Details
- Type: Improvement
- Status: New
- Priority: Major
- Resolution: Unresolved
- Affects Version/s: 3.27.0, 3.28.0
- Fix Version/s: None
- Labels:
- Notability: 4
Description
Use of PKI client-side certificates is becoming more widespread. Examples in use include:
- NXRM to IQ Server PKI auth
- NXRM yum proxy repos to Red Hat remotes
- NXRM Docker proxy repos to Red Hat remotes
Meanwhile, cloud deployments of NXRM are also increasing the complexity of automating updates to the PKI certs that NXRM uses from the keystore, which is currently specified by way of system properties. Updates of PKI certs require an NXRM restart, and PKI entitlement certs for remote resources can change frequently. This requires some sort of home-grown automated process to deploy new certs NXRM can use and then restart NXRM, which requires downtime. Examples:
- https://help.sonatype.com/repomanager3/formats/yum-repositories/proxying-rhel-yum-repositories
- NEXUS-24420
Expected
Add a REST API and UI for managing client-side certs used for outbound PKI auth (for repos and even IQ Server). Design it such that NXRM restarts will not be required for the changes to take effect and the certificates will be persisted inside NXRM, surviving upgrades. Imagining an interface similar to the existing SSL Certificates UI.
Issue Links
- is related to
  - NEXUS-24420 add support for specifying which private key entry to use per proxy repository outbound PKI auth (New)