Overview

Some tools use cleartext passwords, which can pose a security risk. The risk is even greater if you use LDAP or other external authentication, since you expose your SSO password in cleartext, and that password is likely to be used for other services as well.

For example, Maven uses cleartext passwords in the settings.xml file by default.

Using Maven's built-in support for encrypting passwords and generating them on the client side does not overcome these security risks, for the following reasons:

  1. The login password is decrypted on the client side, ends up as cleartext in memory, and is then transmitted over the wire (unless SSL is also enforced).
  2. The master password used for decryption is stored in cleartext on the file system.
  3. Password encryption is left to the good will of the end user, and there is no way to centrally mandate it.

A unique solution to this problem is to generate encrypted passwords for users based on secret keys stored in the system. This ensures that users' shared passwords are never stored or transmitted as cleartext.
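The following is an added example (not JFrog's or Maven's own code) that audits a settings.xml for `<server>` credentials stored in cleartext, which is the situation described above. It distinguishes Maven's own client-side encryption (ciphertext wrapped in braces, e.g. `{...}`) from plain cleartext; per the reasoning above, both still leave the real password recoverable on the client, so both should be replaced by the server-generated encrypted password. The settings.xml content is constructed for the example.

```python
"""Audit a Maven settings.xml for <server> credentials stored in cleartext.

Added example, not JFrog's or Maven's own code. Assumes the standard Maven
settings.xml layout: <settings><servers><server><id/><username/><password/>.
"""
import re
import xml.etree.ElementTree as ET

# Maven's built-in encryption wraps the ciphertext in braces, e.g. {COQLCE6DU6GtcS5P=}.
MAVEN_ENCRYPTED = re.compile(r"^\{.+\}$")

# Constructed sample settings.xml (not a real file): one cleartext password,
# one Maven-encrypted password, one server entry without any password.
SAMPLE_SETTINGS = """<?xml version="1.0"?>
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server>
      <id>artifactory-releases</id>
      <username>builder</username>
      <password>hunter2</password>
    </server>
    <server>
      <id>artifactory-snapshots</id>
      <username>builder</username>
      <password>{COQLCE6DU6GtcS5P=}</password>
    </server>
    <server>
      <id>no-password-server</id>
      <username>svc</username>
    </server>
  </servers>
</settings>
"""


def _local(tag):
    """Strip the XML namespace from an element tag ('{ns}server' -> 'server')."""
    return tag.rsplit("}", 1)[-1]


def classify_password(value):
    """Return 'none', 'maven-encrypted' or 'cleartext' for a <password> value."""
    if value is None or value.strip() == "":
        return "none"
    if MAVEN_ENCRYPTED.match(value.strip()):
        # Still decryptable on the client with the master password; see reasons 1 and 2.
        return "maven-encrypted"
    return "cleartext"


def audit_settings(xml_text):
    """Return a list of (server_id, classification) for every <server> element."""
    root = ET.fromstring(xml_text)
    results = []
    for server in root.iter():
        if _local(server.tag) != "server":
            continue
        server_id = None
        password = None
        for child in server:
            name = _local(child.tag)
            if name == "id":
                server_id = child.text
            elif name == "password":
                password = child.text
        results.append((server_id, classify_password(password)))
    return results


def cleartext_servers(xml_text):
    """Server ids whose password is plain cleartext (the most urgent findings)."""
    return [sid for sid, cls in audit_settings(xml_text) if cls == "cleartext"]


if __name__ == "__main__":
    for sid, cls in audit_settings(SAMPLE_SETTINGS):
        print(f"{sid}: {cls}")
```

Run it against `~/.m2/settings.xml` by reading the file into `audit_settings`; any server reported as `cleartext` (and, given the reasons above, `maven-encrypted`) is a candidate for switching to the centrally generated encrypted password described in the rest of this page.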

WebUI Changes implemented in Artifactory 7.38.x and above

Security is now called Authentication Providers. All the relevant text and images on this page have been updated to reflect this change.

The security settings previously found under the Security tab have moved to User Management.


You can set a central policy for using or accepting encrypted passwords in the Administration module under User Management | Settings by setting the Password Encryption Policy field.

The behavior according to the Password Encryption Policy setting is as follows:

| Setting | Behavior |
| --- | --- |
| Supported | The system can receive requests with an encrypted password (default). |
| Required | The system requires an encrypted password for every authenticated request. |
| Unsupported | The system rejects requests with an encrypted password. |

Using Your Secure Password

To secure your password:

  1. Open your profile page (click on your login name in the upper-right corner and select Edit Profile), type your password in the Current Password field and click Unlock.
  2. Once your profile is unlocked, click the corresponding icons next to your encrypted password to view it openly or copy it to the clipboard.


Different encryption mechanisms

The encryption mechanisms of the Oracle and IBM JDKs are not identical. Switching from one to the other will make your existing encrypted password obsolete, so users will need to generate a new one.

IBM JDK Encryption Restrictions

Some IBM JRE/JDK builds are shipped with a restriction on the encryption key size (mostly for countries outside the US). This restriction can be officially removed by downloading unrestricted policy files from IBM and overriding the existing ones:

  1. Register and download the unrestricted JCE policy files from the IBM website.
  2. Select the correct zip that matches your Java version.
  3. The downloaded zip file contains 2 jar files: local_policy.jar and US_export_policy.jar. Back up the existing files in $IBM_JDK_HOME/jre/lib/security and extract the jars from the zip file to this location.
  4. Restart the system.
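The following is an added example (not IBM's or JFrog's code) that carries out step 3 above as a script: it checks that the downloaded zip actually contains both local_policy.jar and US_export_policy.jar before touching anything, backs up the current copies, then overwrites them. The zip path and the `IBM_JDK_HOME` default are assumptions for the demo; the `demo()` function builds a constructed fake security directory and zip in a temporary folder so the logic can be exercised without a real JDK.

```python
"""Install IBM unrestricted JCE policy jars with a backup of the originals.

Added example, not IBM's or JFrog's code. Mirrors step 3 of the procedure:
verify the zip, back up the jars in $IBM_JDK_HOME/jre/lib/security, extract.
"""
import os
import shutil
import tempfile
import zipfile

POLICY_JARS = ("local_policy.jar", "US_export_policy.jar")


def policy_jars_in_zip(zip_path):
    """Return the set of policy jar names present in the zip (at any depth)."""
    with zipfile.ZipFile(zip_path) as zf:
        return {os.path.basename(n) for n in zf.namelist()
                if os.path.basename(n) in POLICY_JARS}


def install_policy_jars(zip_path, security_dir, backup_suffix=".bak"):
    """Back up the existing policy jars and overwrite them from the zip.

    Returns the sorted list of jar names installed. Raises ValueError if the zip
    does not contain both jars, so a zip for the wrong Java version (step 2)
    is never half-applied.
    """
    missing = set(POLICY_JARS) - policy_jars_in_zip(zip_path)
    if missing:
        raise ValueError(f"zip is missing policy jars: {sorted(missing)}")
    installed = []
    with zipfile.ZipFile(zip_path) as zf:
        for member in zf.namelist():
            name = os.path.basename(member)
            if name not in POLICY_JARS:
                continue
            target = os.path.join(security_dir, name)
            if os.path.exists(target):
                # Keep the restricted original so the change can be reverted.
                shutil.copy2(target, target + backup_suffix)
            with zf.open(member) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
            installed.append(name)
    return sorted(installed)


def demo():
    """Constructed end-to-end run in a temp dir: fake JDK security dir + fake zips."""
    with tempfile.TemporaryDirectory() as root:
        sec = os.path.join(root, "jre", "lib", "security")
        os.makedirs(sec)
        for jar in POLICY_JARS:
            with open(os.path.join(sec, jar), "wb") as f:
                f.write(b"restricted")  # constructed stand-in for the shipped jar
        good_zip = os.path.join(root, "unrestricted.zip")
        with zipfile.ZipFile(good_zip, "w") as zf:
            for jar in POLICY_JARS:
                zf.writestr("policy/" + jar, b"unrestricted")
        bad_zip = os.path.join(root, "wrong-version.zip")
        with zipfile.ZipFile(bad_zip, "w") as zf:
            zf.writestr("policy/local_policy.jar", b"unrestricted")  # one jar only
        try:
            install_policy_jars(bad_zip, sec)
            rejected_bad_zip = False
        except ValueError:
            rejected_bad_zip = True
        installed = install_policy_jars(good_zip, sec)
        after = {j: open(os.path.join(sec, j), "rb").read() for j in POLICY_JARS}
        backups = {j: open(os.path.join(sec, j + ".bak"), "rb").read() for j in POLICY_JARS}
        return installed, after, backups, rejected_bad_zip


if __name__ == "__main__":
    # Assumption: IBM_JDK_HOME points at the IBM JDK install; adjust the default.
    jdk_home = os.environ.get("IBM_JDK_HOME", "/opt/ibm/java")
    security_dir = os.path.join(jdk_home, "jre", "lib", "security")
    print(install_policy_jars("unrestricted.zip", security_dir))
```

After running it on a real installation, restart the system as in step 4; the `.bak` copies let you restore the restricted jars if needed.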
Copyright © 2023 JFrog Ltd.