1. download the Nexus from website for free version:
2. Run the Command prompt with administrator privilege .
http://blog.csdn.net/zwc0910/article/details/17349111
http://w26.iteye.com/blog/1547096
failure reason
http://blog.csdn.net/kimylrong/article/details/23280155
3. central repository proxy error:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
http://books.sonatype.com/nexus-book/reference//ssl-sect-client-cert.html
tool: http://download.sonatype.com/nexus/import-ssl.jar
4.2.3. Manually Configuring Trust Stores
The Nexus user interface should be sufficient to work with the trust stores and certificates. In older versions of Nexus as well as some use cases, you need to manually configure the trust store.
Sonatype provides an import-ssl tool that can be downloaded fromhttp://download.sonatype.com/nexus/import-ssl.jar. It allows you to import a client certificate in two steps:
- importing the server’s SSL chain and
- importing the client SSL key/certificate pair.
The Java Virtual Machine running Nexus uses the Java Secure Socket Extension (JSSE) to enable secure Internet communication. It uses two certificate stores - truststore andkeystore.
A truststore contains certificates from servers run by other parties with who you expect to communicate, or from Certificate Authorities that you trust to identify other parties. This truststore ships with a number of CA’s out-of-the-box, trusted root certificates.
A keystore contains private keys and the certificates with their corresponding public keys. Typically, they are stored in separate files stored in the default location of${JRE_HOME}/lib/security/cacerts.
Some notes about the location of the keystore and default keystore passwords:
- If you are using the default JSSE keystore locations on either a Linux or OS X platform, you must run the commands below as the root user. You can do this either by changing to the root user (
su -) or by using the sudo command:sudo [command]. - The default password used by Java for the built-in keystores is changeit. If your key-store uses a different password, you’ll need to specify that password as the last parameter on the command lines above.
- If you want to specify your own keystore/truststore file, provide that in place of <keystore_dir> in the examples below.
- If you’re using a password other than changeit for your keystore, you should supply it immediately following the keystore path in the commands below.
- If you specify a keystore location that doesn’t exist, the import-ssl utility will create it on-demand.
Before you begin the process of importing a Server SSL Chain and a client certificate you will need the following:
- Network access to the SSL server you are connecting to,
- An SSL client certificate,
- and a certificate password.
For server certificates you should either import directly into${JRE_HOME}/lib/security/cacerts, or make a copy of the file and import into that.
![[Warning]](http://books.sonatype.com/nexus-book/reference//images/icons/warning.png?x-oss-process=image/resize,w_1400/format,webp){kind=icon}
If you replace the existing truststore rather than adding to it or if you override the truststore location, you will lose all of the trusted CA root certificates of the JRE and no SSL sites will be accessible.
Import the Server SSL Chain
The first command imports the entire self-signed SSL certificate chain for central.sonatype.com into your JSSE keystore:
$ java -jar import-ssl.jar server repo1.maven.org <keystore>
<keystore>=C:\Java\jdk1.8.0_05\jre\lib\security\cacerts
command as below:
java -jar import-ssl.jar server repo1.maven.org C:\Java\jdk1.8.0_05\jre\lib\security\cacerts
Substitute the server name used in the previous listing with the server name to which you are attempting to connect. This particular command will connect to https://repo1.maven.org, retrieve, and import the server’s SSL certificate chain.
Import the Client SSL Key/Certificate Pair
The second command imports your client-side SSL certificate into the JSSE keystore, so Nexus can send it along to the server for authentication:
$ java -jar import-ssl.jar client <your-certificate.p12> \ <your-certificate-password> keystore
When the client command completes, you should see a line containing the keystore path. Please note this, as you will use it in your next configuration step.
... Writing keystore: /System/Library/Frameworks/JavaVM.framework/\ Versions/1.6.0/Home/lib/security/jssecacerts
If you want to make a new keystore into which to import your keys, use the keytool that ships with your Java installation to create an empty keystore:
keytool -genkey -alias foo -keystore keystore keytool -delete -alias foo -keystore keystore
![[Tip]](http://books.sonatype.com/nexus-book/reference//images/icons/tip.png?x-oss-process=image/resize,w_1400/format,webp){kind=icon}
Make sure to use the keytool commands for your Java version used to run Nexus. The documentation for keytool is available online forJava 6 as well as Java 7.
