ColdFusion Muse

thanks heaps, you just saved me a whole bunch of time

note that it's necessary to restart CF Server after registering a new certificate, and for those who may be stumped (since it's not intuitively obvious) if you don't know where to find the certificate file for a particular webservice, Internet Explorer will give it to you with export options by double-clicking the padlock icon if you have the service url open in a browser. A base-64 export worked for me. I don't know how Firefox exposes them.

Ike - thanks for the additional info. You are definitely right about "how to get the certificate". It's not something immediately apparent.

welcome... actually, I'd go so far as to say it's nearly an easter egg. :)

This was excellent - thank you for writing it up and for including the additional comments of which getting the certificate was particularly useful. Password error I think on this line "-storepass changit" should be "-storepass changeit"

Thanks again.

If Java is installed in a separate directory than ColdFusion, be sure to install the crt in the cacert file in the Java directory.

To figure out the java directory, click on "System Information" in the coldfusion administrator and look at the entry under "Java Home"

The path to your cacert file will be:
[java home directory]\lib\security

So the command line code would be:
[java home directory]\lib>keytool -list -storepass changeit -noprompt -keystore [java home directory]\lib\security\cacerts

Hi, Mark, I am banging my head on the wall on this issue and stumbled upon your blog post.

I just want to clarify your post, I have stored the certificate from a client which web service we want to invoke. Are you saying that I also need signing certificates that the client use to produce his certificate?

Felix:

Can you embellish on what your problem is? I cannot determine from what you say your particular situation, but if you have a client certificate (.cer) and you are calling their program from ColdFusion, then all you need to do is register the certificate (using keytool utility) to the keystore of the java instance that your CF server is running under. See Jill's comment for details about locating the correct jre. Once you have done that, restart your CF server and you should be able to connect.

Hi Jason,

These are the steps that I took to install the certificate:
1. Generate a CSR using openSSL tool.
2. Supply the client with this CSR, the returned us a CRT file.
3. I stored the CRT file using keytool on CF8 jre/bin
4. Restarted the CF server
5. Invoke the client web service URL, got the error: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated.
6. Client suggested us to store the root CRT from his site as well, so we did that too (same as step 3).
7. The error still persist..

:(

Hi all, I think I sort of worked out why I had the problem.
My client is requiring SSLv3 which not yet supported (it's still in CF feature wishlist):
http://labs.adobe.com/wiki/index.php/Scorpio:Custo... no 35

I think we will go with creating .NET object and invoke it via CF.
Thanks for all the help!

Thanks for the great posting! I am still having issues and not sure if the port is the issue. Does port 636 need to be open on both Coldfusion and LDAP server in order to create a secure connection?

A couple of updates on this, just for information:

You can retrieve a certificate in Firefox by double-clicking the padlock, same as IE. Go to details and export.

And the one that got me for the last half hour...

Do not use directories with extended names - keytool doesn't like "Documents and Settings" (even with double quotes). Just stick it in c:\temp - it's much easier.

Oh yes - the keytool in CF8 is in C:\ColdFusion8\runtime\jre\bin (not jre\lib)

Thanks a lot for creating this simple guide - can't understand why Adobe (and Macromedia) make no mention of it anywhere under web services.

Hey there I've been thru the guides and am pretty sure I did everything right but the damn thing is still returning a

This exception was caused by: javax.mail.MessagingException: Connect failed; nested exception is: javax.net.ssl.SSLException: untrusted server cert chain.

