Reset the Admin Password
Sonatype Nexus Repository 3 includes a default 'admin' Administrator user account. In cases where this password is lost or the account is disabled or removed, the following steps explain how to restore the default admin user account and set the password to admin123. We highly recommend logging in to change the password as the default credentials will leave the system unsecured.
Changing the admin account and password requires directly updating the Nexus Repository database, so the process depends on which database is in use.
Prerequisites
Backup of the server files and database to avoid unrecoverable errors
As we are making direct changes to the database, write access to the database console is required
Restarting PostgreSQL or shutting down the server for embedded databases is required
Reset Admin User using H2 or PostgreSQL Database
When PostgreSQL or H2 database is used, certain SQL statements may differ slightly due to changes in the DB schema.
When using the H2 database, see "Database Console for H2 Database" to get a console prompt.
Check for the existing admin user:
select * from security_user where id='admin';
When the admin user is found, update the user with the admin123 password. A non-reversible hash of the password is stored in the database instead of the actual password for security.
update security_user SET password='$shiro1$SHA-512$1024$NE+wqQq/TmjZMvfI7ENh/g==$V4yPw8T64UQ6GfJfxYq2hLsVrBY8D1v+bktfOxGdt4b/9BthpWPNUy/CBk6V9iA0nHpzYzJFWO8v/tZFtES8CA==', status='active' WHERE id='admin';
When the admin user is not found, we will insert the user into the security_user table.
insert into security_user (status, id, first_name, last_name, email, password) VALUES ('active', 'admin', 'admin', 'admin', 'admin@example.org', '$shiro1$SHA-512$1024$NE+wqQq/TmjZMvfI7ENh/g==$V4yPw8T64UQ6GfJfxYq2hLsVrBY8D1v+bktfOxGdt4b/9BthpWPNUy/CBk6V9iA0nHpzYzJFWO8v/tZFtES8CA==');
Check for existing admin user role mapping:
select * from user_role_mapping where user_id = 'admin';
When not set, update the user with the nx-admin role.
update user_role_mapping set roles='["nx-admin"]' where user_id = 'admin';
You may need to insert the role mapping when nothing is found.
insert into user_role_mapping (user_id, user_lo, source, roles) VALUES ('admin', 'admin', 'default', '["nx-admin"]');
Check authentication realms:
select * from realm_configuration;
Update the default authentication realms when not set
update realm_configuration SET realm_names = '["NexusAuthenticatingRealm", "NexusAuthorizingRealm"]' where id = 1;
Insert the record when not found
insert into realm_configuration (id, realm_names) values (1, '["NexusAuthenticatingRealm", "NexusAuthorizingRealm"]');
Restart Nexus to ensure the above changes take effect.
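Added example (not Sonatype's code): once the password has been changed after the reset, an audit script can confirm that the stored admin hash no longer corresponds to the default credential, whether the value comes from security_user or from the OrientDB user class. It assumes the $shiro1$ value is Apache Shiro's salted, iterated digest, H(salt || password) re-hashed iterations-1 times; the function names are hypothetical and make_shiro1 exists only to build constructed sample data.

```python
import base64
import hashlib
import hmac

# Hash value published in the reset statements on this page (password admin123).
PAGE_DEFAULT_HASH = "$shiro1$SHA-512$1024$NE+wqQq/TmjZMvfI7ENh/g==$V4yPw8T64UQ6GfJfxYq2hLsVrBY8D1v+bktfOxGdt4b/9BthpWPNUy/CBk6V9iA0nHpzYzJFWO8v/tZFtES8CA=="
DEFAULT_PASSWORD = "admin123"

# Shiro algorithm names mapped to hashlib names.
ALGS = {"SHA-256": "sha256", "SHA-512": "sha512"}


def parse_shiro1(stored):
    """Split $shiro1$<alg>$<iterations>$<b64 salt>$<b64 digest> into fields."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "" or parts[1] != "shiro1":
        raise ValueError("not a shiro1 hash")
    alg, iterations = parts[2], int(parts[3])
    if alg not in ALGS or iterations < 1:
        raise ValueError("unsupported algorithm or iteration count")
    return alg, iterations, base64.b64decode(parts[4]), base64.b64decode(parts[5])


def shiro1_digest(password, alg, iterations, salt):
    """Assumed scheme: H(salt || password), then H(previous) iterations-1 times."""
    digest = hashlib.new(ALGS[alg], salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        digest = hashlib.new(ALGS[alg], digest).digest()
    return digest


def matches(stored, candidate):
    """Recompute the digest with the stored salt and compare in constant time."""
    alg, iterations, salt, expected = parse_shiro1(stored)
    return hmac.compare_digest(shiro1_digest(candidate, alg, iterations, salt), expected)


def still_default(stored):
    """True when the row still carries the page's hash or any hash of admin123."""
    return stored == PAGE_DEFAULT_HASH or matches(stored, DEFAULT_PASSWORD)


def make_shiro1(password, salt, iterations=1024):
    """Build a hash for constructed test data only."""
    d = shiro1_digest(password, "SHA-512", iterations, salt)
    return "$shiro1$SHA-512$%d$%s$%s" % (
        iterations, base64.b64encode(salt).decode(), base64.b64encode(d).decode())
```

Feed still_default the password column returned by the select statements above; a True result after the post-reset login means the default credential is still in place.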
Reset Admin User using embedded OrientDB Database
The Nexus Repository 3.70.x line is the last release line to support OrientDB.
Shut down Nexus Repository and back up the data directory's DB folder.
Access the OrientDB console using these instructions.
Run the following command:
connect plocal:../sonatype-work/nexus3/db/security admin admin
You may need to adjust the path used in the connect statement depending on the location of your Nexus Repository data directory. It should be the path to the "db/security" directory in your data directory. An absolute path may be used.
After the connect command succeeds, check that the admin user exists
select * from user where id = "admin"
If the admin user does exist, issue this command in the console to update the admin user password to admin123:
update user SET password="$shiro1$SHA-512$1024$NE+wqQq/TmjZMvfI7ENh/g==$V4yPw8T64UQ6GfJfxYq2hLsVrBY8D1v+bktfOxGdt4b/9BthpWPNUy/CBk6V9iA0nHpzYzJFWO8v/tZFtES8CA==" UPSERT WHERE id="admin"
If the admin user does not exist, then issue the following two INSERT commands in the console to insert the admin user with password admin123 and the default role mapping:
INSERT INTO user (status, id, firstName, lastName, email, password) VALUES ('active', 'admin', 'admin', 'admin', 'changeme@yourcompany.com', '$shiro1$SHA-512$1024$NE+wqQq/TmjZMvfI7ENh/g==$V4yPw8T64UQ6GfJfxYq2hLsVrBY8D1v+bktfOxGdt4b/9BthpWPNUy/CBk6V9iA0nHpzYzJFWO8v/tZFtES8CA==')
INSERT INTO user_role_mapping (userId, source, roles) VALUES ('admin', 'default', 'nx-admin')
At this point, the admin user should be able to authenticate if the default security realms are still in place. Verify you can log in as the admin user using your web browser.
Optional, if the admin user still fails to authenticate: If the default security realms were removed from the active list, the default admin user will still not be able to authenticate, despite resetting the password.
To reset the default security realms, enter this command at the orientdb console prompt:
delete from realm
After this command succeeds and Nexus is restarted, the default security realms will be activated and any custom-activated realms will have been removed.
An admin user will then have to add back in any other security realms they had previously (such as LDAP) using the Realms UI, to allow other users to authenticate.
Optional, if the admin user is missing the "nx-admin" role:
Check to see what roles the "admin" user has assigned to them:
select * from user_role_mapping where userID = "admin"
If they are missing "nx-admin" use this command at the orientdb console prompt to fix:
update user_role_mapping set roles = ["nx-admin"] where userID = "admin"
Optional, check to see if the admin user is active:
Check to see if the "admin" user is active:
select status from user where id = "admin"
If they are not active, use this to make them active:
update user set status="active" upsert where id="admin"
To end the console session gracefully type "exit".
Start Nexus again using
./bin/nexus start
or your regular service control command.
Database Console for H2 Database
To get a database console prompt when using H2 database, add the following properties to $datadir/etc/nexus.properties and restart the server.
nexus.h2.httpListenerEnabled=true
nexus.h2.httpListenerPort=1234
Restart the Nexus Repository server and visit the port configured in httpListenerPort in a local web browser. Do not expose this endpoint to external users.
http://localhost:1234
Use the following connection info:
Save Settings: Generic H2 (Embedded)
Driver: org.h2.Driver
JDBC URL: jdbc:h2:file:nexus
username: <LEAVE BLANK>
password: <LEAVE BLANK>