Nexus Repository uses Eclipse Jetty as the underlying web application container. An inbound TLS ServerConnector may be enabled via an XML configuration file named jetty-https.xml. The SslContextFactory used by the ServerConnector is configured with password values for the keystore and truststore. The password values can be stored in plain text form, or obfuscated form.
What is Jetty password obfuscation?
Obfuscation is not encryption. Do not believe that if you obfuscate the password values, then your configuration files are more secure than if you use plain text passwords.
Obfuscation merely converts a plain text value into a indiscernible value that is harder to read and will be less likely to be retained by a casual observer.
How do I secure my keystore and truststore passwords in jetty-https.xml?
Follow the standards for security of your particular organization. The minimum standards generally accepted are that the only a very limited set of users can access the Nexus Repository Manager installation and configuration files on disk, especially those which must contain password values.
How do I know if my Jetty store passwords are obfuscated?
Obfuscated password values are denoted by the prefix OBF: . All other passwords are interpreted as plain text as-is.
How do I obfuscate/de-obfuscate the KeyStorePassword, KeyManagerPassword,TrustStorePassword values?
Nexus Repository ships with a Jetty jar file in a sub-directory of <application-directory>/system that includes a special class which can encode and decode passwords. The exact version and location of the jar may change over time, but here are examples invoking it on the command line while inside the <application-directory>:
Obfuscation
> java -cp ./system/org/eclipse/jetty/jetty-util/9.3.7.v20160115/jetty-util-9.3.7.v20160115.jar org.eclipse.jetty.util.security.Password "password"
2017-07-17 18:04:05.849:INFO::main: Logging initialized @118ms password OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v MD5:5f4dcc3b5aa765d61d8327deb882cf99
De-obfuscation
> java -cp ./system/org/eclipse/jetty/jetty-util/9.3.7.v20160115/jetty-util-9.3.7.v20160115.jar org.eclipse.jetty.util.security.Password "OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v"
2017-07-17 18:26:49.994:INFO::main: Logging initialized @124ms password OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v MD5:41730f0ca9b61b63a19ced290e64dd09