Enabling SSL for Nexus 3
Talend Administration Center is provided together with the Nexus artifact repository, which is used to store software updates and ESB and Data Integration
artifacts. This document describes the steps to enable SSL (that is, TLS) for Nexus 3 and for the connection between Talend Administration Center and Nexus.
Setting up Talend Administration Center as the SSL server
Tomcat 8.5 is shipped with Talend 7.x.
In the <installation_path>/tac/apache-tomcat/conf/server.xml file,
the default configuration of the SSL part is shown below:
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
This connector uses the NIO implementation. The default
SSLImplementation will depend on the presence of the APR/native
library and the useOpenSSL attribute of the
AprLifecycleListener.
Either JSSE or OpenSSL style configuration may be used regardless of
the SSLImplementation selected. JSSE style configuration is used below.
-->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<SSLHostConfig>
<Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
type="RSA" />
</SSLHostConfig>
</Connector>
-->
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
This connector uses the APR/native implementation which always uses
OpenSSL for TLS.
Either JSSE or OpenSSL style configuration may be used. OpenSSL style
configuration is used below.
-->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
maxThreads="150" SSLEnabled="true" >
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig>
<Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
certificateFile="conf/localhost-rsa-cert.pem"
certificateChainFile="conf/localhost-rsa-chain.pem"
type="RSA" />
</SSLHostConfig>
</Connector>
-->
To set up Talend Administration Center as the SSL server, uncomment the NIO connector and point it at your keystore. A sample configuration for Talend Administration Center is:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true"
           keystoreFile="D:/Talend/7.0.1/SSL/talend.localhost.jks"
           keystorePass="talend"
           clientAuth="false">
    <!--
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                     type="RSA" />
    </SSLHostConfig>
    -->
</Connector>

keystoreFile, keystorePass and clientAuth are the older connector-level attributes. Tomcat 8.5 still accepts them and maps them onto the default SSLHostConfig, but they are deprecated in favour of the SSLHostConfig/Certificate form left commented out above, so use one style or the other, not both. clientAuth="false" is the default and means no client certificate is requested from browsers. keystorePass="talend" is a placeholder: choose a strong password, and because it is stored in clear text in server.xml, restrict read access to server.xml and to the keystore file.
This enables Talend Administration Center to act as an SSL secured server. To communicate with Nexus over SSL, the Talend Administration Center webapp must also be configured as an SSL client, by editing the
<installation_path>\tac\apache-tomcat\bin\setenv.bat file so that the JVM truststore contains the certificate Nexus presents. The truststore holds Nexus's server certificate (or the CA certificate that signed it), never Nexus's private key, which must stay in the Nexus keystore. The set command is a single line in the .bat file:

set "JAVA_OPTS=%JAVA_OPTS% -Xmx2048m -Dfile.encoding=UTF-8 -Djavax.net.debug=ssl -Djavax.net.ssl.trustStore=D:/Talend/7.0.1/SSL/talend.localhost.cert.jks -Djavax.net.ssl.trustStorePassword=talend"

Two caveats: -Djavax.net.ssl.trustStore replaces the JVM's default cacerts truststore for this process, so any other HTTPS endpoint Talend Administration Center connects to must also have its certificate (or issuing CA) in talend.localhost.cert.jks; and -Djavax.net.debug=ssl writes every handshake in detail to Tomcat's standard output, which is useful while troubleshooting but should be removed once the connection works.
Setting up Nexus as the SSL server
Nexus 3 is also shipped with Talend 7.x. To set up Nexus as an SSL server:
- Copy the keystore file into the
<installation_path>/tac/Artifact-Repository-Nexus-3.9.0-01-[OS]/nexus-3.9.0-01/etc/ssl
folder.
- Edit the
<installation_path>/tac/Artifact-Repository-Nexus-3.9.0-01-[OS]/sonatype-work/nexus3/etc/nexus.properties
file to add the SSL port and the reference to the SSL configuration
file:

# Jetty section
application-port=8081
application-port-ssl=8441
application-host=0.0.0.0
nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-http.xml,${jetty.etc}/jetty-https.xml,${jetty.etc}/jetty-requestlog.xml
nexus-context-path=/

With this nexus-args, Nexus keeps answering plain HTTP on 8081 in addition to HTTPS on 8441. To serve HTTPS only, remove ${jetty.etc}/jetty-http.xml from nexus-args.
- Edit the SSL configuration file
<installation_path>/tac/Artifact-Repository-Nexus-3.9.0-01-win64/nexus-3.9.0-01/etc/jetty/jetty-https.xml
for the certificate and
password:

<New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="KeyStorePath"><Property name="ssl.etc"/>/keystore.jks</Set>
  <Set name="KeyStorePassword">password</Set>
  <Set name="KeyManagerPassword">password</Set>
The path must be just the file name of the keystore, preceded by a slash: <Property name="ssl.etc"/> expands to the etc/ssl directory of the Nexus installation, which is why the keystore was copied there. KeyStorePassword is the password of the keystore and KeyManagerPassword the password of the private key entry inside it; replace the placeholder password with the values chosen when the keystore was created, and restrict read access to jetty-https.xml because they are stored in clear text.
Start Nexus and log in to the Nexus URL on the SSL port (https://<host>:8441/). The host name in that URL, and in the Nexus URL configured in Talend Administration Center, must match the CN or a Subject Alternative Name of the certificate in the keystore, because the Talend Administration Center JVM verifies the host name as well as the trust chain.
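The two sections above rely on two files that the page only names: the Nexus keystore (private key plus certificate) and the Talend Administration Center truststore (the certificate only). The following PowerShell script is an added example, not part of the Talend documentation, that builds both with the JDK's keytool, copies the keystore into the Nexus etc/ssl folder, and, once Nexus has been restarted, checks that the certificate served on the SSL port is the one the truststore contains. The host name nexus.example.local, the port 8441, the installation root D:\Talend\7.0.1 and the use of JAVA_HOME are assumed values; adjust them to your installation.

```powershell
# Added example (not from the Talend documentation): create the Nexus keystore and the
# Talend Administration Center truststore with keytool, then verify what Nexus serves.
# Hypothetical values: host nexus.example.local, SSL port 8441 (application-port-ssl),
# installation root D:\Talend\7.0.1, JAVA_HOME pointing at the JDK that runs Talend.
$NexusHost    = 'nexus.example.local'
$NexusSslPort = 8441
$SslDir       = 'D:\Talend\7.0.1\SSL'
$NexusEtcSsl  = 'D:\Talend\7.0.1\tac\Artifact-Repository-Nexus-3.9.0-01-win64\nexus-3.9.0-01\etc\ssl'
$KeyStore     = Join-Path $SslDir 'keystore.jks'               # private key + certificate, Nexus only
$NexusCert    = Join-Path $SslDir 'nexus.cer'                  # public certificate, exported for TAC
$TrustStore   = Join-Path $SslDir 'talend.localhost.cert.jks'  # the file setenv.bat points TAC at
$keytool      = Join-Path $env:JAVA_HOME 'bin\keytool.exe'

function Invoke-Keytool([string[]]$Arguments) {
    # Run keytool and fail loudly; keytool reports errors through its exit code.
    $output = & $keytool @Arguments
    if ($LASTEXITCODE -ne 0) { throw "keytool $($Arguments[0]) failed (exit $LASTEXITCODE)" }
    return $output
}

# Passwords are read at run time rather than written into the script. They still reach
# keytool on its command line; on a shared host prefer keytool's interactive prompts.
$StorePass = Read-Host -Prompt 'Nexus keystore password'
$TrustPass = Read-Host -Prompt 'TAC truststore password'

New-Item -ItemType Directory -Force -Path $SslDir | Out-Null

# 1. Key pair and self-signed certificate for Nexus. CN and a DNS SAN must equal the host
#    name in the Nexus URL configured in TAC, because the client JVM verifies it.
#    keypass equals storepass because jetty-https.xml carries the same value for
#    KeyStorePassword and KeyManagerPassword.
Invoke-Keytool @(
    '-genkeypair', '-alias', 'nexus', '-keyalg', 'RSA', '-keysize', '2048', '-sigalg', 'SHA256withRSA',
    '-validity', '825', '-dname', "CN=$NexusHost, O=Talend", '-ext', "SAN=dns:$NexusHost",
    '-storetype', 'JKS', '-keystore', $KeyStore, '-storepass', $StorePass, '-keypass', $StorePass
) | Out-Null

# 2. Export only the certificate. The private key never leaves keystore.jks.
Invoke-Keytool @('-exportcert', '-alias', 'nexus', '-keystore', $KeyStore,
                 '-storepass', $StorePass, '-rfc', '-file', $NexusCert) | Out-Null

# 3. Build the TAC truststore from that certificate. This is the file referenced by
#    -Djavax.net.ssl.trustStore in setenv.bat; it contains no private key.
Invoke-Keytool @('-importcert', '-alias', 'nexus', '-file', $NexusCert, '-storetype', 'JKS',
                 '-keystore', $TrustStore, '-storepass', $TrustPass, '-noprompt') | Out-Null

# 4. Put the keystore where <Property name="ssl.etc"/>/keystore.jks resolves.
Copy-Item -Path $KeyStore -Destination (Join-Path $NexusEtcSsl 'keystore.jks') -Force

# 5. After Nexus has been restarted with jetty-https.xml in nexus-args: fetch the certificate
#    it actually serves and compare its SHA-256 fingerprint with the truststore entry.
function Get-Sha256Fingerprint([string[]]$KeytoolOutput) {
    # keytool prints "SHA256: AB:CD:..." (32 bytes, 95 characters) for -printcert and -list -v
    foreach ($line in $KeytoolOutput) {
        if ($line -match 'SHA256:\s*([0-9A-F:]{95})') { return $Matches[1] }
    }
    return $null
}

$served  = Get-Sha256Fingerprint (Invoke-Keytool @('-printcert', '-sslserver', "${NexusHost}:${NexusSslPort}"))
$trusted = Get-Sha256Fingerprint (Invoke-Keytool @('-list', '-v', '-alias', 'nexus',
                                                   '-keystore', $TrustStore, '-storepass', $TrustPass))

if (-not $served) { throw "No certificate read from ${NexusHost}:${NexusSslPort}; is Nexus listening on the SSL port?" }
if ($served -ne $trusted) {
    throw "Nexus serves $served but the TAC truststore holds $trusted; TAC will reject the connection"
}
"OK: ${NexusHost}:${NexusSslPort} presents the certificate trusted by Talend Administration Center ($served)"
```

Run the script once before starting Nexus (steps 1 to 4) and again afterwards to perform the check in step 5; the first run will stop at step 5 with the "No certificate read" message, which is expected. The fingerprint comparison is the quickest way to tell a trust failure in Talend Administration Center apart from a host name mismatch: if the fingerprints agree but the connection is still refused, the host in the Nexus URL does not match the certificate's CN or SAN.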