Wednesday, October 21, 2009

Getting Your CF Server to Trust Another Server

I am building all my new apps to use Central Authentication Service (CAS) for the authentication portion of login.  When I did this for the first app, I didn't have a good understanding of SSL, and my server administrator didn't have a good understanding of the ColdFusion and CAS parts of the process.  It was the blind leading the blind down many wrong paths!  Once we got it working, I simply breathed a sigh of relief and started taking care of all the things I had been ignoring while madly trying to go live with that project.

Roll the clock forward to Sept 2009 and we're trying to upgrade to ColdFusion 8.  Everything is going great except for the communication with CAS.  I use <cfhttp> with an https address in the url attribute, the CAS validation URL with the ticket I'm validating as a parameter, and I expect cfhttp.filecontent to contain the XML response with the user information.  Instead I get a connection error: the ColdFusion JVM refuses to complete the SSL handshake with the CAS server.  I remember this connection error from the previous experience.  This time I am determined to understand!

First I post the wrong question to Twitter.  Nevertheless, @iotashan provides me with this article that really helped clarify SSL for me. http://www.webapper.com/blog/index.php/2007/02/09/troubleshooting-javaxnetsslsslhandshakeexception/
I recognize one error that I made before that helped to confuse the issue even more: the host name in my URL didn't match the common name (CN) in the certificate.  Java checks the host name separately from the certificate chain, so a mismatch fails even when the issuer is trusted.  Won't make that one again.

The part that seems to be most tricky is into which CA list (truststore) to import the certificate.  The pertinent one is the one used by the JVM that ColdFusion actually runs on; every JVM ships its own, so an upgrade that installs a new JRE starts with a fresh cacerts that knows nothing about certificates imported into the old one.  I found mine at the default location of C:\ColdFusion8\runtime\jre\lib\security with the default filename of cacerts.  (If jvm.config points ColdFusion at a different java.home, use the cacerts under that JRE instead.)  I used the keytool (found at C:\ColdFusion8\runtime\jre\bin) to modify the cacerts file; the default password for cacerts is changeit, and ColdFusion has to be restarted afterwards because the JVM only reads the truststore at startup.  There are some good instructions for doing so here: http://www.herongyang.com/crypto/jca_keytool.html.
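
As an added example (not part of the original post, and not code from CAS or Adobe), here is the whole procedure from that paragraph as a Windows batch script run from an administrator command prompt: it checks which JRE ColdFusion is configured to use, backs up that JVM's cacerts, imports the CA certificate that issued the CAS server's certificate, verifies the entry, and restarts ColdFusion so the JVM re-reads the truststore.  The install path, the alias cas-ca, the certificate file C:\temp\cas-ca.cer, the keystore password changeit and the service name are assumptions for a default ColdFusion 8 server install; adjust them to match your server.

```batch
@echo off
REM Added example, not from the original post: import a CA certificate into the
REM truststore of the JVM that ColdFusion 8 runs on, then verify the import.
REM Assumptions (edit for your server): default CF8 server install path, the
REM default cacerts password "changeit", the CA certificate already exported to
REM C:\temp\cas-ca.cer (DER or Base64 .cer, obtained from the CAS administrator
REM or exported from a browser), and the default CF8 Windows service name.

setlocal
set JRE=C:\ColdFusion8\runtime\jre
set KEYTOOL=%JRE%\bin\keytool.exe
set CACERTS=%JRE%\lib\security\cacerts
set STOREPASS=changeit
set CERTFILE=C:\temp\cas-ca.cer
set ALIAS=cas-ca

REM 1. Confirm this JRE is the one ColdFusion uses. The java.home line in
REM    jvm.config must point at %JRE%; if it points somewhere else, that JRE's
REM    lib\security\cacerts is the truststore to modify instead.
findstr /I /C:"java.home" C:\ColdFusion8\runtime\bin\jvm.config

REM 2. Back up the truststore before touching it.
copy /Y "%CACERTS%" "%CACERTS%.bak"

REM 3. Look at what you are about to trust (subject, issuer, validity dates).
"%KEYTOOL%" -printcert -file "%CERTFILE%"

REM 4. Import it as a trusted certificate entry under a memorable alias.
"%KEYTOOL%" -import -trustcacerts -noprompt -alias %ALIAS% -file "%CERTFILE%" -keystore "%CACERTS%" -storepass %STOREPASS%
if errorlevel 1 (
  echo Import failed: check the path to the .cer file and the keystore password.
  exit /b 1
)

REM 5. Verify the entry is present in the store the CF JVM reads
REM    (expect "Entry type: trustedCertEntry" in the output).
"%KEYTOOL%" -list -v -alias %ALIAS% -keystore "%CACERTS%" -storepass %STOREPASS%

REM 6. The JVM loads cacerts only at startup, so restart ColdFusion.
net stop "ColdFusion 8 Application Server"
net start "ColdFusion 8 Application Server"
endlocal
```

Import the issuing CA (or the whole chain) rather than only the CAS server's own certificate where you can: trusting the CA survives the CAS server's next certificate renewal, trusting the leaf does not.  After the restart, also make sure the host name in the cfhttp URL matches the CN (or a subjectAltName) in the CAS certificate, since a correct truststore does nothing for a name mismatch.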

2 comments:

  1. A similar post with a bit more detail about the install.
    http://tannock.net/?p=1878
    (Installing the cert, importing the cert, and modifying the keytool [as I have used the term above] are all the same)

  2. Hi Sarah, just browsing some of your blog entries to see how you got started here...

    Well, just wanted to post a related topic on updating the CA list in certificate stores:

    http://www.talkingtree.com/blog/index.cfm/2004/7/1/keytool
