Modifying the Configuration File of the Apache Web Server

 

The Apache Web server has a central configuration file httpd.conf that contains all configuration information. To configure the Apache Web server for SSL, modify this configuration file.

Then enter the following information into httpd.conf:

  • Certificate of the Web Server

    Enter the path to the files that contain the private key of the Web server, the server certificate, and the root certificate of the CA.

  • Owner and Issuer of the Client Certificate (TREX Java Client)

    The owner and issuer of the certificate that belongs to the Java client. The Web server can authenticate the Java client using this information.

Prerequisites

You have made the following files available:

  • The private key of the Web server (serveru.key)

  • The server certificate of the Web server that the certification authority (CA) issued (serveru.crt)

  • The CA root certificate in the form CERTIFICATE_AUTHORITY.crt (ca.crt)

    Note

    Below, the root certificate of your CA is referred to as ca.crt. Enter the valid root certificate of your CA in all places where ca.crt appears.

Storage Locations for Certificates and Keys

The files are stored in the following directories.

    Certificate/Key          Directory
    serveru.key              <TREX_DIR>/Apache/conf/ssl.key
    serveru.crt, ca.crt      <TREX_DIR>/Apache/conf/ssl.crt
    serveru.csr              <TREX_DIR>/Apache/conf/ssl.csr

  • You have provided the certificates for the Java client (see Providing the Certificates for the Java Client). The information on the subject name (DN; owner) and issuer name (issuerDN; issuer) of the certificate that belongs to the Java client can be obtained from the SAP NetWeaver Administrator. You then enter the owner and issuer into the configuration file httpd.conf.

Procedure

Opening the httpd.conf Configuration File
  1. Log on with the user that you used to install TREX.

  2. Stop TREX.

  3. Go to the TREX installation directory and then into the configuration directory of the Web server.

    cd <TREX_DIR>/Apache/conf

  4. Open the configuration file httpd.conf and enter the information specified in the sections below. Save the configuration file and close the text editor.

    Caution

    Make a backup copy of the configuration file httpd.conf in case you decide in the future that you no longer want to run the Apache Web server over a secure connection.

  5. Restart TREX.

Certificate of the Web Server
  1. Search for the instruction SSLCACertificateFile in the httpd.conf configuration file. Enter the path to the file that contains the root certificate of your CA (ca.crt).

    Example

    SSLCACertificateFile conf/ssl.crt/ca.crt

  2. Search for the instruction SSLCertificateFile. Enter the path to the file that contains the server certificate that your CA issued for the Web server (serveru.crt).

    Example

    SSLCertificateFile conf/ssl.crt/serveru.crt

  3. Search for the instruction SSLCertificateKeyFile. Enter the path to the file that contains the private key of the Web server (serveru.key).

    Example

    SSLCertificateKeyFile conf/ssl.key/serveru.key

    Note

    You may have to remove the comment signs from some entries in the configuration file httpd.conf so that the settings take effect. You do this by deleting the comment signs (#) from each relevant line.

Owner and Issuer of the Client Certificate (TREX Java Client)
  1. The information on the subject name (DN; owner) and issuer name (issuerDN; issuer) of the client certificate can be obtained from the SAP NetWeaver Administrator.

    1. Start the SAP NetWeaver Administrator.

    2. Navigate to Configuration Management → Security Management → Key Storage.

      The Content: Key Storage Views area displays the keystores and certificates that you already created.

    3. Use the filter function to find the TREXKeyStore and select the TREXKeyStore entry.

    4. The Entries: Keystore Entries window displays the parameters of the TREX keystore.

      SAP NetWeaver Administrator displays the following information on the subject name (DN; owner) and issuer name (IssuerDN; issuer):

      Subject name: CN=myhost.mydomain, OU=mydepartment, O=mycompany, L=mycity, ST=mystate, C=mycountry, EMAIL=myaccount@mydomain

      Issuer name: CN=My Certificate Authority (CA), OU=Certificate Center, O=CA Company, L=CA City, ST=CA State, C=CA Country, EMAIL=caaccount@cacompany.com

  2. Copy the specifications for the subject name (DN; owner) and issuer name (issuerDN; issuer) and enter the information in the httpd.conf Apache configuration file.

  3. In the httpd.conf configuration file, search for the line with the second SSLRequire instruction, which is within the tags <Location /TREX> and </Location>. The default httpd.conf configuration file is delivered in the following form:

    Syntax

    <Location /TREX>
            SetHandler trex-handler
    #   usage of SSLRequire:
    #   standard apache example:
    #   SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
    #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
    #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
    #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
    #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
    #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
    #   SAP Portal example
    #       SSLRequire      (%{SSL_CLIENT_S_DN} eq "/C=DE/ST=BW/L=Walldorf/O=SAP Portals/OU=TREX/CN=p54896 client/Email=andreas.mustermann@sap.com" and \
    #               %{SSL_CLIENT_I_DN} eq "/C=DE/ST=BW/L=Walldorf/O=SAP Portals/OU=TREX/CN=CA TREX/Email=andreas.mustermann@sap.com" )
    </Location>

    Note

    Make sure that you use a backslash (\) at the end of a line to continue an instruction that is too long for one line.

  4. The instruction SSLRequire is commented out by default. To activate it, remove the comment sign (#) from the line SSLRequire.

  5. Enter the subject name (DN; owner) and issuer name (IssuerDN; issuer) of the client certificate there in the following form: SSLRequire (%{SSL_CLIENT_S_DN} eq "<owner [DN]>" and %{SSL_CLIENT_I_DN} eq "<issuer [IssuerDN]>")

    Example

    SSLRequire (%{SSL_CLIENT_S_DN} eq "/C=DE/ST=Baden Wuerttemberg/L=Walldorf/O=SAP AG/OU=TREX/CN=TREX Java Client/Email=my.account@sap.com" and %{SSL_CLIENT_I_DN} eq "/C=DE/ST=Baden Wuerttemberg/L=Walldorf/O=CA Company/OU=Certificate Center/CN=My Certificate Authority/Email=ca.account@ca-company.com" )

    Caution

    Note that you have to enter the owner and issuer in two different places in the configuration file httpd.conf. There is a tag <Location /trex> (TREX lowercase) and a tag <Location /TREX> (TREX uppercase). If the SSLRequire instruction is activated in only one of the two blocks, the other path is not restricted to the client certificate of the Java client.
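A check for the two mistakes this procedure warns about: a directive left commented out, and an SSLRequire entered in only one of the two Location blocks. This is an added example, not SAP's or Apache's code; the function names, the sample configuration and its DN values are constructed for illustration.

```python
import re

# Directive and block names come from the page; matching here is case-sensitive.
CERT_DIRECTIVES = ("SSLCACertificateFile", "SSLCertificateFile", "SSLCertificateKeyFile")
LOCATIONS = ("/trex", "/TREX")
DN_RE = re.compile(r'%\{(SSL_CLIENT_[SI]_DN)\}\s+eq\s+"([^"]*)"')

def logical_lines(text):
    """Join backslash continuations first, then drop blank and comment lines."""
    joined = re.sub(r"\\[ \t\r]*\n", " ", text)
    return [l.strip() for l in joined.splitlines() if l.strip() and not l.lstrip().startswith("#")]

def audit(conf_text):
    """Return a list of findings; an empty list means every check passed."""
    seen, dns, loc = set(), {}, None
    for line in logical_lines(conf_text):
        name = line.split()[0]
        opened = re.match(r"<Location\s+([^\s>]+)\s*>", line)
        if opened:
            loc = opened.group(1)
        elif name.startswith("</Location"):
            loc = None
        elif name in CERT_DIRECTIVES:
            seen.add(name)
        elif name == "SSLRequire" and loc in LOCATIONS:
            dns[loc] = dict(DN_RE.findall(line))  # {variable: DN it is compared with}
    findings = [f"{d} missing or commented out" for d in CERT_DIRECTIVES if d not in seen]
    for loc in LOCATIONS:
        if loc not in dns:
            findings.append(f"<Location {loc}>: no active SSLRequire")
        elif set(dns[loc]) != {"SSL_CLIENT_S_DN", "SSL_CLIENT_I_DN"}:
            findings.append(f"<Location {loc}>: SSLRequire must compare owner and issuer")
    if len(dns) == 2 and dns["/trex"] != dns["/TREX"]:
        findings.append("owner/issuer differ between <Location /trex> and <Location /TREX>")
    return findings

# Constructed sample: the key directive and the /TREX SSLRequire are still commented out.
SAMPLE = r'''SSLCACertificateFile conf/ssl.crt/ca.crt
SSLCertificateFile conf/ssl.crt/serveru.crt
#SSLCertificateKeyFile conf/ssl.key/serveru.key
<Location /trex>
    SSLRequire (%{SSL_CLIENT_S_DN} eq "/C=DE/O=Example/CN=TREX Java Client" and \
                %{SSL_CLIENT_I_DN} eq "/C=DE/O=Example CA/CN=Example CA")
</Location>
<Location /TREX>
#   SSLRequire (%{SSL_CLIENT_S_DN} eq "/C=DE/O=Example/CN=TREX Java Client" and \
#               %{SSL_CLIENT_I_DN} eq "/C=DE/O=Example CA/CN=Example CA")
</Location>'''
print("\n".join(audit(SAMPLE)))
```

To check a real file, pass the contents of <TREX_DIR>/Apache/conf/httpd.conf to audit() before restarting TREX.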

Result

You have now configured the Apache Web server for secure communication using SSL. You should now change the start mode of the Apache Web server.