
Accessing HTTPS via CFHTTP

Community Beginner, Jul 30, 2008
I'm trying to import the public key of a secure site (https) I want to get to via CFHTTP. But, I'm having a lot of difficulty getting this to work. Our CF8 server is on a Unix box (SunOS 5.10). From my Windows XP workstation, I went to the site with IE and retrieved the public key in DER Binary Format and saved it to a *.cer file on the CF server (via Samba share). I then used the keytool to import it into the keystore at /{jrun_root}/jre/lib/security/cacerts. I verified that it was in there with the keytool -list -keystore cacerts command. I then went into the /{jrun_root}/servers/cfusion/SERVER-INF/jrun.xml file and uncommented the jrun.servlet.http.SSLService section and pointed the keyStore and trustStore attributes to the cacerts key store. I restarted CF and received a host of errors all saying:

error No available certificate or key corresponds to the SSL cipher suites which are enabled.

Can anyone lend some guidance here? Could it be that the DER file I'm using originated from a windows box?
LEGEND, Jul 30, 2008
HugeBob wrote:
> I'm trying to import the public key of a secure site (https) I want to get to
> via CFHTTP. But, I'm having a lot of difficulty getting this to work. Our CF8
> server is on a Unix box (SunOS 5.10). From my Windows XP workstation, I went
> to the site with IE and retrieved the public key in DER Binary Format and saved
> it to a *.cer file on the CF server (via Samba share). I then used the keytool
> to import it into the keystore at /{jrun_root}/jre/lib/security/cacerts. I
> verified that it was in there with the keytool -list -keystore cacerts
> command.

So far so good.


> I then went into the /{jrun_root}/servers/cfusion/SERVER-INF/jrun.xml
> file and uncommented the jrun.servlet.http.SSLService section and pointed the
> keyStore and trustStore attributes to the cacerts key store. I restarted CF
> and received a host of errors all saying:
>
> error No available certificate or key corresponds to the SSL cipher suites
> which are enabled.


And this is incorrect. You only need to do this if you are using the
built-in webserver and want to access that webserver directly from your
browser over HTTPS. (And in that case you would need the private key too.)


Undo the changes to jrun.xml, restart CF and try your cfhttp code.

Jochem


--
Jochem van Dieten
Adobe Community Expert for ColdFusion
Community Beginner, Jul 30, 2008
quote:

Originally posted by: Newsgroup User
HugeBob wrote:
> I'm trying to import the public key of a secure site (https) I want to get to
> via CFHTTP. But, I'm having a lot of difficulty getting this to work. Our CF8
> server is on a Unix box (SunOS 5.10). From my Windows XP workstation, I went
> to the site with IE and retrieved the public key in DER Binary Format and saved
> it to a *.cer file on the CF server (via Samba share). I then used the keytool
> to import it into the keystore at /{jrun_root}/jre/lib/security/cacerts. I
> verified that it was in there with the keytool -list -keystore cacerts
> command.

So far so good.


> I then went into the /{jrun_root}/servers/cfusion/SERVER-INF/jrun.xml
> file and uncommented the jrun.servlet.http.SSLService section and pointed the
> keyStore and trustStore attributes to the cacerts key store. I restarted CF
> and received a host of errors all saying:
>
> error No available certificate or key corresponds to the SSL cipher suites
> which are enabled.


And this is incorrect. You only need to do this if you are using the
built-in webserver and want to access that webserver directly from your
browser over HTTPS. (And in that case you would need the private key too.)


Undo the changes to jrun.xml, restart CF and try your cfhttp code.



Jochem,

Since I was getting all those errors during CF start up, I killed it, removed the changes and restarted the server. But, no luck. The template containing the CFHTTP still can't connect.
LEGEND, Jul 31, 2008
HugeBob wrote:
> Since I was getting all those errors during CF start up, I killed it, removed
> the changes and restarted the server. But, no luck. The template containing
> the CFHTTP still can't connect.

Code and complete error message please :)

Jochem


--
Jochem van Dieten
Adobe Community Expert for ColdFusion
Community Beginner, Aug 04, 2008
In looking at the Unix server CF sits on, I noticed that there are two JREs installed: one in the JRun directory and one that's in the system path. The results of "whereis java" always point to the version not in the JRun install directory. Even if I go into /export/jrun4/jre/bin and try "whereis ./java", I don't get the version used by JRun. So, my question is, does CF actually use the JRE path in the CF Administrator's JVM Details:Java Home or does it use the system path to reach the JRE? If it uses the system path, it will never use the cacerts keystore containing the certs of the servers to be reached via CFHTTP.

Here's the code I'm using. It's a very small test page that collects the user's public key in base-64 format, wraps it in XML and posts it to a webservice which returns the attributes (attrib1, attrib2, ...) about the user based on their cert.

<cfset inputXML = "<authenticate><Cert>" & cgi.CERT_SUBJECT & "</Cert><attributes>attrib1,attrib2,attrib3,attrib4,attrib5</attributes></authenticate>">
<cfhttp method="POST" url="https://secwebserv.here" port="443" result="res" timeout="300" throwonerror="no">
<cfhttpparam type="Header" name="Accept-Encoding" value="*">
<cfhttpparam type="Header" name="TE" value="deflate;q=0">
<cfhttpparam type="xml" value="#inputXML#">
</cfhttp>

When I dump the results, I get:
ErrorDetail: I/O Exception: peer not authenticated
Filecontent: Connection Failure
Mimetype: Unable to determine MIME type of file.
Statuscode: Connection Failure. Status code unavailable.
Text: YES
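
The question raised in the last post (which JRE, and therefore which cacerts, is actually consulted) can be checked directly. The following is an added example, not part of the original thread and not Adobe's code: a small Java program that reports the truststore a given JVM resolves by default and whether the saved certificate file is in it. The class name TrustStoreCheck is hypothetical, and the store password is assumed to be the stock "changeit" unless another is supplied.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Added diagnostic, not code from the thread. Written without Java 7+ syntax
// so it also compiles for the JRE generation that shipped with CF8.
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java TrustStoreCheck <cert-file> [storepass]");
            System.exit(2);
        }
        // Assumption: stock cacerts password; pass yours as the 2nd argument.
        char[] pass = (args.length > 1 ? args[1] : "changeit").toCharArray();

        // JSSE default lookup: javax.net.ssl.trustStore, then jssecacerts, then cacerts.
        String home = System.getProperty("java.home");
        String path = System.getProperty("javax.net.ssl.trustStore");
        if (path == null) {
            File jsse = new File(home, "lib/security/jssecacerts");
            path = jsse.exists() ? jsse.getPath() : new File(home, "lib/security/cacerts").getPath();
        }
        System.out.println("java.home  : " + home);
        System.out.println("truststore : " + path);

        // CertificateFactory reads both DER and base-64 (PEM) encoded files.
        InputStream certIn = new FileInputStream(args[0]);
        X509Certificate cert = (X509Certificate)
                CertificateFactory.getInstance("X.509").generateCertificate(certIn);
        certIn.close();

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream ksIn = new FileInputStream(path);
        ks.load(ksIn, pass);
        ksIn.close();

        // Fingerprint to compare with what the browser showed for the site.
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        StringBuilder fp = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            fp.append(String.format("%02X", digest[i])).append(i < digest.length - 1 ? ":" : "");
        }
        String alias = ks.getCertificateAlias(cert); // null when no entry matches
        System.out.println("SHA-1      : " + fp);
        System.out.println(alias != null ? "FOUND as alias '" + alias + "'" : "NOT in this truststore");
        System.exit(alias != null ? 0 : 1);
    }
}
```

Run it once with each installed JRE's own bin/java (the one under the Java Home shown in the CF Administrator and the one on the system path); the two runs print different java.home values, and only the store reported for the JVM that CF runs on matters for CFHTTP.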