Enabling SSL for Nexus 3

Author: Talend Documentation Team
Version: 7.1
Products: Talend MDM Platform, Talend Big Data Platform, Talend Data Services Platform, Talend ESB, Talend Data Fabric, Talend Big Data, Talend Data Integration, Talend Data Management Platform, Talend Real-Time Big Data Platform
Task: Administration and Monitoring
Platform: Talend Administration Center

Talend Administration Center is provided together with the Nexus artifact repository, which is used to store software updates as well as ESB and Data Integration artifacts. This document describes the steps to enable SSL for Nexus 3.

Setting up Talend Administration Center as the SSL server

Tomcat 8.5 is shipped with Talend 7.x. In the <installation_path>/tac/apache-tomcat/conf/server.xml file, the default SSL connector configuration is shown below (both connectors are commented out):
    <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
         This connector uses the NIO implementation. The default
         SSLImplementation will depend on the presence of the APR/native
         library and the useOpenSSL attribute of the
         AprLifecycleListener.
         Either JSSE or OpenSSL style configuration may be used regardless of
         the SSLImplementation selected. JSSE style configuration is used below.
    -->
    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
    -->
    <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
         This connector uses the APR/native implementation which always uses
         OpenSSL for TLS.
         Either JSSE or OpenSSL style configuration may be used. OpenSSL style
         configuration is used below.
    -->
    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig>
            <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                         certificateFile="conf/localhost-rsa-cert.pem"
                         certificateChainFile="conf/localhost-rsa-chain.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
    -->
To set up Talend Administration Center as the SSL server, the appropriate connector must be uncommented and adapted to point at your keystore. A sample configuration for Talend Administration Center is:
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true"
               keystoreFile="D:/Talend/7.0.1/SSL/talend.localhost.jks"
               keystorePass="talend"
               clientAuth="false">
        <!--
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                         type="RSA" />
        </SSLHostConfig>
        -->
    </Connector>
This enables Talend Administration Center to act as an SSL-secured server. To be able to communicate with Nexus, the Talend Administration Center webapp must also be configured as an SSL client, by editing the <installation_path>\tac\apache-tomcat\bin\setenv.bat file so that the JVM truststore points to the keystore holding Nexus' certificate (the -Djavax.net.debug=ssl option additionally turns on TLS handshake logging, which is useful while troubleshooting):
set "JAVA_OPTS=%JAVA_OPTS% -Xmx2048m -Dfile.encoding=UTF-8 -Djavax.net.debug=ssl -Djavax.net.ssl.trustStore=D:/Talend/7.0.1/SSL/talend.localhost.cert.jks -Djavax.net.ssl.trustStorePassword=talend"

Setting up Nexus as the SSL server

Nexus 3 is also shipped with Talend 7.x. To set up Nexus as an SSL server:

  1. Copy the keystore file into the <installation_path>/tac/Artifact-Repository-Nexus-3.9.0-01-[OS]/nexus-3.9.0-01/etc/ssl folder.
  2. Edit the <installation_path>/tac/Artifact-Repository-Nexus-3.9.0-01-[OS]/sonatype-work/nexus3/etc/nexus.properties file to set the SSL port and to add the SSL configuration file (jetty-https.xml) to the list of Jetty configuration files:
    # Jetty section
    application-port=8081
    application-port-ssl=8441
    application-host=0.0.0.0
    nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-http.xml,${jetty.etc}/jetty-https.xml,${jetty.etc}/jetty-requestlog.xml
    nexus-context-path=/
  3. Edit the SSL configuration file <installation_path>/tac/Artifact-Repository-Nexus-3.9.0-01-win64/nexus-3.9.0-01/etc/jetty/jetty-https.xml to reference the keystore and set its passwords:
    <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
      <Set name="KeyStorePath"><Property name="ssl.etc"/>/keystore.jks</Set>
      <Set name="KeyStorePassword">password</Set>
      <Set name="KeyManagerPassword">password</Set>

    The KeyStorePath value is the ssl.etc property followed by a slash and the keystore file name only; no other directory may be given, because the file must be located in the etc/ssl folder from step 1.

Start Nexus; you can now log in to the Nexus URL on the SSL port (8441 in the configuration above).
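The following pre-flight check, added here as an example and not part of the Talend or Nexus distribution, reads the two files edited in steps 2 and 3 and reports the mistakes that most often break this procedure: a missing SSL port, jetty-https.xml not listed in nexus-args, a KeyStorePath that points outside etc/ssl, and keystore passwords left at the shipped default. The sample file contents below are constructed; the jetty-https.xml fragment is wrapped in <Configure> so that it parses as a complete XML document.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of nexus.properties after step 2 (not copied from a live install).
NEXUS_PROPERTIES = """\
application-port=8081
application-port-ssl=8441
nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-http.xml,${jetty.etc}/jetty-https.xml,${jetty.etc}/jetty-requestlog.xml
"""

# Constructed, minimal jetty-https.xml, wrapped in <Configure> so that it parses as XML.
JETTY_HTTPS_XML = """\
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
    <Set name="KeyStorePath"><Property name="ssl.etc"/>/keystore.jks</Set>
    <Set name="KeyStorePassword">password</Set>
    <Set name="KeyManagerPassword">password</Set>
  </New>
</Configure>
"""

def parse_properties(text):
    # Minimal key=value parser; blank and comment lines are skipped.
    props = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_nexus_https(properties_text, jetty_https_text):
    """Return a list of findings; an empty list means the two files look consistent."""
    findings = []
    props = parse_properties(properties_text)
    if not props.get("application-port-ssl", "").isdigit():
        findings.append("application-port-ssl is missing or not numeric")
    if "${jetty.etc}/jetty-https.xml" not in props.get("nexus-args", "").split(","):
        findings.append("nexus-args does not include ${jetty.etc}/jetty-https.xml")
    factory = ET.fromstring(jetty_https_text).find(".//New[@id='sslContextFactory']")
    if factory is None:
        return findings + ["no sslContextFactory element in jetty-https.xml"]
    sets = {s.get("name"): s for s in factory.findall("Set")}
    # KeyStorePath must be <Property name="ssl.etc"/> plus "/<file name>" only: the keystore has to sit in etc/ssl (step 1).
    prop = sets["KeyStorePath"].find("Property") if "KeyStorePath" in sets else None
    if prop is None or prop.get("name") != "ssl.etc" or not re.fullmatch(r"/[^/]+", prop.tail or ""):
        findings.append('KeyStorePath must be <Property name="ssl.etc"/>/<keystore file name>')
    for name in ("KeyStorePassword", "KeyManagerPassword"):
        value = (sets[name].text or "").strip() if name in sets else ""
        if value in ("", "password"):
            findings.append(name + " is unset or still the shipped default")
    return findings
```

Run against the sample above it reports only the two default passwords; pass the real files' contents (read from the paths in steps 2 and 3) to check an actual installation.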