Skip to main content

Reset the Admin Password

Sonatype Nexus Repository 3 includes a default 'admin' Administrator user account. In cases where this password is lost or the account is disabled or removed, the following steps explain how to restore the default admin user account and set the password to admin123. We highly recommend logging in to change the password as the default credentials will leave the system unsecured.

Changing the admin account and password requires directly updating the Nexus Repository database so the process depends on the database.

Prerequisites

  • Backup of the server files and database to avoid unrecoverable errors

  • As we are making direct changes to the database, write access to the database console is required

  • Restarting PostgreSQL or shutting down the server for embedded databases is required

Reset Admin User using H2 or PostgreSQL Database

When PostgreSQL or H2 database is used, certain SQL statements may differ slightly due to changes in the DB schema. 

When using the H2 database, see "Database Console for H2 Database" to get a console prompt.

  1. Check for the existing admin user
    select * from security_user where id='admin';

    When the admin user is found update the user with the admin123 password. A non-reversible hash of the password is stored in the database instead of the actual password for security.

    update security_user SET password='$shiro1$SHA-512$1024$NE+wqQq/TmjZMvfI7ENh/g==$V4yPw8T64UQ6GfJfxYq2hLsVrBY8D1v+bktfOxGdt4b/9BthpWPNUy/CBk6V9iA0nHpzYzJFWO8v/tZFtES8CA==', status='active' WHERE id='admin';

    When the admin user is not found, we will insert the user into the security_user table.

    insert into security_user (status, id, first_name, last_name, email, password) VALUES ('active', 'admin', 'admin', 'admin', 'admin@example.org', '$shiro1$SHA-512$1024$NE+wqQq/TmjZMvfI7ENh/g==$V4yPw8T64UQ6GfJfxYq2hLsVrBY8D1v+bktfOxGdt4b/9BthpWPNUy/CBk6V9iA0nHpzYzJFWO8v/tZFtES8CA==');
  2. Check for existing admin user role mapping
    select * from user_role_mapping where user_id = 'admin';

    When not set, update the user with the nx-admin role.

    update user_role_mapping set roles='["nx-admin"]' where user_id = 'admin';

    You may need to insert the role mapping when nothing is found.

    insert into user_role_mapping (user_id, user_lo, source, roles) VALUES ('admin', 'admin', 'default', '["nx-admin"]');
  3. Check authentication realms
    select * from realm_configuration;

    Update the default authentication realms when not set

    update realm_configuration SET realm_names = '["NexusAuthenticatingRealm", "NexusAuthorizingRealm"]' where id = 1;

    Insert the record when not found

    insert into realm_configuration (id, realm_names) values (1, '["NexusAuthenticatingRealm", "NexusAuthorizingRealm"]');
  4. Restart Nexus to ensure the above changes take effect.

Reset Admin User using embedded OrientDB Database

Nexus Repository 3.70.x line is the last release line to support OrientDB.

  1. Shut down the Nexus REpository, and backup the data directory's DB folder.

  2. Access the OrientDB console using these instructions.

  3. Run the following command:

    connect plocal:../sonatype-work/nexus3/db/security admin admin

    You may need to adjust the path used in the connect statement depending on the location of your Nexus Repository data directory. It should be the path to the "db/security" directory in your data directory. An absolute path may be used.

  4. After the connect command succeeds, check that the admin user exists

    select * from user where id = "admin"

    If the admin user does exist, issue this command in the console to update the admin user password to admin123 :

    update user SET password="$shiro1$SHA-512$1024$NE+wqQq/TmjZMvfI7ENh/g==$V4yPw8T64UQ6GfJfxYq2hLsVrBY8D1v+bktfOxGdt4b/9BthpWPNUy/CBk6V9iA0nHpzYzJFWO8v/tZFtES8CA==" UPSERT WHERE id="admin"

    If the admin user does not exist,  then issue the following two INSERT commands in the console to insert the admin user with password admin123 and the default roll mapping:

    INSERT INTO user (status, id, firstName, lastName, email, password) VALUES ('active', 'admin', 'admin', 'admin', 'changeme@yourcompany.com', '$shiro1$SHA-512$1024$NE+wqQq/TmjZMvfI7ENh/g==$V4yPw8T64UQ6GfJfxYq2hLsVrBY8D1v+bktfOxGdt4b/9BthpWPNUy/CBk6V9iA0nHpzYzJFWO8v/tZFtES8CA==')
    INSERT INTO user_role_mapping (userId, source, roles) VALUES ('admin', 'default', 'nx-admin')

    At this point, the admin user should be able to authenticate if the default security realms are in still in place. Verify you can log in as the admin user using your web browser.

  5. Optional, if the admin user still fails to authenticate: If the default security realms were removed from the active list, the default admin user will still not be able to authenticate, despite resetting the password.

    To reset the default security realms, enter this command at the orientdb console prompt:

    delete from realm

    After this command succeeds and Nexus is restarted, the default security realms will be activated and any custom-activated realms will have been removed.

    An admin user will then have to add back in any other security realms they had previously ( such as LDAP) using the Realms UI, to allow other users to authenticate.

  6. Optional, if the admin user is missing the "nx-admin" role:

    Check to see what roles the "admin" user has assigned to them:

    select * from user_role_mapping where userID = "admin"

    If they are missing "nx-admin" use this command at the orientdb console prompt to fix:

    update user_role_mapping set roles = ["nx-admin"] where userID = "admin" 
  7. Optional, check to see if the admin user is active:

    Check to see if the "admin" user is active:

    select status from user where id = "admin"

    If they are not active, use this to make them active:

    update user set status="active" upsert where id="admin"
  8. To end the console session gracefully type "exit".

  9. Start Nexus again using ./bin/nexus start or your regular service control command.

Database Console for H2 Database

To get a database console prompt when using H2 database, add the following properties to $datadir/etc/nexus.properties and restart the server.

nexus.h2.httpListenerEnabled=true
nexus.h2.httpListenerPort=1234

Restart the Nexus Repository server and visit the port configured in httpListenerPort in a local web browser. Do not expose this endpoint to external users.

http://localhost:1234

Use the following connection info:

Save Settings: Generic H2 (Embedded)
Driver: org.h2.Driver
JDBC URL: jdbc:h2:file:nexus
username: <LEAVE BLANK>
password: <LEAVE BLANK>