I'm basically trying to connect to Gmail using CFPOP. Now CFPOP doesn't really support SSL so I've had to change the necessary java properties to get it to connect by

<CFSET javaSystem = createObject("java", "java.lang.System") />
<CFSET prop = javaSystem.getProperties() />
<CFSET prop.setProperty("mail.pop3.socketFactory.class", "javax.net.ssl.SSLSocketFactory") />
<CFPOP name = "rsCheckNew" action = "getHeaderOnly"
server = "pop.gmail.com" port = "995" timeout = "10"
username = "username@gmail.com" password = "password">

I've also gotten the Gmail cert from the browser and executed the necessary keytool command. keytool -list -keystore c:\cfusionmx\runtime\jre\lib\security\cacerts shows

thawtepersonalfreemailca, Sat Feb 13 04:12:16 SGT 1999, trustedCertEntry,
Certificate fingerprint (MD5): 1E:74:C3:86:3C:0C:35:C5:3E:C2:7F:EF:3C:AA:3C:D9
thawtepersonalbasicca, Sat Feb 13 04:11:01 SGT 1999, trustedCertEntry,
Certificate fingerprint (MD5): E6:0B:D2:C9:CA:2D:88:DB:1A:71:0E:4B:78:EB:02:41
verisignclass3ca, Tue Jun 30 01:05:51 SGT 1998, trustedCertEntry,
Certificate fingerprint (MD5): 78:2A:02:DF:DB:2E:14:D5:A7:5F:0A:DF:B6:8E:9C:5D
thawteserverca, Sat Feb 13 04:14:33 SGT 1999, trustedCertEntry,
Certificate fingerprint (MD5): C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D
thawtepersonalpremiumca, Sat Feb 13 04:13:21 SGT 1999, trustedCertEntry,
Certificate fingerprint (MD5): 3A:B2:DE:22:9A:20:93:49:F9:ED:C8:D2:8A:E7:68:0D
verisignclass4ca, Tue Jun 30 01:06:57 SGT 1998, trustedCertEntry,
Certificate fingerprint (MD5): 1B:D1:AD:17:8B:7F:22:13:24:F5:26:E2:5D:4E:B9:10
gmail, Mon Nov 03 11:38:23 SGT 2008, trustedCertEntry,
Certificate fingerprint (MD5): 63:1E:F3:56:B0:B0:F7:8D:E4:8C:8F:7D:8E:F5:68:D0
verisignclass1ca, Tue Jun 30 01:06:17 SGT 1998, trustedCertEntry,
Certificate fingerprint (MD5): 51:86:E8:1F:BC:B1:C3:71:B5:18:10:DB:5F:DC:F6:20
verisignserverca, Tue Jun 30 01:07:34 SGT 1998, trustedCertEntry,
Certificate fingerprint (MD5): 74:7B:82:03:43:F0:00:9E:6B:B3:EC:47:BF:85:A5:93
thawtepremiumserverca, Sat Feb 13 04:15:26 SGT 1999, trustedCertEntry,
Certificate fingerprint (MD5): 06:9F:69:79:16:66:90:02:1B:8C:8C:A2:C3:07:6F:3A
verisignclass2ca, Tue Jun 30 01:06:39 SGT 1998, trustedCertEntry,
Certificate fingerprint (MD5): EC:40:7D:2B:76:52:67:05:2C:EA:F2:3A:4F:65:F0:D8

gmail is the alias I created using the import tool. Anything else that I've missed out ? I'm going thru my keyboards real quick and I'm pretty sure my skull is cracked from all the banging on the wall.

@Michael,

The problem is not the cert you installed. The cert is a part of a "chain" of certs from the provider with a governing heirarchy. You probably need to add an "intermediate" certificate to get it working. As it stands the cert you installed is telling the system to look further up the chain but there is no trusted cert further up the chain.

Do a google for "intermediate certificates" for more information. You can probably also examine the certs in your local repo for FF or IE and figure out which ones are google intermediates.

Ok fixed this one:

Like Mark said, the certification chain was required; not merely the certificate. If you're using some kind of GUI tool (ie browser) you should be able to view those fairly easily. If you're not, you'll have to traverse the certificate manually from its cert structure and figure out where to download it from. I strongly recommend that you go for the first option :)

Secondly, if you're connecting to gmail like I was, exporting the cert from your browser doesn't work. You'll be getting a cert registered to www.google.com and NOT pop.gmail.com (which is what you're connecting to). Makes a world of a difference. I did an Ethereal trace before realising that. I'd imagine that you could use some kind of SSL investigator to retrieve the cert if you need to.

