Okay some more news... but it is still not working. When I try to delete a certificate from the Java KeyStore using the certman CFIDE extension it throws an error. Subsequently I have reverted to using the command line to do the KeyStore maintenance.
Here is what I have done;

Imported into the KeyStore the public key used to access our SSL secured website. (i.e. the key we would issue to a client so that they could access the site.)

In code, the following line;

    <cfset remoteLoginService = createObject("component", "my.path.to.cfc.Service").init("https://mydomain/my/path/to/cfc/Service.cfc?wsdl")>

causes this error;

    Unable to read WSDL from URL: https://mydomain/my/path/to/cfc/Service.cfc?wsdl. Error: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated.

Now I don't know if this is the same thing or not, but I exported (via Firefox - by clicking on the padlock icon and choosing EXPORT) the certificate at the website. Imported THAT certificate in the Java KeyStore - get the same error as above.

I then read on a blog - something about requiring the certificate used to sign the public key and since we signed the key ourselves I added that to the Java KeyStore too. But unfortunately - I still get the same error.

The command line confirms that the certs are indeed in the KeyStore - as does the CertMan CFIDE extension. I have restarted the CF service after each certificate installation.

It would "seem" I have done everything required - but it still doesn't work. And let me also say that if I place the exact same CFCs and calling code onto a non-SSL path - then the web service is consumed correctly - so I am really confident it is not a CFML coding issue.

If anyone has any ideas at all - I would be most appreciative - Of course - if I do get it working - I will let everyone know what I did.

Gavin.

On 05/08/2010, at 11:50 PM, MrBuzzy wrote:

> Yeah I agree the default CF9 jvm should be a-o-k. But ya never know.
>
> I guess you're back to the challenge of importing it correctly. Or there's
> some other issue going on.
>
> Sent from my iPhone
>
> On 05/08/2010, at 11:21 PM, Gavin Beau Baumanis <b...@palcare.com.au> wrote:
>
>> I don't get a cert warning in the browser because I have "that" cert and
>> only that cert installed in the browser already.
>>
>> Our staging sites have all been configured to allow the same developer's
>> client cert - thus one cert for all staging sites.
>>
>> Thus only having one cert installed means you don't even get the prompt for
>> the cert it's just automatically applied by firefox - after the first run of
>> course...
>>
>> Well - at least that's what I am putting it (the working in the browser)
>> down to anyway.
>>
>> As for the JVM that we're using - to be honest - I wouldn't have a clue...
>> but since we're running CF9 - would it not be using whatever CF9 gets
>> bundled with?
>>
>> Gavin.
>>
>> On 05/08/2010, at 10:38 PM, MrBuzzy wrote:
>>
>>> What I find interesting is your browser does not give any certificate
>>> warnings when viewing the wsdl over https. That usually means you won't need
>>> to import the certificate or issuing authority in to the JVM.
>>>
>>> Is it possible you are using any early-ish JVM, like version 1.4.2?
>>> If you can, upgrade the CF JVM to the latest 1.6.x. version. You will need
>>> to modify jvm.config once you have installed the new JVM and give CF a
>>> restart.
>>>
>>> On 5 August 2010 20:29, Gavin Beau Baumanis <b...@palcare.com.au> wrote:
>>>
>>> On 05/08/2010, at 7:26 PM, MrBuzzy wrote:
>>>
>>> > Annoying isn't it :)
>>> >
>>> Yup sure is.
>>>
>>> > When you view the https wsdl in a browser what warnings (if any) do you
>>> > get?
>>> >
>>> None.
>>>
>>> The WSDL looks identical to that produced when using a non-https URL.
>>> Apart from the namespace addresses etc being different because of the
>>> different URL
>>>
>>> > Also if you're going commando (command line hehe) just check that you are
>>> > working on the same jvm or jdk that is specified in ColdFusion's
>>> > jvm.config file.
>>> >
>>> Ahh righteo....
>>> I didn't consider that.... but thanks.
>>>
>>> It still doesn't work though.... bummer....
>>>
>>> Anyone got anything further I could try?
>>> Or is it simply a fact that importing the server cert into the java
>>> keystore - should see it working?
>>> And if that is the case - does the alias used when importing the cert,
>>> matter any?
>>>
>>> Thanks again....
>>>
>>> > Sent from my iPhone
>>> >
>>> > On 05/08/2010, at 4:50 PM, Gavin Baumanis <beauecli...@gmail.com> wrote:
>>> >
>>> >> Hi Everyone,
>>> >>
>>> >> I have been trying to get this to work for the past few days and have
>>> >> finally decided I should ask for some help.
>>> >> I have a service that runs on a server using the https protocol.
>>> >>
>>> >> Subsequently - when I try to use that service I get the following error;
>>> >> Unable to read WSDL from URL: blah/blah.cfc?wsdl. Error:
>>> >> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated.
>>> >>
>>> >> All the items I read seemed to say that all I needed to do was to add
>>> >> the certificate to java keystore.
>>> >> Which I have done using this;
>>> >> http://certman.riaforge.org/
>>> >>
>>> >> I even tried using the command line - just in case there was some
>>> >> "odd" issue with the Certificate Manager extension to CF Admin.
>>> >>
>>> >> But still no dice.
>>> >>
>>> >> I have added the server cert and also tried by adding in the client
>>> >> cert too - but I still receive that error.
>>> >> Interestingly enough - I can successfully see the WSDL via the browser
>>> >> and https.
>>> >>
>>> >> If I place the code on a non-ssl connection - everything works as
>>> >> expected - so I know that my CFCs/code etc is working correctly.
>>> >>
>>> >> If anyone has any ideas - I would be most appreciative.
>>> >>
>>> >> Gavin.
>>> >>
>>> >> --
>>> >> You received this message because you are subscribed to the Google
>>> >> Groups "cfaussie" group.
>>> >> To post to this group, send email to cfaus...@googlegroups.com.
>>> >> To unsubscribe from this group, send email to
>>> >> cfaussie+unsubscr...@googlegroups.com.
>>> >> For more options, visit this group at
>>> >> http://groups.google.com/group/cfaussie?hl=en.
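
The check suggested in the thread, confirming that command-line keytool work targets the JVM named in ColdFusion's jvm.config, as an added example that is not part of the original messages. It assumes jvm.config carries `java.home=` and `java.args=` lines; the function names and sample paths are constructed for illustration.

```sh
#!/bin/sh
# Added example: find the trust store ColdFusion's JVM reads, from jvm.config.

# Print the java.home value from a jvm.config file.
jvm_home() {
    sed -n 's/^[[:space:]]*java\.home=//p' "$1" | tail -n 1 | tr -d '\r'
}

# Print the trust store path for that JVM. Lookup order follows JSSE:
# -Djavax.net.ssl.trustStore in java.args, then jssecacerts, then cacerts.
trust_store() {
    cfg=$1
    override=$(sed -n '/^java\.args=/s/.*-Djavax\.net\.ssl\.trustStore=\([^ ]*\).*/\1/p' \
        "$cfg" | tail -n 1 | tr -d '\r')
    if [ -n "$override" ]; then printf '%s\n' "$override"; return 0; fi
    home=$(jvm_home "$cfg")
    if [ -z "$home" ]; then return 1; fi
    sec="$home/lib/security"
    # java.home may point at a JDK root, where the JRE sits one level down.
    if [ -d "$home/jre/lib/security" ]; then sec="$home/jre/lib/security"; fi
    if [ -f "$sec/jssecacerts" ]; then
        printf '%s\n' "$sec/jssecacerts"
    else
        printf '%s\n' "$sec/cacerts"
    fi
}

# Succeeds only if the alias is in the store that JVM reads.
# Usage: alias_present /path/to/jvm.config myalias [storepass]
# "changeit" is the JDK's default store password.
alias_present() {
    store=$(trust_store "$1") || return 2
    keytool -list -keystore "$store" -storepass "${3:-changeit}" \
        -alias "$2" >/dev/null 2>&1
}

# Constructed sample jvm.config; the paths are placeholders.
sample=$(mktemp)
cat >"$sample" <<'EOF'
# VM configuration
java.home=/opt/coldfusion9/runtime/jre
java.args=-server -Xmx512m -Dsun.io.useCanonCaches=false
EOF
echo "JVM home:    $(jvm_home "$sample")"
echo "Trust store: $(trust_store "$sample")"
```

If the path printed here differs from the keystore passed to keytool during the import, the certificate went into a store this JVM never consults.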