Specifying the trustStore and keyStore properties

I've written a topic on enabling SSL and another topic which talks about debugging SSL, but what if you don't want to use the default cacerts or keystore (trustStore) files? Or, what if you have to install a new jvm for DST compliance, but don't want to share certificate stores among Java apps? What if you have a centralized file you want all of your Java apps to use to enable SSL. In these cases you can use the Java system properties to configure these files at runtime.

[More]

Troubleshooting SQL Server connection

Here's a checklist for checking connectivity to SQL Server. Replace 1433 in the following steps with the TCP port bound by your SQL Server:

  1. Verify SQL Server configuration:
    • Ensure SQL Server has started. Sounds simple but this is often overlooked.
    • Ensure the TCP protocol is installed on the SQL Server and verify TCP/IP connectivity to it remotely.
      • Ensure firewalls and proxies allow connections on port 1433.
    • Ensure TCP protocol is enabled for SQL Server and verify the listening port(s).
    • Verify the SQL Server instance name(s).
    • Check the SQL Server ERRORLOG to verify the protocols, addresses, and ports to which SQL Server is listening:
      view plain print about
      12006-10-12 11:31:18.06 server SQL server listening on 10.7.241.212: 1433.
      22006-10-12 11:31:18.06 server SQL server listening on 192.150.23.103: 1433.
      32006-10-12 11:31:18.06 server SQL server listening on 127.0.0.1: 1433.
      42006-10-12 11:31:19.60 server SQL server listening on TCP, Shared Memory, Named Pipes, Rpc.
    • Ensure installed Service Packs do not break connectivity:

    [More]

Errors connecting to SQL Server on TCP 1433

Some people are having issues connecting to SQL Server on the default TCP port 1433. This is not an issue with Adobe products (Breeze, CF, JRun, etc.). You have to go beyond enabling TCP/IP in the Server Network Utility (2000) or Network Configuration Manager (2005). The first step is to check the SQL Server error log ($sql_root\log\ERRORLOG). It will tell you what protocols SQL Server is listening at startup, and to which IP addresses and ports:

view plain print about
12006-10-12 11:31:18.06 server SQL server listening on 10.7.241.212: 1433.
22006-10-12 11:31:18.06 server SQL server listening on 192.150.23.103: 1433.
32006-10-12 11:31:18.06 server SQL server listening on 127.0.0.1: 1433.
42006-10-12 11:31:19.60 server SQL server listening on TCP, Shared Memory, Named Pipes, Rpc.
52006-10-12 11:31:19.62 server SQL Server is ready for client connections
If your ERRORLOG does not list TCP and you do not see 1433, then its not listening/bound to TCP port 1433.

[More]

More on Enabling SSL

About a month ago I posted my Enabling SSL entry for instructions on importing SSL certificates into Adobe (formerly Macromedia) server software. Last week a colleague had an issue where the customer swore they imported the correct certificate into CFMX, but <cfldap> was not working over SSL. I pointed my colleague to my blog entry and she was able to debug the JVM stack trace and verify the serial numbers and certificate subjects did not match. Not only that, the customer had several certificates from which to choose and the cert subjects all had varying case syntax.

I also had a military customer who had certificates for multiple servers which needed importing into CFMX in order for the servers to properly integrate with each other on their secured network. I had the customer identify two computers to test with and then use the debugging technique to validate the handshake in the JVM stack trace. It turned out there was a descrepancy in the host names used in the certificate and the web site.

My recommendation for both scenarios is to import the signing certificate authority's (CA) certificate into the JVM trust store. When you import the CA cert ensure you specify the -trustcacerts option so that any certificates signed by this CA are trusted. Your certificates should also use a consistent naming scheme -- i.e. same case syntax (usually lower case), alphanumerics, etc.

More Entries