As a follow-up, I have tested a Java class that simply does an HTTP POST with our cacerts file. This is being done outside of ColdFusion and works successfully. I have turned debugging on and see one step in the working CF9 log that is not present in the non-working CF11 log.
As soon as ColdFusion starts up on the working server, I see a reference to the keystore, listed below:
keystore is: /opt/coldfusion9/runtime/jre/lib/security/cacerts
found key for: ***alias for cert****
It then displays the correct certificate for the server.
In the CF11 log, which is not working, there is nothing logged at all about initializing the keystore. It almost appears that ColdFusion does not know about the keystore at all.
Further on in both logs, both have the entry for the truststore and adding the trusted certs.
Is there somewhere in a configuration file for CF11 where you identify where/what the keystore file is? I think that is the part that we are missing in our upgrade to CF11. Bottom line is that the truststore is being read on both servers but the keystore is only being read on CF9. Thanks,
Not sure if this helps, but I have not had any compatibility issues between CF9 and CF11 other than the cacerts location being slightly different and keytool having slightly different syntax. Here is a batch file I use to import certificates:
@ECHO OFF
REM import-cert.bat - import a certificate into the ColdFusion JRE's cacerts.
REM The alias used in cacerts is the certificate file name passed as %2.
IF "%1"=="" GOTO Help
IF "%2"=="" GOTO Help
IF NOT EXIST "%1\bin\keytool.exe" GOTO BadPath
IF NOT EXIST "%1\lib\security\cacerts" GOTO BadPath
IF NOT EXIST "%2" GOTO BadCert
IF "%3"=="10" GOTO KeyTool2
IF "%3"=="11" GOTO KeyTool2
REM CF9 keytool: -import
"%1\bin\keytool.exe" -import -v -alias "%2" -file "%2" -keystore "%1\lib\security\cacerts" -storepass changeit
GOTO End
:KeyTool2
REM CF10/CF11 keytool: -importcert
"%1\bin\keytool.exe" -importcert -v -alias "%2" -file "%2" -keystore "%1\lib\security\cacerts" -storepass changeit
GOTO End
:BadPath
ECHO Path not found! This indicates that one or both the following were not found:
ECHO   %1\bin\keytool.exe
ECHO   %1\lib\security\cacerts
GOTO End
:BadCert
ECHO Certificate not found!
GOTO End
:Help
ECHO Syntax: import-cert [jre] [certificate] [cfversion, optional]
ECHO   jre: Full path to the ColdFusion JRE
ECHO   certificate: certificate.crt
ECHO   cfversion: Optional - 9, 10 or 11 - default 9 -- used to specify keytool version 1.4.2 or greater (CF10 or 11)
ECHO Example CF9:
ECHO   import-cert d:\coldfusion9\runtime\jre example.crt
ECHO Example CF11:
ECHO   import-cert d:\coldfusion11\jre example.crt 11
:End
Steve, Ron Boy is apparently on Unix. The corresponding paths are something like
We have solved the problem. It appears that adding the following statements to the jvm.config file corrected it. The best that I can figure is that CF needed to be directed to the keystore file in addition to the truststore file. From my reading, the keystore file contains the certs that the client (us, in this case) uses to send to the server to authenticate. This is what we are doing in the case of the cfhttp call to an external server. The truststore contains the certs of the servers that we trust. The truststore and keystore can be in the same file, but based on the logs we never saw the keystore being initialized. Once we added the following commands, we saw the keystore being loaded and the cfhttp tag worked perfectly!!! Thanks for everyone's help.
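The keystore/truststore split described in the last post (and exercised by the stand-alone Java test class in the first post) is easy to see when both stores are wired up explicitly rather than picked up from JVM system properties. The class below is an added example written for this thread; it is not the poster's test class and does not reproduce the jvm.config lines the post refers to, which are not shown on the page. It builds an SSLContext from a keystore (our own certificate and private key, presented when the server requests client authentication) and a truststore (the CA/server certificates we accept), then does an HTTPS POST through it. The file paths, passwords and URL are placeholders to be replaced; "changeit" is only the well-known default cacerts password.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not code from the thread): an HTTPS POST whose SSLContext
 * is built from two explicitly named stores, so the result does not depend
 * on what the JVM was told through system properties.
 *
 *   keystore   - our certificate + private key (client authentication)
 *   truststore - CA / server certificates we are willing to trust
 *
 * Paths, passwords and the URL below are assumptions, not values from the page.
 */
public class MutualTlsPost {

    static SSLContext buildContext(String keyStorePath, char[] keyStorePass,
                                   String trustStorePath, char[] trustStorePass)
            throws Exception {
        // Keystore: holds the private key we use to authenticate ourselves.
        // getDefaultType() is PKCS12 on current JDKs, which still reads JKS files.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(keyStorePath)) {
            ks.load(in, keyStorePass);
        }
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyStorePass); // the key password, needed to use the private key

        // Truststore: holds the certificates of the servers we trust (e.g. cacerts).
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, trustStorePass);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        // Passing null for the key managers here is what "no keystore" looks like:
        // server trust would still work, but client authentication would silently fail.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    static int post(SSLContext ctx, String url, byte[] body) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body);
        }
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        // Assumed locations: a JKS/PKCS12 file with our client cert and key,
        // and the JRE's cacerts file as the truststore.
        SSLContext ctx = buildContext(
            "/path/to/client-keystore.jks", "changeit".toCharArray(),
            "/path/to/jre/lib/security/cacerts", "changeit".toCharArray());
        int status = post(ctx, "https://partner.example.com/api/submit",
                          "hello=world".getBytes(StandardCharsets.UTF_8));
        System.out.println("HTTP " + status);
    }
}
```

Run it with -Djavax.net.debug=ssl to get the same kind of "keystore is:" / "found key for:" lines the first post quotes from the CF9 log; if the keystore half is missing or the key password is wrong, kmf.init fails loudly here instead of the handshake quietly proceeding without a client certificate. Keep the keystore readable only by the ColdFusion service account, since it contains the private key, and note that the truststore password only protects the file's integrity, not the certificates in it.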