ARTIFACTORY: How to restore access tokens after resetting the master.key

Author: Ino Choi
Article number: 000005384
First published: 2022-08-26T16:22:06Z
Last modified: 2022-08-26
Version: 3

Subject: How to use existing Access Tokens after resetting the master.key

Affected Versions: Artifactory 7.21.3 and above

Description

While using Artifactory, you may run into an issue where the master.key gets corrupted or is lost. This can cause issues such as:
  • Not able to connect a node to an HA cluster.
  • Unusable passwords in Artifactory configuration and Access data as they are encrypted by the master.key.
  • Failure to start up Artifactory with “Given final block not properly padded” error message.
In such cases, you can follow the steps mentioned in our KB articles to reset the master.key. However, this process also resets the token certificate (root.crt) in Artifactory, which makes the existing Access Tokens unusable, as shown below. The root.crt is crucial for Access Tokens because it is used as a public key to verify the token’s signature.
$ curl -u admin:<TOKEN> localhost:8082/artifactory/api/system/ping
{
  "errors" : [ {
    "status" : 401,
    "message" : "Token failed verification: signature"
  } ]
}

In order to maintain the existing tokens, you can take a backup of the root.crt file (located under the $JFROG_HOME/artifactory/var/etc/access/keys/ folder) before resetting the master.key.
$JFROG_HOME/artifactory/var/etc/access/keys# ls
README.md  ca.crt  ca.private.key  private.key  root.crt  trusted

After the master.key has been reset and the new root.crt has been generated, copy the backed-up root.crt file into the $JFROG_HOME/artifactory/var/etc/access/keys/trusted/ folder. After a while, the copied root.crt will disappear from the “trusted” folder and will be added to the database.
$JFROG_HOME/artifactory/var/etc/access/keys/trusted# ls
README.md  root.crt

After a moment…
$JFROG_HOME/artifactory/var/etc/access/keys/trusted# ls
README.md 

Then, you can test to see that the existing tokens work again.
$ curl -u admin:<TOKEN> localhost:8082/artifactory/api/system/ping
OK
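
The backup and restore steps above as a shell sketch (an added example, not JFrog tooling). The function names, the backup directory argument and the SHA-256 check are assumptions of this sketch; the check is there because any certificate placed in trusted/ becomes one that token signatures are verified against, so the file should be exactly the one that was backed up.

```shell
#!/bin/sh
# Added example. KEYS_DIR is the keys folder named in the article
# ($JFROG_HOME/artifactory/var/etc/access/keys); BACKUP_DIR is any
# admin-only location (assumption).

# Before the reset: copy root.crt and record its SHA-256.
# usage: backup_root_crt KEYS_DIR BACKUP_DIR
backup_root_crt() {
    [ -f "$1/root.crt" ] || { echo "no root.crt in $1" >&2; return 1; }
    mkdir -p "$2" && chmod 700 "$2" || return 1
    cp -p "$1/root.crt" "$2/root.crt" || return 1
    (cd "$2" && sha256sum root.crt > root.crt.sha256)
}

# After the reset: stage the old certificate in trusted/.
# Returns 2 if the backup no longer matches its recorded hash,
# 3 if root.crt is still the old one (the reset has not regenerated it).
# usage: restore_to_trusted KEYS_DIR BACKUP_DIR
restore_to_trusted() {
    (cd "$2" && sha256sum -c root.crt.sha256 >/dev/null 2>&1) || return 2
    if cmp -s "$2/root.crt" "$1/root.crt"; then
        return 3
    fi
    cp "$2/root.crt" "$1/trusted/root.crt"
}

# Poll until the staged file disappears from trusted/, which the article
# describes as the sign that it has been added to the database.
# Returns 1 if it is still there after TRIES checks.
# usage: wait_for_import KEYS_DIR [TRIES] [INTERVAL_SECONDS]
wait_for_import() {
    tries="${2:-30}"
    while [ "$tries" -gt 0 ]; do
        [ -e "$1/trusted/root.crt" ] || return 0
        sleep "${3:-2}"
        tries=$((tries - 1))
    done
    return 1
}
```

Run backup_root_crt before resetting the master.key and the other two functions afterwards, then repeat the ping request shown above to confirm that the existing tokens verify again.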