Accessing HTTPS via CFHTTP
Community Beginner
Jul 30, 2008
I'm trying to import the public key of a secure site (https)
I want to get to via CFHTTP. But, I'm having a lot of difficulty
getting this to work. Our CF8 server is on a Unix box (SunOS 5.10).
From my Windows XP workstation, I went to the site with IE and
retrieved the public key in DER Binary Format and saved it to a
*.cer file on the CF server (via Samba share). I then used the
keytool to import it into the keystore at
/{jrun_root}/jre/lib/security/cacerts. I verified that it was in
there with the
keytool -list -keystore cacerts command. I then went into
the /{jrun_root}/servers/cfusion/SERVER-INF/jrun.xml file and
uncommented the jrun.servlet.http.SSLService section and pointed
the keyStore and trustStore attributes to the cacerts key store. I
restarted CF and received a host of errors all saying:
error No available certificate or key corresponds to the SSL cipher suites which are enabled.
Can anyone lend some guidance here? Could it be that the DER file I'm using originated from a Windows box?
LEGEND
Jul 30, 2008
HugeBob wrote:
> I'm trying to import the public key of a secure site (https) I want to get to
> via CFHTTP. But, I'm having a lot of difficulty getting this to work. Our CF8
> server is on a Unix box (SunOS 5.10). From my Windows XP workstation, I went
> to the site with IE and retrieved the public key in DER Binary Format and saved
> it to a *.cer file on the CF server (via Samba share). I then used the keytool
> to import it into the keystore at /{jrun_root}/jre/lib/security/cacerts. I
> verified that it was in there with the keytool -list -keystore cacerts
> command.
So far so good.
> I then went into the /{jrun_root}/servers/cfusion/SERVER-INF/jrun.xml
> file and uncommented the jrun.servlet.http.SSLService section and pointed the
> keyStore and trustStore attributes to the cacerts key store. I restarted CF
> and received a host of errors all saying:
>
> error No available certificate or key corresponds to the SSL cipher suites
> which are enabled.
And this is incorrect. You only need to do this if you are using the
built-in webserver and want to access that webserver directly from your
browser over HTTPS. (And in that case you would need the private key too.)
Undo the changes to jrun.xml, restart CF and try your cfhttp code.
Jochem
--
Jochem van Dieten
Adobe Community Expert for ColdFusion
HugeBob
AUTHOR
Community Beginner
Jul 30, 2008
quote:
Originally posted by: Newsgroup User
HugeBob wrote:
> I'm trying to import the public key of a secure site (https) I want to get to
> via CFHTTP. But, I'm having a lot of difficulty getting this to work. Our CF8
> server is on a Unix box (SunOS 5.10). From my Windows XP workstation, I went
> to the site with IE and retrieved the public key in DER Binary Format and saved
> it to a *.cer file on the CF server (via Samba share). I then used the keytool
> to import it into the keystore at /{jrun_root}/jre/lib/security/cacerts. I
> verified that it was in there with the keytool -list -keystore cacerts
> command.
So far so good.
> I then went into the /{jrun_root}/servers/cfusion/SERVER-INF/jrun.xml
> file and uncommented the jrun.servlet.http.SSLService section and pointed the
> keyStore and trustStore attributes to the cacerts key store. I restarted CF
> and received a host of errors all saying:
>
> error No available certificate or key corresponds to the SSL cipher suites
> which are enabled.
And this is incorrect. You only need to do this if you are using the
built-in webserver and want to access that webserver directly from your
browser over HTTPS. (And in that case you would need the private key too.)
Undo the changes to jrun.xml, restart CF and try your cfhttp code.
Jochem,
Since I was getting all those errors during CF start up, I killed it, removed the changes and restarted the server. But, no luck. The template containing the CFHTTP still can't connect.
LEGEND
Jul 31, 2008
HugeBob wrote:
> Since I was getting all those errors during CF start up, I killed it, removed
> the changes and restarted the server. But, no luck. The template containing
> the CFHTTP still can't connect.
Code and complete error message please :)
Jochem
--
Jochem van Dieten
Adobe Community Expert for ColdFusion
HugeBob
AUTHOR
Community Beginner
Aug 04, 2008
In looking at the Unix server CF sits on, I noticed that
there are two JREs installed: one in the JRun directory and one
that's in the system path. The results of "whereis java" always
point to the version not in the JRun install directory. Even if I
go into /export/jrun4/jre/bin and try "whereis ./java", I don't get
the version used by JRun. So, my question is, does CF actually use
the JRE path in the CF Administrator's JVM Details:Java Home or
does it use the system path to reach the JRE? If it uses the system
path, it will never use the cacerts keystore containing the certs
of the servers to be reached via CFHTTP.
Here's the code I'm using. It's a very small test page that collects the user's public key in base-64 format, wraps it in XML and posts it to a webservice which returns the attributes (attrib1, attrib2, ...) about the user based on their cert.
<cfset inputXML = "<authenticate><Cert>" & cgi.CERT_SUBJECT & "</Cert><attributes>attrib1,attrib2,attrib3,attrib4,attrib5</attributes></authenticate>">
<cfhttp method="POST" url="https://secwebserv.here" port="443" result="res" timeout="300" throwonerror="no">
<cfhttpparam type="Header" name="Accept-Encoding" value="*">
<cfhttpparam type="Header" name="TE" value="deflate;q=0">
<cfhttpparam type="xml" value="#inputXML#">
</cfhttp>
When I dump the results, I get:
ErrorDetail: I/O Exception: peer not authenticated
Filecontent: Connection Failure
Mimetype: Unable to determine MIME type of file.
Statuscode: Connection Failure. Status code unavailable.
Text: YES