Thirdly, the actual keystore used is also important. The VM has its default keystore location (usually cfusionmx/runtime/jre/lib/security/cacerts) *but* if you've done any reconfiguration to your CF process and ran it under another user account or changed ownership, it'll look by default into your "document and settings" folder (/user/local) for unix I think.

To specify a custom keystore you could either

a. Set it as your VM parameter in CF admin using the
-Djavax.net.ssl.trustStore=[keystore location] -Djavax.net.ssl.trustStorePassword=[keystore password]

or you could set it as a java system property since you're already messing with that before calling CFPOP by doing

<CFSET javaSystem = createObject("java", "java.lang.System") />
   <CFSET prop = javaSystem.getProperties() />
   <CFSET prop.setProperty("mail.pop3.socketFactory.class", "javax.net.ssl.SSLSocketFactory") />
   <CFSET prop.setProperty("javax.net.ssl.trustStore", "C:\CFusionMX\runtime\jre\lib\security\cacerts") />
   <CFSET prop.setProperty("javax.net.ssl.trustStorePassword", "changeit") />

Seems to connect fine with no issues. Have to say Gmail's implementation of the POP protocol is kinda funky tho. Your CFPOP is going to retrieve *all* messages from a certain date which would be painful down the line. Doesn't seem like gmail removes those mail from server once you've read them so if the user has set to download all mails, your CFPOP is going to go thru *ALL* mails the user has ever received since day 1.

Various ways to get around that I guess depending on what you're trying to achieve. As far as connectivity goes tho, the above should resolve any issues you have.

Michael,

Awesome explanation... thanks!!

Btw, anyone getting blank message ids using CFPOP for gmail ? Doesn't seem to return anything on the UID column. Kinda stuffs everything up really. Anyone else came across this and fixed it ?

Whoops I meant yahoo mail. Gmail returns the IDs fine.

I have been banging up against this issue for nearly a week now, this is almost no information on the web about it. Thank god for the ColdfusionMuse!

Here's my code:
<cfset ws = CreateObject("webservice","https://financial3.symetra.com/sws2008/service.asm...;, wsargs)>
<cfset ws._setProperty("axis.transport.version", "1.1")>
<cfset resp = ws.symetraQuote(xmlstr)>

I downloaded the cert by browsing the URL in IE and downloaded all three levels of certs from the "Certification Path" tab. The bottom two levels installed successfully, the top (verisign) was already there so I didn't overwrite it.

The createObject() works and I can cfdump the returned variable and see the methods. The second call _setProperty() also seems to work. But whenever I try to call the method() I get the error...

Cannot perform web service invocation symetraQuote.
The fault returned when invoking the web service operation is:

AxisFault
faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
faultSubcode:
faultString: java.net.ConnectException: Connection timed out: connect
faultActor:
faultNode:
faultDetail:
   {http://xml.apache.org/axis/}stackTrace:java.net.ConnectException: Connection timed out: connect

This was tested from two different servers, one over the internet and one in the same LAN. Within the LAN, if SSL is removed, it works fine, but going via SSL fails every time.

Any help would be HUGELY appreciated!

Thanks. This is very informative. It helped us solve a java ssl issue in our application.

I don't suppose Adobe has a KB article about this, do they? My server team is going to balk about doing this with information from an unofficial source.

Al --

http://www.google.com/search?q=coldfusion+keytool+...

http://kb.adobe.com/selfservice/viewContent.do?ext...

After enough paperwork to clearcut clearcut a moderately-sized grove of trees, the server team ran the command to add to the keystore.

It worked perfectly.

At least, I can now programmatically get to the webservice over SSL. Consuming is now my next challenge.

Thank you all for your help.

Here's a tool from Sun that should make the chained certs a bit easier.

http://blogs.sun.com/andreas/entry/no_more_unable_...

you'll have to compile it & run it from the command line. To make it work for you without any code changes, first figure out where it's trying to find jssecacerts, then copy your cacerts file there and rename it to jssecacerts. Once you've imported the certificate you need, you can copy it back to jrun4\jre\lib\security (or wherever it is supposed to be on your install).

