custom java truststore (cacerts) and its password (the java default is "changeit"; if you built the file with a different password, use that one here). Save the changes and restart the container for the change to take effect.

Note that this edit lives in the container's writable layer: it survives a container restart but is lost whenever the container is removed and recreated (for example on upgrade), so it has to be repeated then. Newer versions of the image also read an EXTRA_JAVA_OPTIONS environment variable at start (check the documentation for your image version), which lets the same two options be passed with -e on the docker run command instead of editing a file inside the container.

-Djavax.net.ssl.trustStore=/var/opt/jfrog/artifactory/etc/cacerts

-Djavax.net.ssl.trustStorePassword=changeit
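As an added worked example (written for this article; it is not code from Artifactory or JFrog, and the paths, alias and URL in it are hypothetical), the Java program below covers both the prerequisite above and the check a practitioner wants before restarting Artifactory. Its import mode does what keytool -importcert does: it copies the JDK cacerts and adds one PEM certificate as a trusted entry, so the public CAs are kept. Its check mode is started with the same -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword values that go into artifactory.default, opens the truststore with that password, confirms the alias is present, and connects to the HTTPS URL through the JVM's default trust manager, printing the full cause chain on failure so that a missing issuer ("PKIX path building failed") can be told apart from a host name mismatch. It assumes a JDK with javac is available where it is run; run it with the same java major version as the container so the truststore format matches.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;

/*
 * TrustStoreTool: added example for this article, not Artifactory or JFrog code.
 * Paths, alias and URL in the usage lines are hypothetical.
 *
 *   javac TrustStoreTool.java
 *   java TrustStoreTool import $JAVA_HOME/jre/lib/security/cacerts ./cacerts remote.pem remote-artifactory
 *        (Java 8 path; Java 9+ keeps cacerts in $JAVA_HOME/lib/security/cacerts)
 *   java -Djavax.net.ssl.trustStore=/var/opt/jfrog/artifactory/etc/cacerts \
 *        -Djavax.net.ssl.trustStorePassword=changeit \
 *        TrustStoreTool check https://remote.example.com/artifactory/ remote-artifactory
 *
 * The truststore password is read from -Djavax.net.ssl.trustStorePassword in both
 * modes (default "changeit", the JDK cacerts default).
 */
public class TrustStoreTool {

    private static final String PASSWORD =
            System.getProperty("javax.net.ssl.trustStorePassword", "changeit");

    public static void main(String[] args) throws Exception {
        if (args.length >= 5 && args[0].equals("import")) {
            importCert(args[1], args[2], args[3], args[4]);
        } else if (args.length >= 2 && args[0].equals("check")) {
            check(args[1], args.length > 2 ? args[2] : null);
        } else {
            System.err.println("usage: TrustStoreTool import <jdk-cacerts> <custom-cacerts> <cert.pem> <alias>");
            System.err.println("       TrustStoreTool check <https-url> [alias]");
            System.exit(2);
        }
    }

    private static KeyStore load(String path) throws Exception {
        // KeyStore.getDefaultType() is "jks" on Java 8 and "pkcs12" on Java 9+;
        // the JDK's own cacerts file loads with either on its own Java version.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, PASSWORD.toCharArray());   // wrong password: IOException here
        }
        return ks;
    }

    // Equivalent of "keytool -importcert": copy the JDK truststore, add one trusted cert.
    static void importCert(String src, String dest, String pem, String alias) throws Exception {
        KeyStore ks = load(src);
        X509Certificate cert;
        try (InputStream in = new FileInputStream(pem)) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        cert.checkValidity();   // refuse an expired or not-yet-valid certificate
        ks.setCertificateEntry(alias.toLowerCase(), cert);   // aliases are case-insensitive
        try (FileOutputStream out = new FileOutputStream(dest)) {
            ks.store(out, PASSWORD.toCharArray());
        }
        System.out.println("wrote " + dest + " with " + ks.size() + " entries; added "
                + cert.getSubjectX500Principal());
    }

    // Open the truststore the way the JVM's default trust manager will, then connect.
    static void check(String url, String alias) throws Exception {
        String path = System.getProperty("javax.net.ssl.trustStore");
        if (path == null || !url.startsWith("https://")) {
            System.err.println("need -Djavax.net.ssl.trustStore=<file> and an https:// URL");
            System.exit(2);
        }
        KeyStore ks = load(path);
        int trusted = 0;
        for (String a : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(a)) trusted++;
        }
        System.out.println(path + ": " + trusted + " trusted certificates");
        if (trusted < 50) {   // rough heuristic: a copy of the JDK cacerts has far more
            System.out.println("warning: not a copy of the JDK cacerts? public CAs would be distrusted");
        }
        if (alias != null && !ks.containsAlias(alias.toLowerCase())) {
            System.out.println("alias '" + alias + "' missing: the self-signed certificate was not imported");
            System.exit(1);
        }
        // HttpsURLConnection uses the default SSLContext, which reads the same
        // javax.net.ssl.* properties that Artifactory's JVM will read.
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setRequestMethod("HEAD");
        conn.setConnectTimeout(10000);
        conn.setReadTimeout(10000);
        try {
            System.out.println("TLS OK, HTTP " + conn.getResponseCode() + " from " + url);
        } catch (IOException e) {
            // "PKIX path building failed": issuer not in the truststore.
            // "No subject alternative names present" / "No name matching ...": the
            // certificate is trusted but was not issued for this host name.
            System.out.println("TLS to " + url + " FAILED:");
            for (Throwable t = e; t != null; t = t.getCause()) {
                System.out.println("  " + t.getClass().getName() + ": " + t.getMessage());
            }
            System.exit(1);
        }
    }
}
```

Run the check mode inside the container (or anywhere the truststore file and the remote are reachable) before restarting Artifactory: if it reports "TLS OK", Artifactory started with the same two JAVA_OPTIONS will trust the endpoint; if it prints the PKIX cause chain, the problem is in the truststore, not in Artifactory's configuration. A host name mismatch is a separate failure that adding the certificate to the truststore does not fix; the certificate has to be reissued for the name Artifactory actually connects to.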