• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
1

ColdFusion 2021 Data Source - An SSL socket connection could not be established because JRE 1.4

Community Beginner ,
Jun 07, 2022 Jun 07, 2022

Copy link to clipboard

Copied

I am having trouble getting the keystore to work with ColdFusion 2021. I can not seem to get past the following error:

 

Connection verification failed for data source: <DBName>
java.sql.SQLNonTransientConnectionException: [Macromedia][SQLServer JDBC Driver]An SSL socket connection could not be established because JRE 1.4 or above is required.

 

I went through the same steps that worked for ColdFusion 2018.

Using the Java Home folder from JVM Details in the Settings Summary run the following.

 

<JavaHome>\bin\keytool -importkeystore -srckeystore C:\ColdFusion2021\jdk-11.0.15.1\lib\security\<DBServerName>.pfx -srcstoretype pkcs12 -destkeystore C:\ColdFusion2021\jdk-11.0.15.1\lib\security\<DBServerName>.keystore -deststoretype pkcs12

 

When filling out the Microsoft SQL Server Data Source information I use the following Connection String.

 

EncryptionMethod=SSL;ValidateServerCertificate=true;TrustStore=C:\ColdFusion2021\jdk-11.0.15.1\lib\security\<DBServerName>.keystore;TrustStorePassword=<Password>;HostNameInCertificate=<hostname>

 

Any help would be grealy appreciated.

TOPICS
Database access , Security , Server administration

Views

3.0K

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines

correct answers 1 Correct answer

Community Beginner , Jun 10, 2022 Jun 10, 2022

Hi BKBK,

 

I set the server equal to the IP and received the original error. On that same thought I removed the TrustStore information to see if I got the timeout error as before. I got a new error.

 

Connection verification failed for data source: <MyDB>

java.sql.SQLNonTransientConnectionException: [Macromedia][SQLServer JDBC Driver]The server name in the certificate (<HostNameInCertificate>) does not match the value specified in the hostNameInCertificate connect option (<ServerIP>).

 

I set the serve

...

Votes

Translate

Translate
Adobe Employee ,
Jun 07, 2022 Jun 07, 2022

Copy link to clipboard

Copied

Hi @Brad23632070vu7s 

 

Can you please change the ValidateServerCertificate from true to false and let me know if that resolve the issue.

 

Thanks,
Priyank Shrivastava

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Jun 07, 2022 Jun 07, 2022

Copy link to clipboard

Copied

Hi Priyank,

I updated the ValidateServerCertificate to false and received the same error.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Oct 07, 2022 Oct 07, 2022

Copy link to clipboard

Copied

I know this is from several months ago, but Brad you say here to Priyank that setting ValidateServerCertificate=false did NOT work, but the next day you wrote in messages with bkbk that it DID work.

 

I know in the end you got the certs working, but I want to chime in here to note that this HAS been the solution to that "JRE 1.4" error for some folks, so if they find this thread, they should not dismiss it as a possible option. 🙂

 

If you or anyone seeing this may have more to say on this, I'm sure many would welcome the discussion. 


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Jun 08, 2022 Jun 08, 2022

Copy link to clipboard

Copied

Instead of

    TrustStore=C:\ColdFusion2021\jdk-11.0.15.1\lib\security\<DBServerName>.keystore

should it perhaps be the following instead?

    TrustStore=C:\ColdFusion2021\jdk-11.0.15.1\lib\security\cacerts

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Jun 08, 2022 Jun 08, 2022

Copy link to clipboard

Copied

Hi BKBK,

I exported the certificate from the database server as a <DBServerName>.cer and imported it to C:\ColdFusion2021\jdk-11.0.15.1\lib\security\cacerts

I changed the connection string to the following.

EncryptionMethod=SSL;ValidateServerCertificate=true;TrustStore=C:\ColdFusion2021\jdk-11.0.15.1\lib\security\cacerts;TrustStorePassword=<Password>;HostNameInCertificate=<hostname>

Still receiving the same error.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Jun 08, 2022 Jun 08, 2022

Copy link to clipboard

Copied

Hmm. What happens when you try

C:\ColdFusion2021\jre\lib\security\cacerts

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Jun 08, 2022 Jun 08, 2022

Copy link to clipboard

Copied

Hi BKBK,

I added the certificate to C:\ColdFusion2021\jre\lib\security\cacerts using the keytool in C:\ColdFusion2021\jre\bin. I also updated the connection string to point to C:\ColdFusion2021\jre\lib\security\cacerts. That didn't work either.

