Documentation Nexus IQ Server 1.29

Our documentation site has moved. For the most current version, please see http://help.sonatype.com

Chapter 4. Quick Start Guide - Nexus Firewall

This guide helps you get IQ Server up and running so you can try out the associated Nexus Firewall functionality before installing it in your development environment. If you already have a Nexus Repository Manager Pro server available, expect to spend 15 to 30 minutes on installation and configuration, a bit longer if you don’t.

To dive into Nexus Firewall a bit further, check out the Audit and Quarantine section of the Nexus Repository Chapter.

[Note]

To integrate Nexus Repository Manager with IQ Server you need Nexus Repository Manager Pro and IQ Server installed with the Repository Pro license that also supports Nexus Firewall. If you do not have a license, contact us and we’ll be happy to assist.

Step 1: Installing and Starting IQ Server

Installing IQ Server is simply a matter of downloading the server archive, choosing a location, and unpacking the contents. Since we won’t be focused on mimicking a production experience, most laptop and desktop configurations should run IQ Server with no problem. If you are planning for the future, though, be sure to review the server requirements section of the Requirements chapter.

  1. Create an installation directory in your desired location.
  2. Download the latest version of IQ Server to the installation directory.
  3. Extract the tar.gz or .zip file.

Once you’ve extracted the contents, follow the steps below to run IQ Server.

  1. Using a command line interface, switch to the nexus-iq-server bundle directory in your installation directory e.g. nexus-iq-server-x.xx.x-xx-bundle.
  2. Run one of the following commands to start IQ Server:

    Linux or Mac: ./demo.sh

    Windows: demo.bat

  3. Open IQ Server in a browser using the default URL: http://localhost:8070
  4. Log in using the default Administrator account:

  5. Install the required product license supplied to you by the Sonatype Support team.

    1. Click Install License.
    2. Navigate to the license file (.lic) and click Open.
    3. Click I Accept to accept the End User License Agreement.

[Note]

IQ Server needs access to an external data service to perform evaluations, which may be blocked in your internal environment. For a workaround, see Running IQ Server Behind a HTTP Proxy Server in the IQ Server documentation.

Step 2: Importing Sample Policies

Policy is at the core of IQ Server’s automation capabilities. This is true for both Nexus Firewall and Nexus Lifecycle. While you can create a completely custom set of policies, importing the Sonatype Sample Policy set is the quickest way to get started. This set includes multiple policies for triggering violations on security vulnerabilities, licensing issues, architecture issues, and more.

  1. In a separate browser tab or window, download the Sonatype Sample Policy set (.json file) from the IQ Server documentation.
  2. In IQ Server, click the Organization & Policies icon on the IQ Server toolbar.
  3. The Root Organization should be selected in the sidebar. Click the Actions menu and select Import Policies.
  4. In the Import Policies dialog, click Choose File, select the .json file you downloaded, and click Open.
  5. Click the Import button.

Figure 4.1. Import Policy Dialog

Step 3: Configuring Policy Actions

Policy Actions determine how IQ Server automates processes in the available integrations when policy violations are encountered. In the case of Nexus Firewall, you can set an action to Warn, which audits the repository and simply displays any violations, or to Fail, which quarantines violating components, blocking developers from accessing new components that enter a repository and violate the specified policy. To set policy actions for the Proxy stage:

  1. In IQ Server, click the Organization & Policies icon on the IQ Server toolbar.
  2. Click on the Root Organization in the sidebar, and then click the policies section.
  3. Click on the policy you want to add an action to, and in the Proxy column choose Warn (Audit) or Fail (Quarantine).
  4. Click the Update button.

Figure 4.2. IQ Server Policy Actions

[Note]

When using the Fail action (Quarantine), the repository will need to be configured accordingly. In addition, only new components entering the repository can be quarantined. Components with violations that already exist in the repository will not be quarantined.

For additional information on what actions can be set and how they can affect automation, be sure to check out the actions section of our chapter on Policy Management.
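To make the Warn (Audit) versus Fail (Quarantine) semantics and the new-components-only caveat concrete, here is a small Python model of the Proxy-stage decision. It is an added illustration, not Sonatype code; the policy names, component names and the quarantine_enabled flag are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

WARN = "Warn (Audit)"        # violation recorded and displayed; component still served
FAIL = "Fail (Quarantine)"   # new violating component blocked from reaching developers

@dataclass(frozen=True)
class Component:
    name: str
    violated_policies: frozenset  # names of the policies this component violates

@dataclass
class ProxyRepository:
    existing: Set[str]          # components the proxy served before Firewall was enabled
    quarantine_enabled: bool    # assumption: the capability on this repo permits quarantine

def decide(component: Component, repo: ProxyRepository,
           proxy_actions: Dict[str, str]) -> str:
    """Return 'serve', 'audit' or 'quarantine'; proxy_actions maps policy name -> WARN/FAIL."""
    if not component.violated_policies:
        return "serve"
    any_fail = any(proxy_actions.get(p) == FAIL for p in component.violated_policies)
    # Only new components entering the repository can be quarantined; a violating
    # component that already exists there is audited (flagged) but stays available.
    if any_fail and repo.quarantine_enabled and component.name not in repo.existing:
        return "quarantine"
    return "audit"

def evaluate(requests: List[Component], repo: ProxyRepository,
             proxy_actions: Dict[str, str]) -> Dict[str, str]:
    """Decide each request in order; anything not quarantined becomes a repository component."""
    outcome: Dict[str, str] = {}
    for c in requests:
        outcome[c.name] = decide(c, repo, proxy_actions)
        if outcome[c.name] != "quarantine":
            repo.existing.add(c.name)
    return outcome

# Constructed sample data; the policy names stand in for entries of the sample policy set.
SAMPLE_ACTIONS = {"Security-Critical": FAIL, "License-Copyleft": WARN}
SAMPLE_REQUESTS = [
    Component("clean-lib:2.0", frozenset()),                        # no violation: serve
    Component("old-lib:1.0", frozenset({"Security-Critical"})),     # already present: audit
    Component("new-lib:3.1", frozenset({"Security-Critical"})),     # new + Fail: quarantine
    Component("gpl-lib:1.4", frozenset({"License-Copyleft"})),      # Warn only: audit
]

def run_sample() -> Dict[str, str]:
    repo = ProxyRepository(existing={"old-lib:1.0"}, quarantine_enabled=True)
    return evaluate(SAMPLE_REQUESTS, repo, SAMPLE_ACTIONS)
```

Note that old-lib:1.0 is flagged but never blocked, which is why pre-existing violating components need a separate remediation pass.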

Step 4: Nexus Repository Manager Configuration

IQ Server for Nexus Repository Manager allows you to integrate IQ Server’s policy management and component intelligence features with proxy repositories in Nexus Repository Manager Pro. To do this, first configure the capabilities that allow communication between IQ Server and Nexus Repository Manager. Because Nexus Firewall is compatible with both Nexus Repository Manager 2.12.x or higher and 3.2.x or higher, there are specific instructions for each major version.

Configuring Nexus Repository Manager 2.x

Two steps are needed to allow IQ Server to interact with an instance of Nexus Repository Manager and evaluate its repositories. First, configure the IQ Server connection:

  1. In Nexus Repository Manager 2.x, click the IQ Server Connection menu item under Administration.
  2. Enter the URL for your IQ Server installation.
  3. Select an Authentication Method:

    User Authentication: Enter the username and password.

    PKI Authentication: Delegate to the JVM for authentication.

  4. Click Save.

If successfully connected, a list of available applications in IQ Server displays in the Server Connection tab.

Figure 4.3. IQ Server Connection in Nexus Repository Manager 2.x

[Note]

For this quick start guide, using the default admin credentials is acceptable. However, for a real implementation, you would want to create a unique user for this integration, making sure to review Section 7.5, “Role Management” in the Security Administration chapter.

Next, add the Audit and/or Quarantine capability for each repository you want to evaluate. To configure Audit and/or Quarantine:

  1. In Nexus Repository Manager, click Capabilities on the Administration menu.
  2. Click the New button on the Capabilities tab. The Create new capability dialog is displayed.
  3. In the Type list, choose IQ: Audit and Quarantine.
  4. Select a specific proxy repository to scan, for example Central.
  5. Click Add.

An audit of the selected repository automatically starts. Nexus Repository Manager contacts IQ Server and evaluates the components within the selected repository against any associated policy.

Figure 4.4. Nexus Repository Manager Capabilities Tab

[Note]

These features use IQ Server policy management to identify, and if desired, prevent a proxy repository from serving unwanted components. If you have chosen to Audit, policies must also be configured with a fail action. Additional information is available in the Audit and Quarantine section of the Nexus Repository Chapter.

Configuring Nexus Repository Manager 3.x

Two steps are needed to allow IQ Server to interact with an instance of Nexus Repository Manager and evaluate its repositories. First, configure the IQ Server connection:

  1. In Nexus Repository Manager, click the Administration button on the main toolbar.
  2. In the Administration main menu, click Server under IQ Server.
  3. Select Whether to use IQ Server to enable IQ Server.
  4. Enter the IQ Server URL.
  5. Select an Authentication Method:

    User Authentication: Enter the username and password.

    PKI Authentication: Delegate to the JVM for authentication.

  6. Click Verify connection to test if a connection can be established.

Figure 4.5. IQ Server Connection in Nexus Repository Manager 3.x

[Note]

For this quick start guide, using the default admin credentials is acceptable. However, for a real implementation, you’d want to review the chapter on Security Administration, making sure to review Section 7.5, “Role Management”.

Next, add the Audit and/or Quarantine capability for each repository you want to evaluate. To configure Audit and/or Quarantine:

  1. In Nexus Repository Manager 3.x, go to the Administration main menu and click Capabilities under System.
  2. Click the Create capability button.
  3. In the Select Capability Type view, click IQ: Audit and Quarantine.
  4. Select a specific proxy repository to scan, for example Central.
  5. Click Create capability to save the new capability for Audit and Quarantine.

An audit of the selected repository is automatically started. Nexus Repository Manager contacts IQ Server and evaluates the components within the selected repository against any associated policy.

[Note]

These features use IQ Server policy management to identify, and if desired, prevent a proxy repository from serving unwanted components. If you have chosen to Audit, policies must also be configured with a fail action. Additional information is available in the Audit and Quarantine section of the Nexus Repository Chapter.

Step 5: Reviewing Repository Results

Once configured, the evaluation of the repository is automatic and will occur given any repository changes (e.g. adding a new component). Depending on the size (number of components) of the repository you configured, the evaluation could take a minute or so, but in general is very quick.

As you review the results, if you are not continuing on to review Nexus Lifecycle functionality, you can skip ahead to the investigation and remediation section, which provides additional details for drilling deeper into the results and available intelligence. Of course, a much more in-depth review of Nexus Firewall can be found in the Nexus Firewall section of the IQ for Nexus chapter.

[Note]

Accessing repository results will differ depending on the version of Nexus Repository Manager you have installed (differences highlighted below).

Reviewing Results in Nexus Repository Manager 2.x

To review results in Nexus Repository Manager 2.x, click Repositories under the Views/Repositories menu. Repository Results are summarized in the IQ Policy Violations column of the Repositories tab.

Figure 4.6. Nexus Repository Manager Repository Results

To view detailed results, click the open icon in the IQ Policy Violations column of the Repositories tab. IQ Server will open in a new tab showing detailed Repository Results.

Figure 4.7. IQ Server Repository Results

Reviewing Results in Nexus Repository Manager 3.x

In Nexus Repository Manager 3.x, the results of an audit are summarized in the IQ Policy Violations column of the Repositories view as shown in the figure below. Access the Repositories view from the Repository sub menu of the Administration menu.

Figure 4.8. Nexus Repository Manager 3.x Repository Results

To view detailed results, click the open icon in the IQ Policy Violations column of the Repositories view. IQ Server will open in a new tab showing detailed Repository Results.

Figure 4.9. IQ Server Repository Results

Step 6: Investigating & Remediating Violations

Repository Results allow you to drill down to learn specific details about a violation, including the ability to isolate quarantined components. Click an individual component to open the Component Information Panel (CIP). The CIP displays many details, which are divided into different sections or tabs. To get you started using the CIP, take a look at these sections:

  • Component Info - In the graph, you can move the vertical bar to learn the differences between versions of a component.
  • Policy - You can click the Waive button to force IQ Server to ignore a policy violation.
  • Licenses - You can track your research about a particular license and even override one.
  • Vulnerabilities - You can click Info for a thorough explanation of a component’s vulnerability and a recommended action.
  • Claim Component - You can tell IQ Server to recognize a component even though it was previously identified as unknown.

This is just a small sample of the component information available in the CIP. For a complete discussion of the CIP, see Component Information Panel in the Nexus IQ Server Documentation.

Figure 4.10. Quickstart Repository Results