CF2016/2018 Datasource SSL configuration

March 8, 2019

Hello,

When trying to pass EncryptionMethod=SSL in the datasource connection string, we are getting the below errors:

1- ValidateCertificate=false:

“Connection verification failed for data source: CDXTEST
java.sql.SQLNonTransientConnectionException: [Macromedia][SQLServer JDBC Driver]SSL handshake failed: Unknown named group ID: 29
The root cause was that: java.sql.SQLNonTransientConnectionException: [Macromedia][SQLServer JDBC Driver]SSL handshake failed: Unknown named group ID: 29”

2- ValidateCertificate=true:

“Connection verification failed for data source: CDXTEST
java.sql.SQLNonTransientConnectionException: [Macromedia][SQLServer JDBC Driver]SSL handshake failed: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
The root cause was that: java.sql.SQLNonTransientConnectionException: [Macromedia][SQLServer JDBC Driver]SSL handshake failed: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target”

Below are the steps done to enable SSL:

1- Create Self Signed Certificate on MSSQL server (Windows Server 2016)

2- Grant MSSQL service account read privileges on the certificate

3- Configure MSSQL to use the certificate using MSSQL Configuration Manager by pointing it to the created certificate and restart MSSQL service.

4- Copy the certificate to ColdFusion server and import it to the keystore

5- Restart ColdFusion Service and verify the datasource. Connection String set to:

EncryptionMethod=SSL;TrustStore=C:\ColdFusion2018\jre\lib\security\sqlstore.jks;TrustStorePassword=xxxxxxx;ValidateServerCertificate=true;HostNameInCertificate=xxxxxxxx

Would you please advise if there is anything missing and must be done to solve the issue.

P.S: the issue is occurring on both versions of CF, 2016 and 2018.

Thank you

Comments (6)
2019-05-09 18:24:08

Is there any way to get the original adobe_drivers.jar file? We just moved from CF11 to CF2018 Update 3. The installer includes Update 2 which has the same adobe_drivers.jar file as Update 3. The one in the hf_updates folder is the same one as in the cfusion\lib folder, but we tried it anyways.

Our issue is actually with an LDAPS connection to a server that presents a wildcard certificate.  Everything is still working fine on our CF11 server and we’ve tried everything with the cacerts file, including pointing CF2018 to the Java 8 and cacerts file we’re using with CF11.

Like (2)
2019-05-10 14:50:38
> George Alsobrooks's comment

George, I realize you’re scrambling to find a solution, but you’re reaching here, in wondering if this post and its proposed solution would relate to your problem. The adobe_drivers.jar relates only to datasources, not ldap calls.

I hear you saying you have “tried everything”, which is what leaves you grasping at straws. But maybe you have missed something. It would be hard to go over here (in the blog comments) all the things you should check–plus, since it’s off-topic, it would be inappropriate here.

You can hope that perhaps someone from Adobe would reach out to help, and they may, but if you need to get this resolved sooner, I will just propose that helping solve that kind of problem is what I do all day each day with CF folks, via a remote screenshare. You can learn more about my approach, rates, satisfaction guarantee, and more at https://www.carehart.org/consulting. We might solve this in as little as 15 mins (zeroing in on the problem, as we assess and rule out various things). Totally your call.

2019-05-14 12:21:41
> Charlie Arehart's comment

Charlie, thanks for the response and information. I noticed a couple LDAP related classes when I ran “jar -tf adobe_drivers.jar” so I was hopeful it was the same problem. Unfortunately due to our environment we’d probably be on ColdFusion 2020 before I got through all the hoops to get support from Carehart, but I will keep it in mind.

2019-03-12 07:41:09

DataSource SSL Encryption broken with CF2016 Update 8/9/10 and CF2018 Update 3: https://tracker.adobe.com/#/view/CF-4204087

2019-03-12 01:27:51

And if that’s not it, please confirm if in step 4 you are importing the cert into the cacerts of the jvm cf is set to use–which may not be the one in cf’s jre folder.

Second, confirm the jvm cf is using.

Both are shown in the cf admin settings summary page, in its jvm section.

Like (1)
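One way to carry out the check suggested in the comment above, as an added example that is not part of the thread: it reports which JVM is running, whether the exported SQL Server certificate is actually present in the truststore named in the connection string, and whether the certificate names the host given as HostNameInCertificate. The class name `TrustStoreCheck` is hypothetical, the truststore is assumed to be a JKS file, and the name comparison is an exact, case-insensitive match with no wildcard handling.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
// Added example, not code from the thread. Arguments (all supplied by you):
//   <truststore file> <truststore password> <exported server cert> <HostNameInCertificate value>
public class TrustStoreCheck {
    // True if the certificate names the host in a SAN dNSName or, failing that, in the subject CN.
    static boolean namesHost(X509Certificate cert, String host) throws Exception {
        if (cert.getSubjectAlternativeNames() != null) {
            for (List<?> san : cert.getSubjectAlternativeNames()) {
                // Each entry is [type, value]; type 2 is dNSName.
                if (Integer.valueOf(2).equals(san.get(0)) && host.equalsIgnoreCase(String.valueOf(san.get(1)))) {
                    return true;
                }
            }
        }
        for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType()) && host.equalsIgnoreCase(String.valueOf(rdn.getValue()))) {
                return true;
            }
        }
        return false;
    }
    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            throw new IllegalArgumentException("usage: TrustStoreCheck <truststore> <password> <cert> <host>");
        }
        // Compare this with the JVM shown in the CF admin settings summary page.
        System.out.println("java.home      : " + System.getProperty("java.home"));
        KeyStore store = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            store.load(in, args[1].toCharArray());
        }
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[2])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        // getCertificateAlias returns null when no entry holds this exact certificate.
        String alias = store.getCertificateAlias(cert);
        System.out.println("truststore hit : " + (alias == null ? "NOT FOUND" : alias));
        System.out.println("not after      : " + cert.getNotAfter());
        System.out.println("hostname match : " + namesHost(cert, args[3]));
    }
}
```

Run it with the `java` binary of the JVM listed in the CF admin settings summary, so that `java.home` and the truststore path can be compared against what ColdFusion is really using.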
2019-03-12 00:06:00

Was this after installing CF2016 Update 8/9/10? or CF2018 Update 3?

If so, they updated the macromedia_drivers.jar (CF2016) and adobe_drivers.jar (CF2018) for the database drivers as part of the hotfix.

A work-around from Adobe is to copy the backed-up version of the file from the hf_updates directory back into cfusion\lib.

I can provide more detail if necessary.
