Proxying RHEL Yum Repositories
Red Hat Enterprise Linux (RHEL) is subscription-based and communicates with remote Yum repositories over HTTPS. In order to set up a proxy in Nexus Repository for this scenario, Nexus Repository must trust the remote certificate and also authenticate when requesting packages from the remote server. The following subsections illustrate how to properly configure Nexus Repository for SSL communication with RHEL remote Yum repositories.
- You have a RHEL subscription (See the RHEL site for details).
- You have downloaded SSL certificates for your Red Hat subscription.
- You have imported your certificates onto your RHEL instance/machine using the subscription-manager command-line tool that comes with RHEL.
- Ensure you have the Java keytool installed on your RHEL instance/machine. The Java keytool is part of the JDK; you can install JDK 8 to obtain it.
Proxying Yum Repositories on RHEL
For this illustration, we are making use of a RHEL7 docker image (i.e., registry.redhat.io/rhel7:latest). The latest vesion was 7.7 at the time of writing.
On your RHEL instance, confirm that you have your certificate and associated private key files in your
/etc/pki/entitlementdirectory. If you've imported your RHEL subscription certfificate, the RHEL subscription-manager command-line utility puts the certificate and associated private key files in the aforementioned directory by default.
In your RHEL terminal, run the command below (you should specify your RHEL entitlement certificate and key as appropriate).
openssl pkcs12 -export -in /etc/pki/entitlement/4616881636184323465.pem -inkey /etc/pki/entitlement/4616881636184323465-key.pem -name certificate_and_key -out certificate_and_key.p12 -passout pass:password
In your RHEL terminal, run the command below. After running the command, you should have a file called
keystore.p12in your current directory.
keytool -importkeystore -srckeystore certificate_and_key.p12 -srcstoretype PKCS12 -srcstorepass password -deststorepass password -destkeystore keystore.p12 -deststoretype PKCS12
If you have an existing key store file (i.e., not trust store), then you need to import the contents of the
keystore.p12file created in step 3 above into your existing key store file.
On your Nexus server, do the following:
Make a backup of your existing key store file.
Run the commands below:
keytool -importkeystore -srckeystore existing_keystore.p12 -srcstoretype PKCS12 -srcstorepass existing_keystore_password -deststorepass password -destkeystore new_combined_keystore.p12 -deststoretype PKCS12 keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -srcstorepass password -deststorepass password -destkeystore new_combined_keystore.p12 -deststoretype PKCS12
On your RHEL server, create a
/etc/yum.repos.ddirectory similar to the following:
[nexus] name = Nexus Repository enabled = 1 gpgcheck = 1 baseurl = http://ipaddress:port/repository/rhel-proxy/$releasever/$basearch/os ui_repoid_vars = releasever basearch gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release priority=1
If you have set
gpgcheckto 1 (i.e., enabled), you'll want to provide the location of the
gpgkey, replacing the value we've shown in the example above.
On your Nexus server, put the following Java system properties in your
$app-dir/bin/nexus.vmoptionsfile or if the properties already exist in that file, update to reference the new key store. You'll need to make the
keystore.p12 or new_combined_keystore.p12file created above accessible to Nexus Repository on the machine running it.
-Djavax.net.ssl.keyStore=<path to keystore file> -Djavax.net.ssl.keyStorePassword=<keystore password specified earlier for the keytool command>
- After making changes to
$app-dir/bin/nexus.vmoptionsor the keystore it references, you must restart Nexus Repository so that it can pick up the change.
In Nexus Repository web UI, set up your yum proxy repository. (Also see Repository Management for information on setting up a repository.)
Click on the View Certificate button; when the Certificate Details pop-up displays, select Add certificate to trust store.
If you install a package with yum, you should should see in the RHEL terminal that it's downloading packages from the
Proxying Yum Repositories on RHEL 8+ with an AWS example
AWS RHEL 8 EC2 instance on which Yum will be proxied:
AWS Amazon Linux EC2 instance running Nexus Repository:
- Follow the instructions in the Proxying Yum Repositories on RHEL section with the following exceptions since the EC2 instance is running RHEL8.
/etc/yum.repos.ddirectory should be similar to the following:
[nexus_baseos] name = Nexus Repository Baseos enabled = 1 gpgcheck = 1 baseurl = http://ipaddress:port/repository/rhel-proxy/$releasever/$basearch/baseos/os ui_repoid_vars = releasever basearch gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release priority=1 [nexus_appstream] name = Nexus RHEL x86_64 AppStream Proxy (RPMs) enabled = 1 gpgcheck = 1 baseurl = http://ipaddress:port/repository/rhel-proxy/$releasever/$basearch/appstream/os ui_repoid_vars = releasever basearch gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release priority=1
If you have
gpgcheckset to "1" (i.e., enabled), provide the location of the
gpgkeyby replacing the value we've shown in the example above.
- In the Nexus Repository web UI, when you set up your yum proxy repository as specified in the Proxying Yum Repositories on RHEL section, you should instead specify the remote URL as
If you install packages with yum (e.g.,
sudo yum install httpd -y), you should see in the terminal that it's downloading packages from the 'nexus_baseos' and 'nexus_appstream' repositories set up eariler.