Configure SSL for a ColdFusion instance
Generate a PKCS12 keystore
Follow the steps below:
- Generate the keystore using the JRE keytool. Navigate to the JRE/JDK\bin folder on your machine and run the following commands:

    keytool -genkeypair -keystore myKeystore.p12 -storetype PKCS12 -storepass changeit -alias mycert -keyalg RSA -keysize 2048 -validity 99999

    keytool -exportcert -keystore myKeystore.p12 -storepass changeit -alias mycert -rfc -file mycert.pem
- Once the .p12 and .pem files are generated, copy them to an appropriate location.
- Take a backup of server.xml for your instance. The file is located in ColdFusion\{instance}\runtime\conf.
- Once you have backed up the file, search for 8443 in server.xml. There is a Connector entry that is commented out:

    <!--<Connector packetSize="65535" port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />-->

  The entry above is commented out in server.xml.
- After you uncomment the entry, add the keystoreFile attribute, as shown below:

    <Connector packetSize="65535" port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="myKeystore.p12" keystorePass="changeit"/>

  The keystoreFile path is the location to which you copied the keystore. Specify the full path in the form your OS uses.
- Restart the ColdFusion service and access the ColdFusion Administrator at the URL:

    https://hostname:8443/CFIDE/administrator/index.cfm
- In server.xml, comment out the line that contains the HTTP port:

    <!--internal webserver start <Connector packetSize="65535" port="8503" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8451"/> internal webserver end-->
If you see an error message related to the SSL handshake, add the following argument in jvm.config:

    "-Dcom.sun.net.ssl.enableECC=false"
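The server.xml part of the procedure above (uncomment the port 8443 Connector, point it at the PKCS12 keystore, comment out the plain HTTP Connector) done programmatically, with the two checks a practitioner wants before restarting: the keystoreFile must be a full path, and the keystorePass must be XML-escaped, since a password containing `&` or `"` written into the attribute corrupts server.xml. This is an added example, not code from the original post or from Adobe; SAMPLE_SERVER_XML is constructed from the two Connector entries quoted in the post, the ports 8443/8503 and attribute names follow the post, and the keystore path in `__main__` is a placeholder.

```python
"""Added example (not code from the original post): apply the two server.xml
edits from the procedure above programmatically and check the result.

Assumptions: ports 8443/8503 and the Connector attribute names follow the post;
SAMPLE_SERVER_XML is a constructed stand-in for runtime/conf/server.xml and the
keystore path used in __main__ is a placeholder, not a real install location.
"""
import html
import re
from pathlib import Path

# Constructed sample modelled on the two Connector entries quoted in the post.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8007" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!--internal webserver start-->
    <Connector packetSize="65535" port="8503" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8451"/>
    <!--internal webserver end-->
    <!--<Connector packetSize="65535" port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />-->
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>
"""

COMMENT_RE = re.compile(r"<!--.*?-->", re.S)
TLS_CONNECTOR_RE = re.compile(r'<Connector\b[^>]*\bport="8443"[^>]*/>')
HTTP_CONNECTOR_RE = re.compile(r'<Connector\b[^>]*\bprotocol="HTTP/1\.1"[^>]*/>')


def _is_full_path(path: str) -> bool:
    # Accept POSIX (/opt/...) and Windows (C:\... or C:/...) absolute paths so the
    # check behaves the same wherever this script runs; a relative path resolves
    # against Tomcat's working directory, which is why the post asks for a full path.
    return path.startswith("/") or re.match(r"^[A-Za-z]:[\\/]", path) is not None


def _in_comment(pos: int, xml: str) -> bool:
    return any(m.start() <= pos < m.end() for m in COMMENT_RE.finditer(xml))


def enable_tls_connector(xml: str, keystore_file: str, keystore_pass: str) -> str:
    """Uncomment the port 8443 Connector and point it at the PKCS12 keystore."""
    if not _is_full_path(keystore_file):
        raise ValueError(f"keystoreFile must be a full path, got {keystore_file!r}")
    # Attribute values are XML: a password containing & or " would otherwise
    # corrupt server.xml and Tomcat would refuse to start.
    attrs = (f' keystoreFile="{html.escape(keystore_file, quote=True)}"'
             f' keystorePass="{html.escape(keystore_pass, quote=True)}"')

    def with_keystore(connector: str) -> str:
        if "keystoreFile=" in connector:
            return connector  # already configured: leave the existing keystore alone
        return connector[:-2].rstrip() + attrs + "/>"

    # Shipped default: the whole Connector sits inside a comment. Replacing the
    # comment with the rewritten element both uncomments and configures it.
    commented = re.compile(r"<!--\s*(" + TLS_CONNECTOR_RE.pattern + r")\s*-->", re.S)
    new_xml, n = commented.subn(lambda m: with_keystore(m.group(1)), xml, count=1)
    if n:
        return new_xml
    # Otherwise look for an already-active Connector that just lacks the keystore.
    for m in TLS_CONNECTOR_RE.finditer(xml):
        if not _in_comment(m.start(), xml):
            return xml[:m.start()] + with_keystore(m.group(0)) + xml[m.end():]
    raise ValueError("no port 8443 Connector found in server.xml")


def disable_http_connector(xml: str) -> str:
    """Comment out the plain HTTP Connector so the instance answers only over TLS."""
    for m in HTTP_CONNECTOR_RE.finditer(xml):
        if not _in_comment(m.start(), xml):
            return xml[:m.start()] + "<!--" + m.group(0) + "-->" + xml[m.end():]
    return xml  # nothing active to disable


def harden_server_xml(xml: str, keystore_file: str, keystore_pass: str) -> str:
    return disable_http_connector(enable_tls_connector(xml, keystore_file, keystore_pass))


def active_connectors(xml: str) -> dict:
    """Report which Connectors Tomcat will actually load (comments ignored)."""
    live = COMMENT_RE.sub("", xml)
    return {"tls": TLS_CONNECTOR_RE.search(live) is not None,
            "http": HTTP_CONNECTOR_RE.search(live) is not None}


def apply_to_file(server_xml: Path, keystore_file: str, keystore_pass: str) -> Path:
    """Back up server.xml first (as the post says), then write the hardened copy."""
    backup = server_xml.with_name(server_xml.name + ".bak")
    original = server_xml.read_text(encoding="utf-8")
    backup.write_text(original, encoding="utf-8")
    server_xml.write_text(harden_server_xml(original, keystore_file, keystore_pass), encoding="utf-8")
    return backup


if __name__ == "__main__":
    # Placeholder path: substitute the location you copied myKeystore.p12 to.
    hardened = harden_server_xml(SAMPLE_SERVER_XML, "/opt/coldfusion/certs/myKeystore.p12", "changeit")
    print(hardened)
    print(active_connectors(hardened))  # {'tls': True, 'http': False}
```

Run `active_connectors()` on the file before restarting ColdFusion: if it reports `http: True` or `tls: False` the edit did not land where you thought (for example, the Connector was matched inside another comment), which is cheaper to find out here than from a failed service start. The function is idempotent, so running it against an already hardened server.xml leaves the file unchanged.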
Saurav_Ghosh, will it make ColdFusion database connections SSL-enabled too?
No, for that you need to install certificates on your DB server. The exact details will depend on your DB server software. Here's some documentation on that for MS SQL Server.
Dave Watts, Eidolon LLC

