Quick Enterprise Plus install Example

David Xu
2019-07-08 17:18


A quick guide to create a Enterprise plus



Artifactory and Mission Control: The bare minimum

Going from Enterprise to E+ is functionally a license swap.  As with previous Artifactory Licenses, Artifactory will use the license of the  highest subscription assigned to it.


Documentation can be found here:



To add the license:

  1. Install Mission Control 3.0 or above
    1. Go through installation steps here
    2. Load your E+ artifactory and edge node buckets
    3. Choose a default authentication provider
  2. Add service and assign Licenses
    1. You can add the Services (Artifactory, edge, etc) via the UI
      1. This can also be done via Jfrog CLI for mission control:

jfrog mc s add ARTIFACTORY my-arti –service-url= –service-user=admin –service-password=password –site-name=MC_site


  1. Assign the licenses via Jfrog cli:
    1. jfrog mc s attach-lic my-arti –bucket-id=license-bucket-1
  2. Activate replicator (required for distribution)
    1. https://www.jfrog.com/confluence/display/RTF/Replicator
    2. To enable the Replicator, you need to set the environment variable START_LOCAL_REPLICATOR=true before you start Artifactory (whether it is a fully featured installation or an Edge node).
    3. OR, you can edit $ARTIFACTORY_HOME/bin/artifactory.default to include the line: export START_LOCAL_REPLICATOR=true.
    4. When running with Docker, you could use: docker run … –env REPLICATOR_ENABLED=true…
  3. Restart Artifactory for the changes to take place



Repeat for each service.  Your Artifactories should now be on the E+ license.  You should now be able to leverage the E+ aspects of Artifactory and Mission control (graphs, insight, etc)

Access Federation

The next step is setting up Access Federation. Access federation syncs all security entities between members of a Circle of trust to make sure your groups, user and permissions are valid on all your designated sites.

While it is up to your organization on how many instances to federate and whether it should unidirectional or bidirectional, for initial setup we will create bidirectional Access Federation on all sites.


The First step is to set up a Circle of trust:



All changes should be made on the Primary Node


  1. Go to artifactory instance A and go to ACCESS_HOME/etc/keys
    1. You will find root.crt
  2. Copy root.crt to Artifactory instance B in ACCESS_HOME/etc/keys/trusted
    1. Choose a name that makes logical sense (eg Art-key-A)
  3. Go to artifactory instance B and go to ACCESS_HOME/etc/keys
    1. You will find root.crt
  4. Copy root.crt to Artifactory instance A in ACCESS_HOME/etc/keys/trusted
    1. Choose a name that makes logical sense (eg Art-key-B)


You can now go into the Mission control and manage Access Federation via the UI:



You can choose what you want to sync (groups, users, permission, tokens) between the instances you have listed.  


Xray integration into E+ is straightforward.  Simply:

  1. Add it as a service and assign it to a site (via UI or CLI)
  2. If needed have it assigned to the primary authentication provider


Edge Nodes

Edge nodes are functionally Artifactory servers focused on being read-only distribution endpoints.


Upon being assigned an Edge node key, the Artifactory featureset will be changed to reflect the role of Edge nodes.


Here are the steps to set up an Edge node:

  1. Set up server as per standard artfactory
    1. Edge nodes can be in HA
  2. Add the future edge nodes to Mission control as Edge node services
    1. You should be able to assign a license via UI or CLI
  3. Enable Replicator as per above artifactory E+ instructions.


Edge nodes will need a GPG key to function with Distribution.  We will create and add this later, and the instructions are found here:




Distribution is a new product that allows you to create and track release bundles and determine where you want the package to be sent to.


Check your E+ license email and/or contact your Success rep for a link to download the installer for Distribution.  Installation steps are here:




  1. Create GPG key
    1. Instruction are found here
    2. https://www.jfrog.com/confluence/display/DIST/GPG+Signing
  2. Upload GPG key to Distribution
    1. Use REST API
    2. https://www.jfrog.com/confluence/display/DIST/Distribution+REST+API#DistributionRESTAPI-SetsigningkeyforDistribution
  3. Upload GPG key to Artifactory and edge
    1. This can be done via the UI in Admin?trusted Keys
    2. https://www.jfrog.com/confluence/display/RTF/GPG+Signing
    3. https://www.jfrog.com/confluence/display/RTF/Artifactory+Edge#ArtifactoryEdge-SettingaPGPKey
    4. NOTE: This can be done via UI, however a text editor can cause formatting/encoding issues that render the key unusable.  To avoid this issue, we recommend using console to cat gpg keys and copying the output to the UI.


And that’s it.  You now have set up all the services in E+!  Try creating a creating a release bundle and shipping it to an edge node.




Distribution bounding

Distribution is bound to Mission control’s primary authentication provider.  At this time there is no way to unbind this without performing the following mongo inserts and deletes:


  • mongo -u distribution -p password –authenticationMechanism SCRAM-SHA-1 –authenticationDatabase distribution
  • use distribution
  • show collections
  • db.platformInfo.find()
  • db.platformInfo.remove({})
  • Restart Distribution


Signing Key

Public GPG Signing keys need to exist on both artifactory and Edge nodes otherwise an Signing error can occur.


Another common error is due to a text editors formatting the GPG key which introduces characters when copying and pasting.


The workaround is the cat the keys in the terminal and copying the output



403 in replicator logs

This can occur due to a token being mismatched


A quick test if circle of trust is correctly established is to run through Access Federation setup and see if errors occur


Additionally, check the replicator.yaml file

Delete the token, and restart artifactory/replicator.  Access should populate Replicator with a correct token upon restart.