From: sqlguy on 18 Jan 2006 00:19

I have been racking my brain all day about this problem. I am trying to make a web services call (through any method I can manage) to a server using WSDL. Problem is that I am required to use a client certificate that was provided by the server administrators of the target web service.

I can't find any way to use CFHTTP to make this work, as it does not appear to have the ability to send a Client Certificate like CFLDAP does. I have converted the Client Certificate to just about every form I can think of. I have used the "keytool" tool in Java to import it... BUT... I am now thinking that it was not the way to go.

    /opt/coldfusion/jre/bin/keytool -import -keystore /opt/coldfusion/jre/lib/security/cacerts -alias costco_ssl3 -file vendorcert2006_base64.cer

Does anyone know of a work-around that would allow me to hit this secure web service using a Client Certificate? If the server owner were not Costco, I would be asking to remove the necessity to send this client certificate.... but, as you can imagine, they are not going to be flexible.

Thank you in advance!

From: MikerRoo on 18 Jan 2006 00:57

Unless you received an error while importing the certificate, it should work. Try posting your EXACT error message here.

Also, make sure that the certificate really is imported properly. Please do the following:

Change to the store directory and run all commands from there. This can be important.

    cd /opt/coldfusion/jre/lib/security/

Import the cert using the recommended syntax:

    /opt/coldfusion/jre/bin/keytool -import -keystore cacerts -file vendorcert2006_base64.cer -alias costco_ssl3 -storepass changeit

Verify the import:

    /opt/coldfusion/jre/bin/keytool -list -keystore cacerts -alias costco_ssl3 -storepass changeit -v

Restart Java/JRE and coldfusion

From: sqlguy on 18 Jan 2006 01:08

Thank you for the reply... I did exactly as you specified... and the cert was imported correctly. I still can't hit the site with the CFHTTP call. I simply get this message:

"The page requires a client certificate"

So, it is not using the client certificate that it should be using. Am I supposed to use the URL of the domain as the ALIAS?

Here is the code that I am using to call the site....

    <cfhttp url="https://costcovendor.costco.com" method="get" username="USERNAME(a)costco.com" password="PASSXXXXX" />
    <cfdump var="#cfhttp#">
    <cfoutput>#cfhttp.filecontent#</cfoutput>

Now, this is a very simplified version that I ended up stripping down to, after all the expected processes were failing... But, I would hope that it would at least not return the error about the missing Client Certificate.

I appreciate the help!

-Mark

From: sqlguy on 18 Jan 2006 01:13

"HTTP 403.7 - Forbidden: Client certificate required Internet Information Services"

Is the full error message that I get...

From: MikerRoo on 18 Jan 2006 01:34

Forgot to ask... What version of CF are you using? Are you running on JRun by any chance?

Anyway, add port=443 to your CFHTTP tag.

Next, browse to the secure site yourself using a browser that is running on your CF server (if at all possible). Check for the following:

- More than one certificate installed / used?
- Costco redirects to different servers/IPs/domain?
- Cert info in browser matches info from the import verification, above?
- Cert is Base64-encoded X.509 format?
- Proxy-server information used/needed by browser (if any) matches proxy statements of <cfhttp> tag?
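
The `keytool -list ... -v` verification step in the thread above also prints each entry's type, which is relevant to the "client certificate required" error: `keytool -import` of a `.cer` file creates a `trustedCertEntry` with no private key, while a TLS client can only present a certificate from an entry that holds the matching private key. The following is an added example, not part of the original thread: a shell filter that classifies entries in `keytool -list -v` output. The function names, aliases and sample listing are constructed for illustration.

```shell
#!/bin/sh
# Classify keystore entries from `keytool -list -v` output read on stdin.
# Prints "<alias> <verdict>" for each entry:
#   client-capable : entry holds a private key
#                    (PrivateKeyEntry; shown as "keyEntry" by older JDKs)
#   trust-only     : trustedCertEntry, a bare certificate without a key
classify_entries() {
    alias_name=""
    while IFS= read -r line; do
        case "$line" in
            "Alias name: "*)
                alias_name=${line#"Alias name: "} ;;
            "Entry type: "*)
                entry_type=${line#"Entry type: "}
                case "$entry_type" in
                    PrivateKeyEntry|keyEntry) verdict="client-capable" ;;
                    trustedCertEntry)         verdict="trust-only" ;;
                    *)                        verdict="other($entry_type)" ;;
                esac
                printf '%s %s\n' "${alias_name:-<unknown>}" "$verdict"
                alias_name="" ;;
        esac
    done
}

# Exit status 0 if alias $1 holds a private key, 1 otherwise.
alias_has_private_key() {
    listing=$(classify_entries)
    printf '%s\n' "$listing" | grep -Fqx "$1 client-capable"
}

# Constructed sample of `keytool -list -v` output (aliases are made up).
sample_listing() {
    cat <<'EOF'
Keystore type: jks
Your keystore contains 2 entries

Alias name: example_imported_cer
Creation date: Jan 18, 2006
Entry type: trustedCertEntry

Alias name: example_client_identity
Creation date: Jan 18, 2006
Entry type: PrivateKeyEntry
Certificate chain length: 1
EOF
}

# Real use: keytool -list -v -keystore cacerts -storepass changeit | classify_entries
sample_listing | classify_entries
```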