Five Steps to Securing Your Use of Nexus

Matthew Barker

Most companies are extremely concerned about loss of IP (intellectual property), and for good reason. Allowing outsiders to monitor your company's downloads of OSS binary components would give them very valuable insight into your company's application development operations, even to the point of knowing when your next release is due out and what new features may have been added.

So it just makes good security sense to use SSL for Nexus connections to public repositories, and also for connections from Nexus clients accessing any of the repositories served by Nexus, whether they are proxy, hosted, or group repositories.

Both of these security features are only available in the Pro version of Nexus, one of the many benefits of “going pro”!

Secure Access to the Central Repository

Nexus Pro comes configured out-of-the-box with secure access to the Central Repository and if upgrading from Nexus OSS, the upgrade process will reconfigure this access to:

https://secure.central.sonatype.com/maven2/

Use of a Secure Proxy Server

The recommended approach is to put Nexus behind a proxy server that is configured to serve content via SSL and leave Nexus itself configured for HTTP. If you don't already have such a server set up, or don't want the expense of a second server, an alternate approach is to configure the Jetty server that comes with Nexus to serve SSL content directly; this is detailed in the following five steps.

Step One:  Jetty Startup Configuration

Add the file jetty-https.xml to the Jetty startup configuration in $NEXUS_HOME/bin/jsw/conf/wrapper.conf (the third line below is the addition):

wrapper.app.parameter.1=./conf/jetty.xml
wrapper.app.parameter.2=./conf/jetty-requestlog.xml
wrapper.app.parameter.3=./conf/jetty-https.xml

Note: use the next available parameter number; it will not always be 3.

Step Two:  Nexus Properties SSL Port Configuration

You need to define the port that you want to use for SSL connections to your Nexus Pro server. Simply add the following line to the nexus.properties file found in your $NEXUS_HOME/conf folder. Port 8443 is used by convention, but any available port number larger than 1024 will suffice. It is important that you leave the original "application-port" setting in the nexus.properties file; disabling the non-SSL connection is covered in a later step.

application-port-ssl=8443

Step Three:  Create a Keystore File with a Self-Signed Certificate

There are other ways of doing this, but I recommend the keytool utility that ships with Oracle's Java. If you need an authority-signed certificate (which is highly recommended), see the instructions here: Oracle Java keytool.

Type the keytool command all on one line:

keytool -genkey -alias <myAlias> -keyalg RSA -keypass <passwd> -storepass <passwd> -keystore keystore.jks

You must type your server name in response to keytool's first prompt, which asks for your first and last name. For testing purposes, this can be localhost. Use a strong password for -keypass and -storepass (the same one for both). The alias can be anything you choose, but if you run further keytool commands, you must use the same alias.

Now create a folder under $NEXUS_HOME/conf named ssl and move the generated keystore.jks file to this folder.

Next you need to configure the $NEXUS_HOME/conf/jetty-https.xml file with the results of the keystore generation. Here are example entries based on a fake password "changeit"; the keystore and truststore paths and the three password settings are the lines to change. You will want to turn off read access to this file for everyone except your administrator, since it contains plain-text passwords (Nexus does also support obfuscated passwords).

<Call name="addConnector">
  <Arg>
    <New id="HTTPSConnector" class="...">
      <Arg>
        <New class="org.eclipse.jetty.util.ssl.SslContextFactory">
          <Set name="keyStore">./conf/ssl/keystore.jks</Set>
          <Set name="trustStore">./conf/ssl/keystore.jks</Set>
          <Set name="keyStorePassword">changeit</Set>
          <Set name="keyManagerPassword">changeit</Set>
          <Set name="trustStorePassword">changeit</Set>
        </New>
      </Arg>
      .... more lines ...
    </New>
  </Arg>
</Call>

Step Four:  Disable Non-Secure Access to Nexus Pro

The fourth step is to disable non-secure access to Nexus. Simply remove the HTTP connector section from the $NEXUS_HOME/conf/jetty.xml file:

<Call name="addConnector">
  <Arg>
    <New id="HTTPConnector"
    .... more lines ...
</Call>

Step Five:  Configure Automatic Redirection from HTTP to HTTPS

You can optionally configure automatic redirection from HTTP to HTTPS by adding jetty-http-redirect-to-https.xml as an additional app parameter in wrapper.conf, and by updating the Base URL in your Nexus server configuration.

Last Words

Be sure to test your work by connecting to Nexus at "https://<server>:8443/nexus". Your browser will complain about the unsigned certificate (unless you obtained a signed one) and then allow you to access Nexus via HTTPS. Also try accessing Nexus via HTTP and make sure that it is either unavailable or redirects.

If you have made it this far, you have come a long way in protecting the valuable IP of your company!
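The file edits in steps one, two and four, and the checks suggested under "Last Words", lend themselves to a small script. The one below is an added example and is not Sonatype's or Nexus's own code. It assumes the Nexus 2.x file layout the post uses ($NEXUS_HOME/bin/jsw/conf/wrapper.conf, conf/nexus.properties, conf/jetty.xml, conf/jetty-https.xml). Step three (running keytool) and step five (the redirect and Base URL) are left to the administrator; the audit only checks their visible results: that jetty-https.xml is loaded, that application-port-ssl is set, that the sample password "changeit" is gone, that the file is not group- or world-readable, that the keystore exists, and that the plain HTTP connector is either removed or backed by the redirect. The sample $NEXUS_HOME it builds in a temporary directory is constructed for the demonstration, not a real distribution.

```python
"""Apply steps one, two and four to a Nexus 2.x install, then audit the result.
Added example, not Sonatype's code. Assumes the Nexus 2.x paths the post uses
($NEXUS_HOME/bin/jsw/conf/wrapper.conf, conf/nexus.properties, conf/jetty.xml,
conf/jetty-https.xml). Step three (keytool) and step five (redirect, Base URL)
stay manual; the audit only checks their visible results. The sample
$NEXUS_HOME from make_sample_nexus_home() is constructed, not a real install."""
import os, re, stat, tempfile
from pathlib import Path

# Step four target. The (?!<Call ) guard stops an earlier addConnector block
# from being swallowed; addConnector blocks hold no nested <Call>.
HTTP_CONNECTOR = re.compile(r'[ \t]*<Call name="addConnector">(?:(?!<Call ).)*?'
                            r'id="HTTPConnector".*?</Call>[ \t]*\n?', re.S)

def add_wrapper_parameter(wrapper_conf, value):
    """Step one: append value as wrapper.app.parameter.N with the next free N
    (the post's note: it is not always 3). Returns N, or the existing N."""
    text = wrapper_conf.read_text()
    entries = re.findall(r"^wrapper\.app\.parameter\.(\d+)=(.*)$", text, re.M)
    for n, v in entries:
        if v.strip() == value:
            return int(n)
    n = max((int(k) for k, _ in entries), default=0) + 1
    sep = "" if not text or text.endswith("\n") else "\n"
    wrapper_conf.write_text(f"{text}{sep}wrapper.app.parameter.{n}={value}\n")
    return n

def set_ssl_port(nexus_properties, port=8443):
    """Step two: add application-port-ssl while keeping application-port."""
    if not 1024 < port < 65536:
        raise ValueError("pick an unprivileged port above 1024")
    lines = [l for l in nexus_properties.read_text().splitlines()
             if not l.startswith("application-port-ssl=")]
    if not any(l.startswith("application-port=") for l in lines):
        raise ValueError("application-port must stay defined (see step two)")
    nexus_properties.write_text("\n".join(lines + [f"application-port-ssl={port}"]) + "\n")

def remove_http_connector(jetty_xml):
    """Step four, done as text: re-serialising through an XML library would
    drop the DOCTYPE and comments that jetty.xml carries. True if cut."""
    text, count = HTTP_CONNECTOR.subn("", jetty_xml.read_text())
    if count:
        jetty_xml.write_text(text)
    return count > 0

def audit(nexus_home):
    """The checks behind 'Last Words' plus step three's file-permission advice.
    Returns a sorted list of findings; an empty list means all checks passed."""
    conf, findings = Path(nexus_home) / "conf", []
    wrapper = (Path(nexus_home) / "bin/jsw/conf/wrapper.conf").read_text()
    https_xml = conf / "jetty-https.xml"
    if "jetty-https.xml" not in wrapper:
        findings.append("wrapper.conf does not load jetty-https.xml")
    if "application-port-ssl=" not in (conf / "nexus.properties").read_text():
        findings.append("nexus.properties has no application-port-ssl")
    if "changeit" in https_xml.read_text():
        findings.append("jetty-https.xml still uses the sample password")
    if stat.S_IMODE(https_xml.stat().st_mode) & 0o077:
        findings.append("jetty-https.xml is readable by group or others")
    if not (conf / "ssl/keystore.jks").is_file():
        findings.append("conf/ssl/keystore.jks is missing")
    if ('id="HTTPConnector"' in (conf / "jetty.xml").read_text()
            and "jetty-http-redirect-to-https.xml" not in wrapper):
        findings.append("plain HTTP connector enabled with no redirect")
    return sorted(findings)

def make_sample_nexus_home(root):
    """Constructed stand-in for a fresh $NEXUS_HOME (not a real distribution)."""
    root = Path(root)
    (root / "bin/jsw/conf").mkdir(parents=True)
    (root / "conf").mkdir()
    (root / "bin/jsw/conf/wrapper.conf").write_text(
        "wrapper.app.parameter.1=./conf/jetty.xml\n"
        "wrapper.app.parameter.2=./conf/jetty-requestlog.xml\n")
    (root / "conf/nexus.properties").write_text("application-port=8081\n")
    (root / "conf/jetty.xml").write_text(
        '<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "configure.dtd">\n'
        '<Configure id="Server" class="org.eclipse.jetty.server.Server">\n'
        '  <Call name="addConnector">\n    <Arg>\n      <New id="HTTPConnector" class="c">\n'
        '        <Set name="port"><Property name="application-port"/></Set>\n'
        '      </New>\n    </Arg>\n  </Call>\n  <Set name="handler">h</Set>\n</Configure>\n')
    https = root / "conf/jetty-https.xml"
    https.write_text('<Set name="keyStorePassword">changeit</Set>\n')
    os.chmod(https, 0o644)
    return root

def run_demo():
    """Audit the sample, apply steps one, two and four, stand in for step three
    (keystore file, non-default password, 0600 perms), then audit again."""
    home = make_sample_nexus_home(tempfile.mkdtemp(prefix="nexus-ssl-"))
    before = audit(home)
    n = add_wrapper_parameter(home / "bin/jsw/conf/wrapper.conf", "./conf/jetty-https.xml")
    set_ssl_port(home / "conf/nexus.properties", 8443)
    removed = remove_http_connector(home / "conf/jetty.xml")
    (home / "conf/ssl").mkdir(mode=0o700)
    (home / "conf/ssl/keystore.jks").write_bytes(b"placeholder, not a real keystore")
    https = home / "conf/jetty-https.xml"
    https.write_text(https.read_text().replace("changeit", "EXAMPLE-passphrase"))
    os.chmod(https, 0o600)
    return {"before": before, "param": n, "removed": removed, "after": audit(home)}

if __name__ == "__main__":
    print(run_demo())
```

On a real install, point add_wrapper_parameter, set_ssl_port and remove_http_connector at the files under your $NEXUS_HOME and run audit() against it after completing steps three and five by hand; the "before" list from the sample shows every finding the audit can raise, and the "after" list is empty once all five steps have taken effect.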

Matthew Barker, Sonatype Technical Director, West Coast
— Email: mbarker@sonatype.com
— LinkedIn: Matthew Barker
— Twitter: matthewabq
