This is first time I'm using SOAP.I'm trying to invoke a webservice using cfinvoke which is as follows:
<cfinvoke
webservice="https://xyz/infoLookup.php?wsdl"
method="infoLookup"
returnVariable="info"
>
<cfinvokeargument name="phoneNumber" value="7182973186"/>
<cfinvokeargument name="userName" value="12345"/>
<cfinvokeargument name="password" value="password"/>
</cfinvoke>
<cfdump var="#info#">
And here is a part of the message name from the WSDL :
<message name="infoLookupRequest">
<part name="phoneNumber" type="xsd:string" />
<part name="userName" type="xsd:string" />
<part name="password" type="xsd:string" />
</message>
And here is a part of Operation name from WSDL:
<portType name="vtsInfoLookupPortType">
- <operation name="infoLookup">
<documentation>Get phone number information.</documentation>
<input message="tns:infoLookupRequest" />
<output message="tns:infoLookupResponse" />
</operation>
</portType>
I'm getting the following error:
Unable to read WSDL from URL: https://xyz/infoLookup.php?wsdl.
Error: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated.
The error occurred in C:\XYZ\A\Soap\soapreq.cfm: line 37
35 : <cfinvokeargument name="phoneNumber" value="7182973186"/>
36 : <cfinvokeargument name="userName" value="12345"/>
37 : <cfinvokeargument name="password" value="password"/>
38 : </cfinvoke>
39 :
I have tried to search for the error online but couldn't figure how what's wrong in my code. Please let me know if I'm doing something wrong
Here are the steps you need to perform in order to install the certificate to the Java keystore for ColdFusion. First, be sure you are updating the correct cacerts file that ColdFusion is using. In case you have more than one JRE installed on that server. You can verify the JRE ColdFusion is using from the administrator under the 'System Information'. Look for the Java Home line.
The default truststore is the JRE's cacerts file. This file is typically located in the following places:
Server Configuration:
cf_root/runtime/jre/lib/security/cacerts
Multiserver/J2EE on JRun 4 Configuration:
jrun_root/jre/lib/security/cacerts
Sun JDK installation:
jdk_root/jre/lib/security/cacerts
Consult documentation for other J2EE application servers and JVMs
In order to install the certificate you need to first get a copy of the certificate. This can be done by using Internet Explorer. Note that different versions of Internet Explorer will behave slightly differently but should be very similar to these steps. For example, earlier versions of IE might save the certificate under a different tab than I mention.
Browse to the SSL URL in Internet Explorer - https://xyz/infoLookup.php?wsdl.
View the certificate by clicking on the lock icon and clicking view certificate
Then click the Install Certificate... button (note: if you do not see this button you must close IE and run it as administrator first)
Click on IE's Internet Options and click the Content tab
Click the Certificates button
Find the server's certificate under the Intermediate Certification Authorities tab, select the cert and click the Export... button
Export using DER format
Copy the exported certificate file to your ColdFusion server (you can delete the cert from IE if you want)
Run cmd prompt as administrator on the ColdFusion server
Make a backup of the original cacerts file in case you run into issues
The keytool is part of the Java SDK and can be found in the following places:
Server Configuration:
cf_root/runtime/bin/keytool
Multiserver/J2EE on JRun 4 Configuration:
jrun_root/jre/bin/keytool
Sun JDK installation:
jdk_root/bin/keytool
Consult documentation for other J2EE application servers and JVMs
To install the cert:
Change directory to your truststore's location (where the cacerts file is located)
Type this command (use current jvm and use current jvm's keytool) "c:\program files\java\jre7\bin\keytool" -import -v -alias your_cert_alias_name -file C:\wherever_you_saved_the_file\cert_file.cer -keystore cacerts -storepass changeit
Type yes at the prompt to "Trust this certificate?"
Note: *your_cert_alias_name* I used above can be whatever you want
Note: *C:\wherever_you_saved_the_file\cert_file.cer* change these values to whatever you use for the server folder and certificate file name
To verify the cert:
Type this command (use current jvm and use current jvm's keytool) "c:\program files\java\jre7\bin\keytool" -list -v -keystore cacerts -alias your_cert_alias_name -storepass changeit
Note: *your_cert_alias_name* use the same name here that you used above to install the cert
Restart the ColdFusion service It will not read the updated cacerts file until you do this.
