Summary
Nexus IQ Server must be able to resolve and reach https://clm.sonatype.com:443 from the host where it runs. This article explains what that requirement means in practice (including with an HTTP proxy) and lists the common error messages you might see when it is not met.
What IQ Server requires
IQ Server uses our Sonatype Data Services at https://clm.sonatype.com:443 for license validation and vulnerability analysis. The hostname and port are not configurable and are documented as mandatory outbound connectivity in the IQ Server System Requirements and Configuring Outbound Traffic.
On the IQ Server host (or container/pod), all of the following must be true:
- DNS lookups for clm.sonatype.com succeed.
- Outbound TCP connections to clm.sonatype.com on port 443 are allowed by firewalls or other network controls.
- If an HTTP(S) proxy is required, IQ Server is configured to use it and that proxy allows HTTPS CONNECT requests to clm.sonatype.com:443. See Configuring Outbound Traffic.
Typical symptoms and error messages
When these requirements are not met, IQ Server cannot contact Sonatype Data Services and you may see one or more of the following symptoms in the UI or logs:
- License upload or startup failures with:
  The hostname for the Sonatype Data Services could not be resolved, please verify the network configuration (DNS) at the site where the Nexus IQ Server is operated
- DNS resolution errors such as:
  java.net.UnknownHostException: clm.sonatype.com
- Connection timeouts such as:
  org.apache.http.conn.ConnectTimeoutException: Connect to clm.sonatype.com:443 [...] failed: connect timed out
Our firewall and network access article notes that IQ Server “requires HTTP access to the Sonatype Data Services in order to function” and that https://clm.sonatype.com:443 must be reachable, with examples of timeout messages and changing IPs behind clm.sonatype.com. See Configuring firewalls and network access for the Sonatype IQ Server.
Proxy and IP whitelisting considerations
If your organization uses an HTTP(S) proxy, the proxy administrators must explicitly allow the domain names clm.sonatype.com (and, for notification assets, cdn.sonatype.com), not just specific IP addresses. Our firewall/network KB explains that the IPs behind clm.sonatype.com are fronted by AWS CloudFront and change over time, so static IP whitelists can become stale and cause timeouts or connection failures. See Configuring firewalls and network access for the Sonatype IQ Server.
Because of this rotation, we recommend whitelisting the hostnames at the proxy or firewall layer, instead of hard-coding individual IP addresses.
Quick verification steps
Run these checks from the IQ Server host:
- DNS: nslookup clm.sonatype.com or ping clm.sonatype.com should succeed.
- Direct HTTPS (no proxy): curl -v -k https://clm.sonatype.com/ping should return HTTP 200 and an alive response, as shown in the firewall/network KB.
- Via proxy: If a proxy is required, repeat with --proxy to confirm the proxy allows HTTPS CONNECT to clm.sonatype.com:443, following Configuring Outbound Traffic and Configuring firewalls and network access.
If these checks fail, your DNS, firewall, or proxy configuration must be updated so that IQ Server can resolve and reach https://clm.sonatype.com:443 as required.
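The direct and proxy checks from Quick verification steps as one script, added here as an example (it is not Sonatype tooling). It goes beyond the article by mapping curl's exit status to the requirement that was not met, and it omits -k so an untrusted certificate is reported rather than ignored; the function names, the --run switch and the 10-second timeout are assumptions.

```shell
#!/bin/sh
# Added example: probe Sonatype Data Services and name the unmet requirement.
HOST=clm.sonatype.com
URL="https://$HOST/ping"

# Map a curl exit status to the likely failed requirement.
explain_curl_exit() {
  case "$1" in
    5)  echo "proxy hostname could not be resolved" ;;
    6)  echo "DNS lookup for $HOST failed" ;;
    7)  echo "TCP connection to port 443 (or the proxy) was refused or blocked" ;;
    28) echo "connect timed out; check firewall rules and stale IP allowlists" ;;
    56) echo "tunnel failed; the proxy may be rejecting CONNECT to $HOST:443" ;;
    60) echo "TLS certificate not trusted by this host's CA bundle" ;;
    *)  echo "curl exited with status $1" ;;
  esac
}

# probe [proxy-url]: no argument = direct check, bypassing any proxy env vars.
# Prints one PASS/FAIL line; returns 0 only for HTTP 200.
probe() {
  rc=0
  if [ -n "${1:-}" ]; then
    label="via proxy"
    code=$(curl -sS -o /dev/null -w '%{http_code}' --connect-timeout 10 \
      --proxy "$1" "$URL") || rc=$?
  else
    label="direct"
    code=$(curl -sS -o /dev/null -w '%{http_code}' --connect-timeout 10 \
      --noproxy '*' "$URL") || rc=$?
  fi
  if [ "$rc" -ne 0 ]; then
    echo "FAIL $label: $(explain_curl_exit "$rc")"
    return 1
  fi
  if [ "$code" != "200" ]; then
    echo "FAIL $label: unexpected HTTP $code from $URL"
    return 1
  fi
  echo "PASS $label: HTTP 200 from $URL"
}

# Usage: sh iq-check.sh --run [proxy-url]   (proxy URL is site-specific)
if [ "${1:-}" = "--run" ]; then
  probe "${2:-}"
fi
```

Run it as the same OS user, and inside the same container or pod, as IQ Server so the result reflects the network path the server actually uses.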