Repository Management with Nexus

21.3. Configuring Nexus to Serve SSL

Providing access to the Nexus user interface and content via https only is a recommended best practice for any deployment.

The recommended approach is to proxy Nexus behind a server that is configured to serve content via SSL and leave Nexus itself configured for http. The advantage of this approach is that Nexus can be upgraded without touching its embedded Jetty configuration, and there is no need to work with a Java keystore or the JVM truststore. In addition you can draw on the expertise of your system administrators and their preferred server for the proxying, which in most cases will already be in place for other systems. When proxying, make sure the proxy forwards the original host and scheme (or set the Nexus Base URL accordingly) so that links and redirects generated by Nexus use https rather than the internal http address.

Common choices are servers like Apache httpd, nginx, Eclipse Jetty or even dedicated hardware appliances. All of them can easily be configured to serve SSL content and there is a large amount of reference material available for configuring these servers to serve secure content. For example Apache httpd would be configured to use mod_ssl.

Alternatively the Jetty instance that is part of the default Nexus install can be configured to serve SSL content directly, and if you would like to avoid the extra work of putting a web server like Apache httpd in front of Nexus, this section shows you how to do that.

Tip

Keep in mind that you will have to redo some of these configurations each time you upgrade Nexus, since they are modifications to the embedded Jetty instance located in $NEXUS_HOME.

To configure Nexus to serve SSL directly to clients, you need to perform the following steps:

  • add the file jetty-https.xml to the Jetty startup configuration in wrapper.conf as detailed in ???.
  • set the port to be used by defining application-port-ssl in nexus.properties
  • configure the Java keystore and update the configuration in jetty-https.xml. The default configuration points to the keystore within Nexus, which is managed by the SSL feature documented in Section 21.2.1, “SSL Certificate Management”. Alternatively you can point to an external keystore.

If desired you can configure automatic redirection from HTTP to HTTPS by adding jetty-http-redirect-to-https.xml as an additional app parameter in wrapper.conf.

21.3.1. Configure the Java Keystore

Follow the instructions on the How to configure SSL page on the Jetty Wiki to set up the appropriate keys and certificates in a form that Jetty can use.

The jetty-util jar and the main Jetty jar, needed for the password command further below, can be found in $NEXUS_HOME/lib. The keytool command line used to import a key and certificate exported from OpenSSL as a PKCS12 file into a Java keystore is:

$ keytool -importkeystore -srckeystore <your-certificate.p12> -srcstoretype PKCS12 -destkeystore <keystore> -deststoretype JKS

The command line used to generate the obfuscated (OBF) form of a password, which is the form Jetty accepts in its configuration files, is:

$ java -cp jetty-util-8.1.11.v20130520.jar org.eclipse.jetty.util.security.Password <your-password>

Note that the version number on the jetty-util jar file (here shown as "8.1.11.v20130520") may be different in your version of Nexus.

The OBF line in the output of the command above is what goes into jetty-https.xml. Keep in mind that OBF is obfuscation, not hashing: anyone who can read jetty-https.xml can recover the clear-text passwords from it, so restrict the file's permissions accordingly. Also note that passing the password on the command line leaves it in the shell history and visible in the process list while the command runs. Jetty's key password must match the password protecting the key entry in the keystore you imported above. The obfuscated value is needed three times, so run the command once for each of the following passwords:

  • The Key Password
  • The Trust Store Password
  • The Key Store Password
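To make the point about OBF concrete, the following Python re-implements the OBF: scheme used by org.eclipse.jetty.util.security.Password, together with its inverse. This is an added example and not code from the Nexus book or from Jetty itself; it follows the ASCII-only algorithm as shipped with Jetty 8 (newer Jetty versions add a 'U'-prefixed escape for non-ASCII bytes, which is deliberately not handled here). The password "password" used at the bottom is a constructed sample chosen because Jetty's own documentation shows its OBF form.

```python
"""Jetty OBF: password obfuscation, re-implemented to show it is reversible.

Added example, not code from the Nexus book or from Jetty. It follows the
ASCII-only algorithm of org.eclipse.jetty.util.security.Password (Jetty 8);
the 'U'-escape for non-ASCII bytes in later Jetty versions is not handled.
"""

OBF_PREFIX = "OBF:"
_DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"


def _to_base36(n: int) -> str:
    """Lower-case base-36 rendering of a non-negative int (Java's Integer.toString(n, 36))."""
    if n == 0:
        return "0"
    out = []
    while n:
        n, r = divmod(n, 36)
        out.append(_DIGITS[r])
    return "".join(reversed(out))


def obfuscate(password: str) -> str:
    """Return the OBF: form that Jetty's Password tool prints for an ASCII password."""
    b = password.encode("ascii")  # raises UnicodeEncodeError for non-ASCII input
    chunks = [OBF_PREFIX]
    n = len(b)
    for i in range(n):
        b1 = b[i]
        b2 = b[n - (i + 1)]          # the byte mirrored from the other end of the password
        i1 = 127 + b1 + b2
        i2 = 127 + b1 - b2
        i0 = i1 * 256 + i2
        chunks.append(_to_base36(i0).zfill(4))  # Java left-pads each chunk to 4 chars with '0'
    return "".join(chunks)


def deobfuscate(obf: str) -> str:
    """Recover the clear-text password from an OBF: string. No key or secret is needed."""
    if obf.startswith(OBF_PREFIX):
        obf = obf[len(OBF_PREFIX):]
    if len(obf) % 4:
        raise ValueError("OBF payload must be a multiple of 4 characters")
    out = bytearray()
    for i in range(0, len(obf), 4):
        i0 = int(obf[i:i + 4], 36)
        i1, i2 = divmod(i0, 256)
        # i1 + i2 == 254 + 2*b1, so the original byte falls straight out
        out.append((i1 + i2 - 254) // 2)
    return out.decode("ascii")


if __name__ == "__main__":
    sample = "password"  # constructed sample; Jetty's docs show its OBF form
    obf = obfuscate(sample)
    print(obf)                # OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v
    print(deobfuscate(obf))   # password
```

Because deobfuscate() needs nothing but the OBF string, the value in jetty-https.xml protects a keystore password only against someone glancing at the file, not against anyone who can copy it. Treat jetty-https.xml and the keystore it references as secrets: owned by the Nexus service account and readable by nobody else.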