Web service call with v3 client cert in CF8

Report · Nov 18, 2008

I'm trying to call an external web service which requires a v3 client certificate be installed on our end. Our code platform is CF8, which I understand supports v3 certs. I've imported the external party's client cert into the CF server's cert store (cacerts) via keytool, and confirmed it's there. I've restarted the CF server. How do I attach the certificate to the cfhttp call to the external web service? I figure I can use a cfhttpparam, but am not sure what type to use, and what the value should be. Thanks in advance.

Report · Nov 22, 2008

DrewBlah wrote:
> I'm trying to call an external web service which requires a v3 client
> certificate be installed on our end. Our code platform is CF8, which I
> understand supports v3 certs. I've imported the external party's client cert
> into the CF server's cert store (cacerts) via keytool, and confirmed it's
> there.

You should not import the client certificate, but the server certificate:
http://www.talkingtree.com/blog/index.cfm/2004/7/1/keytool
http://jochem.vandieten.net/2008/02/28/cfhttp-and-client-certificates/

> I've restarted the CF server. How do I attach the certificate to the
> cfhttp call to the external web service? I figure I can use a cfhttpparam, but
> am not sure what type to use, and what the value should be. Thanks in advance.

The certificate for the HTTP call should be on the filesystem in PKCS#12
format. Then use the following code:

<cfset variables.certificatePath = ExpandPath("certificate.pkcs") />
<cfset variables.certificatePass = "fillOutYourOwnPassword"/>
<cfset variables.webserviceURL = "https://server/service" />

<cfsavecontent variable="theSoap">
<soapenv:Envelope
xmlns:soapenv=" http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ns="https://server/service">
<soapenv:Header/>
<soapenv:Body>
<ns:GetXXX>
<xxx>YYY</xxx>
</ns:GetXXX>
</soapenv:Body>
</soapenv:Envelope>
</cfsavecontent>

<cfhttp
url = "#variables.webserviceURL#"
clientCert = "#variables.certificatePath#"
clientCertPassword = "#variables.certificatePass#"
method = "get"
port="443"
>
<cfhttpparam type="header" name="Connection" value="Keep-Alive">
<cfhttpparam type="header" name="SOAPAction" value="service">
<cfhttpparam type="xml" value="#theSoap#">
</cfhttp>

<cfdump var="#XMLParse(cfhttp.filecontent)#">

Jochem

--
Jochem van Dieten
Adobe Community Expert for ColdFusion

Report · Jan 27, 2009

Did this work? I was told by CF support that CF 8 does NOT support SSL v3. But we are having the same problem with SSL v2.

There are many threads started on this topic, but none with a resolution. Has any one ever gotten Coldfusion to consume a web service with https ??

Report · Jan 28, 2009

quote:

Originally posted by: gdemaria
Did this work? I was told by CF support that CF 8 does NOT support SSL v3. But we are having the same problem with SSL v2.

There are many threads started on this topic, but none with a resolution. Has any one ever gotten Coldfusion to consume a web service with https ??

Yes, it did work, after a bit of trial and error. The critical thing was, as Jochem pointed out, to use the external party's server certificate not the client cert. I guess CF8 needs both the public key and the private key. Once the external party hosting the web service (who needed the cert to be included in the call to them) had provided me with the server certificate in a ".pfx" format file I was able to just save it onto the server in a folder and point CF8 to it via the CFHTTP clientCert and clientCertPassword attributes. I didn't need to do anything with the server's certificate store in the end. Works fine now. Best of luck with your endeavors.