A few other tests I tried while troubleshooting.

In an attempt to get a different error message I tried pointing to keystores that didn't exist. I tried adding incorrect passwords. All resulting in the same error.

If I remove the TrustStore and just use:

 

EncryptionMethod=SSL;ValidateServerCertificate=true;

 

I get the following error:

 

Connection verification failed for data source: <DBName>
java.sql.SQLException: Timed out trying to establish connection

 

If I change ValidateServerCertificate to false without the TrustStore it connects. Our security team has asked that we verify the certificate so I tried a few more tests. It seems to be consistent that when I pass the TrustStore with any value I receive the original error message.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Jun 08, 2022 Jun 08, 2022

Copy link to clipboard

Copied

 

<JavaHome>\bin\keytool -importkeystore -srckeystore C:\ColdFusion2021\jdk-11.0.15.1\lib\security\<DBServerName>.pfx -srcstoretype pkcs12 -destkeystore C:\ColdFusion2021\jdk-11.0.15.1\lib\security\<DBServerName>.keystore -deststoretype pkcs12

 


By @Brad23632070vu7s

 

The way you import the key looks complicated. Plus, it misses a password (I think).

 

I expected something like:

keytool -import -alias myCertificateAlias -file "\path\to\myCertFile.cer" -keystore C:\ColdFusion2021\jdk-11.0.15.1\lib\security\cacerts -storepass myPassword

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Jun 08, 2022 Jun 08, 2022

Copy link to clipboard

Copied

Hi BKBK,

 

When I tried using cacerts instead of the <DBServerName>.keystore file I did change to a different import command. I used the following:

keytool -import -trustcacerts -alias <DBServerName> -file C:\ColdFusion2021\jdk-11.0.15.1\lib\security\<DBServerName>.cer -keystore cacerts

I also had to export the certificate from the Database Server as a 'cer' because the 'pfx' certificate was giving me the following error:

keytool error: java.lang.Exception: Input not an X.509 certificate

Without the password parameter I am prompted to enter the password. I removed my cacerts file and added an original back and tried the following import command:

keytool -import -alias <DBServerName> -file C:\ColdFusion2021\jdk-11.0.15.1\lib\security\<DBServerName>.cer -keystore C:\ColdFusion2021\jdk-11.0.15.1\lib\security\cacerts -storepass <MyPassword>

I used the following connection string when testing the cacerts file:

EncryptionMethod=SSL;ValidateServerCertificate=true;TrustStore=C:\ColdFusion2021\jdk-11.0.15.1\lib\security\cacerts;TrustStorePassword=<MyPassword>;

Still getting the same error.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Jun 08, 2022 Jun 08, 2022

Copy link to clipboard

Copied

Wondered whether you should then use Keystore=... instead of Truststore=...

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Jun 09, 2022 Jun 09, 2022

Copy link to clipboard

Copied

I tried Keystore instead of TrustStore this morning with both the <DBServerName>.keystore and cacerts file. Unfortunately I am still receiving the original error.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Jun 09, 2022 Jun 09, 2022

Copy link to clipboard

Copied

Could it be that it is sufficient to import the certificates, and not include any certificate details as JDBC quesry-string?

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Jun 09, 2022 Jun 09, 2022

Copy link to clipboard

Copied

Hi BKBK,

When I leave out the certificate details I get a timeout error unless I also set ValidateServerCertificate to false. Without validation is there a reason to import the certificates?

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Jun 10, 2022 Jun 10, 2022

Copy link to clipboard

Copied

OK. You have all the ingredients to get this to work. I get the impression we're overlooking something. 

 

Starting afresh: 

  1.  List the certificates currently in cacerts.
    To do so, run the keytool command: keytool -list -v -cacerts 
    Take my case, for example. I am on CF2021 Update 4 on Windows. The Java that my CF installation uses is C:\Program Files\Java\jdk-11.0.15.1 (To verify your CF's Java, check the value of java.home in /bin/jvm.config )
    So, to list the certificates in cacerts, I proceed as follows:
    1(a) Open CMD as administrator;
    1(b) Use cd command to navigate in DOS to C:\Program Files\Java\jdk-11.0.15.1\bin;
    1(c) Run DOS command: keytool -list -v -cacerts > C:\Users\BKBK\Desktop\outputfile.txt
    The result is that a list of the certificates is dumped on my desktop as outputfile.txt.