You can delete the imported certificate file from the server if you wish.
Related
I am working on an asp.net core application, but my project stops running from debug mode(using f5). I need to host it on local IIS to debug the code. When running it locally I am getting this error "Bad Request - Invalid Hostname".
You can try below steps to solve this problem:
Exit the IIS Express instant currently running.
Open IIS Express’s applicationhost.config located at the following path C:\Users\\Documents\IISExpress\config\applicationhost.config
Find the entry for a particular site (e.g “Test” running in port 6306) which you are developing.e.g:
<site name="test" id="1">
<application path="/" applicationPool="gratedAppPool">
<virtualDirectory path="/" physicalPath="" />
</application>
<bindings>
<binding protocol="http" bindingInformation="*:6306:localhost" />
</bindings>
</site>
Replace the following bindingInformation=":6306:localhost" with bindingInformation=":6306:*"
Save the file.
Start a command prompt in administrator mode and run the following command.
netsh http add urlacl url=http://*:6306/ user=Everyone
Now debug the site again and you should be able to access the url using host name.
I am using Liberty 16.0.0.4
I am trying to call xxxx SOAP services, but i got the following errors
[ERROR ] CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN CN=xxxx, was sent from the target host. The signer might need to be added to local trust store serverHome/resources/security/key.jks, located in SSL configuration alias defaultSSLConfig. The extended error message from the SSL handshake exception is: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I used next command to generate certificate
openssl s_client -connect xxxxURL:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > xxx.cert
Then injecting it into liberty jks default file with next command
keytool -import -trustcacerts -alias xxxSigner -file xxx.cert -keystore *pathToHomeServer/resources/security/key.jks* -storepass Liberty -storetype jks
Also this is my server.xml tags related to that
<featureManager>
<feature>webProfile-7.0</feature>
<feature>jaxb-2.2</feature>
<feature>concurrent-1.0</feature>
<feature>javaMail-1.5</feature>
<feature>localConnector-1.0</feature>
<feature>jaxws-2.2</feature>
<feature>apiDiscovery-1.0</feature>
<feature>ssl-1.0</feature>
</featureManager>
<keyStore id="defaultKeyStore" location="${server.config.dir}/resources/security/key.jks" password="{xor}EzY9Oi0rJg==" type="jks" />
<keyStore id="defaultTrustStore" location="${server.config.dir}/resources/security/key.jks" password="{xor}EzY9Oi0rJg==" type="jks" />
<sslDefault sslRef="defaultSSLConfig" />
<ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" sslProtocol="TLSv1.2"/>
<httpEndpoint id="defaultHttpEndpoint" httpPort="9080" httpsPort="9443">
<sslOptions sslRef="defaultSSLConfig"></sslOptions>
</httpEndpoint>
So what is the problem my side which
Not sure why your approach is not working, but another way to go about it is to use a browser to retrieve the certificate and then keytool to add it, as described here (see the 8/5/2015 comment at the bottom of the article): developer.ibm.com/wasdev/docs/single-sign-google-liberty
Does it work if you explicitly add the signer itself, shown at the bottom of the stack of certs when you append -showcerts to your openssl command?
I'm having a major pain getting my new SSL certificate to work with GlassFish 3.1.2.2. My current SSL certificate is due to expire soon, so I ordered a renewal at GlobalSign.
With my current SSL certificate I get following response (this is done through SoapUI for testing purposes):
HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0 JSP/2.2 (Oracle GlassFish Server 3.1.2.2 Java/Oracle Corporation/1.7)
Server: Oracle GlassFish Server 3.1.2.2
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 01:00:00 CET
Content-Type: application/xml
Transfer-Encoding: chunked
Date: Mon, 11 Jan 2016 13:38:32 GMT
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..(xmlresponse)..</xml>
However, with the new SSL certificate active, I get following message:
SoapUI:
Error getting response; javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake.
