How to use a custom Java truststore (cacerts) in an Artifactory Docker container?

Nihal Reddy Chinna Choudhary
2019-03-28 23:05

Summary

For Artifactory to connect to remote URLs or to another Artifactory instance that use self-signed certificates, the Artifactory Docker container must run with a custom Java truststore (cacerts) that contains those self-signed certificates.

Details

For Artifactory to connect to remote URLs or to another Artifactory instance that use self-signed certificates, the Artifactory Docker container must use a custom Java truststore (cacerts) that contains all the self-signed certificates used in your environment.

If the self-signed certificates are not added to the Java truststore, any attempt to connect to an HTTPS URL that presents one of them fails with the error below.

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Resolution

Please note that these steps describe setting a custom Java truststore (cacerts) for the Artifactory Docker container.

Prerequisites:

You need a custom "cacerts" file that contains both the trusted CA certificates shipped with Java and any self-signed certificates used in your environment. Usually you start from the "cacerts" file that ships with Java and add the self-signed certificates to a copy of it.
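The script below is an added example of building that custom "cacerts" file; it is not part of the original article or of JFrog's tooling. It assumes a JDK is installed (JAVA_HOME set, or keytool on the PATH), that the self-signed certificates are PEM or DER files in a directory of your choosing, and that the default store password is "changeit". Each certificate is imported under an alias derived from its file name, and a helper is included to verify that an alias is present before the file is handed to the container.

```shell
#!/bin/sh
# Added example: build a custom Java truststore from the JDK's default cacerts
# plus the self-signed certificates used in your environment.
# Assumptions (not from the article): JAVA_HOME points at a JDK, or keytool is
# on the PATH; certificates are *.pem / *.crt files; store password "changeit".
set -eu

# Print the path of the JDK's default cacerts.
# JDK 9+ keeps it under lib/security, JDK 8 under jre/lib/security.
default_cacerts() {
  jhome=${JAVA_HOME:-}
  if [ -z "$jhome" ] && command -v keytool >/dev/null 2>&1; then
    # Derive JAVA_HOME from the resolved keytool binary (…/bin/keytool).
    jhome=$(dirname "$(dirname "$(readlink -f "$(command -v keytool)")")")
  fi
  for p in "$jhome/lib/security/cacerts" "$jhome/jre/lib/security/cacerts"; do
    [ -f "$p" ] && { printf '%s\n' "$p"; return 0; }
  done
  return 1
}

# build_truststore OUT_FILE CERT_DIR [PASSWORD]
# Copy the default cacerts to OUT_FILE (never modify the JDK's own copy), then
# import every certificate in CERT_DIR as a trusted entry. The alias is the file
# name without its extension, e.g. certs/internal-ca.pem -> alias "internal-ca".
build_truststore() {
  out=$1; certdir=$2; pass=${3:-changeit}
  src=$(default_cacerts)
  cp "$src" "$out"
  for f in "$certdir"/*.pem "$certdir"/*.crt; do
    [ -f "$f" ] || continue
    alias=$(basename "$f" | sed 's/\.[^.]*$//')
    keytool -importcert -noprompt -trustcacerts \
      -alias "$alias" -file "$f" -keystore "$out" -storepass "$pass"
  done
}

# has_alias TRUSTSTORE ALIAS [PASSWORD]
# Return 0 if ALIAS exists in TRUSTSTORE; use it to check the import before
# mounting the file into the container.
has_alias() {
  keytool -list -keystore "$1" -storepass "${3:-changeit}" -alias "$2" >/dev/null 2>&1
}

# Usage (paths are placeholders):
#   build_truststore ./cacerts ./certs changeit
#   has_alias ./cacerts internal-ca && echo "internal-ca is trusted"
```

The resulting ./cacerts is the file to mount as /artifactory_extra_conf/cacerts; the -Djavax.net.ssl.trustStore value must then point at where the container places it, /var/opt/jfrog/artifactory/etc/cacerts. Only public certificates belong in this file (a truststore needs no private keys), and the store password protects the file's integrity rather than its confidentiality, so "changeit" is acceptable as long as the file itself is not writable by untrusted users.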

Steps and details on how to set a custom java truststore (cacerts):

The Artifactory Docker image has an option for passing extra configuration files into the container.

https://www.jfrog.com/confluence/display/RTF/Installing+with+Docker#InstallingwithDocker-ExtraConfigurationDirectory

Files passed through this option are placed in the /var/opt/jfrog/artifactory/etc folder. To make Artifactory use a custom Java truststore (cacerts), you must also set Java options that tell the JVM not to use the default "cacerts" that ships with Java and instead use the custom truststore passed in when the Docker container is started for the first time.

The Java options required to provide the custom Java truststore (cacerts) to the Artifactory container are:

-Djavax.net.ssl.trustStore

-Djavax.net.ssl.trustStorePassword

The example command below shows how to pass the custom Java truststore (cacerts) file when starting the Docker container, together with the Java options that configure Artifactory to use that truststore.

docker run --name artifactory-pro-custom-cacerts -d \
  -e EXTRA_JAVA_OPTIONS="-Djavax.net.ssl.trustStore=/var/opt/jfrog/artifactory/etc/cacerts -Djavax.net.ssl.trustStorePassword=changeit" \
  -v /local/path/to/cacerts:/artifactory_extra_conf/cacerts \
  -v /var/opt/jfrog/artifactory:/var/opt/jfrog/artifactory \
  -p 8081:8081 docker.bintray.io/jfrog/artifactory-pro:latest