Modifying the Configuration File of the Apache Web Server

Use

The Apache Web server has a central configuration file called httpd.conf that contains all configuration information. To configure the Apache Web server for SSL, modify this configuration file.

Then enter the following information into httpd.conf:

  • Certificate of the Web Server

    Enter the path to the files that contain the private key of the Web server, the server certificate, and the root certificate of the CA.

  • Owner and Issuer of the Client Certificate (TREX Java Client)

    Enter the owner and issuer of the certificate that belongs to the Java client. The Web server can authenticate the Java client using this information.

Prerequisites

You have made the following files available:

  • The private key of the Web server (serveru.key)

  • The server certificate of the Web server that the certification authority (CA) issued (serveru.crt)

  • The CA root certificate in the form CERTIFICATE_AUTHORITY.crt (ca.crt)

    Note

    Below, the root certificate of your CA is referred to as ca.crt. Enter the valid root certificate of your CA in all places where ca.crt appears.

Storage Locations for Certificates and Keys

The files are stored in the following directories.

    Certificate/Key        Directory
    serveru.key            <TREX_DIR>/Apache/conf/ssl.key
    serveru.crt, ca.crt    <TREX_DIR>/Apache/conf/ssl.crt
    serveru.csr            <TREX_DIR>/Apache/conf/ssl.csr

  • You have provided the certificates for the Java client (see Providing the Certificates for the Java Client). The subject name (DN; owner) and issuer name (IssuerDN; issuer) of the certificate that belongs to the Java client can be obtained from SAP NetWeaver Administrator. You then enter the owner and issuer into the httpd.conf configuration file.

Procedure

Opening the httpd.conf Configuration File

  1. Log on with the user that you used to install TREX.

  2. Stop TREX.

  3. Go to the TREX installation directory and then into the configuration directory of the Web server:

    cd <TREX_DIR>/Apache/conf

  4. Open the configuration file httpd.conf and enter the information specified in the following sections. Save the configuration file and close the text editor.

    Caution

    Make a backup copy of the httpd.conf configuration file in case you decide in the future that you no longer want to run the Apache Web server over a secure connection.

  5. Restart TREX.

Entering the Certificate of the Web Server

  1. In the httpd.conf configuration file, search for the instruction SSLCACertificateFile. Enter the path to the file that contains the root certificate of your CA (ca.crt).

    Example

    SSLCACertificateFile conf/ssl.crt/ca.crt

  2. Search for the instruction SSLCertificateFile. Enter the path to the file that contains the server certificate issued by your CA (serveru.crt).

    Example

    SSLCertificateFile conf/ssl.crt/serveru.crt

  3. Search for the instruction SSLCertificateKeyFile. Enter the path to the file that contains the private key of your Web server (serveru.key).

    Example

    SSLCertificateKeyFile conf/ssl.key/serveru.key

    Note

    These entries may be commented out in the delivered httpd.conf configuration file. For the settings to take effect, delete the comment sign (#) at the start of each relevant line.

Entering the Owner and Issuer of the Client Certificate (TREX Java Client)

  1. You can get the data that you need to enter for the subject name (DN; owner) and issuer name (IssuerDN; issuer) of the client certificate from SAP NetWeaver Administrator.

    1. Start SAP NetWeaver Administrator.

    2. Go to Configuration Management > Security Management > Key Storage.

      The Content: Key Storage Views area displays the keystores and certificates that have already been created.

    3. Use the filter function to search for TREXKeyStore and select the entry TREXKeyStore.

    4. The Entries: Keystore Entries window displays the parameters of the TREX keystore.

      The following information about the subject name (DN; owner) and issuer name (IssuerDN; issuer) is displayed in SAP NetWeaver Administrator:

      Subject name: CN=myhost.mydomain, OU=mydepartment, O=mycompany, L=mycity, ST=mystate, C=mycountry, EMAIL=myaccount@mydomain

      Issuer name: CN=My Certificate Authority (CA), OU=Certificate Center, O=CA Company, L=CA City, ST=CA State, C=CA Country, EMAIL=caaccount@cacompany.com

  2. Select the entries for subject name (DN; owner) and issuer name (IssuerDN; issuer) and enter this information in the Apache configuration file httpd.conf.

  3. In the configuration file httpd.conf, search for the line with the second instruction SSLRequire, which is within the tags <Location /TREX> and </Location>. The httpd.conf configuration file is delivered in the following form by default:

    
    <Location /TREX>
            SetHandler trex-handler
    #   usage of SSLRequire:
    #   standard apache example:
    #   SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
    #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
    #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
    #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
    #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
    #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
    #   SAP EP example
    #       SSLRequire      (%{SSL_CLIENT_S_DN} eq "/C=DE/ST=BW/L=Walldorf/O=SAP Portals/OU=TREX/CN=p54896 client/Email=andreas.mustermann@sap.com" and \%{SSL_CLIENT_I_DN} eq "/C=DE/ST=BW/L=Walldorf/O=SAP Portals/OU=TREX/CN=CA TREX/Email=andreas.mustermann@sap.com" )
    </Location>
    
    
                      
    Note

    Make sure that you use the backslash (\) to divide lines that are too long.

  4. The instruction SSLRequire is commented out by default. To activate it, remove the comment sign (#) from the line SSLRequire.

  5. Enter the subject name (DN; owner) and issuer name (IssuerDN; issuer) of the client certificate as follows:

    SSLRequire (%{SSL_CLIENT_S_DN} eq "<Owner [DN]>" and %{SSL_CLIENT_I_DN} eq "<Issuer [IssuerDN]>")

    Example

    SSLRequire (%{SSL_CLIENT_S_DN} eq "/C=DE/ST=Baden Wuerttemberg/L=Walldorf/O=SAP AG/OU=TREX/CN=TREX Java Client/Email=my.account@sap.com" and %{SSL_CLIENT_I_DN} eq "/C=DE/ST=Baden Wuerttemberg/L=Walldorf/O=CA Company/OU=Certificate Center/CN=My Certificate Authority/Email=ca.account@ca-company.com")

    Caution

    Note that you have to enter the owner and issuer in two different places in httpd.conf. There is a <Location /trex> tag (TREX in lowercase) and a <Location /TREX> tag (TREX in uppercase).
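
SAP NetWeaver Administrator displays the names comma-separated with CN first, while the SSLRequire examples above use a slash-separated string that starts with C. The following helper is an added example, not part of the SAP documentation: it rewrites one form into the other and builds the SSLRequire line. The function names are hypothetical, and the attribute order and the Email label are assumptions taken from the httpd.conf example on this page.

```python
import re

# Order and the "Email" label follow the page's httpd.conf example (an assumption
# about the string the server compares; adjust both if your server differs).
ORDER = ("C", "ST", "L", "O", "OU", "CN", "EMAIL")
LABEL = {"EMAIL": "Email"}

def nwa_to_httpd_dn(nwa_dn):
    """Rewrite 'CN=..., OU=..., C=..., EMAIL=...' as '/C=.../OU=.../CN=.../Email=...'."""
    attrs = {}
    # Split only at commas followed by KEY=, so a comma inside a value survives.
    for part in re.split(r",\s*(?=[A-Za-z]+=)", nwa_dn.strip()):
        key, sep, value = part.partition("=")
        key, value = key.strip().upper(), value.strip()
        if not sep or key not in ORDER:
            raise ValueError(f"unexpected DN component: {part!r}")
        if key in attrs:
            raise ValueError(f"attribute {key} appears twice; order it by hand")
        if not value or '"' in value or "/" in value:
            raise ValueError(f"value of {key} cannot be quoted safely: {value!r}")
        attrs[key] = value
    return "".join(f"/{LABEL.get(k, k)}={attrs[k]}" for k in ORDER if k in attrs)

def ssl_require(subject, issuer):
    """Build the SSLRequire line, split with a backslash as the note above asks."""
    return ('SSLRequire (%{SSL_CLIENT_S_DN} eq "' + nwa_to_httpd_dn(subject) + '" and \\\n'
            '    %{SSL_CLIENT_I_DN} eq "' + nwa_to_httpd_dn(issuer) + '")')

# Sample values as shown on this page for SAP NetWeaver Administrator.
SUBJECT = ("CN=myhost.mydomain, OU=mydepartment, O=mycompany, L=mycity, "
           "ST=mystate, C=mycountry, EMAIL=myaccount@mydomain")
ISSUER = ("CN=My Certificate Authority (CA), OU=Certificate Center, O=CA Company, "
          "L=CA City, ST=CA State, C=CA Country, EMAIL=caaccount@cacompany.com")

if __name__ == "__main__":
    print(ssl_require(SUBJECT, ISSUER))
```

Because SSLRequire compares with eq, any difference in order, spacing or attribute label makes the comparison fail and the client is rejected, so paste the same generated line into both Location blocks.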

Result

You have now configured the Apache Web server for secure communication using SSL. You should now change the start mode of the Apache Web server.
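
A check to run over the edited file before restarting TREX, added here as an example and not part of the SAP documentation or the TREX delivery: it reports the certificate directives that are still commented out and any of the two Location blocks (/trex, /TREX) without an active SSLRequire that compares both subject and issuer DN. The function names and the sample configuration are constructed for illustration.

```python
import re

# Directives this procedure expects to be active; Apache matches names case-insensitively.
REQUIRED = ("SSLCACertificateFile", "SSLCertificateFile", "SSLCertificateKeyFile")
LOCATIONS = ("/trex", "/TREX")  # each block needs its own SSLRequire

def logical_lines(text):
    """Join backslash-continued lines, then drop blank lines and comments."""
    joined = re.sub(r"\\\r?\n", " ", text)
    return [s for s in map(str.strip, joined.splitlines()) if s and not s.startswith("#")]

def check_httpd_conf(text):
    """Return a list of problems; an empty list means every check passed."""
    active, pinned, location = set(), set(), None
    for line in logical_lines(text):
        opened = re.match(r"<Location\s+(\S+?)\s*>", line, re.I)
        if opened:
            location = opened.group(1)
        elif line.lower().startswith("</location"):
            location = None
        else:
            name = line.split(None, 1)[0].lower()
            active.add(name)
            # Count an SSLRequire only if it compares both subject and issuer DN.
            if (name == "sslrequire" and "%{SSL_CLIENT_S_DN}" in line
                    and "%{SSL_CLIENT_I_DN}" in line):
                pinned.add(location)
    problems = [f"{d} is missing or commented out"
                for d in REQUIRED if d.lower() not in active]
    problems += [f"<Location {loc}> has no active SSLRequire on subject and issuer DN"
                 for loc in LOCATIONS if loc not in pinned]
    return problems

# Constructed sample: /TREX is finished, /trex and the key file are still commented out.
SAMPLE = r'''
SSLCACertificateFile conf/ssl.crt/ca.crt
SSLCertificateFile conf/ssl.crt/serveru.crt
#SSLCertificateKeyFile conf/ssl.key/serveru.key
<Location /trex>
#   SSLRequire (%{SSL_CLIENT_S_DN} eq "/C=XX/O=Example/CN=client" and \
#       %{SSL_CLIENT_I_DN} eq "/C=XX/O=Example/CN=Example CA")
</Location>
<Location /TREX>
    SSLRequire (%{SSL_CLIENT_S_DN} eq "/C=XX/O=Example/CN=client" and \
        %{SSL_CLIENT_I_DN} eq "/C=XX/O=Example/CN=Example CA")
</Location>
'''

if __name__ == "__main__":
    print("\n".join(check_httpd_conf(SAMPLE)) or "all checks passed")
```

To check a real installation, pass the contents of <TREX_DIR>/Apache/conf/httpd.conf to check_httpd_conf instead of SAMPLE.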