Browser:
This page can’t be displayed
Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to again. If this error persists, contact your site administrator.
The only thing I changed in the config of glassfish is the following:
Configurations > server-config > HTTP Service > Http Listeners > http-listener-2 > SSL tab
The Certificate NickName field from my old alias (mydomain) to my new alias (mydomain.net), which matches the alias of my private key in the keystore
The Key Store field value (file name) from the old keystore (server.keystore) to my new keystore (ssl_mydomain_net.jks)
Both new and old keystores are inside the C:\glassfish3\glassfish\domains\mydomain\config folder.
Old SSL settings:
New SSL settings:
I already had contact with GlobalSign support and we verified that the keystore is correctly generated.
When I run keytool -list -keystore ssl_mydomain_net.jks I get following output which should be correct:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 3 entries
root, Jan 8, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): <...>
intermediate, Jan 8, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): <...>
<mydomain>.net, Jan 8, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): <...>
As far as I concluded, it has something to do with Glassfish. Does anyone have any idea because I'm out of options here...
Update January 13th, 2016
I upgraded from Glassfish 3.1.2.2 to Payara 4.1 (which is basicly Glassfish 4.1). I created a new fresh domain and noticed that by default the following jks files were in the mydomain/config folder:
cacerts.jks
keystore.jks
I added my own jks (ssl_mydomain_net.jks) to this folder and adjusted the settings for the http-listener-2 as above in the new SSL image. This gave me the same result as mentioned at the start of this post.
What am I missing? Do I have to adjust something to the default jks files? Do I have to create a csr from the keystore.jks instead of my own made keystore?
What do I need?
A GlobalSign SSL Certificate
Windows server with IIS installed
Payara instance
Getting your certificate from GlobalSign
Order or renew your SSL certificate at the GlobalSign website. During the process, choose the option Order with AutoCSR. The password of the new certificate will exist out of a password that you have to give during the creating process added by an extra string created by GlobalSign. Please remember this password as you will need it in the next phases.
Once your order is complete, you should be receive a PFX file. Copy this file to the Windows server where IIS is running.
Setting/Changing the master password for Payara
The password of the certificate which will contain your private and public key will have to match the master password of Payara (This can be freely chosen, this is NOT the password of your certification request at GlobalSign). You can change the master password by running following command:
asadmin change-master-password –savemasterpassword=true mydomain
Installing the certificate
Right click the PFX file and choose Install PFX
At the welcome screen, click Next
At the File to import screen, click Next as the PFX file location should be in there by default.
Enter the password. Remember, this is the password you gave up at the certificate creation extended by the string GlobalSign created.
Select the Mark this key as exportable. option.
Select the Include all extended properties. option.
Click Next
In the Certificate Store window, choose the Place all certificates in the following store option.
Click the Browse button.
Choose the Personal store.
Click OK
Click Next
Click Finish
Export the public and private key
Open the Microsoft Management Console (Start > Run > mmc > OK)
Click File > Add/Remove Snap-ins
Choose Certificates under the Available snap-ins list
Click the Add button
In the next window, choose the My user account option
Click Finish
Click OK
In the management console, expand Certificates - Current User > Personal > Certificates. If all want correct, you should see 3 certificates: GlobalSign Domain Validation CA, GlobalSign Root CA and mydomain.net.
Right click the mydomain.net entry
Choose All Tasks > Export...
In the welcome screen, press Next
Choose Yes, export the private key option
Click Next
In the Export File Format window, Choose Personal Information Exchange - PKCS # 12 (.PFX) and select the Include all certificates in the certification path if possible and Export all extended properties options.
Click Next
In the Password window, enter your Payara master password (this has to match!)
Click Next
Select the location were you want to put the export PFX file (e.g. mydomain.pfx) and click Next.
Click Finish
Getting the alias name
Run the following command to find out the generated alias name:
keytool -list -storetype pkcs12 -keystore mydomain.pfx
You will have to enter your keystore password, which should be the same as your Payara master password (see step 29).
When this command runs succesful, you should see your alias on the first line of the export. This looks like a long string of text (e.g. {fa2ebfd3-z11b-492d-2c73-f5z199732p2k}) followed by the date. Copy this string of text as we will need it later.
