Show TOC

Authenticating the TREX Name ServerLocate this document in the navigation structure

Use

When the TREX name server sends a request to the TREX Web server, it also transmits the public information for its certificate. The TREX Web server uses this information to authenticate the TREX name server.

You must have entered the owner and issuer of the client certificate of the TREX name server into one of the following configuration files, depending on your operating system and Web server:

  • IIS/ Windows:TREXcert.ini
  • Apache/UNIX:httpd.conf

The TREX Web server compares the information transmitted with the information in the configuration file, and only forwards requests from clients that it recognizes. If the Web server receives a request from a client that it does not recognize, it sends the request back. You can enter more than one client certificate into the relevant configuration file.

Entering the Owner and Issuer of the Client Certificate in the TREXcert.ini File (IIS/Windows)

  1. Open the <TREX_Directory>\TREXcert.ini configuration file on the TREX Web server with a text editor.

For security reasons, you should protect the TREXcert.ini configuration file on Windows with operating system methods. For example, you can dictate that only certain users can read the file.

  1. In the [WEBSERVERCERTIFICATEnn] section, replace the entry nn with 1 when you enter the first client certificate. If a client certificate has already been entered, number other entries sequentially. You can enter as many client certificates as you want. You need to number these in ascending order.
    Tip

    [WEBSERVERCERTIFICATE1]

    subject=

    issuer=

  2. In the parameters subject= and issuer=, enter the owner and issuer of the client certificate.

You can get this information from the SAPSSLS.pse keystore with the following SAPGENPSE command:

sapgenpse get_my_name -p SAPSSLS.pse

  1. You enter the information displayed into the TREXcert.ini configuration file as follows:

    [WEBSERVERCERTIFICATE2]

    subject=CN=myhost.mydomain, OU=mydepartment, O=mycompany, L=mycity, ST=mystate, C=m country, EMail=myaccount@mydomain

    issuer=CN=My Certificate Authority (CA), OU=CertificateCenter, O=CA Company, L=CA City, ST=CA State, C=CA Country, EMail=caaccount@ cacompany.com

    Note

    You already entered the specifications for subject and issuer for the TREX Java client in the configuration file TREXcert.ini when configuring secure communication between the TREX Web server and the TREX Java client, thereby authenticating the TREX Java client with the TREX Web server (see Authenticating the TREX Java Client). You have now added the TREX name server as an additional communication partner of the TREX Web server in the [WEBSERVERCERTIFICATE2] section.

  2. Note the following:
    • Names - The holder of the certificate is known as the owner in the SAPGENPSE cryptography tool and the subject in the configuration file.

      Several names are permitted for the following information in the configuration file:

      Information Name in TREXcert.ini

      State

      ST= and S=

      E-mail Address

      E-Mail= and E=

      The other names need to be entered into the configuration file exactly as they appear in the keystore, that is, 0= is the organization, L= is the location, and so on.

    • Spelling - The spelling of the entries in the configuration file must be exactly the same as in the keystore. Pay particular attention to lower- and uppercase and to the spacing in parameter values.
    • Order - The order of the values in the parameters subject= and issuer=is irrelevant. For example, both subject=CN=myhost.mydomain, OU=mydepartment, O=mycompany, ... and subject=O=mycompany, OU=mydepartment, CN=myhost.mydomain, ... are permitted.
    • Line breaks - All values for one parameter (for example, in subject=), must be on a single line. Separate entries on the line using commas and spaces as in the example below.

      issuer=E=caaccount@ cacompany.com, C=CA Country, ...

  3. Save the TREXcert.ini file and close the editor.

Enter the owner and issuer of the client certificate in httpd.conf (Apache/UNIX)

  1. Log on with the user that you used to install TREX.
  2. Stop TREX.
  3. Go to the TREX installation directory and then into the configuration directory of the Web server:

    cd <TREX_Directory>/Apache/conf

  4. Open the httpd.conf configuration file.
    Caution

    Make a backup copy of the httpd.conf configuration file in case you decide in the future that you no longer want to run the Apache Web server over a secure connection.

  5. In the Apache Web server httpd.conf configuration file, search for the line with the second instruction SSLRequire, which is within the <Location /TREX> and </Location> tags. The httpd.conf configuration file delivered in the following form by default:

    <Location /TREX>

    SetHandler trex-handler

    #   usage of SSLRequire:

    #   standard apache example:

    #   SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \

    #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \

    #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \

    #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \

    #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \

    #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/

    #   SAP EP example

    #       SSLRequire      (%{SSL_CLIENT_S_DN} eq "/C=DE/ST=BW/L=Walldorf/O=SAP Portals/OU=TREX/CN=p54896 client/Email=andreas.mustermann@sap.com" and \%{SSL_CLIENT_I_DN} eq "/C=DE/ST=BW/L=Walldorf/O=SAP Portals/OU=TREX/CN=CA TREX/Email=andreas.mustermann@sap.com" )

    </Location>

Make sure that you use the backslash (\) to divide lines that are too long.

  1. The instruction SSLRequire is commented out by default. To activate it, remove the comment sign (#) from the line SSLRequire.
    Note

    You already entered the specifications for subject and issuer for the TREX Java client in the Apache Web server configuration file httpd.conf when configuring secure communication between the TREX Web server and the TREX Java client, thereby authenticating the TREX Java client with the TREX Web server (see Modifying the Configuration File of the Apache Web Server).

  2. Add the entry for the Subject and Issuer of the TREX name server after the entry for the Subject and Issuer for the TREX Java client.
    1. Enter the Owner (Subject) and Issuer for the client certificate in the following form:

      SSLRequire (%{SSL_CLIENT_S_DN} eq "<Owner(Subject)>" and %{SSL_CLIENT_I_DN} eq "<Issuer(Issuer)>")

    2. Link the two entries with parentheses (…) in the following way:

      (Subject/Issuer Java client)or (Subject/Issuer name server)

      Tip

      (%{SSL_CLIENT_S_DN} eq "/C=DE/ST=Baden Wuerttemberg/L=Walldorf/O=SAP AG/OU=TREX/CN=TREX Java Client/Email=my.account@sap.com" and %{SSL_CLIENT_I_DN} eq "/C=DE/ST=BadenWuerttemberg/L=Walldorf/O=CA Company/OU=Certificate Center/CN=My Certificate Authority/Email=ca.account@ca-company.com" )

      or\

      (%{SSL_CLIENT_S_DN} eq "/C=DE/ST=Baden Wuerttemberg/L=Walldorf/O=SAP AG/OU=TREX/CN=TREX Java Client/Email=my.account@sap.com" and %{SSL_CLIENT_I_DN} eq "/C=DE/ST=BadenWuerttemberg/L=Walldorf/O=CA Company/OU=Certificate Center/CN=My Certificate Authority/Email=ca.account@ca-company.com" )

      You find the information on the owner and issuer of the client certificate in the SAPSSLS.pse keystore using the following SAPGENPSE command:

      sapgenpse get_my_name -p SAPSSLS.pse

      Caution

      Note that you have to enter the owner and issuer in two different places in httpd.conf. There is a tag <Location /trex> tag (TREX in lowercase) and a <Location /TREX> tag (TREX in uppercase).

  3. Save the configuration file and close the text editor.
  4. Restart TREX.

Result

You have configured secure communication using HTTPS between the TREX name server and the TREX Web server.