5 Replies Latest reply on Jul 2, 2017 10:24 PM by Ryan11

    Coldfusion 11 - Web Sockets via SSL

    cgjazinski@upta.edu

      Help!

       

      I can't seem to figure out how to handle WSS (Websockets over SSL). I have a cert that has already been sent/received by verifier. I have a cert and an intermediate cert. I've been looking at documentation and from what I've gathered i need to add the certs to the "keystore". I issued a command like this ->>>  D:\CF11\jre\bin\keytool -import -v -alias myCert-cert -file myCert.cer -keystore D:\CF11\jre\lib\security\cacerts -storepass changeit <-- I see the cert is added. And if list the keystore i see the number of certs increased by one. I then enable the SSL WS, use default port (built in server.. not proxied), and point it to the keystore D:\CF11\jre\lib\security\cacerts and for pass i simply use the default changeit.... I've modified my cfcode to have the secure="true" attribute. So I think everything is setup correctly ....but...  when i goto the webpage the web socket will try to connect then simply not connect (Firebug says the connection was refused) (The code works fine removing the secure attribute and accessing via http) ... So i guess i'm not sure exactly what i should be doing. Can i use the same cert that I had created via IIS. The cert looks valid. Also further more i see nothing showing up in the log files.. I see a log called WebSocket.log but the size is 0 and nothing is being thrown in the exception log either.. I'm completely confused.

        • 1. Re: Coldfusion 11 - Web Sockets via SSL
          Sharma Nimit Adobe Employee

          Hi,

           

          If you are trying to configure WebSocket over SSL using self-signed certificate, then ColdFusion server should also be running over SSL using the same certificate.

           

          To configure ColdFusion server over SSL follow below mentioned steps:

           

          1. Create Keystore:

                Keytool -genkey -keyalg RSA -keystore websocket.crt -storepass changeit -alias wss -keypass changeit -validity 365

           

          2. Configure ColdFusion to run over SSL port:

           

          1. Uncomment "<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"  maxThreads="150" scheme="https" secure="true"   clientAuth="false" sslProtocol="TLS" />" this section in server.xml file available at <cf_home>/cfusion/runtime/conf.
          2. Change value of "Protocol" attribute from "HTTP/1.1" to "org.apache.coyote.http11.Http11NioProtocol" in the Connector tag.
          3. Add these attributes to above mentioned tag:
            1. keystoreFile
            2. keystorePass
          4. Save Changes.
          5. Restart ColdFusion service.
          6. Access ColdFusion administrator console using URL: https://127.0.0.1:8443/CFIDE/administrator/index.cfm

          3. Configure Websocket to run over SSL port:

          1. Access ColdFusion administrator console.
          2. Navigate to ColdFusion Administrator > Server Settings > WebSocket.
          3. Check "SSL Port" checkbox.
          4. Enter keystore location and password [which we created in step #1 Create Keystore ].
          5. Submit Changes.
          6. Restart ColdFusion service.

          4. Create a sample CFML template to verify the configuration.

           

          Application.cfc

           

               component

               {

                   this.name = "sample";

                   this.wschannels = [{name="demo"}];

               }

           

          SAMPLE.cfm

               <html>

               <head>

                    <title>Websocket Example</title>

                    <script>

                           //messagehandler recieves all the messages from websocket

                           function mycbHandler( messageobj)

                           {

                                    var message = ColdFusion.JSON.encode(messageobj);

                                    var txt=document.getElementById("myDiv");

                                    txt.innerHTML +=message  +"<br>";

                           }

               

                           //openhandler is invoked when socket connection is

                           function openHandler()

                           {

                                  var txt=document.getElementById("myDiv");

                                   txt.innerHTML +="open Handler invoked <br>";

                           }

                    </script>

               </head>

               <cfwebsocket name="mywsobj" onMessage="mycbHandler" subscribeTo="demo" onOpen="openHandler" secure="true"/>

               <div id="myDiv"></div>

               </html>

           

          5. Try to access this CFML template using ColdFusion over SSL port using Chrome web browser or any other browser with debugging capability.

           

          6. In my case, it is Google chrome.  Press F12 and navigate to the Network section to check whether websocket request is being served over SSL or not.

           

          If you find any difficulty in following above mentioned steps, you can contact me at nimsharm@adobe.com

           

          Regards,

          Nimit

          • 2. Re: Coldfusion 11 - Web Sockets via SSL
            Prem Radhakrishnan

            Hi Nimit,

            I am trying to follow the same instructions presented here with little success, I was directed here by my developer who is trying to implement WebSocket over SSL on ColdFusion 11. We are running ColdFusion 11 on Windows Server 2012 and IIS 8. We are using a GoDaddy certificate and not a self-signed certificate, should the process be the same?

