
JFrog Artifactory Setup

The Sonatype Repository Firewall for JFrog Artifactory solution protects your development environment from risky open-source components. The plugin uses policies configured in the Firewall server to quarantine unwanted components from being served through your remote repositories.

Note

JFrog Artifactory SaaS is not supported. The following Artifactory versions are also not supported: 7.49.3, 7.49.5, 7.49.8, 7.55.2, and any version that has reached its Artifactory end-of-life date.

Artifactory’s plugin caching

When files are copied into the plugins directory, Artifactory restores its cached copies over them if the cache's timestamp is newer than that of the files meant to replace the cached ones.

We recommend running the 'touch' command on the plugin files before copying them into Artifactory's plugins directory, to ensure that their timestamps are newer than those of the files in the cache.

touch <filename>;

Similarly, we recommend against editing files while they are inside the plugins directory. Text editors commonly create temporary files while editing, which Artifactory may pick up, leading to corrupted files being stored in the plugin cache.

When an archive is unzipped directly into the plugins directory, Artifactory may start caching files before they are fully unpacked. This results in a partial jar file being stored as the current version, and thus a corrupt install. Unpack the archive to a temporary folder outside the plugins directory before copying its contents in.

Installation

A running JFrog Artifactory instance immediately loads plugins copied into the plugins directory. Avoid corrupting the installation by first extracting the plugin to a temporary directory and then moving the files into the plugins directory. This is not an issue when the server is shut down.

  1. Download the latest version of the plugin and extract the contents of the plugin to a temporary folder.

  2. Move the lib directory into ${ARTIFACTORY_HOME}/etc/plugins directory

  3. Move the nexusFirewallForArtifactory.groovy file into ${ARTIFACTORY_HOME}/etc/plugins

  4. The zip file includes an example configuration file for the plugin and all necessary files for the operation of the plugin. The final folder structure should resemble:

    JFrog Artifactory 7.x

    ${ARTIFACTORY_HOME}
       /var
          /etc
             /artifactory
                /plugins
                   nexusFirewallForArtifactoryPlugin.groovy
                   firewall.properties
                   /lib
                      nexus-iq-artifactory-plugin.jar

    JFrog Artifactory 6.x

    ${ARTIFACTORY_HOME}
       /etc
          /plugins
             nexusFirewallForArtifactoryPlugin.groovy
             firewall.properties
             /lib
                nexus-iq-artifactory-plugin.jar

  5. Rename firewall.properties.example to firewall.properties to use as a base for your configuration

  6. Configure which repositories you would like to enable in the firewall.properties file

  7. Restart the JFrog Artifactory server
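The staged install above, as an added shell example that is not Sonatype's own script: it assumes the plugin zip has already been extracted into a staging directory, touches every file there so its timestamp beats anything in Artifactory's plugin cache, and only then copies the files into the plugins directory. The staging layout (lib/, a top-level .groovy file, firewall.properties.example) and the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not Sonatype's script): copy a staged plugin tree into the
# Artifactory plugins directory the way the setup notes recommend.
set -eu

# install_firewall_plugin <staging-dir> <plugins-dir>
# The staging directory is a temporary folder holding the extracted zip.
install_firewall_plugin() {
    staging="$1"
    plugins_dir="$2"

    [ -d "$staging/lib" ] || { echo "missing lib/ in $staging" >&2; return 1; }

    # Refresh every timestamp while the files are still outside the plugins
    # directory, so the copies are newer than any cached version.
    find "$staging" -type f -exec touch {} +

    mkdir -p "$plugins_dir/lib"
    cp "$staging"/lib/*.jar "$plugins_dir/lib/"

    # Copy the plugin's .groovy entry point (name taken from the staging dir).
    for f in "$staging"/*.groovy; do
        [ -f "$f" ] || { echo "no plugin .groovy file in $staging" >&2; return 1; }
        cp "$f" "$plugins_dir/"
    done

    # Seed firewall.properties from the example only when none exists, so an
    # upgrade never overwrites a live configuration (removing it would deny
    # every download until it is restored and Artifactory is restarted).
    if [ ! -f "$plugins_dir/firewall.properties" ] \
       && [ -f "$staging/firewall.properties.example" ]; then
        cp "$staging/firewall.properties.example" "$plugins_dir/firewall.properties"
    fi
}

# installed_is_newer <plugins-dir> <reference-file>
# Succeeds when the installed jar is newer than a reference file, e.g. a
# stale cached copy; use it to confirm the cache cannot win on timestamp.
installed_is_newer() {
    [ "$1/lib/nexus-iq-artifactory-plugin.jar" -nt "$2" ]
}
```

Run the install while Artifactory is stopped if possible; when it is running, the touch-then-copy order is what keeps the cached copy from being restored over the new files.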

Considerations

  • The Firewall for JFrog Artifactory plugin processes components requested after the plugin was enabled. Previously downloaded components are allowed, to prevent existing builds from breaking.

  • When quarantine is disabled, currently quarantined components are released to the repository. These components will not be re-quarantined without first deleting them from the remote repository and requesting them again.

  • When the plugin is installed, removing firewall.properties causes all download requests to be denied until the file is restored and JFrog Artifactory is restarted.

  • Commenting out a repository configuration does not disable it. Use the disabled setting instead.

  • Nexus Firewall for Artifactory requires the 'Store Artifacts Locally' advanced setting to be enabled.

  • Repository Firewall supports the remote repository type. The virtual repository type is indirectly supported when it includes a remote repository.

  • Configure 'local' repositories as 'proprietary' so that Firewall can use them to prevent Namespace Confusion attacks.

  • Configured repositories are displayed in Repository Managers under 'Organization and Policies' in the Firewall server.

  • The username must be configured in the Firewall server with the Component Evaluator role. Consider using a service account with user tokens.

High Availability

  1. Install the plugin zip and the firewall.properties file on the primary node of your JFrog Artifactory high-availability system

  2. JFrog Artifactory HA automatically synchronizes the plugin and its configuration to the remaining nodes

  3. Update the plugin configuration for JFrog Artifactory HA

Logging

The Sonatype Repository Firewall for JFrog Artifactory plugin ships with logging enabled by default. Additional logs are available for debugging when necessary. Individual blocked component requests are not logged, to prevent excessive log entries.

JFrog Artifactory uses the Logback library for logging. To understand JFrog Artifactory logging and modify what is logged, see the JFrog documentation.

Add this section to the logback.xml file to increase logging for the plugin:

<logger name="com.sonatype.iq.artifactory">
    <level value="debug"/>
</logger>