Adding the certificate to Payara
These are the two important steps that I was missing. We have to add the certificate to the cacerts.jks and keystore.jks who is located in the payara_install_folder/glassfish/domains/mydomain/config. This can be done by following two commands:
keytool -importkeystore -deststorepass <payara masterpassword> \
-destkeypass <payara masterpassword> -destkeystore cacerts.jks \
-srckeystore mydomain.pfx -srcstoretype PKCS12 \
-srcstorepass <payara masterpassword> \
-alias mydomain_alias_name //in our example this would be {fa2ebfd3-z11b-492d-2c73-f5z199732p2k}
keytool -importkeystore -deststorepass <payara masterpassword> \
-destkeypass <payara masterpassword> -destkeystore keystore.jks \
-srckeystore mydomain.pfx -srcstoretype PKCS12 \
-srcstorepass <payara masterpassword> \
-alias mydomain_alias_name //in our example this would be {fa2ebfd3-z11b-492d-2c73-f5z199732p2k}
Setting http-listener in Payara
Open your Payara admin console (normally this would be http://localhost:4848)
Go to Configurations > server-config > HTTP Service > HTTP Listeners > http-listener-2
Enable Security on the General tab
On the SSL tab, Enable SSL3 and TLS
In the Certificate NickName enter mydomain_alias_name (in our case {fa2ebfd3-z11b-492d-2c73-f5z199732p2k})
In the Key Store field, enter keystore.jks
Press the Save button
Restart your domain
Test if it works! :)
Thanks a lot to GlobalSign support and Max Lam who created a guide How To Install Comodo SSL Certificate Chain On Payara / Glassfish 4.x. Combining all this knowledge made me come up with the solution.
There is probably a way to replace the Installing the certificate and Export the public and private key part by running keytool commands. But as I'm not a 100% familiar with certificates, I left those out. If someone can tell me the right commands, let me know and I'll update the answer.
Add your new certificate to the truststore of the JVM that your server is using. If you take a look to your output when list the certificates of your keystore, you could see that your new certificate is not a trustedCertEntry.
I'm running a ASP.NET MCV 4 project in VS2012 on a windows 7 virtual machine using VMWare. I want to be able to access the site from my mac.
I've done all the steps stated in this question. Restarted IIS, turned off windows firewall, changed the application config file and granted remote access to the ACL and I still get a 503 error in my mac.
Any steps I could have missed?
application config file is the following:
<site name="prototype" id="2">
<application path="/" applicationPool="Clr4IntegratedAppPool">
<virtualDirectory path="/" physicalPath="C:\Users\Igor Popov\Desktop\myapp\prototype" />
</application>
<bindings>
<binding protocol="http" bindingInformation=":50438:192.168.0.9" />
</bindings>
</site>
1.Editing applicationhost.config file, your site bindings should look like below;
<binding protocol="http" bindingInformation="*:50438:localhost" />
2.Run your VS as administrator.
3.Visite the site with "localhost:50438" in your mac.
I have installed AppFabric on the server. I have created a cluster of a single computer . I have also create a cache named "Gagan".
used the following commands in order
Use-CacheCluster -Provider xml -ConnectionString \NB-GJANJUA\Cache
Start-CacheCluster
Result is that the cache service is up and running ..so far so good.
