How to reset a forgotten admin password in Sonatype Nexus Repository 3

Sonatype Nexus Repository 3 includes a default 'admin' Administrator user account.

Versions before 3.17.0 set the password of this account to admin123 by default.

New installations of version 3.17.0 or newer do not have a set default password.

The following steps explain how to restore the default admin user account and set its password to "admin123".

Reset Admin User using embedded OrientDB Database

  1. Shut down Nexus and back up your <Nexus Data Directory>/db
  2. Access the OrientDB console using these instructions.
  3. Run the following command:
    connect plocal:../sonatype-work/nexus3/db/security admin admin

    You may need to adjust the path used in the connect statement depending on the location of your nexus data directory. It should be the path to the "db/security" directory in your data directory. An absolute path may be used.

  4. After the connect command succeeds, check that the admin user exists:

    select * from user where id = "admin"

    If the admin user does exist, issue this command in the console to update the admin user password to admin123:

    update user SET password="$shiro1$SHA-512$1024$NE+wqQq/TmjZMvfI7ENh/g==$V4yPw8T64UQ6GfJfxYq2hLsVrBY8D1v+bktfOxGdt4b/9BthpWPNUy/CBk6V9iA0nHpzYzJFWO8v/tZFtES8CA==" UPSERT WHERE id="admin"

    If the admin user does not exist, issue the following two INSERT commands in the console to insert the admin user with password admin123 and the default role mapping:

    INSERT INTO user (status, id, firstName, lastName, email, password) VALUES ('active', 'admin', 'admin', 'admin', 'changeme@yourcompany.com', '$shiro1$SHA-512$1024$NE+wqQq/TmjZMvfI7ENh/g==$V4yPw8T64UQ6GfJfxYq2hLsVrBY8D1v+bktfOxGdt4b/9BthpWPNUy/CBk6V9iA0nHpzYzJFWO8v/tZFtES8CA==')

    INSERT INTO user_role_mapping (userId, source, roles) VALUES ('admin', 'default', 'nx-admin')

    The query language is SQL-like, but it is not SQL. See the OrientDB Command Reference.

    At this point, the admin user should be able to authenticate if the default security realms are still in place. Verify that you can log in as the admin user using your web browser.

  5. Optional, if the admin user still fails to authenticate: If the default security realms were removed from the active list, the default admin user will still not be able to authenticate, despite resetting the password.

    To reset the default security realms, enter this command at the orientdb console prompt:
    delete from realm

    After this command succeeds and Nexus is restarted, the default security realms will be activated and any custom activated realms will have been removed.

    An admin user will then have to add back any other security realms they had previously (such as LDAP) using the Realms UI, to allow other users to authenticate.

  6. Optional, if the admin user is missing the "nx-admin" role:

    Check to see what roles the "admin" user has assigned to them:

    select * from user_role_mapping where userId = "admin"

    If they are missing "nx-admin" use this command at the orientdb console prompt to fix:

    update user_role_mapping set roles = ["nx-admin"] where userId = "admin"

  7. Optional, check to see if the admin user is active:

    Check to see if the "admin" user is active:

    select status from user where id = "admin"

    If they are not active, use this to make them active:

    update user set status="active" upsert where id="admin"

  8. To end the console session gracefully, type "exit".

  9. Start Nexus again using ./bin/nexus start or your regular service control command.

 

Reset Admin User using H2 or PostgreSQL Database

If Postgres is used as the Nexus DB, certain SQL statements may differ slightly due to changes in the DB schema.

 

1. Check for existing admin user

select * from security_user where id='admin'

Update or insert an active admin user with default password "admin123"

update security_user SET password='$shiro1$SHA-512$1024$NE+wqQq/TmjZMvfI7ENh/g==$V4yPw8T64UQ6GfJfxYq2hLsVrBY8D1v+bktfOxGdt4b/9BthpWPNUy/CBk6V9iA0nHpzYzJFWO8v/tZFtES8CA==', status='active' WHERE id='admin'

or

insert into security_user (status, id, first_name, last_name, email, password) VALUES ('active', 'admin', 'admin', 'admin', 'admin@example.org', '$shiro1$SHA-512$1024$NE+wqQq/TmjZMvfI7ENh/g==$V4yPw8T64UQ6GfJfxYq2hLsVrBY8D1v+bktfOxGdt4b/9BthpWPNUy/CBk6V9iA0nHpzYzJFWO8v/tZFtES8CA==')

 

2. Check for existing admin user role mapping

select * from user_role_mapping where user_id = 'admin'

Update or insert an admin user role mapping

update user_role_mapping set roles='["nx-admin"]' where user_id = 'admin'

or

insert into user_role_mapping (user_id, user_lo, source, roles) VALUES ('admin', 'admin', 'default', '["nx-admin"]')

 

3. Check authentication realms

select * from realm_configuration

Update or insert default authentication realms

update realm_configuration SET realm_names = '["NexusAuthenticatingRealm", "NexusAuthorizingRealm"]' where id = 1

or

insert into realm_configuration (id, realm_names) values (1, '["NexusAuthenticatingRealm", "NexusAuthorizingRealm"]')

 

RESTART NEXUS to ensure the above changes take effect.
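
After either procedure the admin account carries a publicly documented password, so the stored value should be checked again once the password has been changed. The Python sketch below is an added example, not Sonatype's code: it parses the $shiro1$ string used above and flags a stored value that is still a hash of admin123. The function names are hypothetical, and the digest scheme (SHA-512 over salt then password, re-hashed for the remaining iterations, no private salt) is an assumption about Apache Shiro's default hash service.

```python
import base64
import hashlib
import hmac
import os

# Hash string published in this article for the password "admin123".
PUBLISHED_ADMIN123 = (
    "$shiro1$SHA-512$1024$NE+wqQq/TmjZMvfI7ENh/g==$"
    "V4yPw8T64UQ6GfJfxYq2hLsVrBY8D1v+bktfOxGdt4b/9BthpWPNUy/CBk6V9iA0nHpzYzJFWO8v/tZFtES8CA=="
)
ALGORITHMS = {"SHA-256": "sha256", "SHA-512": "sha512"}


def parse_shiro1(stored):
    """Split $shiro1$<algorithm>$<iterations>$<b64 salt>$<b64 digest> into fields."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[:2] != ["", "shiro1"] or parts[2] not in ALGORITHMS:
        raise ValueError("unsupported or malformed shiro1 value")
    salt, digest = base64.b64decode(parts[4]), base64.b64decode(parts[5])
    return ALGORITHMS[parts[2]], int(parts[3]), salt, digest


def shiro1_digest(password, algorithm, iterations, salt):
    """Assumed Shiro scheme: H(salt || password), then re-hashed iterations-1 times."""
    digest = hashlib.new(algorithm, salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        digest = hashlib.new(algorithm, digest).digest()
    return digest


def make_shiro1(password, iterations=1024):
    """Build a SHA-512 shiro1 string with a fresh random salt (used to test the check)."""
    salt = os.urandom(16)
    digest = shiro1_digest(password, "sha512", iterations, salt)
    return "$shiro1$SHA-512$%d$%s$%s" % (
        iterations, base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def still_default(stored, candidates=("admin123",)):
    """True if stored is the published string or any salted hash of a default password."""
    if stored == PUBLISHED_ADMIN123:
        return True
    algorithm, iterations, salt, expected = parse_shiro1(stored)
    return any(hmac.compare_digest(shiro1_digest(p, algorithm, iterations, salt), expected)
               for p in candidates)
```

Pass the password column returned by the select statements above to still_default(); a True result after the reset means the admin password has not yet been rotated.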
