Installing repo manager on RHEL 8

chad.schrock · May 6, 2021, 2:03pm

Hi,

We are attempting to evaluate the repo manager to see if our organization is going to purchase, but we are having a very difficult time getting it to run on our systems.

(Also, I know very little about Java, so most of this is pretty foreign to me.)

The setup: VM running RHEL 8, in FIPS mode, configured to DISA STIG security hardening benchmarks, nginx reverse proxy in front of Nexus.

What I’m getting when I go to http://localhost/ or http://localhost:8081/ is the black “Nexus Repository Manager” startup page and the “Initializing” gear spinning.

My nexus.log file contains the following:
2021-05-06 09:28:24,301-0400 ERROR [qtp1389665704-58] *UNKNOWN org.sonatype.nexus.extdirect.internal.ExtDirectExceptionHandler - Failed to invoke action method: rapture_Security.getPermissions, java-method: org.sonatype.nexus.rapture.internal.security.SecurityComponent.getPermissions
com.google.inject.ProvisionException: Unable to provision, see the following errors:

Error injecting constructor, java.io.FileNotFoundException: NONE (No such file or directory)
at com.sonatype.nexus.ssl.plugin.internal.TrustStoreImpl.(TrustStoreImpl.java:84)
at / (via modules: org.sonatype.nexus.extender.modules.NexusBundleModule → org.eclipse.sisu.space.SpaceModule)
while locating com.sonatype.nexus.ssl.plugin.internal.TrustStoreImpl
while locating java.lang.Object annotated with *
at org.eclipse.sisu.wire.LocatorWiring
while locating org.sonatype.nexus.ssl.TrustStore
for the 5th parameter of org.sonatype.nexus.ldap.internal.realms.EnterpriseLdapManager.(EnterpriseLdapManager.java:91)
at / (via modules: org.sonatype.nexus.extender.modules.NexusBundleModule → org.eclipse.sisu.space.SpaceModule)
while locating org.sonatype.nexus.ldap.internal.realms.EnterpriseLdapManager
while locating java.lang.Object annotated with *
at org.eclipse.sisu.wire.LocatorWiring
while locating org.sonatype.nexus.ldap.internal.realms.LdapManager
for the 1st parameter of org.sonatype.nexus.ldap.internal.LdapAuthorizationManager.(LdapAuthorizationManager.java:42)
at / (via modules: org.sonatype.nexus.extender.modules.NexusBundleModule → org.eclipse.sisu.space.SpaceModule)
while locating org.sonatype.nexus.ldap.internal.LdapAuthorizationManager
while locating java.lang.Object annotated with *

1 error
at com.google.inject.internal.InternalProvisionException.toProvisionException(InternalProvisionException.java:226)

I did see the post of the one person that had a very similar error and he ended up abandoning a direct install in favor of a container, but a container is not going to work for my use case.

Thanks.

mmartz · May 6, 2021, 2:59pm

Maybe it’s some kind of filesystem/permissions issue? The error doesn’t really make sense to me, which version of nxrm are you installing?

If you’re planning to evaluate for purchase I’d recommend reaching out to our sales team as they should be able to provide additional assistance and/or support

chad.schrock · May 6, 2021, 3:15pm

Hi,

Thank you for your reply. I’m installing nxrm 3.30.1-01. I’ll double-check the permissions though. I assumed that the restrictive permissions after I untarred the archive (0700) were by default.

Thanks.

daniel.babcock · December 26, 2021, 2:34pm

Sorry I am so late to the conversation. I’ve been trying to get Nexus OSS installed on a STIG’d RHEL 8 for a while. For testing purposes, I installed a RHEL 8 VM and Nexus OSS 3.37.1-01, and then STIG’d the server with DISA STIG V1R4, rebooting and testing along the way. I do not have nginx installed as a reverse proxy.
Here is what I have found and I am about 90% STIG’d.

In /etc/fstab, /home must not have noexec: opens V-230302, CAT-II
FIPS mode must be turned off; if on, initialization gear spins forever: opens V-230223, CAT-1

With these open items, Nexus seems to work well, but I have not installed a certificate on the server to enable SSL either yet. I also have not fully configured and enforce fapolicy, so that may, or may not, have an effect on the installation as well. And, not sure how many ISSMs want to open a CAT-1 to install Nexus… But, at least now you know. Perhaps the Nexus team will fix to allow FIPS mode in future releases? Hope this helps someone else.

daniel.babcock · December 26, 2021, 9:27pm

…and, fapolicyd does have an effect on Nexus install… negatively. So,

fapolicyd requires proper config or turned off which opens V-244545, CAT-II.

So there you have it. STIG’d with RHEL 8 V1R4, you must open three (3) checklist items to install Nexus 3. I have followed the STIG for my fstab with exception to /home: All drives except root (/) are nodev. All drives are nosuid except /var (not required) and root (/). All drives are noexec except root (/), /home (V-230302 as indicated above), /boot (not required), and /var (not required).