By Jeffrey Bouley
October 20, 2005 01:45 PM EDT
CF 7 has proven that it's an excellent way to rapidly create various Web Services at a given internal or external tier when working toward creating a Service Oriented Architecture (SOA).
Folks who have used CF 7 like this have experienced the efficiencies associated with exposing CFC methods as Web Services, allowing any number of applications and their related Web Service-supporting frameworks to call into methods declared "remote." This article isn't going to start with the basics associated with creating a Web Service with CF 7, but will address the possible challenges associated with securing them with SSL and Windows Authentication.
Once a Web Service has been created and tested one may want to apply a layer of security to it. Some options used to do this are encryption through SSL and integrating Windows Authentication with IIS to force a user or calling application to pass login credentials to a given NT domain.
So where to start?
Assuming the initial setup was executed on a development machine with no registered certificates, one must start by creating a certificate to implement SSL and then register the certificate in CF's Java keystore. A keystore is a password-protected database that holds key and certificate information. Keystores are implemented in the Java runtime to validate certificates outside the Web server.
Before creating a certificate, we might suggest that a non-Microsoft-based certificate-generation tool be used since there's an issue with the Java implementation digesting and validating Microsoft-generated certificates for storage. This problem may have been resolved before this article was published, but be advised of possible problems with Microsoft-generated certificates (e.g., "Makecert") and CF 7 or J2EE application servers. I have used IBM's Keyman on several projects to create certificates. With a bit of practice, this tool will have you generating keys and certificates in no time. Keyman is free once you register and can be downloaded from www.alphaworks.ibm.com/tech/keyman.
To work with Keyman you must first generate a request in IIS that will be passed to Keyman. To do that, go to the properties of your Web site in IIS and select the directory security tab.
Now click on the server certificate button on the screen. Many prompts will follow; be sure to select "create a new certificate" and change such attributes as name if necessary. In the site name entry form make sure that the domain name is entered (i.e., www.yourdomain.com). This is an important step. If the domain name isn't entered correctly the certificate won't be valid after registering in the keystore and won't connect to the Web Service over https.
Don't forget to make a note of where the request text file was created; either copied in memory or stored on the hard drive. Next, open Keyman and select new token.
On development and test machines I use the default settings. Once the token has been created a key has to be generated. Go to "Actions" in the main menu, select "generate key," and accept the default selections. Now that the key has been generated, go to Actions again and select "create certificate." Select "self-signed certificate." This will create the private certificate needed to sign the certificate for the IIS request. Now go to "Actions" again and select "create certificate." Select "sign a PKCS#10 request" and browse to where the certificate request from IIS was saved, or select load from the clipboard if it was stored there. Then save the generated certificate. The certificate has been created.
The certificate must now be imported into IIS. Open IIS and click on the server certificate again. Select "process the pending request and install the certificate." Browse to the certificate and submit. You should now be able to access the site over https. At this point it's imperative that you browse to the virtual directory where the Web Services reside in IIS and set it to require SSL. This is done by going to the properties of the directory through IIS and again selecting the directory security tab. Click edit in the secure communications area. The screen shown in Figure 3 will be presented. Pick the selections shown.
To turn on domain authentication go to the Directory Security tab in IIS and select the edit button. Uncheck anonymous access and check basic authentication; enter the default domain and realm if necessary. I usually leave them blank and specify login parameters with CF 7.
Now that the directory has been secured with NT Authentication another layer of security is added to access the Web Services. Note that though the warning from the basic authentication option says, "Password is sent in clear text," it won't be. It'll be encrypted by enabling "Require secure channel" and "128-bit encryption" in the virtual directory holding the Web Services. There are only a few more steps to complete to secure our Web Service before it can be tested. At this point a certificate has been created for use with IIS and the virtual directory has been locked down with SSL; all that's left to do is register the generated certificate in CF 7's keystore to enable access to the Web Services.
The keytool command-line application that installs with CF 7 can be used to support this or the KeyTool GUI application. The KeyTool GUI application can save time in registering certificates since it's a well-thought-out interface. A good reference for the keytool command and registering certificates in a keystore can be found at http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html and www.macromedia.com/cfusion/knowledgebase/index.cfm?id=tn_19139.
I have a copy of KeyTool GUI 1.7, which is available under the GNU Public License and is free to distribute (www.strikefish.com/download/ktg-17-setup.zip). So I'll cover the GUI.
After installing the KeyTool GUI, run the program and open up the keystore installed with CF 7. If running CF 7 in the J2EE configuration, the keystore is located at drive:\JRUN4\runtime\jre\lib\security\cacerts and if standalone at drive:\CFusionMX7\runtime\jre\lib\security\cacerts. Browse to the right location and select "All Files" in the "Files of Type" dropdown since the file doesn't have an extension. See Figure 5.
Once the cacerts file has been opened KeyTool GUI will prompt for a password. The default password for the CF 7 install is changeit. Changing the password when you register the first certificate is a best practice and will add another layer of security when accessing the file separately from what the operating system provides. This can be done with the GUI by selecting the "Set KeyStore Password" option. Now that the keystore is opened, select the import trusted certificate option and browse to the certificate on the hard drive. A warning will pop up saying that a trust couldn't be established with the certificate. This is all right and is happening because the certificate isn't associated with a certificate authority. Again we note that the examples directly related to certificate generation are for development and test environments. Production servers should have certificates associated with a trusted certificate authority such as VeriSign.
After registering the certificate into the keystore browse to the certificate in the list and view its properties by right-clicking and selecting "certificate details." Now save the change to cacerts and exit the KeyTool GUI. The Web Service is ready to be tested, but before you do don't forget to RESTART THE CF 7 and JRUN SERVICES!!!! I can't stress this enough. It's the single most common point of failure. The keystore is loaded by the JVM on startup and won't notice the additional certificate unless restarted.
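The keystore steps above (check the certificate, import it into cacerts as a trusted certificate, confirm it is there, then restart the services so the JVM reloads the file) can be scripted on the Windows host with the keytool that ships with CF 7. The following PowerShell script is an added example, not code from the article or from Macromedia; the certificate path, alias, install root and service display names are assumptions you should adjust to your own machine, and it uses the standalone CFusionMX7 layout (use the JRun4 root for the J2EE configuration).

```powershell
# Added example: register an IIS certificate in ColdFusion 7's Java keystore
# and restart the services. All paths, names and aliases below are assumptions.
param(
    [string]$CertPath     = 'C:\certs\www.yourdomain.com.cer',  # assumed: certificate saved from Keyman
    [string]$ExpectedHost = 'www.yourdomain.com',               # host name entered in the IIS request
    [string]$CfRoot       = 'C:\CFusionMX7',                    # assumed standalone install; C:\JRun4 for J2EE
    [string]$Alias        = 'www.yourdomain.com',               # assumed keystore alias
    [string]$StorePass    = 'changeit'                          # CF 7 default; change it after the first import
)
$ErrorActionPreference = 'Stop'

$keytool  = Join-Path $CfRoot 'runtime\jre\bin\keytool.exe'
$keystore = Join-Path $CfRoot 'runtime\jre\lib\security\cacerts'

# 1. The certificate's subject CN must match the host name the client will call over https;
#    otherwise the registered certificate never validates and the cfinvoke fails.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$cn = ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' }) -replace '^CN=', ''
if ($cn -ne $ExpectedHost) {
    throw "Certificate CN '$cn' does not match expected host '$ExpectedHost'"
}

# 2. Keep a dated backup of cacerts before modifying it.
Copy-Item $keystore "$keystore.bak-$(Get-Date -Format yyyyMMddHHmmss)"

# 3. Import as a trusted certificate. -noprompt answers the "trust this certificate?"
#    question that the GUI shows as the "trust couldn't be established" warning.
& $keytool -import -trustcacerts -noprompt -alias $Alias -file $CertPath `
           -keystore $keystore -storepass $StorePass
if ($LASTEXITCODE -ne 0) { throw "keytool import failed with exit code $LASTEXITCODE" }

# 4. Verify the alias is now in the store as a trustedCertEntry.
$listing = (& $keytool -list -keystore $keystore -storepass $StorePass -alias $Alias) | Out-String
if ($LASTEXITCODE -ne 0 -or $listing -notmatch 'trustedCertEntry') {
    throw "Alias '$Alias' not found in $keystore"
}

# 5. The JVM reads cacerts only at startup, so restart the ColdFusion and JRun services.
#    Display-name patterns are assumptions; check Get-Service on your box.
$services = Get-Service | Where-Object {
    $_.DisplayName -like 'ColdFusion MX 7*' -or $_.DisplayName -like 'Macromedia JRun*'
}
foreach ($svc in $services) {
    Restart-Service -Name $svc.Name -Force
    Write-Host "Restarted $($svc.DisplayName)"
}
```

Run it from an elevated PowerShell prompt on the server. Once the default password has been changed with `keytool -storepasswd`, pass the new value as `-StorePass`; the backup copy is what you fall back to if an import goes wrong.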
A final step involves invoking the Web Service with CF 7 for a quick test. Figure 7 shows the tag editor used to enter the proper attributes to connect to the Web Service with the cfinvoke tag.
SSL and Windows Authentication when used together provide excellent security for your Web Services. Security has become paramount given the spiraling threat of hacking and online thievery. The techniques discussed in this article are provided straight out-of-the-box and can be configured and implemented in minutes. I wish all of you good luck in your quest to secure your servers and welcome any questions at my blog at http://www.strikefish.com or e-mail at firstname.lastname@example.org.
aahx489 06/12/09 07:11:00 PM EDT
This is a really nice tutorial!
Is there a way that this can be done in Flex when calling a web service?
ColdFusion Developer's Journal News Desk 10/20/05 01:57:37 PM EDT
Securing SOA Web Services With SSL, IIS & Windows Authentication in ColdFusion 7.0. CF 7 has proven that it's an excellent way to rapidly create various Web Services at a given internal or external tier when working toward creating a Service Oriented Architecture (SOA).