Authenticating the TREX Java Client 
If the Java client sends a request to the Web server during routine operation, it also transmits the public information for its certificate. The Web server uses this information to authenticate the Java client.
The prerequisite for this is that you enter the information from the client certificate into the TREXcert.ini configuration file. The Web server compares the information transmitted with the information in the configuration file, and only forwards requests from clients that it recognizes. If the Web server receives a request from a client that it does not recognize, it sends the request back.
You can enter more than one client certificate into the configuration file. This is beneficial if multiple portals are accessing TREX using secure communication.
For security reasons, you should protect the TREXcert.ini configuration file using operating system methods. For example, you can specify that only certain users can read the file.
Caution
The Web server reads the configuration file during routine operation. Therefore, the user under which the IISADMIN service and the WWW Publishing Service run needs read access to the configuration file.
You have provided the certificates for the Java client (see Providing the Certificates for the Java Client).
To prepare, start the SAP NetWeaver Administrator and load the TREX keystore, TREXKeyStore, that contains the certificates for the Java client.
Open the configuration file <TREX_Directory>\TREXcert.ini on the TREX Web server with a text editor.
In the [WEBSERVERCERTIFICATEnn] section, replace the nn entry with 1 when you enter the first client certificate. You can enter as many client certificates as necessary. Number them sequentially.
Example
[WEBSERVERCERTIFICATE1]
subject=
issuer=
In the parameters subject= and issuer=, enter the owner and issuer of the client certificate.
You can get this information from the SAP NetWeaver Administrator.
Start the SAP NetWeaver Administrator.
Navigate to .
The Content: Key Storage Views area displays the keystores and certificates that you already created.
Use the filter function to find the TREXKeyStore and select the TREXKeyStore entry.
The Entries: Keystore Entries window displays the parameters of the TREX keystore.
SAP NetWeaver Administrator displays the following information on the Subject name (name of owner) and Issuer name (name of issuer):
Subject name: CN=myhost.mydomain, OU=mydepartment, O=mycompany, L=mycity, ST=mystate, C=mycountry, EMAIL=myaccount@mydomain
Issuer name: CN=My Certificate Authority (CA), OU=Certificate Center, O=CA Company, L=CA City, ST=CA State, C=CA Country, EMAIL=caaccount@cacompany.com
Select the entries for Subject name and Issuer name and enter them as the subject (=owner) and issuer in the TREXcert.ini configuration file as follows:
[WEBSERVERCERTIFICATE1]
subject=CN=myhost.mydomain, OU=mydepartment, O=mycompany, L=mycity, ST=mystate, C=mycountry, EMail=myaccount@mydomain
issuer=CN=My Certificate Authority (CA), OU=Certificate Center, O=CA Company, L=CA City, ST=CA State, C=CA Country, EMail=caaccount@cacompany.com
Save the TREXcert.ini file and close the editor.
You must restart TREX for the changes to the TREXcert.ini configuration file to take effect.
Restart the TREX web server.
If a client that is not entered in the TREXcert.ini configuration file sends a request to the Web server, the request is rejected with status 403 (access denied). The Web server also rejects requests if:
No client certificate has been sent
The client certificate sent is from a CA that the Web server does not trust
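Because a mistyped or incomplete entry leaves a legitimate client rejected with status 403, it helps to check the file before restarting TREX. The following script is an added example, not part of the original documentation or of TREX. It assumes the file can be read as a standard INI file and checks only what the procedure above requires: sequentially numbered [WEBSERVERCERTIFICATEnn] sections, each with a subject and an issuer. The function name lint_trexcert and the sample entries are constructed for illustration.

```python
import configparser
import re

SECTION_RE = re.compile(r"^WEBSERVERCERTIFICATE(\d+)$")
# Constructed sample: entry 2 has an empty issuer, entry 4 skips number 3
# and repeats the certificate already listed in entry 1.
SAMPLE = """\
[WEBSERVERCERTIFICATE1]
subject=CN=myhost.mydomain, OU=mydepartment, O=mycompany, C=mycountry
issuer=CN=My Certificate Authority (CA), O=CA Company, C=CA Country

[WEBSERVERCERTIFICATE2]
subject=CN=portal2.mydomain, O=mycompany, C=mycountry
issuer=

[WEBSERVERCERTIFICATE4]
subject=CN=myhost.mydomain, OU=mydepartment, O=mycompany, C=mycountry
issuer=CN=My Certificate Authority (CA), O=CA Company, C=CA Country
"""

def lint_trexcert(text):
    """Return a list of findings for the client-certificate entries."""
    # Assumption: standard INI syntax; split each line on the first "=" only.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error as exc:  # duplicate section, malformed line
        return [f"parse error: {exc}"]
    findings, seen, numbers = [], {}, []
    for name in cp.sections():
        m = SECTION_RE.match(name)
        if not m:
            continue  # sections other than client certificates are not checked
        numbers.append(int(m.group(1)))
        subject = cp.get(name, "subject", fallback="").strip()
        issuer = cp.get(name, "issuer", fallback="").strip()
        for key, value in (("subject", subject), ("issuer", issuer)):
            if not value:
                findings.append(f"{name}: {key} is empty or missing")
        pair = (subject, issuer)
        if all(pair) and pair in seen:
            findings.append(f"{name}: same subject/issuer as {seen[pair]}")
        seen.setdefault(pair, name)
    if sorted(numbers) != list(range(1, len(numbers) + 1)):
        findings.append(f"section numbers {sorted(numbers)} are not sequential from 1")
    if not numbers:
        findings.append("no [WEBSERVERCERTIFICATEnn] section found")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_trexcert(SAMPLE)))
```

To check a real file, pass its contents to lint_trexcert; an empty result means the entries meet the structural requirements checked here, not that the subject and issuer strings match the client certificate.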