Configure Curation for Self-Managed

📘
Note
This page is for self-managed configuration only. JFrog Curation in SaaS is automatically deployed and configured by JFrog.

Configuration Overview

The JFrog Curation service requires the installation and configuration of other JFrog services such as JFrog Catalog. The Curation service is automatically included in your JFrog Xray installation.

The following steps will help you configure and validate the JFrog Curation service in your self-managed JFrog Platform.

Verify that JFrog Artifactory and Xray are installed and meet the minimum version requirements.
Install the JFrog Catalog service.
Check that you are entitled to use the Curation service.
Enable the JFConnect microservice explicitly.

1. Validate Xray and Artifactory Requirements

Xray and Artifactory must be installed and meet the minimal version requirements. If you do not have the required versions installed, please proceed with upgrading these components before continuing.

Subscription Requirements

JFrog Curation is currently available for the following JFrog subscriptions:

Enterprise X
Enterprise +

Minimum Xray Version

The Xray version (that includes Curation) is:

Without a proxy: 3.78.2
Behind a proxy: 3.82.11

It is highly recommended to use the latest version of Xray to ensure the latest Curation version is in use.
To check your Xray version:

curl -u<username>:<password> https://your_env_domain/xray/api/v1/system/version

Example of a valid result:

{
   "xray_version":"3.82.6",
   "xray_revision":"38d6f6d"
}

Minimum Artifactory Version

Make sure the minimal Artifactory version in use is: 7.63.5

To check your JFrog platform version:

curl -u<username>:<password> https://your_env_domain/artifactory/api/system/version

Example of a valid result:

{
    "version" : "7.69.1",
    "revision" : "76901900",
    …
}

2. Install JFrog Catalog Central

Catalog and Curation are interconnected products. Curation relies on Catalog to access data about package vulnerabilities. Without Catalog, Curation cannot function. Whilst Curation is included in the Xray install, Catalog is an independent install that requires its own Database and server.

Prevention at Entry (Curation + Catalog): Before any OSS package is introduced into your development pipeline, Curation consults the Catalog to assess its risk profile. This proactive approach ensures that only vetted and approved packages are allowed entry, minimizing the chance of introducing vulnerabilities or non-compliant components.
Continuous Monitoring (Xray): Once packages are part of your environment, Xray takes over by continuously scanning them for new vulnerabilities or compliance issues that may arise over time. This ensures that your software remains secure and compliant throughout its lifecycle.

In essence, Catalog provides the critical data, Curation acts as the initial filter to block risky components from entering your system, and Xray offers ongoing surveillance to detect and address issues in the components you are already using. This integrated approach fortifies your software supply chain, ensuring robust security and compliance from the outset and throughout the development process.

Install JFrog Catalog using one of the following options:

For server installations, use the Interactive Script.
For Kubernetes installations, use Helm and OpenShift.

3. Check Your JFrog Platform Instance Is Entitled for Curation

Perform the following steps to check that Curation is available in your JFrog Platform environment:

Check the API: https://your.domain/ui/api/v1/jfconnect/entitlements

curl -u<username>:<password> https://your_env_domain/artifactory/ui/api/v1/jfconnect/entitlements

Expected result is an array with entitlements including the Curation one.

Search the response for curation to find the Curation entitlements section:

Example:

{
      "name": "curation",
      "value": 1,
      "expiryDate": "2026-07-20T00:00:00.000Z",
      "productExpiryDate": "2026-07-20T00:00:00.000Z",
      "isTrial": true,
      "customerId": "",
      "blockingQuantity": 1,
      "dependentOnAction": ""
}

If you receive an empty result, see Check JFConnect Service Is Explicitly Enabled.

If you receive entitlement information but do not see the Curation entitlement in the returned data, JFrog may not have assigned it to your instance. Contact your JFrog sales representative or JFrog Support.

Check JFConnect Service Is Explicitly Enabled

The JFConnect microservice acts as the JPD (JFrog Deployment) entitlements service and enables dynamic entitlement allocation for connected products based on account and subscription changes in JFrog’s main entitlements server. For more information on the service, see JFConnect Microservice.

For Curation to work, JFConnect must be running and explicitly enabled in Artifactory's system.yaml. This ensures the Artifactory Connect client runs correctly.

Make sure JFConnect is enabled in your Artifactory system.yaml file.

❗️
Warning
You must enable JFConnect explicitly in your system.yaml, even if JFConnect is already running. This ensures the Artifactory client and the microservice both run correctly.

📘
Note
This setting is explicitly set automatically in Kubernetes environments. For other installation types, add the snippet in this section to your system.yaml.

Enable JFConnect in $JFROG_HOME/artifactory/var/etc/system.yaml at the global level:
```
jfconnect:
  enabled: true
```
JFConnect requires access to https://jes.jfrog.io and https://jcs.jfrog.io.
If you use a corporate proxy, see JFConnect Proxy Configuration. If you are in a fully air-gapped environment, see JFrog Platform in an Air-gapped Environment.
Restart Artifactory and check whether JFConnect is running.

To verify that the JFConnect microservice is running, including the Artifactory client, check this entitlements API: https://your.domain/artifactory/api/curation/repositories
```
curl -u<username>:<password> https://your_env_domain/artifactory/api/curation/repositories
```
This API should return an array of your remote repositories with additional information.
1. If the array is empty, you likely do not have any remote repositories configured.
2. If you receive the response "Curation is not entitled" or a similar message, JFConnect is not running as expected. Make sure your change in system.yaml persisted, restart Artifactory, and confirm the spacing is correct. YAML files are whitespace-dependent, and jfconnect: should be at the root level of the file.

Curation Health Check API

Starting in Xray version 3.86.x, a dedicated Curation health check API is available. This API checks the availability of all components discussed in this page and helps you identify which component is missing.

Use this API to check your Curation health status: https://your.domain/xray/ui/curation/internal/health

curl -u<username>:<password> https://yourdomain.ext/xray/ui/curation/internal/health

This API returns status for the following components:

JF Connect: Checks the JFConnect health-check API. If this check fails, your JFConnect microservice is not running at all. Check the JFConnect service logs and review the JFConnect Troubleshooting Guide.
Entitlements: Checks that Curation is entitled and that the entitlement process is working. If this check fails, the required entitlement was not found in this Platform deployment. See Check Your JFrog Platform Instance Is Entitled for Curation.
Catalog: Checks that Catalog is available and that the Curation service can connect to Catalog. If this check fails, make sure you configured the Catalog service as described in Install JFrog Catalog Central.
RTJFConnectEnablement: Checks that the JFConnect client within Artifactory is working. If this check fails, follow the steps in Check JFConnect Service Is Explicitly Enabled. Specifically, make sure you explicitly set JFConnect to enabled in Artifactory system.yaml.

Expected responses:

Example error messages:

{
  "JFConnect": "JFConnect is disabled! OR JFConnect ping has failed!",
  "Entitlements": "Curation is not entitled!",
  "Catalog": "Catalog is not accessible",
  "RTJFConnectEnablement": "Make sure JFConnect enabled in Artifactory, more details: https://jfrog.com/help/r/jfrog-installation-setup-documentation/jfconnect-microservice OR entitlements cache in Artifactory not up to date, to refresh restart Artifactory"
}

Example ready response:

{
  "JFConnect": "OK",
  "Entitlements": "OK",
  "Catalog": "OK",
  "RTJFConnectEnablement":"OK"
}

If everything returns "OK", your Curation service is ready to go. Otherwise, follow the guide for the service that is not working and add the required configuration.