Re: cfhttp and SSL ... I/O Exception: peer not authenticated
I did it once long ago when I was still a developer, it was probably on CF5 or 6. I will presume Windows is used here, if not, just translate to the Unix equivalents.

It is basically just a file server, network attached storage, a SAN or whatever you have available. You MAP a drive on your web servers to that NAS. You will need to run CF under a user account (not system) so it has access to mapped drives, but you should be doing this anyway for security.

Now you simply have some code in your application.cfc or wherever is convenient which serializes a user's SESSION scope to WDDX or JSON and stores it on that mapped drive whenever something changes. Then OnSessionStart, you look for that file (based on the sessionID in the cookie), and load in the session scope and serialize it. This will handle server restarts, crashes and failover to different servers as well as the file will get loaded if it exists. This also allows you to keep your sessions alive for much longer without having to store them in memory, or if you don't want to do that, just have a schedule which deletes any files with last modified times older than your desired session limit.

The updating of the session file may be the tricky bit, as you will need to update any code which writes to the session scope. The way I did this back then was to have a custom tag or function which would do the session read/write and then serialize and re-save whenever a write occurs, or if your code is more modern this would be a config bean of some sort.

I did load test this solution at the time and it made no noticeable difference to performance. I'm pretty sure I also compared saving to files vs saving to a database as well and saving to files performed better. Although nowadays you could probably use a NOSQL solution such as MongoDB instead.

On Mon, Nov 18, 2013 at 3:56 PM, Brian FitzGerald wrote:

> > If you use a centralised storage for all servers in your cluster then it is easy.
>
> Russ, thanks a lot for your response (somehow I missed it last week). I read the article you linked to about client variables (good read). Are you aware of any resources which discuss how one might implement a "centralised storage" setup like the one you describe?

~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357105 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
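
The shared-drive session store described in the message above, as an added example in CFML (not code from the original post or from any of the participants). The application name, the `S:\cfsessions\` share path, the 30-minute limit and the helper names `sessionFile` and `saveSession` are assumptions; the file name is derived from a hash of the session ID rather than from the raw cookie value, and the stored file is validated before it is loaded.

```cfml
// Application.cfc (script syntax, ColdFusion 9 or later)
component {

    this.name = "clusteredApp";                        // assumption: example name
    this.sessionManagement = true;
    this.sessionTimeout = createTimeSpan(0, 0, 30, 0);

    // Assumptions: the share is mapped at S:\ on every web server and
    // session files expire after the same 30 minutes as the session itself.
    variables.storeDir = "S:\cfsessions\";
    variables.maxAgeMinutes = 30;

    // Keys ColdFusion manages itself; never persisted or restored.
    variables.builtInKeys = "cfid,cftoken,sessionid,urltoken,jsessionid";

    // The session ID reaches the server in a cookie, so it is client-controlled.
    // Hashing it yields a fixed-length hex file name, so a crafted cookie value
    // cannot point the read or write outside storeDir.
    private string function sessionFile(required string sessionId) {
        return variables.storeDir & lCase(hash(arguments.sessionId, "SHA-256")) & ".json";
    }

    // Call after any write to the session scope (for instance from the
    // custom tag or function that wraps session writes).
    public void function saveSession() {
        var snapshot = {};
        var key = "";
        var json = "";
        lock scope="session" type="readonly" timeout="5" {
            for (key in session) {
                if (!listFindNoCase(variables.builtInKeys, key)) {
                    snapshot[key] = session[key];
                }
            }
            json = serializeJSON(snapshot);
        }
        var path = sessionFile(session.sessionid);
        // Named locks only serialize threads on this server, not the cluster.
        lock name="sessfile_#hash(path)#" type="exclusive" timeout="5" {
            fileWrite(path, json, "utf-8");
        }
    }

    public void function onSessionStart() {
        var path = sessionFile(session.sessionid);
        if (!fileExists(path)) {
            return;
        }
        // Ignore and remove files older than the session limit.
        var info = getFileInfo(path);
        if (dateDiff("n", info.lastModified, now()) > variables.maxAgeMinutes) {
            fileDelete(path);
            return;
        }
        var raw = fileRead(path, "utf-8");
        // Treat the file as untrusted input: it must parse as a JSON object.
        if (!isJSON(raw)) {
            return;
        }
        var data = deserializeJSON(raw);
        if (!isStruct(data)) {
            return;
        }
        var key = "";
        for (key in data) {
            if (!listFindNoCase(variables.builtInKeys, key)) {
                session[key] = data[key];
            }
        }
    }
}
```

Anyone who can write to the share can alter session contents, so the directory should be writable only by the account ColdFusion runs under.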
Re: cfhttp and SSL ... I/O Exception: peer not authenticated
> If you use a centralised storage for all servers in your cluster then it is easy.

Russ, thanks a lot for your response (somehow I missed it last week). I read the article you linked to about client variables (good read). Are you aware of any resources which discuss how one might implement a "centralised storage" setup like the one you describe?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357104
Re: cfhttp and SSL ... I/O Exception: peer not authenticated
> > Lots of people use sticky sessions to solve this problem. That doesn't provide failover, but if you're not doing something extremely critical where the user can just go elsewhere (ex: ecommerce) you might not need failover.
>
> With sticky sessions, in the event that one server crashed, the users on that box would have their sessions killed and would basically get kicked out of the app and rerouted to the other server, is that right? That doesn't sound that bad to me considering we're talking about a very rare situation (assuming things are setup correctly).

That's correct, and for most applications I think this is an acceptable risk. The exception tends to be ecommerce applications, where a user might choose to use a competitor if the user's shopping cart is lost, etc.

> > Think about this for a minute. The application scope is in memory. So, no, it's not going to automatically synchronize with the application scope in memory on a different physical machine - even if you use session replication.
>
> Very true. Thanks for helping me get my thinking cap on, as these are just issues I haven't had to mess w/ yet. With that said, assuming your service objects were singletons and didn't have any session specific data, I don't see why you couldn't just have the same objects repeated in the application scope on each machine. userService, productService, securityService, etc and then simply pass the data into them as needed... i.e., userService.saveUser(stickyUser) or userService.getUserById(2401). Wouldn't this work fine?

Yes, it would work - if you had a way to synchronize the data across servers. One way or another, you have to synchronize whatever data you want to use across servers. If your userService is populated at runtime on one server based on a user's authentication, for example, you'd have to have a way to tell the other servers that information.

> Thanks again for your insight, it is invaluable to me.

You're welcome!

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357089
Re: cfhttp and SSL ... I/O Exception: peer not authenticated
> Lots of people use sticky sessions to solve this problem. That doesn't provide failover, but if you're not doing something extremely critical where the user can just go elsewhere (ex: ecommerce) you might not need failover.

With sticky sessions, in the event that one server crashed, the users on that box would have their sessions killed and would basically get kicked out of the app and rerouted to the other server, is that right? That doesn't sound that bad to me considering we're talking about a very rare situation (assuming things are setup correctly).

> Think about this for a minute. The application scope is in memory. So, no, it's not going to automatically synchronize with the application scope in memory on a different physical machine - even if you use session replication.

Very true. Thanks for helping me get my thinking cap on, as these are just issues I haven't had to mess w/ yet. With that said, assuming your service objects were singletons and didn't have any session specific data, I don't see why you couldn't just have the same objects repeated in the application scope on each machine. userService, productService, securityService, etc… and then simply pass the data into them as needed... i.e., userService.saveUser(stickyUser) or userService.getUserById(2401). Wouldn't this work fine?

Thanks again for your insight, it is invaluable to me.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357088
Re: cfhttp and SSL ... I/O Exception: peer not authenticated
If you use a centralised storage for all servers in your cluster then it is easy. You save session data to your san disk. And simply reload it if it gets lost due to switching servers. You can also achieve this with replication between local disks too. Remember the session is stored in a cookie just like clientid so that part of the process is the same.

On 15 Nov 2013 19:55, "Dave Watts" wrote:

> > I'm hoping it's the former :) I guess that's what I'm getting at though... I'm sure you've done many applications that run on clustered servers, is using sticky sessions a common and accepted practice for using cfcs in a clustered environment?
> > Or do larger applications like this just normally stick to the client scope and use the workarounds we've mentioned if they want to use persistent objects? I've worked at two shops with clustered servers and both just used client variables and did not have persisted cfcs.
>
> Lots of people use sticky sessions to solve this problem. That doesn't provide failover, but if you're not doing something extremely critical where the user can just go elsewhere (ex: ecommerce) you might not need failover.
>
> > > I'm not sure where your userService object would live on a cluster of servers
> >
> > Shoot. For some reason I was thinking this would be the "easy part" in the sense that for some reason I was thinking the application scope would be available across all the machines and I could just store my singletons in the application scope. i.e. application.userService, application.securityService, etc. But now that I think about it, will this not work either in a clustered environment? Shoot, how do you guys solve this stuff? I must be missing something because this is the way I have learned to design applications... it can't be that it simply "doesn't hold up" when clustering is introduced, can it?
>
> Think about this for a minute. The application scope is in memory. So, no, it's not going to automatically synchronize with the application scope in memory on a different physical machine - even if you use session replication.
>
> > > I'd probably just serialize objects, but I'd want to make sure that I'm not storing too much in these objects due to the overhead of this process.
> >
> > Hmm. So you are saying you would serialize objects that would typically be stored in the application and session scopes?
> > But I need to be careful of storing too much in them... ? Shoot it sounds fragile, and I'm trying to introduce an updated code structure to the organization. I'd hate to bring some ideas in and then have it turn out that they are fragile or unworkable on a clustered server configuration.
>
> Whether you use serialization and Client variables, or use session replication, you'll have the same potential problem - that data has to be transferred from one server to the other servers. So, if you have a lot of data, it's going to cost you, right? Things that are inexpensive when you have lots of local, fast storage become expensive when that storage is no longer local.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> http://training.figleaf.com/
>
> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357087
Re: cfhttp and SSL ... I/O Exception: peer not authenticated
> I'm hoping it's the former :) I guess that's what I'm getting at though... I'm sure you've done many applications that run on clustered servers, is using sticky sessions a common and accepted practice for using cfcs in a clustered environment?
> Or do larger applications like this just normally stick to the client scope and use the workarounds we've mentioned if they want to use persistent objects? I've worked at two shops with clustered servers and both just used client variables and did not have persisted cfcs.

Lots of people use sticky sessions to solve this problem. That doesn't provide failover, but if you're not doing something extremely critical where the user can just go elsewhere (ex: ecommerce) you might not need failover.

> > I'm not sure where your userService object would live on a cluster of servers
>
> Shoot. For some reason I was thinking this would be the "easy part" in the sense that for some reason I was thinking the application scope would be available across all the machines and I could just store my singletons in the application scope. i.e. application.userService, application.securityService, etc. But now that I think about it, will this not work either in a clustered environment? Shoot, how do you guys solve this stuff? I must be missing something because this is the way I have learned to design applications... it can't be that it simply "doesn't hold up" when clustering is introduced, can it?

Think about this for a minute. The application scope is in memory. So, no, it's not going to automatically synchronize with the application scope in memory on a different physical machine - even if you use session replication.

> > I'd probably just serialize objects, but I'd want to make sure that I'm not storing too much in these objects due to the overhead of this process.
>
> Hmm. So you are saying you would serialize objects that would typically be stored in the application and session scopes?
> But I need to be careful of storing too much in them... ? Shoot it sounds fragile, and I'm trying to introduce an updated code structure to the organization. I'd hate to bring some ideas in and then have it turn out that they are fragile or unworkable on a clustered server configuration.

Whether you use serialization and Client variables, or use session replication, you'll have the same potential problem - that data has to be transferred from one server to the other servers. So, if you have a lot of data, it's going to cost you, right? Things that are inexpensive when you have lots of local, fast storage become expensive when that storage is no longer local.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357086
Re: cfhttp and SSL ... I/O Exception: peer not authenticated
Hey Dave,

Thanks a lot for your response. Please see some comments inline below:

> Are you using clustering to support a larger number of users than a single server? Or are you using it to provide failover in case a server fails? Or both?

The clustering is mainly for supporting a large number of users to route traffic to the less busy boxes. I think the failover you mention is also in place, but I don't think that's the primary reason for the cluster.

> If the former, there's nothing wrong with using sticky sessions, and you won't have to change your code.

I'm hoping it's the former :) I guess that's what I'm getting at though... I'm sure you've done many applications that run on clustered servers, is using sticky sessions a common and accepted practice for using cfcs in a clustered environment?

Or do larger applications like this just normally stick to the client scope and use the workarounds we've mentioned if they want to use persistent objects? I've worked at two shops with clustered servers and both just used client variables and did not have persisted cfcs.

> I'm not sure where your userService object would live on a cluster of servers

Shoot. For some reason I was thinking this would be the "easy part" in the sense that for some reason I was thinking the application scope would be available across all the machines and I could just store my singletons in the application scope. i.e. application.userService, application.securityService, etc. But now that I think about it, will this not work either in a clustered environment? Shoot, how do you guys solve this stuff? I must be missing something because this is the way I have learned to design applications... it can't be that it simply "doesn't hold up" when clustering is introduced, can it?

> I'd probably just serialize objects, but I'd want to make sure that I'm not storing too much in these objects due to the overhead of this process.

Hmm. So you are saying you would serialize objects that would typically be stored in the application and session scopes?

But I need to be careful of storing too much in them... ? Shoot it sounds fragile, and I'm trying to introduce an updated code structure to the organization. I'd hate to bring some ideas in and then have it turn out that they are fragile or unworkable on a clustered server configuration.

Thank you for any additional thoughts you are willing to share.

Brian

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357085
Re: cfhttp and SSL ... I/O Exception: peer not authenticated
Hey Bobby, thanks for the reply.

It turns out this is a CF9 bug. Ray Camden outlines it well here, with a workaround that is working for me:
http://www.coldfusionjedi.com/index.cfm/2011/1/12/Diagnosing-a-CFHTTP-issue--peer-not-authenticated

Here is the bug report Jason Dean filed:
http://cfbugs.adobe.com/cfbugreport/flexbugui/cfbugtracker/main.html#bugId=85815

Thank you again for the feedback, I just wanted to post again to direct future visitors to where I found the workaround.

Best,
Brian

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:345391
RE: cfhttp and SSL ... I/O Exception: peer not authenticated
"I'm pretty sure it's related to the fact that I'm trying to make a secure request (SSL), and maybe since I'm on my local development machine and thus don't have a local SSL setup on my end as well it's causing problems (maybe?)."

Yes, most likely. If you have a self signed cert, you can add it to the java keystore on the CF server to have CFHTTP make successful SSL calls to a page using that cert.

Your other options are to use a real, valid cert and some hosts file magic to make the request remain local but use the real domain (that the cert was issued to)

Or... just stop using SSL for testing.

.:.:.:.:.:.:.:.:.:.:.:.:.:.
Bobby Hartsfield
http://acoderslife.com
http://cf4em.com

-Original Message-
From: Brian FitzGerald [mailto:bmfitzgera...@yahoo.com]
Sent: Thursday, June 16, 2011 2:33 PM
To: cf-talk
Subject: cfhttp and SSL ... I/O Exception: peer not authenticated

Hey all,

I'm trying to make a cfhttp call to a secure url (the API for http://spreedly.com) and this is what I keep getting back:

ErrorDetail I/O Exception: peer not authenticated
Filecontent Connection Failure
Mimetype Unable to determine MIME type of file.
Statuscode Connection Failure. Status code unavailable.

I'm pretty sure it's related to the fact that I'm trying to make a secure request (SSL), and maybe since I'm on my local development machine and thus don't have a local SSL setup on my end as well it's causing problems (maybe?).

I've been Googling around on it and this seemed like the most relevant article:
http://australiansearchengine.wordpress.com/2011/01/19/cfhttp-io-exception-peer-not-authenticated-error/#comment-1860

I did what he suggested by downloading and placing their cert in my CF9 directory structure, but no luck. Seen anything like this?

Thanks!
Brian
http://www.spanishwizards.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:345390
Re: cfhttp and SSL ... I/O Exception: peer not authenticated
> You'll need to download the certificate and install it in your JVM's keystore. Google "java keystore keytool coldfusion" for instructions.

Hi Dave,

Thank you for the reply. Only thing is that I've already downloaded the certificate through Google Chrome, and imported it via the keytool as described by Steven Erat[1]. I've even downloaded a KeyStore Explorer GUI[2] and used it to confirm that the cert is indeed shown in the keystore, which it appears to be as you can see in this screenshot (spreedlyCert is the one I created): http://fitzgeraldmedia.net/images/keystoreShot.jpg

I have also restarted CF9 via the Windows services panel.

So for me, the thing that came to mind was maybe CF was using a different JRE, but I checked in the CF9 admin settings, and I see that Java Home is indeed listed as: C:\ColdFusion9\runtime\jre which is where I imported the cert. C:\ColdFusion9\runtime\jre\lib\security.

I'm still getting the same error. Is there anything else you can think of I may be overlooking?

Thanks,
Brian

[1] http://www.talkingtree.com/blog/index.cfm?mode=entry&entry=25AA75A4-45A6-2844-7CA3EECD842DB576
[2] http://www.lazgosoftware.com/kse/index.html
[3]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:345389
Re: cfhttp and SSL ... I/O Exception: peer not authenticated
> I'm trying to make a cfhttp call to a secure url (the API for http://spreedly.com) and this is what I keep getting back:
>
> ErrorDetail I/O Exception: peer not authenticated
> Filecontent Connection Failure
> Mimetype Unable to determine MIME type of file.
> Statuscode Connection Failure. Status code unavailable.
>
> I'm pretty sure it's related to the fact that I'm trying to make a secure request (SSL), and maybe since I'm on my local development machine and thus don't have a local SSL setup on my end as well it's causing problems (maybe?).
>
> I've been Googling around on it and this seemed like the most relevant article: http://australiansearchengine.wordpress.com/2011/01/19/cfhttp-io-exception-peer-not-authenticated-error/#comment-1860
>
> I did what he suggested by downloading and placing their cert in my CF9 directory structure, but no luck. Seen anything like this?

You'll need to download the certificate and install it in your JVM's keystore. Google "java keystore keytool coldfusion" for instructions.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, onli

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:345370
cfhttp and SSL ... I/O Exception: peer not authenticated
Hey all,

I'm trying to make a cfhttp call to a secure url (the API for http://spreedly.com) and this is what I keep getting back:

ErrorDetail I/O Exception: peer not authenticated
Filecontent Connection Failure
Mimetype Unable to determine MIME type of file.
Statuscode Connection Failure. Status code unavailable.

I'm pretty sure it's related to the fact that I'm trying to make a secure request (SSL), and maybe since I'm on my local development machine and thus don't have a local SSL setup on my end as well it's causing problems (maybe?).

I've been Googling around on it and this seemed like the most relevant article:
http://australiansearchengine.wordpress.com/2011/01/19/cfhttp-io-exception-peer-not-authenticated-error/#comment-1860

I did what he suggested by downloading and placing their cert in my CF9 directory structure, but no luck. Seen anything like this?

Thanks!
Brian
http://www.spanishwizards.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:345369