To use it (after compiling it) run it from the command line like so: java InstallCert financial3.symetra.com
(to use Gary's example above)

It'll check it and throw errors if it doesn't trust the final cert. It'll prompt you, asking which cert in the chain you want to add to your trust store. Add the root one and run it again; work your way up from there until it doesn't throw errors anymore.

Just want to say thanks for this post it helped me with an error connecting to a web service via SSL.

Allright, I have been looking all arround and this post was the best one so far. I have been able to get throught the initial SSL issue, but I am running into the issue of passing a client certificate to the web service. Has anyone needed to do this and solved the riddle of how to do it?

Same problem, I need to pass a client cert too. Anyone had success doing it? I need to consume a WS from a server that requires mutual SSL (Grants.gov), I can browse the WSDL via firefox but when I import that same client cert into my local cacerts file I still cannot authenticate (     I/O Exception: peer not authenticated ).

Thanks in advance!

Let me see if I can get a solution together for this problem and I will post a follow up. Feel free to send me details if you resolve the issue.

We finally got around v3 SSL encryption by using this tag : CFX_HTTP5

It is available at different spots on the net, here's one:
http://www.cftagstore.com/tags/cfxhttp5.cfm

It seems that CF 7 DOES NOT support client side certs period, however, with CF 8 no problem, just add the "ClientCert" and "ClientCertPassword" into the tag as seen below and voila!

<cfhttp url="https://at07ws.grants.gov:446/agency-s2s-server/se...; clientcert="c:\junk\myClientCert.p12" ClientCertPassword="changeit">

@Frank,

That's great if you want to use CFHTTP - but invoking a WS service using createobject or Cfinvoke will still not be able to use a client cert. That's the real problem here.

@ Mark,

Good poing but I think this workaround should solve my immediate need:

http://www.jamesnetherton.com/blog/2007/01/14/Invo...

Love the CF Muse ... Frank

If you're on a windows server, I'd suggest CFX_HTTP5 -- even if you're using CF8 (and it's actually not available in raw CF8, you have to patch to the latest version I think).

It's $50 and adds a number of features that make it superior to CFHTTP. It uses your windows cert manager instead of having to mess about with the keystore/truststore stuff. It has session support. It can do lots of HTTP requests at the same time, great if you're dealing with stuff where some of the requests take longer than others. We use it extensively. Most code can be pretty easily converted to it.

http://www.cftagstore.com/tags/cfxhttp5.cfm

I know this is an old post but please NEVER let it go down... it saved me!!

Just to verify how I managed to get PayPal and Ebay API's working which both use this new certificate.

1 - Open both of the API pages in internet explorer (it has some uses) - Double click the Secure icon and then save the certificate as base64 (thanks to ike) in the "lib" folder. One called paypal.cer and the other ebay.cer
2 - Create a batch file to do the import
3 - Reboot CF and Voila - It works.

Batch file contents:-

@echo off
cls
..\bin\keytool -import -keystore w:\jrun4\jre\lib\security\cacerts -alias paypal -storepass changeit -noprompt -trustcacerts -file paypal.cer
..\bin\keytool -import -keystore w:\jrun4\jre\lib\security\cacerts -alias ebay -storepass changeit -noprompt -trustcacerts -file ebay.cer
pause

Thank you this was a huge help I narrowed it down to the SSL issue form the error in the CFADMIN when refreshing the web service. Then realized I had CF 7 so took out the CFWINDOW lines of code and then did the cert import and code started to work.

I did not get the command line options that were mentioned here to work instead I had to go get CERTMAN
http://certman.riaforge.org/
Then install it and remove the CFWINDOW lines of code in the addcertForm.cfm page plus create a extensionscustom.cfm that my CFIDE/Administrator did not have.

Hi,

Please i'm having a headache connecting to a host via cfhttp using ssl. They sent me a *.keystore file and i tried using the keytool to view it but get the error "Keystore was tampered with, or password was incorrect". They said i should just place the *.keystore file and point to it during a https call but coldfusion 8 (clientcert) only accepts files in PKCS12 format.

