Show TOC

Authenticating the TREX Java ClientLocate this document in the navigation structure


If the Java client sends a request to the Web server during routine operation, it also transmits the public information for its certificate. The Web server uses this information to authenticate the Java client.

The prerequisite for this is that you enter the information from the client certificate into the TREXcert.ini configuration file. The Web server compares the information transmitted with the information in the configuration file, and only forwards requests from clients that it recognizes. If the Web server receives a request from a client that it does not recognize, it sends the request back.

You can enter more than one client certificate into the configuration file. This is beneficial if multiple portals are accessing TREX using secure communication.

For security reasons, you should protect the TREXcert.ini configuration file with operating system methods. For example, you can dictate that only certain users can read the file.


The Web server reads the configuration file during routine operation. Therefore, the user on which the IISADMIN service and the WWW Publishing Service run needs to have read-access to the configuration file.

  • You have provided the certificates for the Java client (see Providing the Certificates for the Java Client).

  • Start SAP NetWeaver Administrator and load the TREX keystore TREXKeyStore that contains the certificates for the Java client.

  1. Open the <TREX_Directory>\TREXcert.ini configuration file on the TREX Web server with a text editor.

  2. In the [WEBSERVERCERTIFICATEnn] section, replace the entry nn with 1 when you enter the first client certificate. You can enter as many client certificates are necessary. Number them sequentially.





  3. In the parameters subject= and issuer=, enter the owner and issuer of the client certificate.

    You can get this information from the SAP NetWeaver Administrator.

    1. Start the SAP NetWeaver Administrator.

    2. Go to Start of the navigation path Configuration Management Next navigation step Security Management Next navigation step Key Storage End of the navigation path.

      The Content: Key Storage Views area displays the keystores and certificates that have already been created.

    3. Use the filter function to search for TREXKeyStore and select the entry TREXKeyStore.

    4. The Entries: Keystore Entries window displays the parameters of the TREX keystore.

      The following information about Subject name (name of the owner) and Issuer name (name of the issuer) are displayed in SAP NetWeaver Administrator:

      Subject name:CN=myhost.mydomain, OU=mydepartment, O=mycompany, L=mycity, ST=mystate, C=mycountry, EMAIL=myaccount@mydomain

      Issuer name: CN=My Certificate Authority (CA), OU=Certificate Center, O=CA Company, L=CA City, ST=CA State, C=CA Country,

    5. Select the entries about Subject name and Issuer name and enter this information as subject (= owner) and issuer (= issuer) in the configuration file TREXcert.ini as follows:


      subject=CN=myhost.mydomain, OU=mydepartment, O=mycompany, L=mycity, ST=mystate, C=mycountry, EMail=myaccount@mydomain

      issuer=CN=My Certificate Authority (CA), OU=Certificate Center, O=CA Company, L=CA City, ST=CA State, C=CA Country, EMail=caaccount@

  4. Save the TREXcert.ini file and close the editor.

  5. You have to restart TREX in order for the changes to the TREXCert.ini configuration file to be accepted by TREX.

  6. Restart the TREX web server.


If a client that is not entered in the configuration file TREXcert.ini sends a request to the Web server, the request is denied with status 403 (access denied). The Web server also rejects requests if

  • No client certificate has been sent

  • The client certificate sent is from a CA that the Web server does not trust

For more information, see: