Important for MM Folks concerning SSL Certificates and ColdFusion MX

Author:
Stacy Young
07/10/2002 05:55 PM

This may or may not be in the docs but I haven't seen any references to it yet aside from a technote concerning CFLDAP and SSL communication.

I'm finding that for most of our internal SSL sites I need to manually import each web server's SSL certificate into the keystore for the JRE used by CFMX in order to enable HTTPS communication either by CFHTTP or CFLDAP.

I think this needs to be highlighted *somewhere* because with CF5 this was not the case...this had me believing there was a bug in CFMX throughout the entire beta testing cycle and has caused me to waste countless hours!!! :-(

Here's what to do if you're having SSL com problems:

*  Go to a page on the SSL server in question
*  Double click on the lock icon
*  Go to details tab
*  Click on COPY TO FILE
*  Choose base64 option and save the file
*  Copy the CER file into C:\CFusionMX\runtime\jre\lib\security (or whichever JRE CFMX is using)
*  Run this command line in that same directory (keytool.exe is located in C:\CFusionMX\runtime\jre\bin)

       keytool -import -keystore cacerts -alias giveUniqueName -file filename.cer

*  Default password is "changeit" or "change it"
*  Upon successful import restart CFMX and now CFHTTP and CFLDAP over SSL will work with that particular site

Stacy Young
System Integration Specialist, Architecture
Surefire Commerce
http://www.sfcommerce.com
(p) 514-380-2700 ext: 3234
(f) 514-380-2760
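The import procedure from the post above as a PowerShell script, with two additions: the exported certificate's fingerprint is compared against one obtained from the server's administrator before the certificate becomes trusted by every CFHTTP and CFLDAP call on that JRE, and cacerts is backed up first. This is an added example, not part of the original thread; the paths, alias and file name are the post's, and $expected is a placeholder to fill in.

```powershell
# Added example, not from the original thread.
# Paths, alias and file name follow the post; adjust to the JRE CFMX really uses.
$jre     = 'C:\CFusionMX\runtime\jre'
$keytool = Join-Path $jre 'bin\keytool.exe'
$cacerts = Join-Path $jre 'lib\security\cacerts'
$cer     = Join-Path $jre 'lib\security\filename.cer'
$alias   = 'giveUniqueName'

# Placeholder: the fingerprint the server's administrator gave you out of band.
$expected = '<FINGERPRINT-FROM-SERVER-ADMIN>'

function Get-HexOnly([string]$text) {
    # "ab:cd:ef" and "ABCDEF" should compare equal.
    ($text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

# 1. Read the fingerprints keytool computes from the exported file.
$printed = & $keytool -printcert -file $cer | Out-String
$found = @([regex]::Matches($printed, '(?:[0-9A-Fa-f]{2}:){15,}[0-9A-Fa-f]{2}') |
    ForEach-Object { Get-HexOnly $_.Value })

# 2. Refuse to continue unless one of them matches (fails closed on the placeholder).
if ($found -notcontains (Get-HexOnly $expected)) {
    throw "Fingerprint of $cer does not match the expected value; nothing imported."
}

# 3. Keep a copy of the trust store so the change can be reverted.
Copy-Item $cacerts "$cacerts.bak-$(Get-Date -Format yyyyMMddHHmmss)"

# 4. The post's import command; keytool prompts for the keystore password
#    and asks whether to trust the certificate.
& $keytool -import -keystore $cacerts -alias $alias -file $cer
if ($LASTEXITCODE -ne 0) { throw 'keytool -import failed.' }

# 5. Show the new entry, then restart CFMX as the post says.
& $keytool -list -v -keystore $cacerts -alias $alias
```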

Author:
Kevin Miller
07/10/2002 06:36 PM

If this is indeed a requirement, then this seems like a large barrier to use of SSL connections. What that basically means is that you have to know in advance every SSL server with which you want to connect.

Does that also mean that you will have to manually re-import the certificates when they expire and they are re-issued? This could be a major pain in the butt.

Kevin

Author:
Adam Churvis
07/10/2002 06:57 PM

Thanks, Kevin! This is exactly what I needed.

Respectfully,

Adam Phillip Churvis
Advanced Intensive ColdFusion MX Training
http://www.ColdFusionTraining.com
E-mail: info@coldfusiontraining.com
Phone: 770-446-8866

> If this is indeed a requirement, then this seems like a large barrier to use of SSL connections. What that basically means is that you have to know in advance every SSL server with which you want to connect.
>
> Does that also mean that you will have to manually re-import the certificates when they expire and they are re-issued? This could be a major pain in the butt.

Author:
Stacy Young
07/10/2002 07:11 PM

NO I believe it's only for specific instances...in my case, whenever I browse an internal site in development or QA using SSL I get prompted to explicitly say whether or not I trust the site (Sorry I don't have the technical explanation as to the differences with a normal certificate, maybe it's expired?)...so I think this is what's causing the problem...I don't believe you'll see any issues with typical SSL communications over the net.

Author:
Mark McDonald
01/17/2006 10:17 PM

So I am new to this forum... found you trying to solve a problem... I seem to be having the same problem as described in these posts included below... can't get CFHTTP to work on an SSL site. I keep getting a Connection Failure.

Since I don't host my site and will have to work through my hosting service to get them to implement this solution, I wanted to check if the recommended solution here was still current since these posts are a few years old.

Any suggestions on how to solve this without having to get my hosting service involved or is there a more current solution??

Thanks
Mark

Author:
Steven Erat
01/18/2006 11:23 AM

Regarding the need for documentation on using SSL with LDAP:

  ColdFusion TechNote
  Configuring Secure SSL Connection with LDAP Directory Server
  http://www.macromedia.com/go/tn_19139

Regarding using SSL with CFHTTP:

  http://www.talkingtree.com/blog/index.cfm/2004/7/1/keytool

The CFHTTP, CFLDAP, and CFINVOKE tags (and createObject type webservice) in ColdFusion MX 6/7/7.01 only support the common SSL v2 protocol and do not support the uncommon SSL v3 protocol where a client certificate is required in addition to a server certificate.

--
Steven Erat
http://www.talkingtree.com/blog/

Author:
Matt Robertson
01/18/2006 06:57 PM

This is probably unnecessary to ask, but just in case: You folks who can't connect are using the proper port specification on your cfhttp call, yes? As in using the cfhttp port parameter and specifying the url as just a plain "https://domain.com/page.cfm"?

--Matt Robertson--
Janitor, MSB Web Systems
http://mysecretbase.com

Author:
Elliott Kayne
03/09/2007 09:20 AM

> Here's what to do if you're having SSL com problems:
>
> keytool -import -keystore cacerts -alias giveUniqueName -file filename.cer
>
> *  Default password is "changeit" or "change it"
> *  Upon successful import restart CFMX and now CFHTTP and CFLDAP over SSL will work with that particular site

I cannot get this to work. When I run it from that dir I get file not found. If I copy the keytool to the security dir I get a java error. Please contact me 570-686-2300 or support@onlinecorp.com to help.