I then setup my web.config file like below
<?xml version="1.0"?>
<configuration>
<configSections>
<section name="dataCacheClient"
type="Microsoft.ApplicationServer.Caching.DataCacheClientSection,
Microsoft.ApplicationServer.Caching.Core, Version=1.0.0.0,
Culture=neutral, PublicKeyToken=31bf3856ad364e35"
allowLocation="true"
allowDefinition="Everywhere"/>
</configSections>
<!-- cache client -->
<dataCacheClient>
<!-- cache host(s) -->
<hosts>
<host
name="NB-GJANJUA.com"
cachePort="22233"/>
</hosts>
</dataCacheClient>
<system.web>
<compilation debug="true" targetFramework="4.0" >
<assemblies>
<add assembly="System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
<add assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
<add assembly="System.Data.DataSetExtensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
<add assembly="System.Xml.Linq, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
<add assembly="Microsoft.ApplicationServer.Caching.Client, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
<add assembly="Microsoft.ApplicationServer.Caching.Core, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
</assemblies>
</compilation>
<sessionState mode="Custom" customProvider="SessionStore" cookieless="true">
<providers>
<add name="SessionStore" type="Microsoft.ApplicationServer.Caching.DataCacheSessionStoreProvider" cacheName="Gagan" />
</providers>
</sessionState>
</system.web>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
</configuration>
But as soon as I launch my site , it comes up with this error
Parser Error Message: ErrorCode:SubStatus:There is a temporary failure. Please retry later. (One or more specified Cache servers are unavailable, which could be caused by busy network or servers. Ensure that security permission has been granted for this client account on the cluster and that the AppFabric Caching Service is allowed through the firewall on all cache hosts. Retry later.)
Source Error:
Line 44: <sessionState mode="Custom" customProvider="SessionStore" cookieless="true">
Line 45: <providers>
Line 46: <add name="SessionStore" type="Microsoft.ApplicationServer.Caching.DataCacheSessionStoreProvider" cacheName="Gagan" />
Line 47: </providers>
Line 48: </sessionState>
Is there something that I am missing ?
Note : I have already referenced the
Microsoft.ApplicationServer.Caching.Client and the
Microsoft.APplicationServer.Caching.Core assemblies
THanks for your time and patience
With Regards
Gagan Janjua
I was also having this error. Just to test client in development I switched off security by using AppFabric Power Shell command
Stop-CacheCluster
Set-CacheClusterSecurity -SecurityMode None -ProtectionLevel None
Start-CacheCluster
Also set following in client application in web.config
<dataCacheClient>
<securityProperties mode="None" protectionLevel="None"/>
</dataCacheClient>
This is not production scenario but the above error disappear when these settings are applied.
I had a similar issue, running IIS 7.5 on Windows Server 2008 R2. I resolved it by issuing the following commands in PowerShell (started from the Windows AppFabric folder in Start, All Programs):
New-Cache -CacheName NameOfCacheAsSetInWebConfig -TimeToLive 30
Grant-CacheAllowedClientAccount "IIS AppPool\NameOfAppPoolRunningSite"
Once I did that, I was all set.
Have you granted access to the cache for whatever user your website is running as?
Grant-CacheAllowedClientAccount Gagan
I solved this problem as follows:
Launch Windows Task manager and notice under what User Name your w3wp.exe is running?
In my case it was: ASP.NET v4.0
Launched Start -> All Programs -> Windows Server App Fabric -> IIS manager
In IIS , select Machine name and then Application Pools on top left handside.
In Application Pools..Verify that ASP.net v4.0 exists under Application Pools.
Launched Start -> All Programs -> Windows Server App Fabric -> Caching Administration Windows Power Shell
Type the following command on the prompt: Grant-CacheAllowedClientAccount "ASP.NET v4.0"
restarted the web application and following error went away:
ErrorCode<ERRCA0017>:SubStatus<ES0006>:There is a temporary failure. Please retry later. (One or more specified Cache servers are unavailable, which could be caused by busy network or servers. Ensure that security permission has been granted for this client account on the cluster and that the AppFabric Caching Service is allowed through the firewall on all cache hosts. Retry later.)
I had this problem and it was just that the Cache Cluster was down after a reboot. I didn't realize that you have to manually switch the service to start automatically in the services. Detailed information on that is here.
Commenting out the following in the config fixed it for me:
<sessionState customProvider="AppFabricCacheSessionStoreProvider" mode="Custom" timeout="90">
<providers>
<add name="AppFabricCacheSessionStoreProvider" type="Microsoft.ApplicationServer.Caching.DataCacheSessionStoreProvider" cacheName="Session" sharedId="SharedApp" />
</providers>
</sessionState>
By default the worker processes will be setup as an iis user, those users need access. In your Caching Administration Windows Powershell type the following
Grant-CacheAllowedClientAccount IIS_IUSRS