ARTIFACTORY: How to restore access tokens after resetting the master.key
Subject: How to use existing Access Tokens after resetting the master.key
Affected Versions: Artifactory 7.21.3 and above
Description
While using Artifactory, you may run into an issue where the master.key gets corrupted or is lost. This can cause issues such as:
- Not able to connect a node to an HA cluster.
- Unusable passwords in Artifactory configuration and Access data as they are encrypted by the master.key.
- Failure to start up Artifactory with “Given final block not properly padded” error message.
In such cases, you can follow the steps mentioned in our KB articles to reset the master.key.
- How to recover the master.key
- How to resolve the “Given final block not properly padded. Such issues can arise if a bad key is used during decryption” error
However, this process will also reset the token certificate (root.crt) in Artifactory, making the existing Access Tokens unusable, as shown below. The root.crt is crucial for Access Tokens because it is used as a public key to verify the token’s signature.
$ curl -u admin:
{
"errors" : [ {
"status" : 401,
"message" : "Token failed verification: signature"
} ]
}
In order to maintain the existing tokens, you can take a backup of the root.crt file (located under the $JFROG_HOME/artifactory/var/etc/access/keys/ folder) before resetting the master.key.
$JFROG_HOME/artifactory/var/etc/access/keys# ls
README.md ca.crt ca.private.key private.key root.crt trusted
After the master.key has been reset and the new root.crt has been generated, add the backed-up root.crt file to the $JFROG_HOME/artifactory/var/etc/access/keys/trusted/ folder. After a while, the copied root.crt will disappear from the “trusted” folder and will be added to the database.
$JFROG_HOME/artifactory/var/etc/access/keys/trusted# ls
README.md root.crt
After a moment…
$JFROG_HOME/artifactory/var/etc/access/keys/trusted# ls
README.md
Then, you can test to see that the existing tokens work again.
$ curl -u admin:
OK
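The backup and restore steps above, scripted as an added example (not JFrog's own tooling). The key paths come from this article; BACKUP_DIR, the /opt/jfrog fallback, the function names and the checksum sidecar file are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example: carry the old root.crt across a master.key reset.
# KEYS_DIR follows the article; the /opt/jfrog fallback and BACKUP_DIR are assumptions.
KEYS_DIR="${KEYS_DIR:-${JFROG_HOME:-/opt/jfrog}/artifactory/var/etc/access/keys}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/access-root-crt}"

# Before the reset: copy root.crt and record its SHA-256 next to it.
backup_root_crt() {
  [ -s "$KEYS_DIR/root.crt" ] || { echo "no root.crt in $KEYS_DIR" >&2; return 1; }
  mkdir -p "$BACKUP_DIR" &&
  cp -p "$KEYS_DIR/root.crt" "$BACKUP_DIR/root.crt" &&
  (cd "$BACKUP_DIR" && sha256sum root.crt > root.crt.sha256)
}

# After the reset: check the backup is intact and that a new root.crt
# really was generated, then place the old certificate in trusted/.
stage_trusted_root() {
  (cd "$BACKUP_DIR" && sha256sum -c root.crt.sha256 >/dev/null) ||
    { echo "backup failed checksum verification" >&2; return 1; }
  if cmp -s "$BACKUP_DIR/root.crt" "$KEYS_DIR/root.crt"; then
    echo "root.crt is unchanged; the reset has not regenerated it yet" >&2
    return 2
  fi
  cp "$BACKUP_DIR/root.crt" "$KEYS_DIR/trusted/root.crt"
}

# Wait until the file disappears from trusted/ (imported into the database).
# Returns 1 if it is still present after the timeout (seconds).
wait_for_import() {
  local timeout="${1:-120}" waited=0
  while [ -e "$KEYS_DIR/trusted/root.crt" ]; do
    [ "$waited" -ge "$timeout" ] && return 1
    sleep 1; waited=$((waited + 1))
  done
}

# Usage: script.sh backup | script.sh restore [timeout-seconds]
case "${1:-}" in
  backup)  backup_root_crt ;;
  restore) stage_trusted_root && wait_for_import "${2:-120}" ;;
esac
```

Run `backup` before resetting the master.key and `restore` once the new root.crt exists, then retry a request with an existing token as shown above.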