Please what should I do with the *.keystore file sent to me?

very comfortable jordans sneaker for either basketball or to make any chill out outfit look clean. I love air jordan shoes ! Great Buy! This product was delivered very quickly. I would definitely buy from http://www.jordanshoesforsale.org/

I got the javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
error and it turned out I had added a trusted root level certificate that should not have been on the machine. i removed it from the certificates on the local machine via the MMC snap-in and things were then up and running.

Thanks for this post. Stupidly, the only thing my PayPal instructions forgot to mention was the CF restart. After that, everything worked perfectly. It's a dumb 'gotcha', but still a 'gotcha' nonetheless.

@Mark - did you ever figure out how to supply the client cert using WS via a CreateObject? I'm completely stymied here.

I’ve been through a very difficult few days trying to get an SSL connection to Highrise (37signals) to work on my Mac development server, without any luck at all. I installed the whole chain of certs, confirmed they were installed, set up logging of the entire ssl handshake by adding -Djavax.net.debug=all as an argument to the JVM under CF Administrator to try and understand what was going on under the hood, etc. The strange thing was that when I, as a last resort, tried to install the cert on the Linux production server, it worked. I note that sometimes folks report that they install certificates needed but it doesn't work for them.

I don't know why in one case it works and one it doesn't. I just thought I'd report my experience here in case it helps anyone else.

@Nando - Nice of you, guess u followed the instructions to the letter...I went through a similar nightmare. I was using https to connect to a remote server via a Point-to-point VPN but kept getting certificate mis-match error. The host said I must use an IP address in the URL and not the domain name meanwhile, their certificate was registered to a domain name. If I used the domain name in the URL, it fails...it was just frustrating. The trick for me (which am not currently sure of the consequence) was to add a header parameter to cfhttpparam with the name "Host" and use the domain name in the URL and it worked.

So if anyone is going through this same problem, which i doubt because my remote server are currently upgrading their system....this might help

This post has been extremely helpful, thank you SOOOOOO much!

We are experiencing the situation where are CF scheduled tasks are getting "peer not authenticated". We were running CF8 on Solaris/Sun 1 but have gone to CF9 on Red Hat Linux/Apache. They were running fine until we made the upgrade. We have a Verisign cert installed on our website which is NOT registered in our runtime\jre\lib\security\cacerts. Based on this article it appears that we need to register it. Can anyone confirm this and think that it will solve our problem?

The most well-known Jordan Retro 5 shoes among Nike friends and family is Nike NBA sequence, which many NBA people wear. Jordan 5 shoes are backed by popular NBA gamers like Jordan Retro 5 fire red, Kobe Bryant and also Dwayne Wade, to call a few. http://www.jordanretro5firered.net

i have big problem. since May 27 2015 my website lost connection with authorize.net. customer check out they got an exception error instead of check out success confirmation. My host still not able fix it. they said already update all required cert. but my hired tech able to test with sand box test URL with SSL SHA-2(i think which is already applied) and it work but when i tried to use production URL( https://secure.authorize.net/gateway/transact.dll). got the connection failure

SSL: GeoTrust SHA-2
coldfusion server: Coldfusion version 9.0.1.274733
Windows Server , Windows Server 2008 R2 Enterprise Edition SP1
Java: 1.7xxxx

authorize.net payment process page code:
<!--- USER SETTING [ START ] ==================================================== --->
<cfset variables.AuthNetLogin = "XXXXXXXXX"><!--- Fill in your login --->
<cfset variables.TransactionKey = "XXXXXXXX"><!--- Fill in your transaction key OR password --->
<cfset variables.AuthNetPassword = "">
<cfset variables.TestMode = "False">
<!--- USER SETTING [ END ] ====================================================== --->