Configuring Nexus Startup
Once both sets of SSL certificates are imported to your keystore and/or truststore, you can modify the wrapper.conf file located in $NEXUS_HOME/bin/jsw/conf/ to inject the JSSE system properties necessary to use these certificates, as seen below adapting the iterator number (10, 11.. ) to start at the last used value, which depends on the rest of your configuration.
wrapper.java.additional.10=-Djavax.net.ssl.keyStore=<keystore> wrapper.java.additional.11=-Djavax.net.ssl.keyStorePassword=<keystore_password> wrapper.java.additional.12=-Djavax.net.ssl.trustStore=<truststore> wrapper.java.additional.13=-Djavax.net.ssl.trustStorePassword=<truststore_password>
Once you have configured the Nexus startup option shown above, restart Nexus and attempt to proxy a remote repository which requires an SSL client certificate. Nexus will use the keystore location and keystore password to configure the SSL interaction to accept the server’s SSL certificate and send the appropriate client SSL certificate using the manual configuration you have completed with the import-ssl tool.
<?xml version="1.0" encoding="UTF-8"?> <!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. --> <!-- | This is the configuration file for Maven. It can be specified at two levels: | | 1. User Level. This settings.xml file provides configuration for a single user, | and is normally provided in ${user.home}/.m2/settings.xml. | | NOTE: This location can be overridden with the CLI option: | | -s /path/to/user/settings.xml | | 2. Global Level. This settings.xml file provides configuration for all Maven | users on a machine (assuming they're all using the same Maven | installation). It's normally provided in | ${maven.home}/conf/settings.xml. | | NOTE: This location can be overridden with the CLI option: | | -gs /path/to/global/settings.xml | | The sections in this sample file are intended to give you a running start at | getting the most out of your Maven installation. Where appropriate, the default | values (values used when the setting is not specified) are provided. | |--> <settings xmlns="http://maven.apache.org/SETTINGS/1.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 http://maven.apache.org/xsd/settings-1.0.0.xsd"> <!-- localRepository | The path to the local repository maven will use to store artifacts. | | Default: ${user.home}/.m2/repository <localRepository>/path/to/local/repo</localRepository> --> <localRepository>C:\Users\alter\.m2\repository</localRepository> <pluginGroups> <pluginGroup>org.mortbay.jetty</pluginGroup> <pluginGroup>org.codehaus.cargo</pluginGroup> </pluginGroups> <proxies> </proxies> <servers> <server> <id>releases</id> <username>deployment</username> <password>deployment123</password> </server> <server> <id>snapshots</id> <username>deployment</username> <password>deployment123</password> </server> </servers> <mirrors> <mirror> <id>nexus</id> <mirrorOf>*</mirrorOf> <url>http://localhost:8081/nexus/content/groups/public/</url> </mirror> </mirrors> <profiles> <profile> <id>nexus</id> <repositories> <repository> <id>central</id> <url>http://localhost:8081/nexus/content/groups/public/</url> <releases><enabled>true</enabled></releases> <snapshots><enabled>true</enabled></snapshots> </repository> </repositories> <pluginRepositories> <pluginRepository> <id>central</id> <url>http://localhost:8081/nexus/content/groups/public/</url> <releases><enabled>true</enabled></releases> <snapshots><enabled>true</enabled></snapshots> </pluginRepository> </pluginRepositories> </profile> </profiles> <activeProfiles> <activeProfile>nexus</activeProfile> </activeProfiles> </settings> </settings> <!-- id should be the same as above server id--> <!-- <distributionManagement> <repository> <id>releases</id> <name>Internal Releases</name> <url>http://localhost:8081/nexus/content/repositories/releases</url> </repository> <snapshotRepository> <id>snapshots</id> <name>Internal Snapshots</name> <url>http://localhost:8081/nexus/content/repositories/snapshots</url> </snapshotRepository> </distributionManagement> -->
