Wednesday, February 12, 2014

Enabling https on Sonatype nexus

Here is the list of commands used to enable HTTPS on the Nexus web application. In the example below, Nexus is running on Linux with the Jetty web server that ships with Nexus.
We use 'keytool', which comes with the JDK, to generate the key pair and certificate.

My NEXUS_HOME = /usr/local/nexus

Step 1: Generate the obfuscated password. Jetty's Password tool prints both an OBF: and an MD5: form; the OBF: value is the one used in the next steps (it is reversible obfuscation rather than a hash, so it only keeps the clear-text password out of the configuration files). You can create different values for storepass and keypass, but in this example I'm using the same password.
    java -cp $NEXUS_HOME/lib/jetty-util-8.1.8.v20121106.jar org.eclipse.jetty.util.security.Password abc123
    abc123
    OBF:1igd1igf1igh1idp1idr1idt
    MD5:e99a18c428cb38d5f260853678922e03

Step 2: Generate the key pair and self-signed certificate directly into a PKCS12 keystore
    keytool -genkeypair -keystore /root/ssl-certificates/nexus-keystore.p12 -storetype PKCS12 -alias nexus -storepass OBF:1igd1igf1igh1idp1idr1idt -keypass OBF:1igd1igf1igh1idp1idr1idt -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 -v

Answer the prompts (your name, organization, city, state, country, etc.). The certificate generated above is valid for 365 days only (-validity 365).

Step 3: Configuring Jetty
Make the changes below to $NEXUS_HOME/conf/jetty.xml. The keyStore and trustStore paths must point at the keystore file generated in Step 2 (copy it there if you created it elsewhere), and the host of the second connector is the address on which Nexus should listen for HTTPS.

<Configure id="Server" class="org.eclipse.jetty.server.Server">
    <Set name="threadPool">
        <New class="org.sonatype.sisu.jetty.thread.InstrumentedQueuedThreadPool"/>
    </Set>
    <Call name="addConnector">
        <Arg>
            <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
                <Set name="host">${application-host}</Set>
                <Set name="port">${application-port}</Set>
                <Set name="confidentialPort">8443</Set>
            </New>
        </Arg>
    </Call>

    <Call name="addConnector">
        <Arg>
            <New class="org.eclipse.jetty.server.ssl.SslSocketConnector">
                <Arg>
                    <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
                        <Set name="keyStore">/usr/local/nexus/certs/nexus-keystore.p12</Set>
                        <Set name="keyStorePassword">OBF:1igd1igf1igh1idp1idr1idt</Set>
                        <Set name="keyManagerPassword">OBF:1igd1igf1igh1idp1idr1idt</Set>
                        <Set name="trustStore">/usr/local/nexus/certs/nexus-keystore.p12</Set>
                        <Set name="trustStorePassword">OBF:1igd1igf1igh1idp1idr1idt</Set>
                        <Set name="certAlias">nexus</Set>
                        <Set name="keyStoreType">PKCS12</Set>
                        <Set name="trustStoreType">PKCS12</Set>
                    </New>
                </Arg>
                <Set name="port">8443</Set>
                <Set name="maxIdleTime">30000</Set>
                <Set name="host">12.34.567.89</Set>
            </New>
        </Arg>
    </Call>
    ...
</Configure>

Step 4: Redirecting http requests to https in web.xml
Open $NEXUS_HOME/nexus/WEB-INF/web.xml and add the security constraint below so that the application demands CONFIDENTIAL (or INTEGRAL) transport from users.

<web-app>
  ...
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Everything in the webapp</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>

The actual redirect from http to https is configured in Step 3 (<Set name="confidentialPort">8443</Set>): when a request for a resource covered by the CONFIDENTIAL constraint arrives on the plain connector, Jetty redirects it to that port.


Step 5: Restart the Nexus instance
Clear the log file first so that any errors from the restart are easy to spot: $NEXUS_HOME/logs/wrapper.log

service nexus restart
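As an added example (not part of the original post), the following script checks the result of the steps above: it reads the keyStore path and keyStorePassword setting back out of jetty.xml, optionally confirms that the keystore opens with the password supplied in KS_PASS and contains the nexus alias, and checks that a plain-HTTP request is answered with a redirect to the HTTPS port and that the HTTPS connector responds. HOST, HTTP_PORT and HTTPS_PORT are assumed placeholders, as is the /nexus/ context path. Run it with --live on the Nexus host after Step 5; without arguments it only exercises its own header parser on constructed sample responses.

```shell
#!/bin/sh
# Post-change checks for the Nexus HTTPS setup. Added example, not from the
# original post. NEXUS_HOME, the keystore alias and the 8443 port come from
# the post; HOST, HTTP_PORT and the /nexus/ path are assumed placeholders.
NEXUS_HOME=${NEXUS_HOME:-/usr/local/nexus}
JETTY_XML="$NEXUS_HOME/conf/jetty.xml"
HOST=${HOST:-localhost}          # assumed; the post uses a placeholder IP
HTTP_PORT=${HTTP_PORT:-8081}     # assumed value of ${application-port}
HTTPS_PORT=${HTTPS_PORT:-8443}   # confidentialPort / SSL connector port
ALIAS=nexus

# First <Set name="keyStore"> value in a jetty.xml file.
configured_keystore() {
    sed -n 's:.*<Set name="keyStore">\([^<]*\)</Set>.*:\1:p' "$1" | head -n 1
}

# First <Set name="keyStorePassword"> value (the OBF: string) in a jetty.xml file.
configured_keystore_password() {
    sed -n 's:.*<Set name="keyStorePassword">\([^<]*\)</Set>.*:\1:p' "$1" | head -n 1
}

# Does the PKCS12 keystore at $1 open with password $2 and contain alias $3?
# Use the password the keystore was actually created with in Step 2.
keystore_opens() {
    keytool -list -keystore "$1" -storetype PKCS12 -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# Does a captured HTTP response header block ($1) show Jetty's redirect to the
# HTTPS port ($2)? A CONFIDENTIAL constraint makes Jetty answer a plain-HTTP
# request with a 302 whose Location points at https://<host>:<confidentialPort>.
is_https_redirect() {
    hdrs=$1; port=$2
    printf '%s\n' "$hdrs" | tr -d '\r' | grep -q '^HTTP/1\.[01] 30[12]' || return 1
    printf '%s\n' "$hdrs" | tr -d '\r' | grep -qiE "^Location: https://[^/]*:$port(/|$)" || return 1
    return 0
}

# Constructed sample responses for the offline self-check (not captured from a real server).
SAMPLE_REDIRECT='HTTP/1.1 302 Found
Location: https://nexus.example.internal:8443/nexus/
Content-Length: 0'
SAMPLE_PLAIN='HTTP/1.1 200 OK
Content-Type: text/html'

run_live_checks() {
    ks=$(configured_keystore "$JETTY_XML")
    [ -r "$ks" ] && echo "keystore found: $ks" || echo "keystore missing or unreadable: $ks"
    echo "configured keyStorePassword: $(configured_keystore_password "$JETTY_XML")"
    if [ -n "${KS_PASS:-}" ]; then
        keystore_opens "$ks" "$KS_PASS" "$ALIAS" && echo "keystore opens, alias $ALIAS present" \
            || echo "keystore does not open with KS_PASS or alias $ALIAS is missing"
    fi
    # curl -I does not follow redirects, so the 302 from Jetty is what we see.
    hdrs=$(curl -sI "http://$HOST:$HTTP_PORT/nexus/")
    is_https_redirect "$hdrs" "$HTTPS_PORT" && echo "HTTP -> HTTPS redirect OK" \
        || echo "no redirect to https port $HTTPS_PORT"
    # -k because the certificate from Step 2 is self-signed.
    curl -sk -o /dev/null -w 'HTTPS status: %{http_code}\n' "https://$HOST:$HTTPS_PORT/nexus/"
}

case "${1:-}" in
    --live) run_live_checks ;;
    *) is_https_redirect "$SAMPLE_REDIRECT" 8443 && echo "sample redirect recognised"
       is_https_redirect "$SAMPLE_PLAIN" 8443 || echo "sample plain response rejected" ;;
esac
```

The redirect check deliberately looks at the Location header's port rather than just the status code: a 302 to the wrong port (for example if confidentialPort and the SSL connector port disagree after an edit) would otherwise pass. Once a CA-signed certificate replaces the self-signed one, drop -k so the HTTPS check also validates the chain.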