             

            Basically, I have used the keytool as described and made the changes in server.xml and restarted the server but I cannot access the page on port 8443 or on just HTTPS. It just says waiting and eventually times out. I can access the regular coldfusion admin on HTTP. Could you please help me troubleshoot this ? I am looking at the logs and cant find anything helpful.

            Regards

            Prem

            • 3. Re: Coldfusion 11 - Web Sockets via SSL
              kevinwagoner

              Hi Sharma,

               

              I also sent you a note directly via email (see below). I am having a similar issue to Prem without resolution.

               

              Our CF11 server configuration:

              Windows 2012 Server R2

              IIS 8

               

              We have a *.balboadigital.com registered RapidSSL certificate installed on our server which resolves to https://dev.balboadigital.com on this particular development box. I've been unable to locate any online resources which would show me how to utilize this certificate for websockets within CF11. Due to this, I was happy to find your reference to try a self-signed certificate. I followed your instructions. Here is the breakdown:

               

              1. I generated the keystore per your instructions which created the websocket.crt file.

               

              2. The CF server XML was uncommented and updated to:

              <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
                             maxThreads="150" scheme="https" secure="true"
                             clientAuth="false" sslProtocol="TLS"
                              keystoreFile="C:\ColdFusion11\jre\bin\websocket.crt" keystorePass="[my password]"/>

               

              3. I restarted the  CF11 Application Windows service.

               

              4. The "Use Built-In WebSocket Server" radio button was selected with PORT: 8575 for non-SLL and PORT: 8543 for SSL as defaults. The KeyStore was set to "C:/ColdFusion11/jre/bin/websocket.crt" and the KeyStore Password to "[MyPassword]" and changes posted.

               

              5. I restarted the  CF11 Application Windows service.

               

              6. I then ran a test web page: https://dev.balboadigital.com/admin/websocket/index_withssl.cfm (this is live for you to test)

              Application.cfc
              <CFCOMPONENT>
                  <CFSCRIPT>
                  this.name = "balboa";
                  this.wschannels = [{name="phone"}];
                  </CFSCRIPT>
              </CFCOMPONENT>

               

              index_withSSL.cfm
              <script type="text/javascript">
                  function mymessagehandler(atoken)
                  {
                      if (atoken.data != null) {
                          var message = ColdFusion.JSON.encode(atoken.data);
                          var txt = document.getElementById("myDiv");
                          txt.innerHTML += message + "<br>";
                      }
                  }
                  function publishmessage()
                  {
                      var msg = document.getElementById("message").value;
                      mycfwebsocketobject.publish("phone.4",msg );
                  }
                 
              </script>
              <cfwebsocket name="mycfwebsocketobject"  onmessage="mymessagehandler" subscribeto="phone" secure="true">
              "Phone" Message: <input id ="message" type="text" > <input type="button" onclick="publishmessage();" value="Publish Message"><br />
              <cfdiv id="myDiv"></cfdiv>

               

              The test fails and returns the following from the Google Chrome Console:
              WebSocket connection to 'wss://dev.balboadigital.com:8543/cfusion/cfusion' failed: WebSocket opening handshake was canceled

               

              7. The script was copied and modified to eliminate SSL as follows: http://dev.balboadigital.com/admin/websocket/index_nossl.cfm (this is live for you to test)

              index_nossl.cfm
              <script type="text/javascript">
                  function mymessagehandler(atoken)
                  {
                      if (atoken.data != null) {
                          var message = ColdFusion.JSON.encode(atoken.data);
                          var txt = document.getElementById("myDiv");
                          txt.innerHTML += message + "<br>";
                      }
                  }
                  function publishmessage()
                  {
                      var msg = document.getElementById("message").value;
                      mycfwebsocketobject.publish("phone",msg );
                  }
                
              </script>
              <cfwebsocket name="mycfwebsocketobject"  onmessage="mymessagehandler" subscribeto="phone">
              "Phone" Message: <input id ="message" type="text" > <input type="button" onclick="publishmessage();" value="Publish Message"><br />
              <cfdiv id="myDiv"></cfdiv>

               

              This test passes and works as expected, but no SSL.

               

              Please advise as our application absolutely requires that SSL is working for us.

               

              Thanks,

               

              Kevin

              • 4. Re: Coldfusion 11 - Web Sockets via SSL
                kevinlopez

                Hi everyone, I just want to share this information in case someone else is having problems with ColdFusion 11 and WebSockets through SSL.

                We had this issue with this configuration:

                 

                - ColdFusion 11 (Update 2)

                - IIS 7.5

                - Windows Server 2008

                - WebApp Running over https

                 

                These are some points to consider before getting to know what is wrong.

