Saturday, August 20, 2016

Nexus – HTTPS Configuration

Since we use nexus as a part of warehouse for our organization that contains all our building blocks and software, it is very important to secure the access to nexus. Nexus is normally access over HTTP. If we do the communications over normal http, this traffic can be intercepted with any network sniffer and credentials can be read. Using Secure Socket Layer (SSL) communication with the repository manager is an important security feature and a recommended best practice. 

In this article we will see how we can configure nexus over HTTPS.

1. add the ssl port to the nexus.properties file
application-port-ssl=9443
application-port-ssl=9091

2. We need to create a Key store file for configuring the nexus with ssl. We need to have a password for creating the keystore. The same password needs to be used in the configuration file too. If we use the plain text password in configuration file it may lead to a security breach. So we Obfuscate password.

Password can be Obfuscated using,

[root@puppet lib]# java -cp NEXUS_HOME/lib/jetty-util-8.1.16.v20140903.jar org.eclipse.jetty.util.security.Password changeit changeit
OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0
MD5:b91cd1a54781790beaa2baf741fa6789

jetty-util-8.1.16.v20140903.jar - NEXUS_HOME/lib contains the jetty-util jar. Use thejar based on the version. I have the jetty-util-8.1.16.v20140903.jar in the nexus iam using.

3. Now once we have the password obfuscated we now create the keystore using the same password as above “changeit”.

keytool -genkey -noprompt -keystore NEXUS_HOME/conf/keystore.jks -alias nexus-alias -keyalg RSA -keypass changeit -storepass changeit -dname "CN=master.apple.com, OU=ID, O=artl, L=jags, S=macnhala, C=GB" 

Now the keystore file is stored in NEXUS_HOME/conf location.

4. Now make the changes to the jetty-https.xml configuration for the addConnector section as,

<Set name="keyStore"> NEXUS_HOME/conf/keystore.jks</Set>
<Set name="trustStore"> NEXUS_HOME/conf/keystore.jks</Set>
<Set name="keyStorePassword">1vn21ugu1saj1v9i1v941sar1ugw1vo0</Set>
<Set name="keyManagerPassword">1vn21ugu1saj1v9i1v941sar1ugw1vo0</Set>
<Set name="trustStorePassword">1vn21ugu1saj1v9i1v941sar1ugw1vo0</Set>

For the Store password, we change the value with Obfuscated password.

5. Don’t make any changes to the jetty-http-redirect-to-https.xml file. This file is used to redirect http to https automatically. Whenever we access the nexus URL with http it automatically directs to https.

6. Make the last changes to the NEXUS_HOME/bin/jsw/conf/wrapper.conf file with below contents as,

wrapper.app.parameter.3= NEXUS_HOME/conf/jetty-https.xml
wrapper.app.parameter.4= NEXUS_HOME/conf/jetty-http-redirect-to-https.xml


7. Start the nexus application using NEXUS_HOME/bin/nexus restart

8. Access the application using http://localhost:9091/nexus which will automatically redirect to https://localhost:9443/nexus


More to Come, Happy learning J

No comments :

Post a Comment