For secure connections to remote servers over SSL, all current versions of ColdFusion require the remote system's SSL certificate (or one of the CA certificates in its chain) to be present in ColdFusion's certificate truststore; otherwise the JVM rejects the handshake. This applies to any outbound connection made by <cfdocument>, <cfhttp>, <cfldap>, etc. The default truststore is the JRE's cacerts file, which is typically located in the following places:
- Server Configuration: cf_root/runtime/jre/lib/security/cacerts
- Multiserver/J2EE on JRun 4 Configuration: jrun_root/jre/lib/security/cacerts
- Sun JDK installation: jdk_root/jre/lib/security/cacerts
- Consult documentation for other J2EE application servers and JVMs
Use the Java keytool (or a GUI wrapper) to import the remote server's SSL certificate into ColdFusion's truststore. The keytool is part of the Java SDK and is typically located in the following places:
- Server Configuration: cf_root/runtime/bin/keytool
- Multiserver/J2EE on JRun 4 Configuration: jrun_root/jre/bin/keytool
- Sun JDK installation: jdk_root/bin/keytool
- Consult documentation for other J2EE application servers and JVMs
The Java 1.4.2 keytool has the following syntax for an import:
-import [-v] [-noprompt] [-trustcacerts] [-alias <alias>] [-file <cert_file>] [-keypass <keypass>] [-keystore <keystore>] [-storepass <storepass>] [-storetype <storetype>] [-provider <provider_class_name>]
The Java 1.6.0 keytool has the following syntax for an import:
-importcert [-v] [-noprompt] [-trustcacerts] [-protected] [-alias <alias>] [-file <cert_file>] [-keypass <keypass>] [-keystore <keystore>] [-storepass <storepass>] [-storetype <storetype>] [-providername <name>] [-providerclass <provider_class_name> [-providerarg <arg>][-providerpath <pathlist>]
The certificate must be an X.509 certificate, either in binary Distinguished Encoding Rules (DER) format or in the Base64 "printable" (PEM) encoding defined in RFC 1421; keytool accepts both. On import, keytool prints the certificate's fingerprint; compare it with a value obtained out of band (for example from the server's owner) before answering "yes" to the trust prompt, because anything placed in the truststore is trusted unconditionally by every SSL connection ColdFusion makes.
To import a remote server's certificate from a certificate file into the JRE's truststore, type the following into a command prompt:
keytool -import -v -alias someServer-cert -file someServerCertFile.cer -keystore JAVA_HOME\jre\lib\security\cacerts -storepass changeit
Example :
C:\JRun4\jre\bin>keytool -importcert -v -alias wa-cert -file C:\temp\test.cer -keystore C:\JRun4\jre\lib\security\cacerts -storepass changeit
The JAVA_HOME location can be copied from jvm.config, which has an argument called "java.home". The "java.home" argument holds the path to the JRE (Java Runtime Environment) that ColdFusion actually starts with, so use it rather than assuming a system-wide Java install: a certificate imported into the wrong JRE's cacerts has no effect on ColdFusion.
By default you can find jvm.config at:
Coldfusion Standalone : C:\ColdFusion8\runtime\bin
Coldfusion Multiserver : C:\JRun4\bin
The default password for the cacerts truststore is "changeit". Note that passing -storepass on the command line leaves the password in the shell history. You can confirm the import with the following single command (the alias must match the one used at import time):
keytool -list -v -keystore JAVA_HOME\jre\lib\security\cacerts -alias someServer-cert -storepass changeit
Example :
C:\JRun4\jre\bin>keytool -list -v -keystore C:\JRun4\jre\lib\security\cacerts -alias wa-cert -storepass changeit
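The steps above (obtain the certificate, check its fingerprint, import it under an alias, confirm with keytool -list) collected into one script, as an added example that is not part of this TechNote or of ColdFusion itself. It assumes keytool and openssl are on PATH and that the host, port, truststore path, alias and password are supplied on the command line; the keytool arguments are the same ones used in the Windows examples above, so the procedure transfers directly even though the script is written for a POSIX shell.

```shell
#!/bin/sh
# Added example: fetch a remote server's certificate, show its SHA-256
# fingerprint for out-of-band verification, back up the truststore, import
# the certificate and confirm the alias is present. Not Adobe's code.
# Assumes keytool and openssl are on PATH; host/port/paths are placeholders.
set -eu

# Fetch the leaf certificate presented by HOST:PORT as PEM on stdout.
# SNI (-servername) is sent so a virtual-hosted server returns the right cert.
fetch_server_cert() {
    host=$1; port=${2:-443}
    openssl s_client -connect "${host}:${port}" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# SHA-256 fingerprint of a PEM certificate (upper-case, colon separated).
# The PEM body is the base64 of the DER bytes, and the fingerprint is simply
# SHA-256 over those DER bytes, i.e. the value keytool prints on import.
cert_fingerprint() {
    pem_file=$1
    tr -d '\r' < "$pem_file" \
        | sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' \
        | sed '1d;$d' | base64 -d | sha256sum | cut -d' ' -f1 \
        | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# Import PEM_FILE under ALIAS into TRUSTSTORE after backing the store up.
# -noprompt suppresses the interactive "Trust this certificate?" question,
# so the fingerprint must have been checked BEFORE calling this function.
import_cert() {
    truststore=$1; storepass=$2; alias=$3; pem_file=$4
    if [ -f "$truststore" ]; then
        cp -p "$truststore" "${truststore}.bak.$(date +%Y%m%d%H%M%S)"
    fi
    keytool -importcert -noprompt -alias "$alias" -file "$pem_file" \
        -keystore "$truststore" -storepass "$storepass"
}

# Exit 0 if ALIAS is in TRUSTSTORE, non-zero otherwise
# (keytool -list fails with "Alias ... does not exist" for an unknown alias).
cert_is_trusted() {
    truststore=$1; storepass=$2; alias=$3
    keytool -list -keystore "$truststore" -storepass "$storepass" -alias "$alias" >/dev/null 2>&1
}

# Usage: import-cert.sh HOST PORT TRUSTSTORE ALIAS [STOREPASS]
# e.g.  import-cert.sh ldap.example.com 636 /opt/coldfusion/runtime/jre/lib/security/cacerts ldap-cert
main() {
    host=$1; port=$2; truststore=$3; alias=$4; storepass=${5:-changeit}
    tmp=$(mktemp)
    fetch_server_cert "$host" "$port" > "$tmp"
    echo "Fetched certificate from ${host}:${port}"
    echo "SHA-256 fingerprint: $(cert_fingerprint "$tmp")"
    echo "Confirm this fingerprint with the server's owner before trusting it."
    import_cert "$truststore" "$storepass" "$alias" "$tmp"
    cert_is_trusted "$truststore" "$storepass" "$alias" \
        && echo "Alias '$alias' is now present in $truststore"
    rm -f "$tmp"
}

if [ $# -ge 4 ]; then
    main "$@"
fi
```

Two practical points the script does not change: importing the issuing CA certificate instead of the leaf certificate avoids repeating this procedure every time the server's certificate is renewed, and because a JRE update replaces cacerts, keep the backup the script makes (or a list of imported aliases) so the import can be repeated afterwards.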
Note: If you are using JRun as the underlying J2EE server (either the Server Configuration or the Multiserver/J2EE with JRun Configuration) and have enabled SSL for the internal JRun Web server (JWS), you will need to import the certificate into the truststore defined in the jrun.xml file for the Secure JWS rather than into the JRE's cacerts. By default this file is called "trustStore" and is typically located under jrun_root/lib for the Multiserver/J2EE with JRun configuration or cf_root/runtime/lib for the ColdFusion Server configuration. You use the same Java keytool commands to manage the trustStore; only the -keystore path (and its password) differ.
Additional information
- ColdFusion MX: Configuring Secure SSL Connection with LDAP Directory Server (TechNote tn_19139)
- Summary of Tools for Java Platform Security