Sonatype Nexus SSO

Page content

Nexus Repository OSS is an artifact repository with universal support for popular formats.

Install Nexus

cd /opt
wget https://download.sonatype.com/nexus/3/latest-unix.tar.gz
tar xvf latest-unix.tar.gz -C /opt
ln -s /opt/nexus-3.16.1-02/ /opt/nexus

adduser -s /bin/false nexus
chown -R nexus:nexus /opt/nexus
chown -R nexus:nexus /opt/sonatype-work/

echo 'run_as_user="nexus"' > /opt/nexus/bin/nexus.rc

nano /opt/nexus/bin/nexus
INSTALL4J_JAVA_HOME_OVERRIDE=/usr/lib/jvm/jre-1.8.0

Create sistemd serice for Nexus

echo '[Unit]
Description=nexus service
After=network.target

[Service]
Type=forking
LimitNOFILE=65536
ExecStart=/opt/nexus/bin/nexus start
ExecStop=/opt/nexus/bin/nexus stop
User=nexus
Restart=on-abort

[Install]
WantedBy=multi-user.target' > /etc/systemd/system/nexus.service

Start Nexus

sudo systemctl daemon-reload
sudo systemctl enable nexus.service
sudo systemctl start nexus.service

tailf /opt/sonatype-work/nexus3/log/nexus.log
### To check, point your browser to http://localhost:8081. Default username is admin with password admin123.

Install Keycloak authentication plugin

NEXUS_PLUGINS=/opt/nexus/system
KEYCLOAK_PLUGIN_VERSION=0.3.3-SNAPSHOT
cd /opt
mkdir -p ${NEXUS_PLUGINS}/org/github/flytreeleft/nexus3-keycloak-plugin/${KEYCLOAK_PLUGIN_VERSION}/
cd ${NEXUS_PLUGINS}/org/github/flytreeleft/nexus3-keycloak-plugin/${KEYCLOAK_PLUGIN_VERSION}/
wget https://github.com/flytreeleft/nexus3-keycloak-plugin/releases/download/${KEYCLOAK_PLUGIN_VERSION}/nexus3-keycloak-plugin-${KEYCLOAK_PLUGIN_VERSION}.jar
chmod 644 ${NEXUS_PLUGINS}/org/github/flytreeleft/nexus3-keycloak-plugin/${KEYCLOAK_PLUGIN_VERSION}/nexus3-keycloak-plugin-${KEYCLOAK_PLUGIN_VERSION}.jar
echo "mvn\\:org.github.flytreeleft/nexus3-keycloak-plugin/${KEYCLOAK_PLUGIN_VERSION} = 200" >> /opt/nexus/etc/karaf/startup.properties

Login to your Keycloak, and navigate relm > client Example image

Configurate Service Account Roles Example image

Configurate User Roles Example image

nano /opt/nexus/etc/keycloak.json
{
  "realm": "mydomain",
  "auth-server-url": "http://nexus.mydomain.intra:8080/auth",
  "ssl-required": "external",
  "resource": "web",
  "credentials": {
    "secret": "41e39b6b-e23a-4fb1-be21-d30c02941ffc"
  },
  "confidential-port": 0
}

systemct restart nexus

After login to nexus you can navigate to the realm administration. Activate the Keycloak Authentication Realm plugin by dragging it to the right hand side. Example image

Mapp the Keycloak roles to nexus Example image

Go to server administration > system > capabilities > add
type: Ruth auth
HTTP Header: X-Proxy-REMOTE-USER
Example image

yum install mod_auth_openidc httpd mod_ssl -y
nano /etc/httpd/conf.d/nexus-site.conf
ProxyRequests Off
ProxyPreserveHost On

<VirtualHost *:80>
    ServerName nexus.mydomain.intra
     Redirect permanent / https://nexus.mydomain.intra
    ErrorLog /var/log/httpd/error.log
    CustomLog /var/log/httpd/access.log common
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin webmaster@example.com
    ServerName nexus.mydomain.intra
    ServerAlias www.nexus.mydomain.intra
    DirectoryIndex index.html index.php

    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/domain.pem
    SSLCertificateKeyFile /etc/httpd/ssl/domain.pem
    SSLCertificateChainFile /etc/httpd/ssl/domain.pem

    AllowEncodedSlashes NoDecode
    AllowEncodedSlashes On
    RequestHeader set X-Forwarded-Proto "https"

    # keycloak
    OIDCProviderMetadataURL https://nexus.mydomain.intra:8443/auth/realms/mydomain/.well-known/openid-configuration
    OIDCSSLValidateServer Off
    OIDCClientID web
    OIDCClientSecret 41e39b6b-e23a-4fb1-be21-d30c02941ffc
    OIDCRedirectURI https://nexus.mydomain.intra/redirect_uri
    OIDCCryptoPassphrase passphrase
    OIDCJWKSRefreshInterval 3600
    OIDCScope "openid email profile"
    # maps the prefered_username claim to the REMOTE_USER environment variable
    OIDCRemoteUserClaim preferred_username

    <Location />
      AuthType openid-connect
      Require valid-user
      RequestHeader set "X-Proxy-REMOTE-USER" %{REMOTE_USER}s
      ProxyPass http://localhost:8081/ nocanon
      ProxyPassReverse http://localhost:8081/
    </Location>

    ErrorLog /var/log/httpd/error.log
    CustomLog /var/log/httpd/access.log common
</VirtualHost>

# secure neus server
nano /opt/nexus/etc/nexus-default.properties
application-host=127.0.0.1
comments powered by Disqus