To do so, set up the Kerberos server and follow the steps below:
1. Create a keytab file for the Artifactory user on the KDC server (the realm is case-sensitive and must match the principal used in jaas.conf):
$ ktutil
ktutil: add_entry -password -p artifactory@TEST.CA -k 1 -e aes256-cts-hmac-sha1-96
ktutil: wkt artifactory.keytab
ktutil: exit
2. Copy artifactory.keytab to a location readable by Artifactory. In this example, I will use /var/opt/jfrog/artifactory/etc/artifactory.keytab. Change the ownership of the file to the artifactory user.
3. Log in as the artifactory user: su -s /bin/bash artifactory
4. Run: kinit artifactory
5. Add the Java parameters below, as seen here:
-Dsun.security.krb5.debug=true -Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.auth.login.config=/var/opt/jfrog/artifactory/jaas.conf -Dsun.security.jgss.native=true
6. Configure Artifactory:
- For 6.x, in $ARTIFACTORY_HOME/etc/db.properties:
"jdbc:postgresql://pg.test.ca:5432/artifactory?gssEncMode=require&loggerLevel=TRACE&loggerFile=/var/opt/jfrog/artifactory/pgjdbc-trace.log"
- For 7.x (versions 7.39.x and above), in $JFROG_HOME/var/etc/system.yaml:
shared:
  database:
    type: postgresql
    driver: org.postgresql.Driver
    url: "jdbc:postgresql://pg.test.ca:5432/artifactory?gssEncMode=disable&loggerLevel=TRACE&loggerFile=/var/opt/jfrog/artifactory/log/pgjdbc-trace.log"
    username: artifactory
    password: password
    kerberosAuth: true
Note: In 7.x, having "gssEncMode=require" in the system.yaml URL causes an "oversize GSSAPI packet sent by the client (16444 > 16380)" error and prevents startup.
7. Create /var/opt/jfrog/artifactory/jaas.conf, owned by the artifactory user:
pgjdbc {
  com.sun.security.auth.module.Krb5LoginModule required
  doNotPrompt=true
  useTicketCache=true
  renewTGT=true
  debug=true
  useKeyTab=true
  keyTab="/var/opt/jfrog/artifactory/etc/artifactory.keytab"
  principal="artifactory@TEST.CA";
};
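A preflight check for the configuration above, added here as an example (it is not Artifactory's or pgjdbc's own code): it parses the JDBC URL and the jaas.conf entry, then flags gssEncMode=require on 7.x, leftover TRACE driver logging, a lower-case realm, and a keytab that other users can read. The sample URL, the jaas.conf template, the throwaway keytab and the run_demo helper are constructed for the example.

```python
import os
import re
import stat
import tempfile
from urllib.parse import parse_qs, urlsplit

# Constructed sample inputs mirroring the page's 7.x setup (not Artifactory's own files).
SAMPLE_URL = ("jdbc:postgresql://pg.test.ca:5432/artifactory"
              "?gssEncMode=disable&loggerLevel=TRACE&loggerFile=/tmp/pgjdbc-trace.log")
JAAS_TEMPLATE = ('pgjdbc {{\n  com.sun.security.auth.module.Krb5LoginModule required\n'
                 '  useKeyTab=true\n  keyTab="{keytab}"\n  principal="{principal}";\n}};\n')

def jdbc_params(url):
    """Query parameters of a jdbc:postgresql URL as a flat dict (first value wins)."""
    query = urlsplit(url[len("jdbc:"):]).query   # drop the jdbc: prefix so urlsplit parses it
    return {k: v[0] for k, v in parse_qs(query).items()}

def jaas_options(text):
    """key=value options of a JAAS login-module entry, with surrounding quotes removed."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^\s;]+)', text)}

def preflight(url, jaas_text, artifactory_major=7):
    """Return a list of findings; an empty list means the config passed every check."""
    findings = []
    params = jdbc_params(url)
    if artifactory_major >= 7 and params.get("gssEncMode") == "require":
        findings.append("gssEncMode=require fails on 7.x startup (oversize GSSAPI packet)")
    if params.get("loggerLevel") == "TRACE":
        findings.append("loggerLevel=TRACE is a debugging setting; drop it once login works")
    opts = jaas_options(jaas_text)
    realm = opts.get("principal", "").rpartition("@")[2]
    if realm != realm.upper():
        findings.append(f"realm '{realm}' is not upper-case; Kerberos realms are case-sensitive")
    keytab = opts.get("keyTab")
    if opts.get("useKeyTab") == "true" and keytab:
        if not os.path.isfile(keytab):
            findings.append(f"keytab {keytab} not found")
        elif os.stat(keytab).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"keytab {keytab} is group/world accessible; chmod 600 and chown artifactory")
    return findings

def run_demo(url=SAMPLE_URL, principal="artifactory@TEST.CA", mode=0o600):
    """Write a throwaway keytab with the given mode, check the sample config, clean up."""
    fd, path = tempfile.mkstemp(suffix=".keytab")   # constructed stand-in for the real keytab
    os.close(fd)
    os.chmod(path, mode)
    try:
        return preflight(url, JAAS_TEMPLATE.format(keytab=path, principal=principal))
    finally:
        os.remove(path)
```

Calling run_demo(mode=0o644) returns the findings for a world-readable keytab with the sample URL; an empty list means every check passed.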