
I've tried to import the certificate from First Data into my ColdFusion 9 setup using keytool, like so:

keytool -importcert -keystore MYCF9Dir\runtime\jre\lib\security\cacerts -trustcacerts -alias firstdata -file FirstData.pem

The import seems to work; however, when I access the WSDL via any ColdFusion function or tag it throws an "I/O Exception: Received fatal alert: handshake_failure", which tells me it can't access the site with the certificates that it has, or can't find it.

So, am I importing the certificate correctly? And if I am, how else can I access this WSDL with ColdFusion?

Shawn Holmes
DefconRhall
  • Did you restart the ColdFusion server after importing the certificate? You can also use http://certman.riaforge.org/ to assist with importing certificates – Antony May 26 '11 at 02:54
  • Yes, I restarted the server after I imported the cert – DefconRhall May 26 '11 at 11:37
  • Can you cfhttp any content from the site that hosts the WSDL? – Antony May 26 '11 at 12:08
  • Nothing that uses https; it seems to be a secure server only. Adding the cert to Windows lets me get to the site with Internet Explorer, but not Firefox. – DefconRhall May 26 '11 at 12:46
  • I actually had this same problem last week, and was unable to figure it out. Their tech support, while nice, wasn't very helpful. I didn't import using the keytool thing, though. I imported the certificate into windows and used some winhttpcert thing they had mentioned in their instructions. Maybe if you do both steps, it would work? – Jason May 26 '11 at 14:51
  • What is the winhttpcert supposed to do? I even tried the certman utility Antony suggested, to make sure I did it right (that is MUCH easier than trying to add them by hand). Still no luck. – DefconRhall May 26 '11 at 15:27
  • Also, this may be a factor: the certs have passwords on them, but keytool and the utility never ask me for them, just the password for the keystore itself. – DefconRhall May 26 '11 at 15:29
  • @defcon - so it's not just a normal SSL certificate? That probably changes things, and I don't have any advice for that, sorry. – Antony May 27 '11 at 02:33

3 Answers


I had a similar issue, and just in case someone is facing the same issue, this is how I solved mine. I had a .pem file, and it showed as imported successfully into the cacerts keystore within ColdFusion, but the remote API (server) I was trying to hit was not recognising the certificate for some reason. So I first of all converted the .pem certificate into a PKCS12 format file using OpenSSL - this link helped: http://cc.in2p3.fr/docenligne/84/en#0.4 (at the bottom). I then used the CFHTTP CF tag like below:

    <cfhttp
        url="https://urlToAPI"
        method="POST"
        clientCert="path to the file (.p12)"
        clientCertPassword="password"
        result="result">

This did it for me. I hope it helps someone.

migarich

Have you considered using the .crt file instead of the .pem file? I just used

keytool -importcert -keystore C:\Coldfusion9\runtime\jre\lib\security\cacerts -trustcacerts -alias myserver -file myserver.crt

And now it works just fine.

Hope this helps.

JimP

I had the same issue when I was integrating with Java. I'm not sure what you would do in ColdFusion, but I imagine this can point you in the right direction.

To avoid the issue, you would need to create an SSLContext and present it to the firstdata server manually before you can do anything else.

In Java this is what I did:

import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;

// Load the client certificate and its private key from the PKCS#12 (.p12) file.
// "PKCS12" rather than getDefaultType(): on older JREs the default is JKS, which cannot read a .p12.
KeyStore ksjks = KeyStore.getInstance("PKCS12");
ksjks.load(new FileInputStream("/path/to/your/p12/file"), "password".toCharArray());

// The key manager presents that certificate when the server requests client authentication.
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(ksjks, "password".toCharArray());

// The original used "SSLv3"; current JREs disable it, so ask for TLS. Trust managers stay
// null so the default cacerts (where keytool imported the server certificate) is used.
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(kmf.getKeyManagers(), null, null);

SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();

And you would use this context in your client as follows:

import java.net.URL;
import javax.net.ssl.HttpsURLConnection;

// Every connection opened through this URL object now authenticates with the client certificate.
URL url = new URL("serverUrl");
HttpsURLConnection urlConn = (HttpsURLConnection) url.openConnection();
urlConn.setSSLSocketFactory(sslSocketFactory);

Hope that helps you. Peace!

Karthic Raghupathi
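An added example, not code from any of the answers above, that ties migarich's .p12/cfhttp approach and Karthic's SSLContext answer together: it first checks that the converted .p12 actually carries a private key (a KeyManager has nothing to present without one, which is one way to end up with handshake_failure), then connects with both that client certificate and the JRE's default cacerts trust store and reports whether a client certificate was actually sent. The file path, password and URL are placeholders.

```java
import java.io.FileInputStream;
import java.net.URL;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

public class ClientCertCheck {
    // Placeholder values: the .p12 exported from the .pem with OpenSSL, its password and the API URL.
    static final String P12_PATH = "/path/to/client.p12";
    static final char[] P12_PASSWORD = "changeit".toCharArray();
    static final String API_URL = "https://api.example.invalid/wsdl";

    public static void main(String[] args) throws Exception {
        KeyStore clientStore = KeyStore.getInstance("PKCS12");
        clientStore.load(new FileInputStream(P12_PATH), P12_PASSWORD);

        // A KeyManager can only present entries that carry a private key. A .pem holding just the
        // certificate converts to a .p12 with no key entry, so the client sends nothing when asked.
        boolean hasKey = false;
        for (String alias : Collections.list(clientStore.aliases())) {
            System.out.println(alias + (clientStore.isKeyEntry(alias) ? ": private key + cert" : ": cert only"));
            hasKey |= clientStore.isKeyEntry(alias);
        }
        if (!hasKey) {
            System.out.println("No private key in " + P12_PATH + "; re-export it with the key included.");
            return;
        }

        // Our side of the handshake: certificate and key from the .p12.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientStore, P12_PASSWORD);
        // Their side: the default trust store (cacerts), where keytool -importcert -trustcacerts put their cert.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        HttpsURLConnection conn = (HttpsURLConnection) new URL(API_URL).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        try {
            System.out.println("HTTP " + conn.getResponseCode() + " over " + conn.getCipherSuite());
            // null means the server never requested a client certificate, or no entry matched its request.
            System.out.println("client cert sent: " + (conn.getLocalCertificates() != null));
        } catch (SSLHandshakeException e) {
            System.out.println("handshake failed: " + e.getMessage());
        }
    }
}
```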