Hi
We are trying to work with a 3rd party server product that has a REST API so we are using cfhttp to interact with it. We want to implement two-way SSL for the calls so that it is only our app that is able to make calls to the REST API. So we put a password protected .p12 cert into C:\ColdFusion9\runtime\jre\lib\security and from the same location import the p12 into the keystore via the command:
..\..\bin\keytool -importkeystore -srckeystore CAAT_Client.p12 -destkeystore cacerts.jks -srcstoretype pkcs12 -deststoretype JKS -alias contentanlystclient -destalias CAAT_ClientP12 -deststorepass changeit -destkeypass changeit
The process asks for the password for the cert and then seems to import it. I say seems because it is not in the list when I do:
..\..\bin\keytool -storepass changeit -list -keystore cacerts
However, if I try to reimport the cert it says: Existing entry alias contentanlystclient exists, overwrite? [no]:
It seems that maybe the -list command only lists .cer certs rather than .p12 certs too (this is the stange keystore behaviour referenced in the title).
So it seems the cert exists. However when we call the REST API using cfhttp with https we get the error:
I/O Exception: peer not authenticated
We tried adding the JVM argument -Dcoldfusion.disablejsafe=true as suggested in http://www.raymondcamden.com/index.cfm/2011/1/12/Diagnosing-a-CFHTTP-issue--peer-not-authenticated but it made no difference (the post is for a different issue but thought it was worth a try. Also tried changing the ssl.TrustManagerFactory.algorithm in C:\CF9\runtime\jre\lib\security\java.security to no avail).
We need to make sure access to the 3rd party app is locked down to our CF app but we're at our wits end trying to work out why it is not working. Any assistance would be greatly appreciated.
Thanks
Nathan
1
Reply
AdChoices