Skip to main content

JFrog Artifactory Setup

The Sonatype Repository Firewall for JFrog Artifactory solution protects your development environment from risky open-source components. The plugin uses policies configured in the Firewall server to quarantine unwanted components from being served through your remote repositories.

Supported JFrog Artifactory versions

The Firewall for JFrog Artifactory plugin version 2.4.11+ supports JFrog Artifactory 7.37.13 onwards.

We recommend using 7.55.6 or later due to known issues in older Artifactory versions.

JFrog Artifactory SaaS is not supported. We do not support the following versions: 7.49.3 |7.49.5 |7.49.8 |7.55.2 |reached "JFrog Artifactory end of life" date

Bypassing the JFrog Artifactory Router

We rely on the HTTP reasonPhrase to return a user-readable description of the Repository Firewall error message to the user. Due to changes in JFrog Artifactory’s router architecture, the message has been replaced with Forbidden.

Version 2.4.11+ of the Firewall for JFrog Artifactory plugin includes a Tomcat listener to parse the error message returned by JFrog Artifactory and send it to the client in the HTTP reasonPhrase. The listener included in the installation archive will need to be added to the ${JFROG_HOME}/app/artifactory/tomcat/lib/ directory.

Doing this enables clients such as Maven, NuGet, and npm to display an error directly to the developer. No changes are needed to the clients. See the instructions below for including the Tomcat listener.

JFrog Artifactory’s plugin caching

JFrog Artifactory will restore its plugin cache over files being copied into the directory when the timestamp of the cache is newer than the files to replace the cached ones.

We recommend using the 'touch' command on the plugin files before copying them into the JFrog Artifactory's plugin directory to ensure that their timestamp is newer than the files in the cache.

touch <filename>;

Similarly, we recommend avoiding editing files while they are inside the plugins directory. Text editors commonly create temporary files while editing, which may be accessed by JFrog Artifactory; leading to corrupted files being stored in the plugin cache.

JFrog Artifactory may start to cache files before they are fully unpacked when unzipping files directly into the plugins directory. This results in a partial jar file being stored as the current version, and thus a corrupt install. Unpack the archive to a temporary folder outside of the plugins directory before copying them.

Installation

A running JFrog Artifactory instance will immediately load plugins copied to the plugins directly. Avoid corrupting the installation by extracting the plugin to a temporary directory before moving it to the plugin's directory. This is not an issue when the server is shut down.

  1. Download the latest version of the plugin and extract the contents of the plugin to a temporary folder.

  2. For plugin version 2.4.11 and above, follow the steps for adding the Tomcat listener

    1. Move the nexus-iq-artifactory-tomcat-listener.jar binary into ${ARTIFACTORY_HOME}/app/artifactory/tomcat/lib/ directory

    2. Update the ${JFROG_HOME}/var/etc/system.yaml by adding this parameter

      shared:
          tomcat:
            connector:
              extra: <Listener className="com.sonatype.safevalve.SafeListener" />
    3. Redirect traffic to the path /artifactory to port 8081.

      See jFrog Artifactory instructions to Bypass the Router.

  3. Move the lib directory into ${ARTIFACTORY_HOME}/etc/plugins directory

  4. Move the nexusFirewallForArtifactory.groovy file into ${ARTIFACTORY_HOME}/etc/plugins

  5. The zip file includes an example configuration file for the plugin and all necessary files for the operation of the plugin. The final folder structure should resemble:

    JFrog Artifactory 7.x
    ${ARTIFACTORY_HOME}
       /var
          /etc
             /artifactory
                /plugins
                   nexusFirewallForArtifactoryPlugin.groovy
                   firewall.properties
                   /lib
                      nexus-iq-artifactory-plugin.jar
  6. Rename firewall.properties.example to firewall.properties to use as a base for your configuration

  7. Configure which repositories you would like to enable in the firewall.properties file

  8. Restart the JFrog Artifactory server

Considerations

  • The Firewall for JFrog Artifactory plugin processes new components as of when the plugin was enabled. Previously downloaded components are allowed to prevent existing builds from breaking.

  • When quarantine is disabled, currently quarantined components are released to the repository. These components will not be re-quarantined without first deleting them from the remote repository and requesting them again.

  • When the plugin is installed, removing the firewall.properties will cause any download requests to be denied until the firewall.properties file is restored and JFrog Artifactory is restarted.

  • Commenting out a repository configuration does not disable it. Use the disabled setting instead.

  • Nexus Firewall for Artifactory requires the store artifacts locally advanced setting.

  • Repository Firewall supports the remote repository type. The virtual repository type is indirectly supported when it includes a remote repository.

  • Configure 'local' repositories as 'proprietary' to use for preventing Namespace Confusion attacks.

  • Configured repositories are displayed in Repository Managers under 'Organization and Policies' in the Firewall server.

  • The username must be configured in the Firewall server with the Component Evaluator role. Consider using a service account with user tokens.

High Availability

  1. Install the plugin zip and the firewall.properties in the primary node of your JFrog Artifactory high-availability system

  2. JFrog Artifactory HA will automatically synchronize the plugin and its configuration to the remaining nodes

  3. Update the plugin configuration for JFrog Artifactory HA

Logging

The Sonatype Repository Firewall for JFrog Artifactory plugin ships with logging by default. Additional logs are available for debugging when necessary. Each time a component request is blocked is not logged to prevent excessive log entries.

JFrog Artifactory uses the Logback library for logging. To understand JFrog Artifactory logging and modify logged information, see the JFrog Artifactory documentation

Add this section to the logback.xml file to increase logging for the plugin:

<logger name="com.sonatype.iq.artifactory">
    <level value="debug"/>
</logger>