To access a data service over HTTPS from a Flex application that is served over HTTP

When accessing a data service over HTTPS from a Flex application that is served over HTTP, there are extra configuration steps you need to take. See the Flex documentation for details.

However, sometimes one may still have problems making this work after following the doc. Here I will explain a little more about each step to show the common mistakes, and the cause of some common error messages.

Configuration:
1. You must set the protocol property of the <mx:RemoteObject> tag, <mx:HTTPService> tag, or <mx:WebService> tag to https.
a). This means you have to set protocol="https" in your data service tag if you are using the Flex proxy.
b). However, if you are not using the Flex proxy, then do not set protocol="https" in your tag. Flex will throw an error if you set it in the tag.
c). To verify whether you are using the Flex proxy, check the <proxy-use-policy> setting in your flex-config.xml. The data service is not going through the proxy when either the useProxy property in the <mx:HTTPService> or <mx:WebService> tag is set to false, or the <proxy-use-policy> tag in the <http-service-proxy> tag or <web-service-proxy> tag in the flex-config.xml file is set to never.

2. Set the HTTPS URL in flex-config.xml:
a). For remote object services, you must set the <amf-https-gateway> tag in the <remote-objects> tag of the flex-config.xml file to the absolute HTTPS URL of the AMF gateway.
b). For HTTP services and web services, you must set the <https-url> tag in the <http-service-proxy> tag or <web-service-proxy> tag to the absolute HTTPS URL of the Flex proxy.

3. Put crossdomain.xml under the web root / :
<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
</cross-domain-policy>
a). You need to set secure="false" in the crossdomain.xml.
b). It is very important to put the crossdomain.xml file in the right location.
- When using the Flex proxy, it must be in the web root of the server that the Flex application is contacting. For example, if you are using IIS, then it should be under your inetpub/wwwroot.
- When not using the Flex proxy, the crossdomain.xml file must be on the endpoint server. For example, under your Flex web app root.
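
An added example, not part of the original post and not Flex code: a small Python check for the crossdomain.xml from step 3. It reports how broad each allow-access-from grant is, shows that the secure="false" this setup needs can be kept while naming a single host, and rejects a policy pasted with typographic quotes. The finding labels and the host app.example.com are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed samples. PAGE_POLICY is the step 3 policy typed with ASCII quotes;
# app.example.com is a hypothetical host standing in for the HTTP server that
# delivers the Flex application.
PAGE_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*" secure="false" />
</cross-domain-policy>"""
SCOPED_POLICY = """<cross-domain-policy>
  <allow-access-from domain="app.example.com" secure="false" />
</cross-domain-policy>"""
# The same policy pasted with typographic quotes (U+201D), which is not XML.
CURLY_POLICY = PAGE_POLICY.replace('"', "\u201d")


def audit_policy(xml_text):
    """Return one (domain, finding) pair per <allow-access-from> entry.

    The finding labels are names chosen for this example.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return [("", "malformed-xml")]
    if root.tag != "cross-domain-policy":
        return [("", "unexpected-root")]
    findings = []
    for entry in root.iter("allow-access-from"):
        domain = entry.get("domain", "").strip()
        # secure defaults to true; only an explicit "false" lets content
        # loaded over HTTP read from this HTTPS host.
        http_allowed = entry.get("secure", "true").strip().lower() == "false"
        wildcard = domain == "*" or domain.startswith("*.")
        if wildcard and http_allowed:
            finding = "wildcard-and-http"   # any matching site, even over HTTP
        elif wildcard:
            finding = "wildcard"            # any matching site, HTTPS only
        elif http_allowed:
            finding = "http-allowed"        # one named host, over HTTP
        else:
            finding = "scoped"              # one named host, HTTPS only
        findings.append((domain, finding))
    return findings


if __name__ == "__main__":
    for name in ("PAGE_POLICY", "SCOPED_POLICY", "CURLY_POLICY"):
        print(name, audit_policy(globals()[name]))
```
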

Common Error messages and How to avoid them:
1. HTTPService Fault: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

This means you are using a self-signed certificate for your HTTPS endpoint. You need to set
<allow-lax-ssl>true</allow-lax-ssl> in the flex-config.xml.

2. HTTPService Fault: java.lang.RuntimeException: Invalid URL – can not access HTTPS URLs when accessing proxy via HTTP

This means you are using the Flex proxy, but you didn't set protocol="https".

3. HTTPService Fault: Can’t retrieve data

This means the crossdomain.xml is not set up correctly. See step 3 above.