
JFrog Artifactory Setup

The Sonatype Repository Firewall for JFrog Artifactory solution protects your development environment from risky open-source components. The plugin uses policies configured in the Firewall server to quarantine unwanted components from being served through your remote repositories.

Note

JFrog Artifactory SaaS is not supported. The following versions are not supported: 7.49.3, 7.49.5, 7.49.8, 7.55.2, and any version that has reached its Artifactory end-of-life date.

Artifactory’s plugin caching

JFrog Artifactory compares a plugin file's timestamp against an internal cache when determining which plugin files to load. When updating the plugin or the firewall.properties file, the timestamp needs to be updated as well. On Linux systems, this can be accomplished using the touch command.

touch <filename>

Installation

A running JFrog Artifactory instance immediately loads plugins copied into the plugins directory. To avoid corrupting the installation, first extract the plugin into a temporary directory and then move the files into the plugins directory. This is not an issue when the server is shut down.

  1. Download the latest version of the plugin and extract the contents of the plugin to a temporary folder.

  2. Move the lib directory into the ${ARTIFACTORY_HOME}/etc/plugins directory

  3. Move the nexusFirewallForArtifactory.groovy file into ${ARTIFACTORY_HOME}/etc/plugins

  4. The zip file includes an example configuration file for the plugin and all necessary files for the operation of the plugin. The final folder structure should resemble:

    JFrog Artifactory 7.x
    ${ARTIFACTORY_HOME}
       /var
          /etc
             /artifactory
                /plugins
                   nexusFirewallForArtifactoryPlugin.groovy
                   firewall.properties
                   /lib
                      nexus-iq-artifactory-plugin.jar
    JFrog Artifactory 6.x
    ${ARTIFACTORY_HOME}
       /etc
          /plugins
             nexusFirewallForArtifactoryPlugin.groovy
             firewall.properties
             /lib
                nexus-iq-artifactory-plugin.jar
  5. Rename firewall.properties.example to firewall.properties to use as a base for your configuration

  6. Configure which repositories you would like to enable in the firewall.properties file

  7. Restart the JFrog Artifactory server
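The installation steps above, as an added shell script that is not part of the Sonatype or JFrog documentation. It stages the zip in a temporary directory so a running server never sees a half-copied plugin, refuses to install an incomplete staging directory, keeps an existing firewall.properties rather than overwriting it, and touches the installed files so the plugin cache loads them. The `unzip` tool and the plugins path are assumptions; the final restart is left to the operator.

```shell
#!/bin/sh
# Added example (not Sonatype's or JFrog's code): perform the plugin install steps
# via a temporary directory, then bump timestamps for Artifactory's plugin cache.
set -eu

# Step 1: extract the downloaded zip into a fresh temporary directory.
# Assumes `unzip` is available. $1 = plugin zip; prints the staging directory.
stage_plugin_zip() {
    staging=$(mktemp -d)
    unzip -q "$1" -d "$staging"
    echo "$staging"
}

# Steps 2-6: move the staged files into the plugins directory.
# $1 = staging directory, $2 = plugins directory, for example
# ${ARTIFACTORY_HOME}/var/etc/artifactory/plugins (7.x) or ${ARTIFACTORY_HOME}/etc/plugins (6.x)
install_staged_plugin() {
    staging=$1
    plugins=$2
    [ -d "$plugins" ] || { echo "plugins directory not found: $plugins" >&2; return 1; }
    # Refuse an incomplete staging directory instead of leaving a broken plugin behind.
    [ -f "$staging/nexusFirewallForArtifactoryPlugin.groovy" ] || { echo "missing plugin groovy file" >&2; return 1; }
    [ -f "$staging/lib/nexus-iq-artifactory-plugin.jar" ] || { echo "missing plugin jar" >&2; return 1; }
    [ -f "$staging/firewall.properties.example" ] || { echo "missing example properties" >&2; return 1; }

    mkdir -p "$plugins/lib"
    mv "$staging/lib/"* "$plugins/lib/"
    mv "$staging/nexusFirewallForArtifactoryPlugin.groovy" "$plugins/"
    # Keep an existing firewall.properties: removing it denies every download until restored.
    if [ -f "$plugins/firewall.properties" ]; then
        mv "$staging/firewall.properties.example" "$plugins/firewall.properties.example"
    else
        mv "$staging/firewall.properties.example" "$plugins/firewall.properties"
    fi
    # Artifactory checks file timestamps against its plugin cache; touch so the new files load.
    touch "$plugins/nexusFirewallForArtifactoryPlugin.groovy" "$plugins/firewall.properties" "$plugins/lib/"*
    rm -rf "$staging"
    # Step 7 (restart the JFrog Artifactory server) is left to the operator.
}
```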

Considerations

  • The Firewall for JFrog Artifactory plugin processes only components requested after the plugin is enabled. Previously downloaded components are allowed to prevent existing builds from breaking.

  • When quarantine is disabled, currently quarantined components are released to the repository. These components will not be re-quarantined without first deleting them from the remote repository and requesting them again.

  • Once the plugin is installed, removing the firewall.properties file causes all download requests to be denied until the file is restored and JFrog Artifactory is restarted.

  • Commenting out a repository configuration does not disable it. Use the disabled setting instead.

  • Nexus Firewall for Artifactory requires the Store Artifacts Locally advanced setting.

  • Repository Firewall supports the remote repository type. The virtual repository type is indirectly supported when it includes a remote repository.

  • Configure local repositories as proprietary so they can be used to prevent Namespace Confusion attacks.

  • Configured repositories are displayed in Repository Managers under 'Organization and Policies' in the Firewall server.

  • The username must be configured in the Firewall server with the Component Evaluator role. Consider using a service account with user tokens.

High Availability

  1. Install the plugin zip and the firewall.properties in the primary node of your JFrog Artifactory high-availability system

  2. JFrog Artifactory HA will automatically synchronize the plugin and its configuration to the remaining nodes

  3. Update the plugin configuration for JFrog Artifactory HA

Logging

The Sonatype Repository Firewall for JFrog Artifactory plugin ships with logging enabled by default. Additional logs are available for debugging when necessary. Individual blocked component requests are not logged, to prevent excessive log entries.

JFrog Artifactory uses the Logback library for logging. To understand JFrog Artifactory logging and modify the logged information, see the JFrog documentation.

Add this section to the logback.xml file to increase logging for the plugin:

<logger name="com.sonatype.iq.artifactory">
    <level value="debug"/>
</logger>