0 Replies Latest reply on Jan 7, 2014 7:46 AM by Garth@DST

    CF 10 HMAC Function

    Garth@DST

      HMAC(msg,key,algorithm(optional),encoding(optional))

       

      I'm using the following HMAC(msg,key,algorithm)

       

      I’ve run into a situation where on one CF 10 server the algorithm parameter within the function works fine, while on another CF 10 server it does not. I can still use the HMAC function, but have to leave out the algorithm parameter using the default algorithm parameter of HMAC-MD5. 

       

      I created a test script using all of the acceptable algorithms for the function. Works fine on one server, but none work on the other (outside of the default if none are specified in the function).

       

      I’ve gone through checking the server settings on both CF 10 servers. They match 100% from what I can see within the CF admin tool.

       

      The exception log for the CF 10 server not working correctly with the HMAC function has the following entry :

       

      java.security.NoSuchAlgorithmException: Algorithm HMAC-MD5 not available

      at javax.crypto.Mac.getInstance(DashoA13*..)

      at coldfusion.security.SecurityUtils.hmac(SecurityUtils.java:319)

      at coldfusion.runtime.CFPage.HMac(CFPage.java:4892)

      at coldfusion.runtime.CFPage.HMac(CFPage.java:4871)

      at cftestHMACScript2ecfm455145200.runPage(D:\Web\willfile\Garth\test_fun ctions\testHMACScript.cfm:21)

      at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:244)

      at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:444)

      at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:65)

      at coldfusion.filter.IpFilter.invoke(IpFilter.java:64)

      at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:422 )

      at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.ja va:48)

      at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40)

      at coldfusion.filter.PathFilter.invoke(PathFilter.java:112)

      at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:94)

      at coldfusion.filter.BrowserDebugFilter.invoke(BrowserDebugFilter.java:7 9)

      at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePers istenceFilter.java:28)

      at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)

      at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:46)

      at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)

      at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)

      at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62)

      at coldfusion.CfmServlet.service(CfmServlet.java:219)

      at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:8 9)

      at sun.reflect.GeneratedMethodAccessor54.invoke(Unknown Source)

      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces sorImpl.java:25)

      at java.lang.reflect.Method.invoke(Method.java:597)

      at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274 )

      at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:271 )

      at java.security.AccessController.doPrivileged(Native Method)

      at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)

      at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:3 06)

      at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil. java:166)

      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appl icationFilterChain.java:299)

      at org.apache.catalina.core.ApplicationFilterChain.access$000(Applicatio nFilterChain.java:57)

      at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilt erChain.java:193)

      at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilt erChain.java:189)

      at java.security.AccessController.doPrivileged(Native Method)

      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationF ilterChain.java:188)

      at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringS ervletFilter.java:42)

      at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46 )

      at sun.reflect.GeneratedMethodAccessor39.invoke(Unknown Source)

      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces sorImpl.java:25)

      at java.lang.reflect.Method.invoke(Method.java:597)

      at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274 )

      at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:271 )

      at java.security.AccessController.doPrivileged(Native Method)

      at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)

      at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:3 06)

      at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil. java:246)

      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appl icationFilterChain.java:239)

      at org.apache.catalina.core.ApplicationFilterChain.access$000(Applicatio nFilterChain.java:57)

      at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilt erChain.java:193)

      at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilt erChain.java:189)

      at java.security.AccessController.doPrivileged(Native Method)

      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationF ilterChain.java:188)

      at coldfusion.filter.ClickjackingProtectionFilter.doFilter(ClickjackingP rotectionFilter.java:75)

      at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46 )

      at sun.reflect.GeneratedMethodAccessor39.invoke(Unknown Source)

      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces sorImpl.java:25)

      at java.lang.reflect.Method.invoke(Method.java:597)

      at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274 )

      at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:271 )

      at java.security.AccessController.doPrivileged(Native Method)

      at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)

      at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:3 06)

      at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil. java:246)

      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appl icationFilterChain.java:239)

      at org.apache.catalina.core.ApplicationFilterChain.access$000(Applicatio nFilterChain.java:57)

      at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilt erChain.java:193)

      at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilt erChain.java:189)

      at java.security.AccessController.doPrivileged(Native Method)

      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationF ilterChain.java:188)

      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperV alve.java:224)

      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextV alve.java:169)

      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(Authentica torBase.java:472)

      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.j ava:168)

      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.j ava:98)

      at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java: 928)

      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineVal ve.java:118)

      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.jav a:414)

      at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:204)

      at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process( AbstractProtocol.java:539)

      at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoin t.java:298)

      at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExec utor.java:886)

      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor .java:908)

      at java.lang.Thread.run(Thread.java:662)

       

      Researching the error above lead me to check to see that 'sunjce_provider.jar' was in the right location. Which it was... I checked the working CF 10 server as well. Same location.

       

      Also, I've checked to see that the below line of code was present in the java.security file.

       

      security.provider.4=com.sun.crypto.provider.SunJCE

       

      Same location on both servers as well.

       

      I created a test script using all of the acceptable algorithms for the function. Works fine on one server not the other .

       

      I’ve asked the network guys if there have been any changes to either server. They claim that there Identical.

       

      Both are:

      Version -  CF 10,283649 

      Edition - Standard

      OS - Windows Server 2008 R2

      Java Version - 1.6.0_29

       

       

       

      Does anybody have any thoughts or insight into what could be causing the issue on one server, but not the other?

       

      Thanks in advance for the help.