
Importing SSL certs to Railo's keystore programmatically

Lately I've been working on a site where we have to gather some network information from our customers, including the domain name/IP of their LDAP server and an LDAP username and password. We want the ability to tell them right away whether the credentials they've typed in are valid, so we offer a test right there on the page. This isn't too hard: just pass the credentials back to the server via AJAX, run them through CFLDAP, and return the result to the customer. What's not as easy is handling connections when the LDAP server only allows SSL-protected transactions and uses a self-signed certificate. To enable your server to recognize the custom certificate, you'll need to add it to the list of trusted certs in your server's keystore.

Luckily, there's a tool that's on *nix servers and is also part of every CF for Windows install: keytool. To add a certificate to the keystore for Railo, for instance, use the following code:

<!--- Import the certificate into Railo's JRE truststore; -noprompt prevents keytool from waiting for console confirmation --->
<cfexecute timeout="15" variable="execution" name="/usr/bin/keytool"
    arguments=" -import -keystore /opt/railo/jre/lib/security/cacerts -file /path/to.ssl.crt
    -alias #someuniqueID# -storepass changeit -noprompt" />

It's important to pass the -noprompt attribute so that keytool doesn't try to ask the CF server for confirmation that it should go ahead with the import, which would make the process time out or hang. Make sure to choose a unique value for the alias so that you can refer to it if you ever need to use keytool to access or delete the same certificate.

To remove an unneeded cert from the keystore, pass the -delete argument instead of -import, using the same unique ID you imported with earlier:

<!--- Remove a previously imported certificate, referenced by the same alias used at import time --->
<cfexecute timeout="15" variable="execution" name="/usr/bin/keytool"
    arguments=" -delete -keystore /opt/railo/jre/lib/security/cacerts
    -alias #someuniqueID# -storepass changeit" />
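Since the alias (and possibly the file path) end up on a command line, it helps to wrap the import in a function that validates them, keeps the store password off the process list, and checks what keytool actually reported. The following is an added example, not code from the original post; the function name, the KEYTOOL_STOREPASS environment variable and the use of cfexecute's errorVariable attribute are assumptions.

```cfml
<!--- Added example (not from the original post): wrapper around the keytool import.
      Function and variable names are hypothetical. --->
<cffunction name="importTrustedCert" returntype="boolean" output="false">
    <cfargument name="certPath" type="string" required="true">
    <cfargument name="alias" type="string" required="true">
    <cfargument name="keystore" type="string" default="/opt/railo/jre/lib/security/cacerts">
    <cfset var env = createObject("java", "java.lang.System").getenv()>
    <cfset var passArg = "">
    <cfset var out = "">
    <cfset var err = "">

    <!--- The alias ends up on a command line, so restrict it to a harmless character set. --->
    <cfif NOT reFind("^[A-Za-z0-9_.-]{1,64}$", arguments.alias)>
        <cfthrow type="InvalidAlias" message="Alias may only contain letters, digits, '_', '.', '-'">
    </cfif>
    <cfif NOT fileExists(arguments.certPath)>
        <cfthrow type="MissingCert" message="Certificate file not found: #arguments.certPath#">
    </cfif>

    <!--- Prefer -storepass:env so the password stays out of the process list;
          fall back to the JRE's default password if the variable is not set. --->
    <cfif structKeyExists(env, "KEYTOOL_STOREPASS")>
        <cfset passArg = "-storepass:env KEYTOOL_STOREPASS">
    <cfelse>
        <cfset passArg = "-storepass changeit">
    </cfif>

    <!--- -noprompt: keytool must never wait for console confirmation under cfexecute. --->
    <cfexecute name="/usr/bin/keytool" timeout="15" variable="out" errorVariable="err"
               arguments="-import -noprompt -keystore #arguments.keystore# -file #arguments.certPath# -alias #arguments.alias# #passArg#" />

    <!--- keytool prints 'Certificate was added to keystore' on success; anything else
          (alias already exists, bad password, unreadable file) is logged and reported as failure. --->
    <cfif NOT findNoCase("added to keystore", out)>
        <cflog file="keytool" type="error" text="Import of alias #arguments.alias# failed: #trim(out)# #trim(err)#">
        <cfreturn false>
    </cfif>
    <cflog file="keytool" type="information" text="Imported alias #arguments.alias# from #arguments.certPath#">
    <cfreturn true>
</cffunction>
```

A running JVM typically loads cacerts once, so the newly trusted certificate is usually only honoured by CFLDAP after Railo is restarted.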
