CFX_PayFlowPro Installation
Introduction
PayPal is deprecating their old PayFlowPro APIs, so we needed to upgrade to the new SDK. Despite PayPal’s efforts, this is not a simple task.
First I reviewed PayPal’s docs: https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/gateway_update_custom_dev . The PayPal link walks you through determining whether you need to upgrade, and then directs you to the correct SDK.
Required Files
For ColdFusion, you will need the PayFlow_SDK_for_Java_v4.32 or later.
You will also need a ColdFusion client. I decided to try the CFXPayFlowPro_v4.01. It’s a CFX tag that talks to the Java SDK.
Installation
Installation instructions for these SDKs are included in the ReleaseNotes.txt and Readme.txt of each package, respectively.
In order to get these files installed, I had to do this:
- unpack the zip files
- copy the following files into your ColdFusion’s <cfroot>/wwwroot/WEB-INF/lib: payflow.jar, xml-apis.jar, xercesImpl.jar
- copy into your <cfroot>/wwwroot/WEB-INF/classes/: CFXPayFlowPro.class
- open your CFADMIN browser, and register the CFX tag
Configuration
If you haven’t configured CFX tags, here are the steps:
- open CFADMIN browser
- navigate to Extensions/CFX Tags
- select “Register JAVA CFX”
Tag Name: CFX_PAYFLOWPRO
Class Name: CFXPayFlowPro
Description: PayPal integration
Testing
The CFX package comes with a test file, PFProCFXtest.cfm. Copy it to your webroot, edit it with the correct user credentials and finally open it in a browser.
Fixing SSL Cert Errors
Your installation may just work. Mine didn’t. Looking in the payflow logs (configured in the tag declaration), I was able to locate this error:
2009-08-03 17:20:03 EDT – Fatal – paypal.payflow.PaymentConnection.SendToServer(String): Caught Exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA12275)
at sun.net.www.protocol.https.HttpsClient.afterConnect(DashoA12275)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(DashoA12275)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(DashoA12275)
at paypal.payflow.p.b(Unknown Source)
at paypal.payflow.a.b(Unknown Source)
at paypal.payflow.g.j(Unknown Source)
at paypal.payflow.PayflowAPI.submitTransaction(Unknown Source)
at CFXPayFlowPro.processRequest(CFXPayFlowPro.java:139)
at coldfusion.tagext.CfxTag.doStartTag(CfxTag.java:102)
at coldfusion.runtime.CfJspPage._emptyTag(CfJspPage.java:1915)
at cfPFProCFXtest2ecfm605041190.runPage(E:\mandala-sites\shambhala\003\internet\www\_unit_test\PFProCFXtest.cfm:35)
at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:152)
at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:349)
at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:65)
at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:225)
at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:51)
at coldfusion.filter.PathFilter.invoke(PathFilter.java:86)
at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:69)
at coldfusion.filter.BrowserDebugFilter.invoke(BrowserDebugFilter.java:52)
at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
at coldfusion.filter.RequestThrottleFilter.invoke(RequestThrottleFilter.java:115)
at coldfusion.CfmServlet.service(CfmServlet.java:107)
at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:78)
at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:91)
at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:257)
at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:541)
at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:204)
at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:318)
at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:426)
at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:264)
at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)
Caused by: sun.security.validator.ValidatorException: No trusted certificate found
at sun.security.validator.SimpleValidator.buildTrustedChain(SimpleValidator.java:304)
at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:107)
at sun.security.validator.Validator.validate(Validator.java:202)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(DashoA12275)
at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(DashoA12275)
… 41 more
Download New VeriSign Certs
The problem relates to VeriSign certificates that need to be installed. I don’t know why these need to be installed, but I think it has to do with a VeriSign screwup a while back where they released a weak cert. The details are not that interesting to me. You can download the certs here.
Install the Certs in CFMX
Once downloaded you need to install the certs into CFMX’s JRE. I’m not sure if you need to install all four, but I did. Here’s the example command:
cd <cfroot>
cd runtime/jre/bin
./keytool.exe -import -keystore ../lib/security/cacerts -file facacbc6.cer -alias verisignfacacbc6
Repeat this three more times, changing the *.cer and alias. As far as I could tell, the alias value is not that important, though it should probably be unique. The important thing is that the cacerts file must be the one in <cfroot>/runtime/jre/lib/security.
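Added example, not part of the original post: the same import written as a loop over every downloaded .cer file, with a backup of cacerts taken first and each certificate's details printed before keytool asks whether to trust it. The CERT_DIR variable, the function names, the `run` argument and the script name are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the post): batch form of the keytool import above.
# Assumed: started from <cfroot>/runtime/jre/bin, .cer files are in CERT_DIR.
KEYTOOL=${KEYTOOL:-./keytool.exe}
KEYSTORE=${KEYSTORE:-../lib/security/cacerts}
CERT_DIR=${CERT_DIR:-.}

# Unique alias from the file name: facacbc6.cer -> verisignfacacbc6
alias_for() {
    printf 'verisign%s\n' "$(basename "$1" .cer)"
}

import_all() {
    # Copy the trust store first so a wrong import can be rolled back.
    backup="$KEYSTORE.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$KEYSTORE" "$backup" || return 1
    echo "backup: $backup"

    failed=0
    for cer in "$CERT_DIR"/*.cer; do
        [ -e "$cer" ] || { echo "no .cer files in $CERT_DIR" >&2; return 1; }
        # Print subject, issuer, validity and fingerprints. Compare the
        # fingerprint with the one the CA publishes before answering "yes".
        "$KEYTOOL" -printcert -file "$cer"
        # No -noprompt: keytool asks for the keystore password and for
        # explicit confirmation of every new trust anchor.
        if ! "$KEYTOOL" -import -keystore "$KEYSTORE" \
                -file "$cer" -alias "$(alias_for "$cer")"; then
            echo "import failed: $cer" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Run as: sh import-certs.sh run   (script name is hypothetical)
if [ "${1:-}" = "run" ]; then
    import_all
fi
```

Every entry added to cacerts becomes a trust anchor for all outbound TLS connections made by that JRE, which is why the loop keeps keytool's confirmation prompt instead of suppressing it.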
Rerun your test CFM and hopefully it will now work. I hope this saves you some time. Please comment and let me know.
2 Responses to CFX_PayFlowPro Installation
While installing the Certs in CFMX using
cd <cfroot>
cd runtime/jre/bin
./keytool.exe -import -keystore ../lib/security/cacerts -file facacbc6.cer -alias verisignfacacbc6
it asks for a password. How do you obtain these?
This is a good question. I’m used to using the password “changeit” from managing Tomcat servers. That’s what I used. I have a feeling any password might work, but certainly “changeit” did the trick.
Let me know if that works.
I’m sure there’s a legitimate reason for requiring passwords, but I imagine that requiring passwords that are not really securing anything is by design an insecure practice. Proliferation of passwords creates noise. Increasing the noise to signal ratio makes things harder to understand, manage and secure.