<cfhttp url="https://secure.authorize.net/gateway/transact.dll"" target="_blank">https://secure.authorize.net/gateway/transact.dll&...; method="post">
   <cfhttpparam type="FormField" name="x_Login" value="#variables.AuthNetLogin#">
<cfif variables.AuthNetPassword NEQ "">
      <cfhttpparam type="FormField" name="x_Password" value="#variables.AuthNetPassword#">
   <cfelse>
      <cfhttpparam type="FormField" name="x_tran_key" value="#variables.TransactionKey#">
   </cfif>
   <cfhttpparam type="FormField" name="x_version" value="True">
   <cfhttpparam type="FormField" name="x_type" value="AUTH_CAPTURE">
   
   <cfhttpparam type="FormField" name="x_Amount" value="#NumberFormat(Client.OrderTotal,'999999999.99')#">
   <cfhttpparam type="FormField" name="x_Card_Num" value="#request.CCNumber#">
   <cfhttpparam type="FormField" name="x_Exp_Date" value="#NumberFormat(request.CCExprDate,"0999")#">
   <cfhttpparam type="FormField" name="x_card_code" value="#request.CCV#">

   <cfhttpparam type="FormField" name="x_Last_Name" value="#rsGetCustBilling.cst_LastName#">
   <cfhttpparam type="FormField" name="x_First_Name" value="#rsGetCustBilling.cst_FirstName#">
   <cfhttpparam type="FormField" name="x_company" value="NA">
   <cfhttpparam type="FormField" name="x_Address" value="#rsGetCustBilling.cst_Address1#">
   <cfhttpparam type="FormField" name="x_City" value="#rsGetCustBilling.cst_City#">
   <cfhttpparam type="FormField" name="x_State" value="#rsGetCustBilling.stprv_Name#">
   <cfhttpparam type="FormField" name="x_Zip" value="#rsGetCustBilling.cst_Zip#">
   <cfhttpparam type="FormField" name="x_Country" value="#rsGetCustBilling.country_Code#">
   <cfhttpparam type="FormField" name="x_Phone" value="#rsGetCustBilling.cst_Phone#">
   <cfhttpparam type="FormField" name="x_email" value="#rsGetCustBilling.cst_Email#">
   <cfhttpparam type="FormField" name="x_customer_ip" value="#cgi.remote_addr#">

   <cfhttpparam type="FormField" name="x_Method" value="CC">
   <cfhttpparam type="FormField" name="x_ADC_Delim_Character" value=",">
   <cfhttpparam type="FormField" name="x_ADC_Delim_Data" value="TRUE">
   <cfhttpparam type="FormField" name="x_ADC_Encapsulate_Character" value="">
   <cfhttpparam type="FormField" name="x_ADC_URL" value="FALSE">
   <cfhttpparam type="FormField" name="x_Test_Request" value="#variables.TestMode#">
</cfhttp>

<cfset request.TransactionResult = Val(ListFirst(cfhttp.fileContent))>
??<cfset Request.TransactionID = ListGetAt(cfhttp.fileContent, '7')>
<cfset request.TransactionMessage = ListGetAt(cfhttp.fileContent, '4')>

<!--- 1=Pending, 2=Verified, 3=Shipped --->
<cfif request.TransactionResult EQ 1>
   <cfset request.TransactionResult = "Approved">
   <cfset request.OrderStatusID = 2>
</cfif>   


anyone can shred some light where goes wrong? the server or the payment processing code? the code works fine before may 15, 2015. thanks in advance. my site is down almost 2 month....

Thanks Mark. problem resolved. those have same problem please refer to this link. thanks all.....

http://community.developer.authorize.net/t5/Integr...

Hi Mark. I know this is a really old post but I really need your help. I have just installed an intermediate & primary SSL certificate on my VPS. Everything is working well, except when I make a cfhttp call from app.establishmindfulness.com to advert.establishmindfulness.com. These 2 subdomains are on the same server, and I am using a wildcard SSL certificate that covers all sub domains. Do I need to install the intermediate.crt & primaryssl.crt in my keystore cacerts? Is this the problem. I tried just installimg the certificate.cer that I grabbed from Internet Explorer, but maybe this is the wrong approach?