  2. After you do same on your side, confirm that all the required certificates have been imported.


Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Jun 10, 2022 Jun 10, 2022

Copy link to clipboard

Copied

quote

Hi BKBK,

When I leave out the certificate details I get a timeout error unless I also set ValidateServerCertificate to false. Without validation is there a reason to import the certificates?


By @Brad23632070vu7s

 

I see your point. I would leave it at ValidateServerCertificate=true

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Jun 10, 2022 Jun 10, 2022

Copy link to clipboard

Copied

 

I used the following connection string when testing the cacerts file:

EncryptionMethod=SSL;ValidateServerCertificate=true;TrustStore=C:\ColdFusion2021\jdk-11.0.15.1\lib\security\cacerts;TrustStorePassword=<MyPassword>;

Still getting the same error.


By @Brad23632070vu7s

 

This time you omitted HostNameInCertificate.

 

Could you please try that again, proceeding as follows:

  1.  Restart ColdFusion;
  2.  Use the connection string,
    EncryptionMethod=SSL;ValidateServerCertificate=true;TrustStore=C:\ColdFusion2021\jdk-11.0.15.1\lib\security\cacerts;HostNameInCertificate=CerficateServerHostName;TrustStorePassword=YourPassword

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Jun 10, 2022 Jun 10, 2022

Copy link to clipboard

Copied

 
HostNameInCertificate=CerficateServerHostName;


By @BKBK

 

Verify the correct value CerficateServerHostName as follows:

  1.  Browse to the website whose certificate you've imported. I shall assume you use Chrome to do so.
  2.  Click on the padlock symbol in the top left-hand corner of the browser's address field.
  3.  Click on "Connection is secure".
  4.  Click on "Certificate is valid", then on the "Details" tab.
  5.  Read off the value of the "Subject" field. That is the value that you should use as HostNameInCerficate

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Jun 10, 2022 Jun 10, 2022

Copy link to clipboard

Copied

Hi BKBK,

I verified the java home in jvm.config:
java.home=C:/ColdFusion2021/jdk-11.0.15.1

I confirmed the certificate is in outputfile.txt.

I verified the host name I am using matches the subject in the certificate.

I restarted ColdFusion and tried the following connection string:

EncryptionMethod=SSL;ValidateServerCertificate=true;TrustStore=C:\ColdFusion2021\jdk-11.0.15.1\lib\security\cacerts;HostNameInCertificate=<subjectInCertificate>;TrustStorePassword=<MyPassword>

Still seeing the original error.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Jun 10, 2022 Jun 10, 2022

Copy link to clipboard

Copied

Let's assume for the moment that the connection string is good. 

Take a look at the datasource settings in the Administrator (corresponding to the connection string).  Test by setting server equal to the IP of the database server.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Jun 10, 2022 Jun 10, 2022

Copy link to clipboard

Copied

Hi BKBK,

 

I set the server equal to the IP and received the original error. On that same thought I removed the TrustStore information to see if I got the timeout error as before. I got a new error.

 

Connection verification failed for data source: <MyDB>

java.sql.SQLNonTransientConnectionException: [Macromedia][SQLServer JDBC Driver]The server name in the certificate (<HostNameInCertificate>) does not match the value specified in the hostNameInCertificate connect option (<ServerIP>).

 

I set the server back to the server name and it connected!

 

So the solution that worked for our situation is:

 

Using cacerts instead of a keystore and not passing the KeyStore information in the connection string.

 

I used the following connection string:

 

EncryptionMethod=SSL;ValidateServerCertificate=true;

 

Thanks for all your help! I was just about to give up.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Jun 10, 2022 Jun 10, 2022

Copy link to clipboard

Copied

I am glad to hear it now works. Thanks for documenting your findings and for sharing the solution.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Jul 10, 2024 Jul 10, 2024

Copy link to clipboard

Copied

LATEST

Were you able to discern why this is working?

 

I ran into a similar situation in ColdFusion 2023.  I eventually got it to work.  The abbreviated version of the connection string worked.  I added the HostNameInCertificate and that worked as well.  If I changed the hostname to something invalid, I got the error message you indicated.

 

I'm confused as to why this is working, though. How is it validating without knowing which TrustStore is being used and without being provided a password with which to access the TrustStore?  I decided to change the password for the cacerts to see if that impacted anything and it did not.  If it does use cacerts, does Java have access to the password?

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation