2

I'd like my Archiva instance to be safely secured by my SSL certificate. Available documentation seems not to mention this topic at all, which struck me as very odd.

I know that Archiva is backed up by Jetty (which of course supports SSL), but when you start reading about setting up SSL with Jetty you immediately run into questions like: where do I find jetty-ssl.xml (which seems to be absent in Archiva's default installation)? Where/how do I start?

I also know that I could add an Apache proxy in front of Archiva, but I don't necessarily want to do this. I don't want one server to be dependent on another.

Kalle Richter
ŁukaszBachman

2 Answers

1

Getting jetty-ssl.xml. Apache Archiva (v2.2.4) uses Jetty 8.1.14. You can download 8.1.x from Jetty's previous versions and extract the jetty-ssl.xml file from the /etc folder into the Archiva config folder (<archiva home>/conf).

Configuring jetty-ssl.xml. See the answers to this question for more details on updating the file (i.e. port, keystore path, keystore password and, if the private key is encrypted, keymanager password). To obfuscate your password, you can use Archiva's internal libraries (example using Archiva v2.2.3):

java -cp <archiva home>/lib/jetty-util-8.1.14.v20131031.jar org.eclipse.jetty.util.security.Password "{PASSWORD}"

Updating wrapper.conf. Modify Archiva's wrapper configuration (located at <archiva home>/conf/wrapper.conf) and add the following entry in the Application parameters section:

wrapper.app.parameter.3=%ARCHIVA_BASE%/conf/jetty-ssl.xml

Restart the Archiva service to pick up the new configuration.

Troubleshooting. Look at the wrapper log (located at <archiva home>/log) for errors. You can increase the log level to INFO for more details. If everything is correct you should see an entry like this (I'm using port 8444):

INFO:oejs.AbstractConnector:Started SslSelectChannelConnector@0.0.0.0:8444
Miguel Bautista
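
The steps in the answer above can be checked after the restart with a short script. This is an added example, not part of the original answer: the function names and the script name are hypothetical, the wrapper log path is passed as an argument, and the numbering check assumes the Java Service Wrapper's rule that numbered properties run 1..n without gaps.

```sh
#!/bin/sh
# Added example (not from the answer): checks for the steps described above.
# Usage: sh check-archiva-ssl.sh <archiva home> <wrapper log file>  (hypothetical name)

# Print N of the wrapper.app.parameter.N entry that loads jetty-ssl.xml.
ssl_param_index() {
  sed -n 's/^[[:space:]]*wrapper\.app\.parameter\.\([0-9][0-9]*\)[[:space:]]*=.*jetty-ssl\.xml[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Succeed only if the active (uncommented) parameter numbers are exactly 1..n.
# Assumption: the wrapper reads numbered properties in sequence, so a gap or a
# reused number can leave jetty-ssl.xml unloaded.
params_sequential() {
  sed -n 's/^[[:space:]]*wrapper\.app\.parameter\.\([0-9][0-9]*\)[[:space:]]*=.*/\1/p' "$1" |
    sort -n | awk '$1 != NR { bad = 1 } END { exit (bad || NR == 0) }'
}

# Print the port from the last "Started SslSelectChannelConnector@host:port" line.
ssl_connector_port() {
  sed -n 's/.*Started SslSelectChannelConnector@.*:\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1
}

# OBF: values from org.eclipse.jetty.util.security.Password are reversible,
# so the file holding them should not be readable by "other".
not_world_readable() {
  [ -z "$(find "$1" -prune -perm -004)" ]
}

check_archiva_ssl() {
  cas_conf="$1/conf/wrapper.conf"; cas_ssl="$1/conf/jetty-ssl.xml"; cas_rc=0
  [ -f "$cas_ssl" ] || { echo "FAIL: $cas_ssl is missing"; return 1; }
  cas_idx=$(ssl_param_index "$cas_conf")
  if [ -n "$cas_idx" ]; then echo "OK: wrapper.app.parameter.$cas_idx loads jetty-ssl.xml"
  else echo "FAIL: wrapper.conf has no parameter for jetty-ssl.xml"; cas_rc=1; fi
  if params_sequential "$cas_conf"; then echo "OK: parameter numbering is 1..n"
  else echo "FAIL: wrapper.app.parameter numbers have a gap or duplicate"; cas_rc=1; fi
  if not_world_readable "$cas_ssl"; then echo "OK: jetty-ssl.xml is not world-readable"
  else echo "FAIL: jetty-ssl.xml is world-readable (it holds the keystore password)"; cas_rc=1; fi
  cas_port=$(ssl_connector_port "$2")
  if [ -n "$cas_port" ]; then echo "OK: SSL connector started on port $cas_port"
  else echo "FAIL: no 'Started SslSelectChannelConnector' line in $2"; cas_rc=1; fi
  return "$cas_rc"
}

if [ "$#" -eq 2 ]; then check_archiva_ssl "$1" "$2"; fi
```
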
0

You can add jetty-ssl.xml in the same place as jetty.xml. IMHO the easiest solution is probably to have an httpd instance handling SSL and proxying to Archiva over HTTP, as it will be easy to upgrade etc...

Olivier Lamy
  • I think so too, but lack of any official tutorial / documentation about this struck me as odd. Unfortunately I can't accept this as an answer unless you show how to do it. – ŁukaszBachman Oct 21 '15 at 07:28
  • In case somebody comes across this old question, one of the tests for our archiva image is to ensure that a TLS proxy works. You can use that test as a working example, see [here](https://github.com/xetus-oss/docker-archiva/blob/master/docker-compose.nginx-https.yaml) – Terence Jun 24 '20 at 14:46