Authenticating the TREX Java Client
If the Java client sends a request to the Web server during routine operation, it also transmits the public information for its certificate. The Web server uses this information to authenticate the Java client.
The prerequisite for this is that you enter the information from the client certificate into the TREXcert.ini configuration file. The Web server compares the information transmitted with the information in the configuration file, and only forwards requests from clients that it recognizes. If the Web server receives a request from a client that it does not recognize, it sends the request back.
You can enter more than one client certificate into the configuration file. This is beneficial if multiple portals are accessing TREX using secure communication.
For security reasons, you should protect the TREXcert.ini configuration file with operating system methods. For example, you can dictate that only certain users can read the file.

The Web server reads the configuration file during routine operation. Therefore, the user under which the IISADMIN service and the WWW Publishing Service run needs read access to the configuration file.
You have provided the certificates for the Java client (see Providing the Certificates for the Java Client).
To prepare, start the J2EE Visual Administrator on the portal server, and load the keystore that contains the certificates for the Java client.
1. Open the configuration file <TREX_Directory>\TREXcert.ini on the TREX Web server with a text editor.
2. In the [WEBSERVERCERTIFICATEnn] section, replace the entry nn with 1 when you enter the first client certificate. You can enter as many client certificates as are necessary. Number them sequentially.

[WEBSERVERCERTIFICATE1]
subject=
issuer=
3. In the parameters subject= and issuer=, enter the owner and issuer of the client certificate.
You can get this information from the J2EE Visual Administrator.
4. To do this, start the visual administrator in the J2EE Engine.
5. In the left-hand window of the visual administrator, choose the Cluster tab.
6. Expand the node of the server on which the J2EE Engine is running.
7. Expand the Services node.
8. Choose the entry Storage under Services.
9. In the Views window of the Runtime tab, choose the entry TREXKeyStore.
10. In the Entries window, choose sslkey.
11. The parameters of the private key sslkey appear in the right-hand window.

The following information on the owner (DN) and issuer (IssuerDN) is displayed in the J2EE visual administrator:
Owner (DN): CN=myhost.mydomain, OU=mydepartment, O=mycompany, L=mycity, ST=mystate, C=mycountry, EMAIL=myaccount@mydomain
Issuer [IssuerDN]: CN=My Certificate Authority (CA), OU=Certificate Center, O=CA Company, L=CA City, ST=CA State, C=CA Country, EMAIL=caaccount@cacompany.com
12. Copy the specifications under Owner [DN] and Issuer [IssuerDN] and enter this information as subject (= Owner) and issuer (= Issuer) in the configuration file TREXcert.ini as follows:
[WEBSERVERCERTIFICATE1]
subject=CN=myhost.mydomain, OU=mydepartment, O=mycompany, L=mycity, ST=mystate, C=mycountry, EMail=myaccount@mydomain
issuer=CN=My Certificate Authority (CA), OU=Certificate Center, O=CA Company, L=CA City, ST=CA State, C=CA Country, EMail=caaccount@cacompany.com
13. Save the TREXcert.ini file and close the text editor.
14. Restart TREX so that it accepts the changes to the configuration file TREXcert.ini.
15. Restart the IIS (Internet Information Server).
If a client that is not entered into the TREXcert.ini configuration file sends a request to the Web server, the request is rejected with status 403 (access denied). The Web server also rejects requests if:
· No client certificate has been sent
· The client certificate sent is from a CA that the Web server does not trust
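A pre-restart check for the entries made in the procedure above, as an added example that is not SAP or TREX code: it flags an unedited nn placeholder, non-sequential section numbers, empty subject= or issuer= values, and client certificates that have no matching entry. The function names and sample DNs are constructed; the page does not describe how TREX compares the strings, so the comparison used here (attribute names case-insensitive, values exact) is an assumption of this check only.

```python
import configparser

def dn_parts(dn):
    # "CN=a, OU=b" -> [("CN", "a"), ("OU", "b")]. Names are upper-cased because the
    # page shows EMAIL in the tool and EMail in the file. Assumes no commas in values.
    pairs = (rdn.partition("=") for rdn in dn.split(",") if rdn.strip())
    return [(attr.strip().upper(), value.strip()) for attr, _, value in pairs]

def lint_trexcert(ini_text, expected):
    """Return findings for ini_text; expected holds (owner_dn, issuer_dn) pairs."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(ini_text)
    findings, entries = [], {}
    for name in cp.sections():
        if not name.startswith("WEBSERVERCERTIFICATE"):
            continue
        suffix = name[len("WEBSERVERCERTIFICATE"):]
        if not suffix.isdigit():
            findings.append(f"[{name}]: suffix is not a number")
            continue
        subject = cp.get(name, "subject", fallback="").strip()
        issuer = cp.get(name, "issuer", fallback="").strip()
        if not subject or not issuer:
            findings.append(f"[{name}]: subject or issuer is empty")
        entries[int(suffix)] = (dn_parts(subject), dn_parts(issuer))
    if sorted(entries) != list(range(1, len(entries) + 1)):
        findings.append(f"section numbers {sorted(entries)} are not sequential from 1")
    for owner, issuer in expected:
        if (dn_parts(owner), dn_parts(issuer)) not in entries.values():
            findings.append(f"no entry matches client certificate {owner!r}")
    return findings

# Constructed sample: entry 1 is complete, entry 3 skips a number and has no issuer.
SAMPLE_INI = """\
[WEBSERVERCERTIFICATE1]
subject=CN=portal1.example, OU=IT, O=Example, C=DE, EMail=a@example.com
issuer=CN=Example CA, O=Example, C=DE
[WEBSERVERCERTIFICATE3]
subject=CN=portal2.example, OU=IT, O=Example, C=DE
issuer=
"""
EXPECTED = [  # DNs as copied from the keystore view (constructed values)
    ("CN=portal1.example, OU=IT, O=Example, C=DE, EMAIL=a@example.com",
     "CN=Example CA, O=Example, C=DE"),
    ("CN=portal2.example, OU=IT, O=Example, C=DE", "CN=Example CA, O=Example, C=DE"),
]
if __name__ == "__main__":
    print("\n".join(lint_trexcert(SAMPLE_INI, EXPECTED)))
```

An empty result means each listed client certificate has a complete, sequentially numbered entry; it does not confirm that the Web server trusts the issuing CA.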