Resetting the Admin Password of Sonatype Nexus 3 Repository
Pavan Bagde
I recently faced a critical situation with a locally hosted Nexus 3 repository running in a Docker container, using the embedded OrientDB. The admin password had been lost. To make things worse, the disk filled up, taking the entire repository offline. We needed access restored fast.
I tried prompting an LLM for help, but most answers were generic or overly drastic; some even suggested reinstalling Nexus, which sounded like overkill.
My first instinct was to try resetting the password by editing a config file or injecting a default password hash. But this approach quickly failed, as I learned Nexus 3 stores all its configuration data inside the embedded OrientDB, so there’s no flat file on the host that you can edit, which is good for security.
Thankfully, I found an official Sonatype support article explaining how to reset the admin password by directly editing the embedded database.
The process worked, and I was able to regain access without data loss.
In this post, I’ll walk through the exact steps I followed to reset the admin password in a Dockerized Nexus 3 setup.
1. Shut down the Nexus Docker container and back up the Nexus data directory /db.
The location of the Nexus data directory /db can be found by inspecting the volume attached to the Docker container. Another option is to grep the log files, as below:
$ zgrep 'karaf.data' sonatype-work/nexus3/log/nexus*
# e.g. output
# 2020-05-06 14:26:55,419-0300 INFO [FelixStartLevel] *SYSTEM org.sonatype.nexus.bootstrap.ConfigurationBuilder - karaf.data='/Users/example/app/nexus-installer-3.23.0-03-mac-archive/sonatype-work/nexus3'
Once you have the location, take a backup of the Nexus data directory, then shut down the Nexus Docker container.
cd "path to nexus docker-compose.yml"
docker compose down
2. Access the OrientDB console
Caution: Using the console incorrectly can cause irreparable harm to the databases.
The OrientDB console can be accessed using these instructions; the steps below are the same, for Nexus running in a Docker container:
If you normally run Nexus Repository in a Docker container with something like the following:
docker run -d -p 8081:8081 --name nexus -v /some/dir/nexus-data:/nexus-data sonatype/nexus3
Then you should be able to get access to the shell as follows:
docker run -it -p 8081:8081 --name nexus -v /some/dir/nexus-data:/nexus-data sonatype/nexus3 /bin/bash
Once at a terminal in the container, you need to change directory to /nexus-data. This allows .orientdb_history files to be created on the attached volume and lets the OrientDB console launch without error.
cd /nexus-data
Launch the console using:
java -jar $NEXUS_HOME/lib/support/nexus-orient-console.jar
You should be presented with a command-line interface such as this, ready to accept your commands:
OrientDB console v.2.2.16 www.orientdb.com
Type 'help' to display all the supported commands.
orientdb>
When you are done with your commands, type exit to quit the console.
3. Update the Admin user password hash
Once in the OrientDB console, run the following command:
connect plocal:../sonatype-work/nexus3/db/security admin admin
You may need to adjust the path used in the connect statement depending on the location of your nexus data directory. It should be the path to the “db/security” directory in your data directory. An absolute path may be used.
After the connect command succeeds, check that the admin user exists:
select * from user where id = "admin"
If the admin user does exist, issue this command in the console to update the admin user password to admin123:
update user SET password="$shiro1$SHA-512$1024$NE+wqQq/TmjZMvfI7ENh/g==$V4yPw8T64UQ6GfJfxYq2hLsVrBY8D1v+bktfOxGdt4b/9BthpWPNUy/CBk6V9iA0nHpzYzJFWO8v/tZFtES8CA==" UPSERT WHERE id="admin"
If the admin user does not exist, then issue the following two INSERT commands in the console to insert the admin user with password admin123 and the default role mapping:
INSERT INTO user (status, id, firstName, lastName, email, password) VALUES ('active', 'admin', 'admin', 'admin', 'changeme@yourcompany.com', '$shiro1$SHA-512$1024$NE+wqQq/TmjZMvfI7ENh/g==$V4yPw8T64UQ6GfJfxYq2hLsVrBY8D1v+bktfOxGdt4b/9BthpWPNUy/CBk6V9iA0nHpzYzJFWO8v/tZFtES8CA==')
INSERT INTO user_role_mapping (userId, source, roles) VALUES ('admin', 'default', 'nx-admin')
The query language is SQL-like, but it is not SQL. See the OrientDB Command Reference.
At this point, exit the shell session in the Docker container and bring up the container as usual. The admin user should be able to authenticate if the default security realms are still in place. Verify you can log in as the admin user using your web browser.
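The password value in the UPDATE and INSERT statements above is an Apache Shiro shiro1 hash string. The following Python code is an added example, not part of the original post or of Sonatype's article: it builds such a string for a password of your own choosing and checks a candidate password against an existing string. The function names are this example's own, and it assumes the fields are algorithm, iteration count, base64 salt and base64 digest, with the digest computed the way Shiro's SimpleHash does (salt followed by password, then re-hashed for the remaining iterations).

```python
import base64
import hashlib
import hmac
import os

# Assumed layout: $shiro1$<algorithm>$<iterations>$<base64 salt>$<base64 digest>
PREFIX = "$shiro1$"
ALGORITHMS = {"SHA-512": "sha512", "SHA-256": "sha256"}

def _digest(algorithm, password, salt, iterations):
    """Salted, iterated hash; assumed to match Apache Shiro's SimpleHash."""
    name = ALGORITHMS[algorithm]
    hashed = hashlib.new(name, salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):  # the first round was done above
        hashed = hashlib.new(name, hashed).digest()
    return hashed

def parse_shiro1(value):
    """Split a shiro1 string into (algorithm, iterations, salt, digest)."""
    parts = value[len(PREFIX):].split("$")
    if not value.startswith(PREFIX) or len(parts) != 4 or parts[0] not in ALGORITHMS:
        raise ValueError("not a supported shiro1 hash string")
    algorithm, iterations, salt_b64, digest_b64 = parts
    return (algorithm, int(iterations),
            base64.b64decode(salt_b64, validate=True),
            base64.b64decode(digest_b64, validate=True))

def make_shiro1(password, iterations=1024, salt=None):
    """Build a SHA-512 shiro1 string; a random 16-byte salt is used by default."""
    salt = os.urandom(16) if salt is None else salt
    digest = _digest("SHA-512", password, salt, iterations)
    return "{}SHA-512${}${}${}".format(
        PREFIX, iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"))

def verify_shiro1(value, password):
    """Return True if password reproduces the digest stored in value."""
    algorithm, iterations, salt, digest = parse_shiro1(value)
    candidate = _digest(algorithm, password, salt, iterations)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

if __name__ == "__main__":
    import getpass
    # Prompt rather than take argv, so the password stays out of shell history.
    print(make_shiro1(getpass.getpass("New admin password: ")))
```

The printed string can take the place of the password value in the UPDATE or INSERT statement. If the published admin123 hash is used instead, change the password right after the first login, since that value is publicly known.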
Read More
How to reset a forgotten admin password in Sonatype Nexus Repository 3