                 

                • CF 11 Update 2 seems to have problem using a Keystore different than JKS (We were using PFX keystore file, it doesnt support pkcs12 format),

                 

                 

                • When using a Keystore that is not supported (like pfx, or just a crt file) ColdFusion seems to start the WebSockets SSL Service, but when trying to connect it fails in the SSL HandShake when trying to switch protocol from https to wss (secure websocket), you can notice this if you get Error message on console like " SSL HandShake Aborted" , "Connection refused by Server", "OSStatus Error -9806: connection closed via error"(safari), and other similar errors depending on web browser.

                 

                • When using a self-signed certificate (not working in production) you must add an exception rule to your browser so it can "trust" the certificate used in the configuration.

                 

                • The KeyStore File must have all the Certificate Chain in order to work in production, this means it must contain:
                  • Your domain Certificate (Signed by a CA, e.g. GeoTrust, VeriSign, etc).
                  • The Intermediate Certificate
                  • The Root Certificate of the Organization who signed your domain Certificate
                  • The Private Key

                 

                How to get this working?

                 

                1. First, if you're using a web server like apache or IIS and currently running over https and you want to configure your certificate with coldfusion, the way to know if your certificate (in a keystore) works fine in CF is to configure a Connector with SSL and test the https connection directly to ColdFusion through the SSL port configured in the connector (default is 8443).

                 

                How do I create a keystore in JKS format from a cer, crt or pem file?

                As I mention before the keystore must have the complete certificate chain. You can find out how here (java - Adding certificate chain to p12(pfx) certificate - Stack Overflow).

                 

                Important tip:

                If you already have your IIS Running with https you must have a certificate and private key for your site, so you can get a working KeyStore based on this. To make a JKS based on the Certificate used in IIS follow this steps:

                     - Export a PFX file which contain the Private Key and Certificate (How to export a certificate from Microsoft IIS 7 )

                     - (optionally) Add the root certificate of your CA to the PFX file

                     - Convert the PFX file to a JKS Keystore (java - How to convert .pfx file to keystore with private key? - Stack Overflow)

                 

                Now to configure the connector you'll have to edit the <cf_root>/cfusion/runtime/conf/server.xml file and add the following configuration:

                 

                    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"

                           maxThreads="150" scheme="https" secure="true"

                           clientAuth="false" sslProtocol="TLS"

                           keystoreFile="/path/to/file/keystore.jks"

                           keystorePass="yourKeystorePass"

                           keystoreType="JKS" />

                 

                2. Restart coldfusion server and load your administrator via the configured port (e.g https://yourdomain.com:8443/CFIDE/administrator) if you manage to load this page without any certificate/security warnings or error thats a good sign and you're almost done.

                 

                To be sure if the certificate is correctly configured you can use this online tool writing your site url with the ssl port: SSL Certificate Checker

                If everything is okay you'll see something like this in the bottom of the page:

                Captura de pantalla 2015-01-16 a la(s) 12.53.55.png

                3. If you got to this point now the final step is to configure the KeyStore for SSL WebSockets (Navigate to ColdFusion Administrator > Server Settings > WebSocket.) writing the same KeyStore file Path and Password as in the Server.xml file.

                 

                4. Restart ColdFusin server.

                 

                Best Regards,

                Kevin Lopez

                • 5. Re: Coldfusion 11 - Web Sockets via SSL
                  Ryan11 Level 1

                  Hi Guys,

                   

                  I am running CF2016 on windows server 2008  R2 and using IIS7.5. I am hosting a number of sites on the server.

                   

                  Recently I purchased a GeoTrust SSL certificate (which was installed by my VPS server host) for one of the websites that I am hosting. The site runs perfectly on https, except for a few pages that use websockets since the browsers require a ssl websocket connection if viewing the page over https. As there is no documentation that I could find on how to implement websocks over SSL in CF2016, I followed the instructions in this thread for CF11, specifically the last post by kevenlopez.

                   

                  I have followed all the steps but can't seem to get it working:

                   

                  1. I exported the certificate file (pfx) from IIS and created a .jks keystore from it.

                   

                  2. I selected the SSL option in the administrator and pointed to the keystore location (C:/ColdFusion2016/jre/bin/geotrust_cert.jks) and entered the password. I also unselected the non-ssl option.

                   

                  3. I modified the server.xml file to contain the following:

                           <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"

                             maxThreads="150" scheme="https" secure="true"

                             clientAuth="false" sslProtocol="TLS"

                             keystoreFile="C:\ColdFusion2016\jre\bin\geotrust_cert.jks"

                             keystorePass="mypassword"

                             keystoreType="JKS" />

                   

                  4. I restarted the server.

                   

                  When I visit the webpage with the websockets, if I f12 and view the console comment, it waits a while and then times out and does not form the connection.

                   

                  I was wondering if anyone could think of something that I may be doing wrong?  Perhaps because I have a domain specific (just for one of my sites) SSL certificate?

                   

                  I am not very proficient with Coldfusion and any help or links to further relevant resources would be really appreciated. Thanks!, Ryan.