Secure communication between Flex app and CFC

Hi I would like to make secure communicatoin between Flex app and CFC. I am not sure what is the whole process? I would appreciate any help. I have seen this in the Coldfusion Administrator, but i don't know do i need it and how to use it? Enable RMI over SSL for Data Management Lets you use Secure Socket Layer (SSL) encryption for the RMI communication between Flex and ColdFusion. This is not required unless you are transmitting authentication information or confidential data between Flex and ColdFusion over an unsecured network. You must provide a keystore file and keystore password. For instructions on how to create a keystore file, see the online Help Thank you in advance!

----- Excess quoted text cut - see Original Post for more ----- Are you just invoking CFCs from your Flex app via RemoteObject or WebService? If so, all you need to do is put those CFCs behind SSL - there's no switch in the CF Admin for this, you just configure your web server. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ http://training.figleaf.com/ Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite

Hi Dave Thank you for your answer! That it nice, then the flex app i have is already secured. But i would like to ask why should one set in services-config: <add-no-cache-headers>false</add-no-cache-headers> and remoting-config: <channel ref="my-cfamf-secure"/> ?  I read about this in many places. Thanks!

> Thank you for your answer! > That it nice, then the flex app i have is already secured. > > But i would like to ask why should one set in services-config: <add-no-cache-headers>false</add-no-cache-headers> and > remoting-config: <channel ref="my-cfamf-secure"/> ?  I read about this in many places. If you're using RemoteObject, you need to have a corresponding channel that uses the HTTPS port (typically TCP/443). You should already have that channel defined by default ("my-cfamf-secure"). If you're using WebService, you don't need to define a channel at all. I thought that the add-no-cache-headers setting was set to false by default now, but I could be wrong about that. Again, though, that only affects RemoteObject, not WebService. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ http://training.figleaf.com/ Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite

Hi Dave Thank you very much again! Very helpfull answer for me! I am using remoteobjects. So i did what you said. And it looks working. But i don't know how can i be secure that the communication is secure. I mean, is there some way to verify that the communication is secure? Where/How i can verify it when i have done it? Thank you!

> I am using remoteobjects. So i did what you said. > And it looks working. But i don't know how can i be secure that the communication is secure. I mean, is there some way to verify > that the communication is secure? Where/How i can verify it when i have done it? Sure, you can verify that you're connecting on the SSL port instead of the plaintext port. You can do this in several places, but the easiest is probably just to add TraceTarget to your application and look at your console. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ http://training.figleaf.com/ Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Hi Dave I have tried that but i don't have a clue how to see if the channel is secured. Would you help me wiht it? Thank you so much for all ur answers! ----- Excess quoted text cut - see Original Post for more -----

> I have tried that but i don't have a clue how to see if the channel is secured. Put TraceTarget into your declarations, then debug your application. The console should then show you how you're connecting, among other things. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ http://training.figleaf.com/ Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Hi Still no luck :( I was searching the logs and i found this: java.lang.NullPointerException   at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:285)   at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)   at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203)   at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:320)   at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)   at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:266)   at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66) Any ideas? Thank you!

----- Excess quoted text cut - see Original Post for more ----- That could mean almost anything. It doesn't look like it has anything to do with SSL, though. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ http://training.figleaf.com/ Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training

Hi I have no luck still. I've been searching in the logs for some info, and i found this: java.lang.NullPointerException   at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:285)   at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)   at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203)   at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:320)   at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)   at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:266)   at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66) Any ideas? Thank you!