
Authenticating the TREX Name Server

Context

When the TREX name server sends a request to the TREX Web server, it also transmits the public information for its certificate. The TREX Web server uses this information to authenticate the TREX name server.

You must have entered the owner and issuer of the client certificate of the TREX name server into one of the following configuration files, depending on your operating system and Web server:

  • IIS / Windows: TREXcert.ini

  • Apache / UNIX: httpd.conf

The TREX Web server compares the information transmitted with the information in the configuration file, and only forwards requests from clients that it recognizes. If the Web server receives a request from a client that it does not recognize, it sends the request back. You can enter more than one client certificate into the relevant configuration file.

Procedure

  • Entering the Owner and Issuer of the Client Certificate in the TREXcert.ini File (IIS/Windows)
    1. Open the <TREX_Directory>\TREXcert.ini configuration file on the TREX Web server with a text editor.

      Note

      For security reasons, you should protect the TREXcert.ini configuration file on Windows with operating system methods. For example, you can dictate that only certain users can read the file.

    2. In the [WEBSERVERCERTIFICATEnn] section, replace the entry nn with 1 when you enter the first client certificate. If a client certificate has already been entered, number other entries sequentially. You can enter as many client certificates as you want. You need to number these in ascending order.

      Example

      [WEBSERVERCERTIFICATE1]

      subject=

      issuer=

    3. In the parameters subject= and issuer=, enter the owner and issuer of the client certificate.

      Note

      You can get this information from the SAPSSLS.pse keystore with the following SAPGENPSE command:

      sapgenpse get_my_name -p SAPSSLS.pse

    4. You enter the information displayed into the TREXcert.ini configuration file as follows:

      [WEBSERVERCERTIFICATE2]

      subject=CN=myhost.mydomain, OU=mydepartment, O=mycompany, L=mycity, ST=mystate, C=mycountry, EMail=myaccount@mydomain

      issuer=CN=My Certificate Authority (CA), OU=Certificate Center, O=CA Company, L=CA City, ST=CA State, C=CA Country, EMail=caaccount@cacompany.com

      Note

      You already entered the specifications for subject and issuer for the TREX Java client in the configuration file TREXcert.ini when configuring secure communication between the TREX Web server and the TREX Java client (HTTPS), thereby authenticating the TREX Java client with the TREX Web server (see Authenticating the TREX Java Client). You have now added the TREX name server as an additional communication partner of the TREX Web server in the [WEBSERVERCERTIFICATE2] section.

    5. Note the following:

      • Names - The holder of the certificate is known as the owner in the SAPGENPSE cryptography tool and as the subject in the configuration file.

        Several names are permitted for the following information in the configuration file:

        Information         Name in TREXcert.ini
        State               ST= and S=
        E-mail Address      E-Mail= and E=

        The other names need to be entered into the configuration file exactly as they appear in the keystore, that is, O= is the organization, L= is the location, and so on.

      • Spelling - The spelling of the entries in the configuration file must be exactly the same as in the keystore. Pay particular attention to lower- and uppercase and to the spacing in parameter values.

      • Order - The order of the values in the parameters subject= and issuer= is irrelevant. For example, both subject=CN=myhost.mydomain, OU=mydepartment, O=mycompany, ... and subject=O=mycompany, OU=mydepartment, CN=myhost.mydomain, ... are permitted.

      • Line breaks - All values for one parameter (for example, in subject=), must be on a single line. Separate entries on the line using commas and spaces as in the example below.

        issuer=E=caaccount@cacompany.com, C=CA Country, ...

    6. Save the TREXcert.ini file and close the editor.
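The following is an added example, not SAP code, that applies the matching rules from step 5 to a TREXcert.ini file: attribute aliases (ST=/S=, E-Mail=/E=, and the EMail= spelling used in the page's example are treated as the same attribute), order-independent attributes within subject= and issuer=, exact case and spacing for values, and ascending numbering of the [WEBSERVERCERTIFICATEnn] sections. The sample file and the presented certificate names are constructed from the page's example values; the parser assumes that no attribute value contains a comma.

```python
import configparser
import re

# Attribute spellings the page permits in TREXcert.ini, mapped to one canonical key.
ALIASES = {"S": "ST", "E": "E-MAIL", "EMAIL": "E-MAIL"}
SECTION_RE = re.compile(r"^WEBSERVERCERTIFICATE(\d+)$")

# Constructed TREXcert.ini built from the page's example values (not a real file).
SAMPLE_INI = """\
[WEBSERVERCERTIFICATE1]
subject=CN=TREX Java Client, OU=TREX, O=SAP AG, L=Walldorf, ST=Baden Wuerttemberg, C=DE, EMail=my.account@sap.com
issuer=CN=My Certificate Authority, OU=Certificate Center, O=CA Company, L=Walldorf, ST=Baden Wuerttemberg, C=DE, EMail=ca.account@ca-company.com
[WEBSERVERCERTIFICATE2]
subject=CN=myhost.mydomain, OU=mydepartment, O=mycompany, L=mycity, ST=mystate, C=mycountry, EMail=myaccount@mydomain
issuer=E=caaccount@cacompany.com, C=CA Country, S=CA State, L=CA City, O=CA Company, OU=Certificate Center, CN=My Certificate Authority (CA)
"""

def parse_dn(dn):
    """Split 'CN=a, OU=b, ...' into {attr: value}. Attribute names are
    alias-normalized; values keep exact case and spacing (assumes no commas)."""
    parts = {}
    for item in dn.split(","):
        key, sep, value = item.strip().partition("=")
        if not sep or not key.strip():
            raise ValueError("malformed DN component: %r" % item)
        key = key.strip().upper()
        parts[ALIASES.get(key, key)] = value
    return parts

def load_trusted_clients(ini_text):
    """Return [(subject, issuer), ...] from the WEBSERVERCERTIFICATEnn sections,
    enforcing the page's rule that they are numbered 1, 2, ... without gaps."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(ini_text)
    numbered = []
    for name in cfg.sections():
        m = SECTION_RE.match(name)
        if m:
            numbered.append((int(m.group(1)), name))
    numbered.sort()
    if [n for n, _ in numbered] != list(range(1, len(numbered) + 1)):
        raise ValueError("WEBSERVERCERTIFICATEnn sections must be numbered 1..n")
    return [(parse_dn(cfg[name]["subject"]), parse_dn(cfg[name]["issuer"]))
            for _, name in numbered]

def is_recognized(ini_text, subject, issuer):
    """True if the presented subject/issuer pair matches a configured client
    regardless of attribute order; any case or spacing difference is a mismatch."""
    presented = (parse_dn(subject), parse_dn(issuer))
    return any(entry == presented for entry in load_trusted_clients(ini_text))
```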

  • Entering the Owner and Issuer of the Client Certificate in the httpd.conf File (Apache/UNIX)
    1. Log on with the user that you used to install TREX.

    2. Stop TREX.

    3. Go to the TREX installation directory and then into the configuration directory of the Web server:

      cd <TREX_Directory>/Apache/conf

    4. Open the httpd.conf configuration file.

      Caution

      Make a backup copy of the httpd.conf configuration file in case you decide in the future that you no longer want to run the Apache Web server over a secure connection.

    5. In the Apache Web server configuration file httpd.conf, search for the line with the second SSLRequire instruction, which is between the tags <Location /TREX> and </Location>. The httpd.conf configuration file is delivered in the following form by default:

      <Location /TREX>
      SetHandler trex-handler
      #   usage of SSLRequire:
      #   standard apache example:
      #   SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
      #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
      #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
      #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
      #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
      #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
      #   SAP EP example
      #       SSLRequire      (%{SSL_CLIENT_S_DN} eq "/C=DE/ST=BW/L=Walldorf/O=SAP Portals/OU=TREX/CN=p54896 client/Email=andreas.mustermann@sap.com" and \%{SSL_CLIENT_I_DN} eq "/C=DE/ST=BW/L=Walldorf/O=SAP Portals/OU=TREX/CN=CA TREX/Email=andreas.mustermann@sap.com" )
      </Location>
      Note

      Make sure that you use a backslash (\) to divide lines that are too long.

    6. The instruction SSLRequire is commented out by default. To activate it, remove the comment sign (#) from the line SSLRequire.

      Note

      You already entered the specifications for subject and issuer for the TREX Java client in the Apache Web server configuration file httpd.conf when configuring secure communication between the TREX Web server and the TREX Java client, thereby authenticating the TREX Java client with the TREX Web server (see Modifying the Configuration File of the Apache Web Server).

    7. Add the entry for the Subject and Issuer of the TREX name server after the entry for the Subject and Issuer for the TREX Java client.

      1. Enter the Owner (Subject) and Issuer for the client certificate in the following form:

        SSLRequire (%{SSL_CLIENT_S_DN} eq "<Owner(Subject)>" and %{SSL_CLIENT_I_DN} eq "<Issuer(Issuer)>")

      2. Link the two entries with parentheses (…) in the following way:

        (Subject/Issuer Java Client) or (Subject/Issuer Name Server)

        Example

        (%{SSL_CLIENT_S_DN} eq "/C=DE/ST=Baden Wuerttemberg/L=Walldorf/O=SAP AG/OU=TREX/CN=TREX Java Client/Email=my.account@sap.com" and %{SSL_CLIENT_I_DN} eq "/C=DE/ST=BadenWuerttemberg/L=Walldorf/O=CA Company/OU=Certificate Center/CN=My Certificate Authority/Email=ca.account@ca-company.com")

        or\

        (%{SSL_CLIENT_S_DN} eq "/C=DE/ST=Baden Wuerttemberg/L=Walldorf/O=SAP AG/OU=TREX/CN=TREX Java Client/Email=my.account@sap.com" and %{SSL_CLIENT_I_DN} eq "/C=DE/ST=BadenWuerttemberg/L=Walldorf/O=CA Company/OU=Certificate Center/CN=My Certificate Authority/Email=ca.account@ca-company.com" )

        Note

        You find the information on the Owner and Issuer of the client certificate in the SAPSSLS.pse keystore using the following SAPGENPSE command:

        sapgenpse get_my_name -p SAPSSLS.pse

        Caution

        Note that you have to enter the owner and issuer in two different places in httpd.conf: there is a <Location /trex> tag (trex in lowercase) and a <Location /TREX> tag (TREX in uppercase).

    8. Save the configuration file and close the text editor.

    9. Restart TREX.

Results

You have configured secure communication using HTTPS between the TREX name server and the TREX Web server.