Configuring Authentication for Protegrity AI Team Edition

Instructions for configuring authentication, certificates, and registry access required to pull AI Team Edition artifacts.

Log into My.Protegrity and obtain the necessary credentials and certificates. This portal hosts all products and features included in your Protegrity contract.

Deploy Using PCR

Use the steps provided here for deploying PPC and the features directly from the PCR.

  1. Log in to the My.Protegrity portal.

  2. Navigate to Product Management > Explore Products > AI Team Edition.

  3. Create an access token to obtain the Username and Secret. Store these credentials carefully, they are required for connecting to https://registry.protegrity.com:9443 and performing registry operations.

    1. Click Access Tokens.

    2. Click Create Access Token.

    3. Click Export To File to save the credentials.

    4. Click I Understand That I Cannot See This Again.

Deploy to Own Registry

Use the steps provided here for pulling the artifacts from PCR and deploying PPC and the features to the organization-hosted registry using standard authentication.

Prerequisites:

  • For ECR: Ensure that the required AWS credentials are available and set.

  • Ensure that the jumpbox has connectivity to the Protegrity Container Registry (PCR) and your container registry.

  • Ensure that the user logged in to the jumpbox is the root user or has sudoer access.

  • Ensure that the following tools are installed:

    • docker or podman: Must be installed and running. If podman is used, identify the podman directory and create a symbolic link to docker using the following commands:
    which podman
ln -s /bin/podman /bin/docker

    • helm: Kubernetes package manager used to pull and manage Helm charts required for deploying Protegrity AI Team Edition components from an OCI‑compliant registry. Helm v3+ must be installed.

    • curl: Command‑line HTTP client used by the pull scripts to interact with OCI Distribution APIs, including making authenticated requests to the Protegrity Container Registry.

    • jq: Lightweight JSON processor used to parse and extract information from the artifacts.json file that defines the set of artifacts to be pulled and pushed.

    • oras: OCI Registry As Storage (ORAS) client used to pull non‑container, generic OCI artifacts from the registry that are not handled by standard container tooling.

    Run the following command to confirm readiness before proceeding:

    docker --version && helm version && oras version && jq --version && curl --version

Steps to configure the certificates:

  1. Log in to the My.Protegrity portal.

  2. Navigate to Product Management > Explore Products > AI Team Edition.

  3. Create an access token to obtain the Username and Secret.

    Note: Store these credentials carefully, they are required for performing registry operations.

    1. Click Access Tokens.

    2. Click Create Access Token.

    3. Click Export To File to save the credentials.

    4. Click I Understand That I Cannot See This Again.

  4. Obtain the artifacts for setting up the AI Team Edition.

    1. From the Product Management > Explore Products > AI Team Edition page of the My.Protegrity portal, click Download Pull Script. A compressed file is downloaded.

    2. Copy the compressed file to an empty directory on the jumpbox.

    3. Extract the compressed file.

      The following files are available:

      • artifacts.json: The list of artifacts that are obtained.
      • pull_all_artifacts.sh: The script to pull the artifacts from the PCR.
      • tag_push_artifacts.sh: The script to tag and push the artifacts to your container registry.

    4. Navigate to the extracted directory. Do not update the contents of the artifacts.json file.

    5. Run the pull script to pull the artifacts to your jumpbox using the following command:

      ./pull_all_artifacts.sh --url https://registry.protegrity.com:9443 --user <username_from_portal> --password <access_key_from_portal> --json artifacts.json

      Ensure that single quotes are used to specify the username and password in the command.

    6. Run the following command to tag and push the artifacts to your container registry.

      Sample command for ECR:

      ./tag_push_artifacts.sh --ecr-uri 123456789012.dkr.ecr.us-east-1.amazonaws.com --region us-east-1 --json artifacts.json

      Sample command for Harbor:

      ./tag_push_artifacts.sh --url https://harbor.example.com --user <your_harbor_username> --password <your_harbor_password> --json artifacts.json

      Ensure that single quotes are used to specify the username and password in the command.

    7. Validate that all the artifacts are successfully pushed to your registry.

Deploy to Own Registry Using mTLS

This section explains how to set up mTLS authentication when using your own container registry. Perform these steps to establish secure, certificate‑based trust and prevent unauthorized access during image pulls and service communication.

Prerequisites:

  • For ECR: Ensure that the required AWS credentials are available and set.

  • Ensure that the jumpbox has connectivity to the Protegrity Container Registry (PCR) and your container registry.

  • Ensure that the user logged in to the jumpbox is the root user or has sudoer access.

  • Ensure that the following tools are installed:

    • docker or podman: Must be installed and running. If podman is used, identify the podman directory and create a symbolic link to docker using the following commands:
    which podman
ln -s /bin/podman /bin/docker

    • helm: Kubernetes package manager used to pull and manage Helm charts required for deploying Protegrity AI Team Edition components from an OCI‑compliant registry. Helm v3+ must be installed.

    • curl: Command‑line HTTP client used by the pull scripts to interact with OCI Distribution APIs, including making authenticated requests to the Protegrity Container Registry.

    • jq: Lightweight JSON processor used to parse and extract information from the artifacts.json file that defines the set of artifacts to be pulled and pushed.

    • oras: OCI Registry As Storage (ORAS) client used to pull non‑container, generic OCI artifacts from the registry that are not handled by standard container tooling.

    Run the following command to confirm readiness before proceeding:

    docker --version && helm version && oras version && jq --version && curl --version

Steps to configure the certificates:

  1. Log in to the My.Protegrity portal.

  2. Navigate to Product Management > Explore Products > AI Team Edition.

  3. Create an access token to obtain the Username and Secret.

    Note: Store these credentials carefully, they are required for performing registry operations.

    1. Click Access Tokens.

    2. Click Create Access Token.

    3. Click Export To File to save the credentials.

    4. Click I Understand That I Cannot See This Again.

  4. Generate a CSR file for registering the jumpbox with the Protegrity Container Registry.

    1. Open a terminal or command prompt.

    2. Generate a private key.

      openssl genrsa -out private.key 2048

    3. Create the CSR using the private key.

      openssl req -new -key private.key -out request.csr

    4. Specify the following details for the certificate:

      • Country (C): Two-letter code (for example, US)
      • State/Province (ST)
      • City/Locality (L)
      • Organization (O): Legal company name
      • Organizational Unit (OU): Department (optional)
      • Common Name (CN): Domain (for example, www.example.com)
      • Email Address: Email address

    5. View the CSR file.

      cat request.csr

  5. Create the client certificate to connect to the registry. This step is required only when your security policies mandates mutual TLS (mTLS) for a two-way certificate verification between your environment and the Protegrity Container Registry.

    1. Click Client Certificates.

    2. Click Create Client Certificate.

    3. Click Browse to upload your CSR. Refer to the previous step if you do not have a CSR.

    4. Click Create Client Certificate to generate the client certificate.

    5. From the Client Certificate tab, click Download Client Certificate from the Actions column to download a compressed file with the certificates.

  6. Copy or upload the certificates to the jumpbox.

    Warning: Ensure that the same filenames and extensions are used that are provided in the following steps.

    1. Ensure to login to the jumpbox as the root user.

    2. Navigate to the /etc/docker/ directory. For podman, navigate to /etc/containers/.

    3. Create the certs.d directory.

    4. Open the certs.d directory.

    5. Create the registry.protegrity.com directory.

    6. Copy the compressed file with the certificate to the /etc/docker/certs.d/registry.protegrity.com directory. For podman, navigate to /etc/containers/certs.d/registry.protegrity.com.

    7. Extract the compressed file.

      The extracted file contains the following certificates:

      • protegrityteameditioncontainerregistry_protegrity-usa-inc.crt
      • TrustedRoot.crt
      • DigiCertCA.crt

    8. Navigate to the extracted directory.

    9. Concatenate the contents of TrustedRoot.crt and DigiCertCA.crt to a new file called ca.crt.

      cat TrustedRoot.crt DigiCertCA.crt  > ca.crt

    10. Rename the client certificate file.

    ```
mv protegrityteameditioncontainerregistry_protegrity-usa-inc.crt client.cert
```

    1. Copy the client and CA certificates to /etc/docker/certs.d/registry.protegrity.com. For podman, copy the certificates to /etc/containers/certs.d/registry.protegrity.com.

    2. Copy the client.key that was generated to the /etc/docker/certs.d/registry.protegrity.com directory. If the /certs.d/registry.protegrity.com directory does not exist, then create the directories. For podman, use the /etc/containers/certs.d/registry.protegrity.com directory.

    3. Copy the Docker registry’s CA certificate to the system’s trusted CA store to establish SSL/TLS trust for that registry. A sample command for RHEL 10.1 is provided here:

    For docker:
```
sudo cp /etc/docker/certs.d/registry.protegrity.com/ca.crt /etc/pki/ca-trust/source/anchors/
```

For podman:
```
sudo cp /etc/containers/certs.d/registry.protegrity.com/ca.crt /etc/pki/ca-trust/source/anchors/
```
    1. Rebuild the system’s trusted CA bundle. A sample command for RHEL 10.1 is provided here.
    ```
update-ca-trust
```

    1. Restart the container service.

      For docker:

      service docker restart

      For podman:

      service podman restart

  7. Obtain the artifacts for setting up the AI Team Edition.

    1. From the Product Management > Explore Products > AI Team Edition page of the My.Protegrity portal, click Download Pull Script. A compressed file is downloaded.

    2. Copy the compressed file to an empty directory on the jumpbox.

    3. Extract the compressed file.

      The following files are available:

      • artifacts.json: The list of artifacts that are obtained.
      • pull_all_artifacts.sh: The script to pull the artifacts from the PCR.
      • tag_push_artifacts.sh: The script to tag and push the artifacts to your container registry.

    4. Navigate to the extracted directory. Do not update the contents of the artifacts.json file.

    5. Run the pull script to pull the artifacts to your jumpbox using the following command:

      For docker:

      ./pull_all_artifacts.sh --url https://registry.protegrity.com --user <username_from_portal> --password <access_key_from_portal> --json artifacts.json --cert-file /etc/docker/certs.d/registry.protegrity.com/client.cert --key-file /etc/docker/certs.d/registry.protegrity.com/client.key

      For podman:

      ./pull_all_artifacts.sh --url https://registry.protegrity.com --user <username_from_portal> --password <access_key_from_portal> --json artifacts.json --cert-file /etc/containers/certs.d/registry.protegrity.com/client.cert --key-file /etc/containers/certs.d/registry.protegrity.com/client.key

      mTLS uses a client certificate and the port 443 to connect to the Protegrity Container Registry. Also, ensure that the certificate files are named as ca.crt, client.cert, and client.key. Ensure that single quotes are used to specify the username and password in the command.

    6. Run the following command to tag and push the artifacts to your container registry.

      Sample command for ECR:

      ./tag_push_artifacts.sh --ecr-uri 123456789012.dkr.ecr.us-east-1.amazonaws.com --region us-east-1 --json artifacts.json

      Sample command for Harbor:

      ./tag_push_artifacts.sh --url https://harbor.example.com --user <your_harbor_username> --password <your_harbor_password> --json artifacts.json

      Ensure that single quotes are used to specify the username and password in the command.

    7. Validate that all the artifacts are successfully pushed to your registry.


Last modified : April 13, 2026