Okay some more news... but it is still not working.

When I try to delete a certificate from the Java KeyStore using the certman 
CFIDE extension it throws an error.
Subsequently I have reverted to using the command line to do the KeyStore 
maintenance.

Here is what I have done;

Imported into the KeyStore the public key used to access our SSL secured 
website. (i.e. the key we would issue to a client so that they could access the 
site.)

In code, the following line;
<cfset remoteLoginService = createObject("component",
        "my.path.to.cfc.Service").init("https://mydomain/my/path/to/cfc/Service.cfc?wsdl")>

causes this error;
Unable to read WSDL from URL: https://mydomain/my/path/to/cfc/Service.cfc?wsdl. 
Error: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated. 

Now I don't know if this is the same thing or not, but I exported (via Firefox 
- by clicking on the padlock icon and choosing EXPORT) the certificate at the 
website.
Imported THAT certificate in the Java KeyStore  - get the same error as above.


I then read on a blog - something about requiring the certificate used to sign 
the public key and since we signed the key ourselves I added that to the Java 
KeyStore too.
But unfortunately - I still get the same error.

The command line confirms that the certs are indeed in the KeyStore - as does 
the CertMan CFIDE extension.
I have restarted the CF service after each certificate installation.

It would "seem" I have done everything required - but it still doesn't work.

And let me also say that if I place the exact same CFCs and calling code onto a 
non-SSL path - then the web service is consumed correctly - so I am really 
confident it is not a CFML coding issue.


If anyone has any ideas at all - I would be most appreciative - Of course - if 
I do get it working - I will let everyone know what I did.

Gavin.


On 05/08/2010, at 11:50 PM, MrBuzzy wrote:

> Yeah I agree the default CF9 jvm should be a-o-k. But ya never know. 
> 
> I guess you're back to the challenge of importing it correctly. Or there's 
> some other issue going on.  
> 
> Sent from my iPhone
> 
> On 05/08/2010, at 11:21 PM, Gavin Beau Baumanis <b...@palcare.com.au> wrote:
> 
>> I don't get a cert warning in the browser because I have "that" cert  and 
>> only that cert installed in the browser already.
>> 
>> Our staging sites have all been configured to allow the same developer's 
>> client cert - thus one cert for all staging sites.
>> 
>> Thus only having one cert installed means you don't even get the prompt for 
>> the cert it's just automatically applied by firefox - after the first run of 
>> course...
>> 
>> Well - at least that's what I am putting it (the working in the browser) 
>> down to anyway.
>> 
>> As for the JVM that we're using - to be honest - I wouldn't have a clue... 
>> but since we're running CF9  - would it not be using whatever CF9 gets 
>> bundled with?
>> 
>> 
>> Gavin.
>> 
>> 
>> 
>> On 05/08/2010, at 10:38 PM, MrBuzzy wrote:
>> 
>>> What I find interesting is your browser does not give any certificate 
>>> warnings when viewing the wsdl over https. That usually means you won't need 
>>> to import the certificate or issuing authority in to the JVM. 
>>> 
>>> Is it possible you are using an early-ish JVM, like version 1.4.2? 
>>> If you can, upgrade the CF JVM to the latest 1.6.x version. You will need 
>>> to modify jvm.config once you have installed the new JVM and give CF a 
>>> restart. 
>>> 
>>> On 5 August 2010 20:29, Gavin Beau Baumanis <b...@palcare.com.au> wrote:
>>> 
>>> On 05/08/2010, at 7:26 PM, MrBuzzy wrote:
>>> 
>>> > Annoying isn't it :)
>>> >
>>> Yup sure is.
>>> 
>>> 
>>> > When you view the https wsdl in a browser what warnings (if any) do you 
>>> > get?
>>> >
>>> None.
>>> 
>>> The WSDL looks identical to that produced when using a non-https URL.
>>> Apart from the namespace addresses etc being different because of the 
>>> different URL
>>> 
>>> 
>>> 
>>> > Also if you're going commando (command line hehe) just check that you are 
>>> > working on the same jvm or jdk that is specified in ColdFusion's 
>>> > jvm.config file.
>>> >
>>> Ahh righteo....
>>> I didn't consider that.... but thanks.
>>> 
>>> It still doesn't work though.... bummer....
>>> 
>>> Anyone got anything further I could try?
>>> Or is it simply a fact that importing the server cert into the java 
>>> keystore - should see it working?
>>> And if that is the case - does the alias used when importing the cert, 
>>> matter any?
>>> 
>>> Thanks again....
>>> 
>>> 
>>> 
>>> > Sent from my iPhone
>>> >
>>> > On 05/08/2010, at 4:50 PM, Gavin Baumanis <beauecli...@gmail.com> wrote:
>>> >
>>> >> Hi Everyone,
>>> >>
>>> >> I have been trying to get this to work for the past few days and have
>>> >> finally decided I should ask for some help.
>>> >> I have a service that runs on a server using the https protocol.
>>> >>
>>> >> Subsequently - when I try to use that service I get the following error;
>>> >> Unable to read WSDL from URL: blah/blah.cfc?wsdl. Error:
>>> >> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated.
>>> >>
>>> >> All the items I read seemed to say that all I needed to do was to add
>>> >> the certificate to java keystore.
>>> >> Which I have done using this;
>>> >> http://certman.riaforge.org/
>>> >>
>>> >> I even tried using the command line - just in case there was some
>>> >> "odd" issue with the Certificate Manager extension to CF Admin.
>>> >>
>>> >> But still no dice.
>>> >>
>>> >> I have added the server cert and also tried by adding in the client
>>> >> cert too - but I still receive that error.
>>> >> Interestingly enough - I can successfully see the WSDL via the browser
>>> >> and https.
>>> >>
>>> >> If I place the code on a non-ssl connection - everything works as
>>> >> expected - so I know that my CFCs/code etc is working correctly.
>>> >>
>>> >> If anyone has any ideas - I would be most appreciative.
>>> >>
>>> >>
>>> >> Gavin.
>>> >>
>>> >> --
>>> >> You received this message because you are subscribed to the Google 
>>> >> Groups "cfaussie" group.
>>> >> To post to this group, send email to cfaus...@googlegroups.com.
>>> >> To unsubscribe from this group, send email to 
>>> >> cfaussie+unsubscr...@googlegroups.com.
>>> >> For more options, visit this group at 
>>> >> http://groups.google.com/group/cfaussie?hl=en.
>>> >>
>>> >
>>> 
>>> 
>>> 
>>> 
>> 
>> 
> 
> 

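The check suggested in the thread (that command-line keytool work is done against the same JVM named in ColdFusion's jvm.config) can be scripted. This is an added sketch, not code from any poster; the function names `jvm_arg`, `cf_truststore` and `same_store` are hypothetical, and it assumes jvm.config carries `java.home=` and a single `java.args=` line with no spaces inside paths.

```shell
#!/bin/sh
# Added example: resolve which trust store the JVM in jvm.config will load.

# Print the value of -D<prop>=<value> from the java.args line, if present.
jvm_arg() {  # $1 = jvm.config, $2 = system property name
    tr -d '\r' < "$1" | sed -n 's/^java\.args=//p' | tr ' ' '\n' |
        sed -n "s/^-D$2=//p" | tail -n 1
}

# Print the trust store path the configured JVM uses by default.
cf_truststore() {  # $1 = jvm.config
    ts=$(jvm_arg "$1" javax.net.ssl.trustStore)
    # An explicit trustStore option overrides the files under java.home.
    if [ -n "$ts" ]; then echo "$ts"; return 0; fi
    home=$(tr -d '\r' < "$1" | sed -n 's/^java\.home=//p' | tail -n 1)
    [ -n "$home" ] || { echo "no java.home in $1" >&2; return 1; }
    # A JDK keeps its runtime under jre/; a plain JRE has lib/ directly.
    for sec in "$home/jre/lib/security" "$home/lib/security"; do
        # JSSE prefers jssecacerts over cacerts when both exist.
        for f in jssecacerts cacerts; do
            if [ -f "$sec/$f" ]; then echo "$sec/$f"; return 0; fi
        done
    done
    echo "no trust store under $home" >&2
    return 1
}

# Succeed only if the file given to "keytool -keystore" is that same store.
same_store() {  # $1 = jvm.config, $2 = keystore path used with keytool
    want=$(cf_truststore "$1") || return 2
    a=$(cd "$(dirname "$want")" 2>/dev/null && pwd -P || dirname "$want")
    b=$(cd "$(dirname "$2")" 2>/dev/null && pwd -P || dirname "$2")
    [ "$a/$(basename "$want")" = "$b/$(basename "$2")" ]
}

# Stand-alone use: sh script.sh /path/to/jvm.config [keystore-used]
if [ $# -ge 1 ]; then
    cf_truststore "$1"
    if [ $# -ge 2 ]; then
        same_store "$1" "$2" && echo "keytool target matches" ||
            echo "keytool target is a different file"
    fi
fi
```

A trust store only decides which server certificates the JVM accepts; a client certificate that the JVM must present is configured separately (`javax.net.ssl.keyStore`), which `jvm_arg` can also report.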