Copy link to clipboard
Copied
The following connection string worked in ColdFusion 2018:
EncryptionMethod=SSL;ValidateServerCertificate=true;HostNameInCertificate=SQL-SERVER;TrustStore=e:\Java\jdk-11.0.13\lib\security\cacerts;TrustStorePassword=[mypassword]
When I attempted the connection, I got the error message: An SSL socket connection could not be established because JRE 1.4 or above required
I attempted to connect without requiring SSL, but got a different error which I resolved by adding AuthenticationMethod=NTLM.
After resolving that, I added the above to the connection string, but got the same error. I figured the issue was the fact that I have ColdFusion running on jdk-17.0.11. I went ahead and created a new truststore like we did in production and imported all three of the certificates.
Same error.
I ran across a post with similar problems where the recommendation was to use cacerts instead of a custom truststore. I imported the certificates using the following commands into the cacerts truststore:
E:\Java\jdk-17.0.11\bin\keytool -import -v -trustcacerts -cacerts -storepass [mypassword] -noprompt -alias my_root_ca -file C:\Temp\test-server-certificates\my_root_ca.crt
E:\Java\jdk-17.0.11\bin\keytool -import -v -trustcacerts -cacerts -storepass [mypassword]-noprompt -alias my_intermediate_ca -file C:\Temp\test-server-certificates\my_intermediate_ca.crt
E:\Java\jdk-17.0.11\bin\keytool -import -v -trustcacerts -cacerts -storepass [mypassword] -noprompt -alias sql-server -file C:\Temp\sql_server_certificates\sql-server.dc3n.navy.mil\sql-server.cert.crt
The connection string works:
AuthenticationMethod=ntlm;EncryptionMethod=SSL;ValidateServerCertificate=false
The following connection strings do not work:
AuthenticationMethod=ntlm;EncryptionMethod=SSL;ValidateServerCertificate=true;HostNameInCertificate=SQL-SERVER;TrustStore=E:\Java\jdk-17.0.11\lib\security\cacerts;TrustStorePassword=changeit
java.sql.SQLNonTransientConnectionException: [Macromedia][SQLServer JDBC Driver]An SSL socket connection could not be established because JRE 1.4 or above is required.
AuthenticationMethod=ntlm;EncryptionMethod=SSL;ValidateServerCertificate=false;HostNameInCertificate=SQL-SERVER;TrustStore=E:\Java\jdk-17.0.11\lib\security\cacerts;TrustStorePassword=changeit
java.sql.SQLNonTransientConnectionException: [Macromedia][SQLServer JDBC Driver]An SSL socket connection could not be established because JRE 1.4 or above is required.
AuthenticationMethod=ntlm;EncryptionMethod=SSL;ValidateServerCertificate=false;HostNameInCertificate=SQL-SERVER;TrustStore=E:\Java\jdk-17.0.11\lib\security\cacerts;TrustStorePassword=changeit
java.sql.SQLNonTransientConnectionException: [Macromedia][SQLServer JDBC Driver]An SSL socket connection could not be established because JRE 1.4 or above is required.
AuthenticationMethod=ntlm;EncryptionMethod=SSL;ValidateServerCertificate=true
java.sql.SQLNonTransientConnectionException: [Macromedia][SQLServer JDBC Driver]SSL handshake failed: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
Any assistance you can provide is greatly appreciated because this is driving me bonkers. As you can see, I can get it to work if I don't validate the certificate, but I would prefer to do things the proper and more secure way.
Copy link to clipboard
Copied
After importing the certificates, I did restart the ColdFusion service.
I tried the different combinations of the connection strings and they appeared not to work. However, I just went back in and tried the following:
AuthenticationMethod=ntlm;EncryptionMethod=SSL;ValidateServerCertificate=true;
It worked.
When you add the references to the hostname, the truststore path, and the truststore password, it bombs out.
Does anyone understand why the abbreviated form works and specifying the aforementioned parameters makes it throw an error?
How is it validating the certificate if it doesn't have a TrustStore and no password with which to access it?