TLS Encryption for PostgreSQL
Enable TLS for PostgreSQL in JFrog Artifactory by setting sslmode=verify-full in the JDBC URL and configuring a separate Go URL for the metadata service.
To enable Transport Layer Security (TLS) encryption for PostgreSQL, set the sslmode property to verify-full in the JDBC connector URL.
For example, update the $JFROG_HOME/artifactory/var/etc/system.yaml file as follows.

shared:
  database:
    ...
    url: jdbc:postgresql://mypostgress.mydomain.com:5432/artifactory?ssl=true&sslfactory=org.postgresql.ssl.jdbc4.LibPQFactory&sslmode=verify-full&sslrootcert=/tmp/server.crt
    ...

JFrog Artifactory includes several microservices that require a database connection. Some are built using Java and others using Go. During startup, Artifactory automatically converts the JDBC URL to a Go URL. In some cases this conversion may not work, and you must configure a dedicated URL for the Go-based microservices.
Go-Based Microservices
For example, the metadata service is built using Go, so configure the metadata database URL according to Go’s configuration as follows:

metadata:
  database:
    url: "go:user='artifactory' dbname=artifactory host=<DATABASE_HOSTNAME> port=5432 sslmode=verify-full sslrootcert=/PATH/TO/ROOT_CERT sslcert=/PATH/TO/CERT sslkey=/PATH/TO/KEY"

Replace <DATABASE_HOSTNAME>, /PATH/TO/ROOT_CERT, /PATH/TO/CERT, and /PATH/TO/KEY with the appropriate values for your environment.
Note
If you are using old certificates or have an AWS RDS instance created before July 2020, Subject Alternative Name (SAN) is not enabled. To resolve this issue, generate a new certificate with SAN.
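
Because the JDBC URL and the dedicated Go URL are maintained separately, one can end up on a weaker sslmode or a different host name than the other. The following check is an added example, not part of JFrog's documentation or Artifactory's code: it parses both URL forms shown above and reports where either departs from sslmode=verify-full. The function names and sample values are constructed for illustration, the parsing is simplified and is not Artifactory's JDBC-to-Go conversion, and treating a missing sslrootcert as a finding is an assumption based on the page's examples setting it explicitly.

```python
import shlex
from urllib.parse import parse_qs, urlsplit

REQUIRED_MODE = "verify-full"  # the mode the page sets in both URLs

def parse_jdbc(url):
    """Return (host, params) from a jdbc:postgresql:// URL."""
    if not url.startswith("jdbc:postgresql://"):
        raise ValueError("not a PostgreSQL JDBC URL")
    parts = urlsplit(url[len("jdbc:"):])
    params = {k: v[-1] for k, v in parse_qs(parts.query).items()}
    return parts.hostname, params

def parse_go_dsn(dsn):
    """Return (host, params) from a 'go:key=value ...' connection string."""
    if not dsn.startswith("go:"):
        raise ValueError("not a go: connection string")
    # shlex removes the single quotes around values such as user='artifactory'
    params = dict(tok.split("=", 1) for tok in shlex.split(dsn[3:]))
    return params.get("host", "").lower(), params

def tls_findings(label, params):
    """List the ways one URL falls short of the page's TLS settings."""
    out = []
    mode = params.get("sslmode")
    if mode != REQUIRED_MODE:
        out.append(f"{label}: sslmode is {mode!r}, expected {REQUIRED_MODE!r}")
    if not params.get("sslrootcert"):
        out.append(f"{label}: sslrootcert is not set explicitly")
    return out

def audit(jdbc_url, go_dsn):
    """Check both URLs and that they name the same database host."""
    jdbc_host, jdbc_params = parse_jdbc(jdbc_url)
    go_host, go_params = parse_go_dsn(go_dsn)
    findings = tls_findings("shared.database.url", jdbc_params)
    findings += tls_findings("metadata.database.url", go_params)
    if jdbc_host != go_host:
        findings.append(f"host mismatch: {jdbc_host!r} vs {go_host!r}")
    return findings

if __name__ == "__main__":
    # Constructed sample values modelled on the page's two examples.
    jdbc = ("jdbc:postgresql://db.example.internal:5432/artifactory"
            "?ssl=true&sslmode=verify-full&sslrootcert=/PATH/TO/ROOT_CERT")
    go = ("go:user='artifactory' dbname=artifactory host=db.example.internal "
          "port=5432 sslmode=require sslrootcert=/PATH/TO/ROOT_CERT")
    for finding in audit(jdbc, go):
        print(finding)
```

The host comparison matters because verify-full matches the host name in each URL against the server certificate, so both URLs should use the name that appears in the certificate's SAN.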
