Saturday, August 20, 2016

Nexus – HTTPS Configuration

Since we use Nexus as part of the warehouse for our organization, holding all our building blocks and software, it is very important to secure access to it. Nexus is normally accessed over HTTP. If we communicate over plain HTTP, the traffic can be intercepted with any network sniffer and the credentials can be read. Using Secure Socket Layer (SSL) communication with the repository manager is an important security feature and a recommended best practice.

In this article we will see how to configure Nexus to serve over HTTPS.

1. Add the SSL port to the file

2. We need to create a keystore file to configure Nexus with SSL. Creating the keystore requires a password, and the same password needs to be used in the configuration file too. Putting the plain-text password in the configuration file may lead to a security breach, so we obfuscate the password.

The password can be obfuscated using:

[root@puppet lib]# java -cp NEXUS_HOME/lib/jetty-util-8.1.16.v20140903.jar org.eclipse.jetty.util.security.Password changeit changeit

jetty-util-8.1.16.v20140903.jar - NEXUS_HOME/lib contains the jetty-util jar. Use the jar that matches your version. I have jetty-util-8.1.16.v20140903.jar in the Nexus I am using.

3. Once the password is obfuscated, we create the keystore using the same password as above, “changeit”.

keytool -genkey -noprompt -keystore NEXUS_HOME/conf/keystore.jks -alias nexus-alias -keyalg RSA -keypass changeit -storepass changeit -dname "CN=<nexus-hostname>, OU=ID, O=artl, L=jags, S=macnhala, C=GB"

The keystore file is now stored in the NEXUS_HOME/conf location.

4. Now change the addConnector section of the jetty-https.xml configuration as follows:

<Set name="keyStore">NEXUS_HOME/conf/keystore.jks</Set>
<Set name="trustStore">NEXUS_HOME/conf/keystore.jks</Set>
<Set name="keyStorePassword">OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0</Set>
<Set name="keyManagerPassword">OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0</Set>
<Set name="trustStorePassword">OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0</Set>

For the store passwords, we replace the value with the obfuscated password. Keep the OBF: prefix that the tool prints; without it Jetty treats the value as a literal password.

5. Don’t make any changes to the jetty-http-redirect-to-https.xml file. This file redirects HTTP to HTTPS automatically: whenever we access the Nexus URL over HTTP, it is redirected to HTTPS.

6. Make the last changes to the NEXUS_HOME/bin/jsw/conf/wrapper.conf file, with the contents below: NEXUS_HOME/conf/jetty-https.xml NEXUS_HOME/conf/jetty-http-redirect-to-https.xml

7. Start the nexus application using NEXUS_HOME/bin/nexus restart

8. Access the application using http://localhost:9091/nexus which will automatically redirect to https://localhost:9443/nexus
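
On the obfuscated password from steps 2 and 4: the OBF: encoding uses no key and is fully reversible, so it only hides the password from casual viewing. The following is an added example, not part of the original post: a Python reimplementation of the Jetty 8 encoding for ASCII passwords (function names are hypothetical) that shows the round trip and checks which password settings in a constructed snippet carry the OBF: prefix.

```python
import re

PREFIX = "OBF:"
DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"

def _base36(n):
    """Four-character, zero-padded base-36 form of n, as Jetty emits it."""
    out = ""
    while n:
        n, r = divmod(n, 36)
        out = DIGITS[r] + out
    return out.rjust(4, "0")

def obfuscate(password):
    """Encode an ASCII password the way Jetty 8's Password class does."""
    b = password.encode("ascii")
    # Each byte is mixed with its mirror byte; no key or secret is involved.
    return PREFIX + "".join(
        _base36((127 + b1 + b[-1 - i]) * 256 + (127 + b1 - b[-1 - i]))
        for i, b1 in enumerate(b))

def deobfuscate(value):
    """Recover the password from an OBF: string."""
    body = value[len(PREFIX):]
    if not value.startswith(PREFIX) or len(body) % 4:
        raise ValueError("not an OBF: value")
    out = bytearray()
    for i in range(0, len(body), 4):
        hi, lo = divmod(int(body[i:i + 4], 36), 256)
        out.append((hi + lo - 254) // 2)  # (b1+b2) + (b1-b2) = 2*b1
    return out.decode("ascii")

def audit_passwords(xml_text):
    """Map each *Password setting to its recovered value, or None when the
    OBF: prefix is missing and Jetty would take the text literally."""
    found = re.findall(r'<Set name="(\w*Password)">\s*([^<]*?)\s*</Set>', xml_text)
    return {name: deobfuscate(v) if v.startswith(PREFIX) else None
            for name, v in found}

# Constructed sample modelled on the jetty-https.xml settings above.
SAMPLE = """
<Set name="keyStorePassword">OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0</Set>
<Set name="trustStorePassword">1vn21ugu1saj1v9i1v941sar1ugw1vo0</Set>
"""

if __name__ == "__main__":
    print(obfuscate("changeit"))
    print(audit_passwords(SAMPLE))
```

Because anyone who can read jetty-https.xml can recover the keystore password this way, restrict that file and keystore.jks to the account that runs Nexus.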

More to come. Happy learning :)

1 comment :

  1. I'm impressed, I must say. Seldom do I encounter a
    blog that's both educative and entertaining, and let me
    tell you, you have hit the nail on the head. The problem is something
    which not enough people are speaking intelligently about.
    Now I'm very happy that I stumbled across this in my
    hunt for something relating to this.