
Procedure documentation: Modifying the Configuration File of the Apache Web Server

Use

The Apache Web server has a central configuration file httpd.conf that contains all configuration information. To configure the Apache Web server for SSL, modify this configuration file.

Enter the following information into httpd.conf:

·        Certificate of the Web Server

Enter the path to the files that contain the private key of the Web server, the server certificate, and the root certificate of the CA.

·        Owner and Issuer of the Client Certificate (TREX Java Client)

The owner and issuer of the certificate that belongs to the Java client. The Web server can authenticate the Java client using this information.

Prerequisites

You have made the following files available:

·        The private key of the Web server (serveru.key)

·        The server certificate of the Web server that the certification authority (CA) issued (serveru.crt)

·        The CA root certificate in the form CERTIFICATE_AUTHORITY.crt (ca.crt)

Note

Below, the root certificate of your CA is referred to as ca.crt. Enter the valid root certificate of your CA in all places where ca.crt appears.

Storage Locations for Certificates and Keys

The files are stored in the following directories.

Certificate/Key    Directory
serveru.key        <TREX_DIR>/Apache/conf/ssl.key
serveru.crt        <TREX_DIR>/Apache/conf/ssl.crt
ca.crt             <TREX_DIR>/Apache/conf/ssl.crt
serveru.csr        <TREX_DIR>/Apache/conf/ssl.csr

·        You have provided the certificates for the Java client (see Providing the Certificates for the Java Client). The information on the owner (DN) and issuer (issuerDN) of the certificate that belongs to the Java client can be obtained from the J2EE Visual Administrator. You then enter the owner and issuer into the configuration file httpd.conf.


Opening the Configuration File httpd.conf

1. Log on with the user that you used to install TREX.

2. Stop TREX.

3. Go to the TREX installation directory and then into the configuration directory of the Web server.

cd <TREX_DIR>/Apache/conf

4. Open the configuration file httpd.conf and enter the information specified in the sections below. Save the configuration file and close the text editor.

Caution

Make a backup copy of the configuration file httpd.conf in case you decide in the future that you no longer want to run the Apache Web server over a secure connection.

5. Restart TREX.

Certificate of the Web Server

1. Search for the instruction SSLCACertificateFile in the configuration file httpd.conf. Enter the path to the file that contains the root certificate of your CA (ca.crt).

Example

SSLCACertificateFile conf/ssl.crt/ca.crt

2. Search for the instruction SSLCertificateFile. Enter the path to the file that contains the server certificate of the Web server that your CA issued (serveru.crt).

Example

SSLCertificateFile conf/ssl.crt/serveru.crt

3. Search for the instruction SSLCertificateKeyFile. Enter the path to the file that contains the private key of the Web server (serveru.key).

Example

SSLCertificateKeyFile conf/ssl.key/serveru.key

Note

You may have to remove the comment signs from some entries in the configuration file httpd.conf so that the settings become valid. You do this by deleting the comment signs (#) from each relevant line.


Owner and Issuer of the Client Certificate (TREX Java Client)

1. The information to be entered on the owner (DN) and issuer (issuerDN) of the client certificate can be obtained from the SAP J2EE Visual Administrator.

2. To do this, start the visual administrator in the SAP J2EE Engine.

3. In the left-hand window of the visual administrator, choose the Cluster tab.

4. Expand the node of the server on which the SAP J2EE Engine is running.

5. Expand the Services node.

6. Choose the entry Key Storage under Services.

7. In the Views window of the Runtime tab, choose the entry TREXKeyStore.

8. In the Entries window, choose sslkey.

9. The parameters of the private key sslkey appear in the right-hand window.


The following information on the owner (DN) and issuer (IssuerDN) is displayed in the J2EE visual administrator:

Owner [DN]: CN=myhost.mydomain, OU=mydepartment, O=mycompany, L=mycity, ST=mystate, C=mycountry, EMAIL=myaccount@mydomain

Issuer [IssuerDN]: CN=My Certificate Authority (CA), OU=Certificate Center, O=CA Company, L=CA City, ST=CA State, C=CA Country, EMAIL=caaccount@cacompany.com

10. Copy the specifications for the owner [DN] and issuer [issuerDN] and enter the information into the Apache configuration file httpd.conf.

11. In the configuration file httpd.conf, search for the line with the second instruction SSLRequire, which is within the tags <Location /TREX> and </Location>. The configuration file httpd.conf is delivered in the following form by default:

<Location /TREX>
        SetHandler trex-handler
#   usage of SSLRequire:
#   standard apache example:
#   SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#   SAP Portal example
#       SSLRequire      (%{SSL_CLIENT_S_DN} eq "/C=DE/ST=BW/L=Walldorf/O=SAP Portals/OU=TREX/CN=p54896 client/Email=andreas.mustermann@sap.com" and \
                         %{SSL_CLIENT_I_DN} eq "/C=DE/ST=BW/L=Walldorf/O=SAP Portals/OU=TREX/CN=CA TREX/Email=andreas.mustermann@sap.com" )
</Location>

Note

Make sure that you use the backslash (\) to divide lines that are too long.

12. The instruction SSLRequire is commented out by default. To activate it, remove the comment sign (#) from the line SSLRequire.

13. Enter the owner [DN] and issuer [IssuerDN] of the client certificate there in the following form:

SSLRequire (%{SSL_CLIENT_S_DN} eq "<Owner [DN]>" and %{SSL_CLIENT_I_DN} eq "<Issuer [IssuerDN]>")

Example

SSLRequire (%{SSL_CLIENT_S_DN} eq "/C=DE/ST=Baden Wuerttemberg/L=Walldorf/O=SAP AG/OU=TREX/CN=TREX Java Client/Email=my.account@sap.com" and \
            %{SSL_CLIENT_I_DN} eq "/C=DE/ST=Baden Wuerttemberg/L=Walldorf/O=CA Company/OU=Certificate Center/CN=My Certificate Authority/Email=ca.account@ca-company.com" )


Caution

Note that you have to enter the owner and issuer in two different places in the configuration file httpd.conf. There is a tag <Location /trex> (TREX lowercase) and a tag <Location /TREX> (TREX uppercase).
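The following Python script is an added check; it is not part of the SAP documentation and not Apache code. It lints an httpd.conf for the settings this procedure edits: the three certificate and key file directives from the section Certificate of the Web Server, and the SSLRequire directive that, as the Caution above says, must be active in both <Location /trex> and <Location /TREX> with the same owner and issuer. It joins backslash-continued lines the way Apache does, ignores commented-out lines, and reports anything still missing or commented out. The embedded configuration excerpt, the file paths, the DNs and the file name lint_trex_ssl.py are constructed sample values; the script is a regular-expression approximation of Apache's configuration parser, not Apache itself.

```python
"""Lint the TREX-related SSL settings in an Apache httpd.conf (added example,
not SAP or Apache code). Checks that the certificate/key directives are active
and that an SSLRequire comparing the client subject and issuer DN is active in
BOTH <Location /trex> and <Location /TREX>, with identical DNs."""
import re
import sys
from dataclasses import dataclass, field

CERT_DIRECTIVES = ("SSLCACertificateFile", "SSLCertificateFile", "SSLCertificateKeyFile")
REQUIRED_LOCATIONS = ("/trex", "/TREX")

# Subject and issuer DN inside an SSLRequire expression, in the legacy
# slash-separated mod_ssl format that the documentation shows.
DN_RE = re.compile(r'%\{SSL_CLIENT_S_DN\}\s+eq\s+"([^"]*)".*?%\{SSL_CLIENT_I_DN\}\s+eq\s+"([^"]*)"')

# Constructed sample DNs (no real certificate behind them).
CLIENT_DN = "/C=DE/ST=BW/L=Walldorf/O=Example Org/OU=TREX/CN=TREX Java Client/Email=client@example.test"
ISSUER_DN = "/C=DE/ST=BW/L=Walldorf/O=Example CA/OU=Certificate Center/CN=Example CA/Email=ca@example.test"

# Constructed httpd.conf excerpt: /TREX has been edited, /trex is still
# commented out, which is exactly the mistake the Caution warns about.
SAMPLE_CONF = r"""
ServerRoot "<TREX_DIR>/Apache"
<VirtualHost _default_:443>
SSLEngine on
#SSLCACertificateFile conf/ssl.crt/ca-bundle.crt
SSLCACertificateFile conf/ssl.crt/ca.crt
SSLCertificateFile conf/ssl.crt/serveru.crt
SSLCertificateKeyFile conf/ssl.key/serveru.key

<Location /trex>
        SetHandler trex-handler
#       SSLRequire      (%{SSL_CLIENT_S_DN} eq "@CLIENT@" and %{SSL_CLIENT_I_DN} eq "@ISSUER@" )
</Location>

<Location /TREX>
        SetHandler trex-handler
        SSLRequire      (%{SSL_CLIENT_S_DN} eq "@CLIENT@" and \
                         %{SSL_CLIENT_I_DN} eq "@ISSUER@" )
</Location>
</VirtualHost>
""".replace("@CLIENT@", CLIENT_DN).replace("@ISSUER@", ISSUER_DN)


@dataclass
class Report:
    cert_files: dict = field(default_factory=dict)  # directive -> path, active lines only
    locations: dict = field(default_factory=dict)   # location -> (subject DN, issuer DN) or None
    problems: list = field(default_factory=list)


def logical_lines(text):
    """Join lines ending in a backslash into one logical line, as Apache does."""
    out, pending = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        out.append(pending + line)
        pending = ""
    if pending:
        out.append(pending)
    return out


def lint_httpd_conf(text):
    rep = Report()
    commented = set()   # certificate directives seen only behind a '#'
    location = None     # current <Location ...> block, if any
    for line in logical_lines(text):
        stripped = line.strip()
        if not stripped:
            continue
        active = not stripped.startswith("#")
        body = stripped.lstrip("#").strip()
        m = re.match(r"<Location\s+(\S+)\s*>", body, re.I)
        if active and m:
            location = m.group(1)          # case is kept: /trex and /TREX differ
            rep.locations.setdefault(location, None)
            continue
        if active and re.match(r"</Location\s*>", body, re.I):
            location = None
            continue
        parts = body.split(None, 1)
        name, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if name in CERT_DIRECTIVES:        # VirtualHost nesting does not matter here
            if active:
                rep.cert_files[name] = rest.strip()
            else:
                commented.add(name)
        elif name == "SSLRequire" and active and location is not None:
            dm = DN_RE.search(body)
            rep.locations[location] = dm.groups() if dm else None
    for name in CERT_DIRECTIVES:
        if name not in rep.cert_files:
            why = "still commented out" if name in commented else "missing"
            rep.problems.append(f"{name} not active ({why})")
    for loc in REQUIRED_LOCATIONS:
        if rep.locations.get(loc) is None:
            rep.problems.append(f"<Location {loc}>: no active SSLRequire comparing SSL_CLIENT_S_DN and SSL_CLIENT_I_DN")
    pairs = [rep.locations.get(loc) for loc in REQUIRED_LOCATIONS]
    if all(pairs) and len(set(pairs)) > 1:
        rep.problems.append("<Location /trex> and <Location /TREX> compare different client DNs")
    return rep


if __name__ == "__main__":
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    rep = lint_httpd_conf(conf)
    for p in rep.problems:
        print("PROBLEM:", p)
    sys.exit(1 if rep.problems else 0)
```

Run it as python lint_trex_ssl.py <TREX_DIR>/Apache/conf/httpd.conf after step 13 and before restarting TREX; without an argument it lints the embedded sample and reports the still-commented <Location /trex>. One caveat the script cannot check: the DN strings only work if they match what mod_ssl actually produces for SSL_CLIENT_S_DN and SSL_CLIENT_I_DN. The slash-separated form with Email= shown in this procedure is the legacy OpenSSL one-line format; Apache httpd 2.3.11 and later use an RFC 2253 comma-separated format by default unless SSLOptions +LegacyDNStringFormat is set, and newer OpenSSL builds label the e-mail attribute emailAddress rather than Email. Logging %{SSL_CLIENT_S_DN}x in a CustomLog format shows the exact string the server sees.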

Result

You have now configured the Apache Web server for secure communication using SSL. You should now change the start mode of the Apache Web server.
