
Nexus Repository Cloud

A managed Software-as-a-Service (SaaS) offering for Nexus Repository Pro, leveraging the full capabilities of the platform without the complexities of managing the underlying infrastructure. The service delivers the same high performance and extensive features that users have come to expect from Nexus Repository with the added benefits of cloud-based flexibility and operational freedom.

  • Fully Managed Service

    Sonatype handles all aspects of managing your mission-critical service, providing highly available deployments with rolling updates, replicated backups, and automatic failover in case of any issues. Your deployment seamlessly scales with your repository usage as your development needs grow.

  • Reduced Total Cost of Ownership

    Eliminates costs and time associated with server provisioning, security hardening, maintenance upgrades, and performance tuning.

  • Focus on Innovation

    Frees your IT and development teams from managing tools, allowing them to focus on strategic initiatives and building software. Nexus Repository Cloud is always up-to-date, often before the on-prem release. Leverage the latest features before everyone else.

  • Migration Services

    Sonatype's customer success team is available to assist in migrating your on-prem deployment to the cloud for a smooth transition with minimal downtime. Our experts review your deployment to provide guidance through the whole process.

The functionality of Nexus Repository Cloud is identical to using the self-hosted deployment with these improvements to the experience:

  • Simplified Administration UI

    The administration user interface and REST APIs are simplified as server operations are offloaded from your administration team and managed by Sonatype.

    These include the configuration of the following components: blob storage, local users, security realms, system information, outbound and SSL connections, maintenance tasks, and capabilities.

  • Authenticated Access for All Users

    Sonatype uses a flexible authentication and identity management platform providing secure login, single sign-on (SSO), 2FA, and team management.

    Connect your own identity provider to provide immediate access for your organization or use our full-featured IdP to connect to the entire Sonatype platform. User tokens provide the security and flexibility to integrate with any client tooling.

    Allowing anonymous access to your tenant would introduce a critical security risk to your software supply chain. To protect your Nexus Repository Cloud deployment, anonymous access is not available.

  • Connections Across the Public Internet

    Your IdP and notification tooling need to be accessible on the public internet. Nexus Repository Cloud is hosted in SOC 2-compliant environments with encryption at rest and in transit, SSO integration, auditing, and role-based access control. 2FA is enabled by default to add an extra layer of security beyond just passwords, making it significantly harder for unauthorized individuals to access your accounts.

  • Controlled Access to Server Files

    Access to Sonatype's world-class support has never been easier. Managing the database, importing and exporting content, upgrading and backing up the service, and seamlessly failing over to another region are handled by Sonatype.

    Access to the underlying server files, such as logging, file storage, and service configuration, is protected and requires a support ticket when needed.

  • Integrate with Full REST API Support

    Full REST API support is provided for complete automation and scripting when interacting with your external systems. The legacy OSGI bundling and scripting APIs are completely removed from Nexus Repository Cloud for additional security hardening, as they are no longer needed or supported.

  • Simplified Container Access with Docker Paths

    The Docker client has strict requirements for the path where images are hosted in a registry. Docker path support replaces the previous requirement for access using Docker ports and subdomains. The use of Docker subdomains and connector ports is not supported in Nexus Repository Cloud.

Connect to the Cloud Tenant

After purchasing a Sonatype Cloud solution, you receive your license and instructions for setting up the tenant.

  1. Create your Nexus Repository Cloud Tenant

    You receive an email with a URL to the service when ready. This URL is unique to your organization and is sensitive information.

    1. Visit https://my.sonatype.com and select Sign In.

      On the login screen, select Register to register your new account with your work email address. Once complete, log into your account.

    2. Choose Organizations from the user menu under your profile name. Select Create Organization.

    3. Name your organization using your official company name and add a logo image.

    4. Provide your license fingerprint from the welcome email.

    5. Provide a list of email addresses for your Nexus Repository Cloud instance's admin users.

    6. Select the Request button to provision your Nexus Repository Cloud instance.

  2. Designate your support contacts

    Once your license fingerprint validates, select Support Contacts from the side menu and then select the team members to authorize as support contacts.

    You may assign four authorized support contacts.

  3. Provide your Identity Provider details (optional)

    Contact your Sonatype account team to assist in securely connecting your identity provider to your cloud tenant as an authorization realm. They will provide instructions for preparing your identity provider for the remote connection.

    While you may manage users directly in the Nexus Repository, using an external IdP simplifies onboarding new teams and services.

  4. Log into your Cloud Tenant

    After receiving the getting started email, sign in to your tenant to configure your default roles and begin building your pipelines.

Set the Default Role

As a public cloud deployment, Nexus Repository Cloud does not include anonymous access, so all users must be authenticated through the identity provider configured for your tenant. Once users are authenticated, they are provided a base level of access using the Default Role capability. Manually create a role with the minimum access available to all authenticated users of your tenant.

  1. Add a role to provide the default level of access

    Use the instructions linked below to add a new role to your Nexus Repository Cloud tenant. This role applies to all users who can authenticate to your tenant. Use the next step to select the privileges.

    See Creating Roles

  2. Set the default permissions

    Set the minimum privileges needed to access your Nexus Repository Cloud Tenant, as required by your organization's security policies. Below are suggested minimum permissions to get started. To upload components, users will need the additional repository-view privileges.

    nx-healthcheck-read
    nx-search-read
    
    // To access and read all repositories, use the following.
    nx-repository-view-*-*-read
    nx-repository-view-*-*-browse
    
    // To upload components
    nx-repository-view-*-*-add

    See Privileges

  3. Set this role as the Default Role

    Enable the capability to assign the new role as the default role.

    See Default Role
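To keep the Default Role at the minimum described above, the following added example (not Sonatype code) compares a role's privilege list against the baseline suggested on this page and lists anything outside it for review. The input format, one privilege name per line, is an assumption; the function name and `--allow-upload` flag are hypothetical.

```shell
#!/bin/sh
# Added example, not Sonatype code. Baseline = the privileges suggested on this page.
BASELINE='nx-healthcheck-read
nx-search-read
nx-repository-view-*-*-read
nx-repository-view-*-*-browse'
UPLOAD='nx-repository-view-*-*-add'

# audit_default_role [--allow-upload]
# stdin: one privilege name per line (assumed export format).
# Prints "EXTRA <name>" for each privilege not literally in the baseline,
# so it can be reviewed; returns 1 if any were found, 0 otherwise.
audit_default_role() {
    allowed=$BASELINE
    if [ "${1:-}" = "--allow-upload" ]; then
        allowed="$allowed
$UPLOAD"
    fi
    rc=0
    # Default IFS trims surrounding whitespace; the || keeps a last unterminated line.
    while read -r priv || [ -n "$priv" ]; do
        case $priv in ''|//*) continue ;; esac     # skip blanks and // comments
        # -F -x: fixed-string, whole-line match, so the '*' in privilege names is
        # compared literally and never acts as a wildcard.
        if ! printf '%s\n' "$allowed" | grep -Fxq -- "$priv"; then
            printf 'EXTRA %s\n' "$priv"
            rc=1
        fi
    done
    return "$rc"
}
```
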

Getting Started

  1. Setting up Repository Firewall

    Repository Firewall automatically enforces your organization's open source policies as CI builds and developers request components from remote proxies. This protects your organization from open source risks such as malware, license issues, and security vulnerabilities.

  2. Enable User Tokens

    Client access to your repositories requires authentication, and user tokens are the recommended way to allow automated systems to securely interact with Nexus Repository Cloud. After you enable User Tokens and the rotation requirements, your users may log into the user interface to generate tokens for use in their client tools and API calls.

    See Enabling User Tokens in Nexus Repository

  3. Setting up your Build Pipeline Environments

    Staging environments consist of a group repository that aggregates remote proxy and internal hosted repositories and serves as a single endpoint for client tools. These simplify access for development teams while giving administrators full access control over the available repositories.

    See Staging Concepts

  4. Content Selector

    Content Selectors are filters defining a specific subset of content within a repository based on the content's path. They are most commonly used to restrict write access to a namespace belonging to a specific team. When designing your access model, consider using content selectors for managing namespaces.

    See Content Selectors

  5. Cleanup Policies

    Cleanup policies are crucial in helping to control storage costs by automatically deleting old and unused artifacts. Removing clutter keeps the repository lean and fast, ensuring quick searches and responsive build times for developers and CI/CD tools. They help prevent the accidental use of outdated or potentially insecure components by removing them, ensuring developers are more likely to use the correct, approved artifacts.

    See Cleanup Policies

Invite Users to the Cloud Tenant

Administrators may directly invite users to the tenant through the Settings -> Security -> Users view. An email is sent to the user to verify their email address while setting up 2FA access. Once complete, the user is able to log in with permissions provided by the Default User role.

  1. Select Invite Users and fill out the form providing the email and the name of the user.

  2. A confirmation email is sent to the user to verify their email address.

  3. After entering a password, new users will need to follow the instructions to configure 2FA.


Using Client Tools

Development tools such as Maven, npm, and Docker fetch dependencies directly from public servers on the internet. While this works for small projects, it introduces inefficiencies and risks to project stability and build reliability. Configuring your client tools to use your Nexus Repository Cloud Tenant is a fundamental step in modern software development that provides significant advantages in speed, reliability, and security.

  1. Locate the Configuration File

    Find the correct configuration file for your specific tool. This file is where you define which repository the tool should use to download packages and dependencies.

  2. Point the Client to Your Nexus Repository

    Add or modify the setting that specifies the repository URL. The goal is to replace the default public repository (like Maven Central, npmjs.org, or PyPI) with the URL of the proxy repository configured in your Nexus Repository tenant.

    See Formats

  3. Configure Your Credentials

    Provide your access token generated from the Nexus Repository UI. Your user token is a unique, randomly generated key used to authenticate with API calls and to configure clients.

    See User Token and User Token REST API
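The three steps above for Maven, as an added example that is not from the Sonatype documentation: it writes a `settings.xml` whose mirror sends every repository request to the tenant and whose credentials are read from the environment, so the user token is never stored in the file. The repository URL is supplied by the caller, and the environment variable names `NEXUS_TOKEN_NAME` and `NEXUS_TOKEN_PASS`, the `nexus-cloud` id, and both function names are assumptions.

```shell
#!/bin/sh
# Added example. ASSUMPTIONS: NEXUS_TOKEN_NAME / NEXUS_TOKEN_PASS are hypothetical
# environment variables holding the user token's name code and pass code;
# "nexus-cloud" is an arbitrary id (mirror id and server id must match).

# write_maven_settings <target-dir> <repo-url>
write_maven_settings() {
    dir=$1
    url=$2
    case $url in
        https://*) ;;   # the token must only travel over TLS
        *) printf 'refusing non-HTTPS repository URL: %s\n' "$url" >&2; return 1 ;;
    esac
    mkdir -p "$dir"
    (
        umask 077       # create the file readable by its owner only
        cat > "$dir/settings.xml" <<EOF
<settings>
  <mirrors>
    <mirror>
      <id>nexus-cloud</id>
      <mirrorOf>*</mirrorOf>
      <url>$url</url>
    </mirror>
  </mirrors>
  <servers>
    <server>
      <id>nexus-cloud</id>
      <username>\${env.NEXUS_TOKEN_NAME}</username>
      <password>\${env.NEXUS_TOKEN_PASS}</password>
    </server>
  </servers>
</settings>
EOF
    )
}

# settings_ok <file>: succeeds only if the mirror covers every repository and the
# password is an environment reference rather than a literal secret.
settings_ok() {
    grep -q '<mirrorOf>\*</mirrorOf>' "$1" &&
    grep -q '<password>\${env\.[A-Z_]*}</password>' "$1"
}
```

The `<mirrorOf>*</mirrorOf>` entry is what stops Maven from falling back to a public repository when a project's POM declares one.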

Administrator Roles

In the identity management platform, the Sonatype Platform - Administrator role is assigned to the primary user associated with the purchased license. This role is automatically mapped to the in-built read-only nx-admin role in Nexus Repository Cloud and cannot be modified.

The nx-admin role may be granted to other users directly, or via another role mapping when desired.

Usage Limits

Nexus Repository Cloud operates on a usage-based licensing model designed to offer predictable and fair pricing.

  • Consumption

    Defined as the sum of Egress and Storage. Nexus Repository Cloud provides historical usage reporting to help price Cloud opportunities.

    • Egress: This refers to the total size, in gigabytes, of all components downloaded from the Nexus Repository Cloud environment per month.

    • Storage: This refers to the total size, in gigabytes, of all components stored in the repository's blob stores managed by Nexus Repository Cloud.

    See Usage Metrics