Entries Tagged as 'ColdFusion'
I often see posts about this topic on lists, and have been asked to document it a few times, so here goes.
NB: this is tested on Windows 2003 servers running ColdFusion 7 only, and presumes knowledge of Windows server administration.
For details of creating new instances with ColdFusion MX 6 please see http://www.bpurcell.org/macromedia/coldfusion/multiple_instances.cfm
For creating multiple instances using APACHE, see http://nil.checksite.co.uk/index.cfm/2006/5/2/CFMX-MultiServer-Set-up
Deploying a new instance of JRun/CFMX from the ColdFusion Administrator is easy, but you need to take extra steps if you truly want to isolate those instances from each other and make them secure.
It is important to note that any changes you make to the default [cfusion] instance will be replicated to any new instance you create from the ColdFusion Enterprise Manager, as it simply copies the [cfusion] instance. So any DSNs, mappings etc. will be duplicated.
If you do not want this to happen, then never make any changes to the default instance via the ColdFusion Administrator. Keep it as a base template and stop the service when you are not using it. When you want to create a new instance, start the [cfusion] instance and log in to the CFADMIN.
- Create the instance
  - Log in to the ColdFusion Administrator of the default instance
  - Go to Enterprise Manager -> Instance Manager
  - Add a new instance.
    Server name: enter something meaningful here
    Create Windows Service: check this box
    Auto Restart Service: check this box
- Now we need to set up permissions and access for this instance
  - Create a Windows security group called "CFMX Instances" from the Windows Computer Management console.
  - Give this group FULL access to your JRun installation path, plus any other paths that ColdFusion will need global access to, such as the SMTP mail drop folder (if you are using the Windows SMTP service), the Windows temp folders, the fonts folder (required for cfdocument) etc.
  - Now create a new Windows user for this instance, preferably named after the instance or the client's username.
    Set password to never expire
    Remove remote desktop/terminal services access
    Make the user a member of the "CFMX Instances" group that you created above
  - Create a folder for this customer/instance on your data drive; all web sites for this instance will go here, e.g. "D:\wwwroot_instance_name".
  - Edit permissions for this folder, and give the user created in step 3 FULL permissions.
  - Edit the Windows service that ColdFusion will have created (e.g. "Macromedia CFMX AS Instance Name"), and set it to Log On as the user created in step 3.
  - Copy the CFIDE folder from the default instance (e.g. C:\inetpub\wwwroot\CFIDE) to this new folder, e.g. "D:\wwwroot_instanceName\CFIDE", and delete the folders "administrator" and "AdminAPI" from within it. This copy should be used as the CFIDE virtual directory for any sites created on this instance.
- Enabling sandboxing
By default sandboxes will not work in multiserver mode, so if you require them we need to enable this.
  - Make a backup of the jvm.config file: <install path>:\JRun4\bin\jvm.config
  - Edit jvm.config and replace the arguments section with the following. Copy and paste this exactly; there should be no additional spaces or carriage returns.
For the default jvm.config:
# Arguments to VM
java.args=-Xms512m -Xmx512m -Dsun.io.useCanonCaches=false -Djava.security.manager -Djava.security.policy={application.home}/servers/cfusion/cfusion-ear/cfusion-war/WEB-INF/cfusion/lib/coldfusion.policy -Djava.security.auth.policy={application.home}/servers/cfusion/cfusion-ear/cfusion-war/WEB-INF/cfusion/lib/neo_jaas.policy
For additional instances with their own jvm.config, replacing [instance name] with the name of your instance:
# Arguments to VM
java.args=-Xms512m -Xmx512m -Dsun.io.useCanonCaches=false -Djava.security.manager -Djava.security.policy={application.home}/servers/[instance name]/cfusion.ear/cfusion.war/WEB-INF/cfusion/lib/coldfusion.policy -Djava.security.auth.policy={application.home}/servers/[instance name]/cfusion.ear/cfusion.war/WEB-INF/cfusion/lib/neo_jaas.policy
Some additional info on creating custom jvm.config files can be found here:
http://www.macromedia.com/cfusion/knowledgebase/index.cfm?id=tn_18206
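The two java.args lines above differ only in the policy-file paths, and the post warns that a stray space or carriage return breaks the setting. The following is an added example (not code from the original post) that renders the java.args line for a given instance and audits an existing jvm.config for the three things that matter: the security manager switch is present, both policy paths point at that instance's own WEB-INF/cfusion/lib directory rather than the default [cfusion] one, and the line carries no trailing whitespace. The instance name "clientA" and the sample config texts are constructed for the example.

```python
"""Audit the java.args line of a JRun jvm.config for ColdFusion sandbox settings.

Added example, not from the original post. The policy-file locations follow the
two layouts shown above: servers/cfusion/cfusion-ear/cfusion-war for the default
instance and servers/[instance name]/cfusion.ear/cfusion.war for added instances.
"""

APP_HOME = "{application.home}"


def policy_dir(instance):
    """Directory holding coldfusion.policy and neo_jaas.policy for an instance."""
    if instance == "cfusion":
        return APP_HOME + "/servers/cfusion/cfusion-ear/cfusion-war/WEB-INF/cfusion/lib"
    return APP_HOME + "/servers/" + instance + "/cfusion.ear/cfusion.war/WEB-INF/cfusion/lib"


def build_java_args(instance, heap_mb=512):
    """Render the java.args= line for an instance, matching the layout in the post."""
    lib = policy_dir(instance)
    return ("java.args=-Xms%dm -Xmx%dm -Dsun.io.useCanonCaches=false "
            "-Djava.security.manager "
            "-Djava.security.policy=%s/coldfusion.policy "
            "-Djava.security.auth.policy=%s/neo_jaas.policy" % (heap_mb, heap_mb, lib, lib))


def audit_jvm_config(config_text, instance):
    """Return a list of findings; an empty list means the config is as expected."""
    findings = []
    # Split on "\n" only, so a Windows "\r" survives and can be reported.
    line = next((l for l in config_text.split("\n") if l.startswith("java.args=")), None)
    if line is None:
        return ["no java.args= line found"]
    if line != line.rstrip():
        findings.append("java.args line has trailing whitespace or a carriage return")
    args = line.strip()[len("java.args="):].split()
    if "-Djava.security.manager" not in args:
        findings.append("-Djava.security.manager missing: sandboxes will not be enforced")
    expected = policy_dir(instance)
    for key, fname in (("-Djava.security.policy=", "coldfusion.policy"),
                       ("-Djava.security.auth.policy=", "neo_jaas.policy")):
        value = next((a[len(key):] for a in args if a.startswith(key)), None)
        if value is None:
            findings.append(key + " missing")
        elif value != expected + "/" + fname:
            # Pointing at another instance's policy means this instance's
            # sandbox rules are not the ones being enforced.
            findings.append(key + " points at " + value + " instead of this instance's " + fname)
    return findings


# Constructed sample: an added instance ("clientA") whose jvm.config was copied from
# the default instance unchanged, and has a stray trailing space and carriage return.
SAMPLE_COPIED = "# Arguments to VM\n" + build_java_args("cfusion") + " \r\n"

# Constructed sample: the same instance with the correct line.
SAMPLE_CORRECT = "# Arguments to VM\n" + build_java_args("clientA") + "\n"

if __name__ == "__main__":
    for name, text in (("copied", SAMPLE_COPIED), ("correct", SAMPLE_CORRECT)):
        print(name, audit_jvm_config(text, "clientA") or "OK")
```

Run it against the real file with `audit_jvm_config(open(path).read(), "<instance>")`; the instance name must be the one used in the `servers\` folder, not the Windows service display name.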
- Updating Windows services for custom jvm.config files
If you have given a JRun instance its own config file, then we now need to edit the Windows services for those instances to use this new config file.
  - Run REGEDIT
  - Edit the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
  - Select the service “Macromedia JRUN [instance name] Server”
  - Edit the Parameters attribute; if it does not exist, create it (add a new string value). Set its value to “-JVM_[instance_name].config” or whatever you named your new config file.
  - Repeat this step for each ColdFusion service that has its own config file.
- Test that sandboxing works.
  - From the default CFADMIN, go to the Instance Manager and launch the CFADMIN for the instance you just added. It will have the same password by default.
The sandbox settings get copied over from the default instance if you made any changes there, so disable sandboxing and remove anything that shouldn't be there. Do the same for mappings, data sources, custom tag paths, Verity collections etc.
Now change the CFADMIN password.
I have however noticed that Flash Remoting doesn't work unless you use the default CFIDE folder, so this may be an issue for you; in which case you will need to give the "CFMX Instances" group access to the default C:\inetpub\wwwroot\CFIDE folder as well.
By doing the above, each instance will now only have access to the specified folder, e.g. "D:\wwwroot_instance_name", and each web site for this instance should be created inside this folder; e.g. the home directory for a site would be "D:\wwwroot_instance_name\domainName.com\wwwroot".
So web sites for this instance will not be able to access files/folders above "D:\wwwroot_instance_name". And if you implement sandbox security, this will further restrict CFML code from being able to access files/folders above its home directory.
You should only ever restart an instance that has its own config file from the Windows Services manager. If you restart the instance from the CFADMIN or the JMC, it will be started using the default jvm.config file.
Configuring IIS to use your new instance
CF is enabled at the master level in Win2k3 by a wildcard mapping in the IIS master properties. This will be applied to all new sites.
For sites added to a dedicated instance, you need to edit the wildcard mapping to point to the correct jrun_iis6_wildcard.dll connector for that instance.
The default, for example, will be
<install path>:\JRun4\lib\wsconfig\1\jrun_iis6_wildcard.dll
The \1\ is connected to the instance number (sort of). A new folder (connector) is created each time you use the Web Server Configuration Tool to link an instance to a site, so you may end up with more connectors than instances. I have never figured out why this happens and why WSCONFIG doesn't just reuse an existing connector.
Run the Web Server Configuration Tool (Start/Programs/Macromedia/ColdFusion MX), and use it to apply the instance to a TEST site in IIS (note this requires shutting down the WWW server service). A new connector will have been created in the wsconfig folder as above.
You can then view that web site's application mappings to see where the wildcard mapping points. You can also open the wsconfig.properties file, which will now also have an entry for the new instance/connector showing which path to use.
Put a sample CFM page in the test site to make sure it is working. If it works, STOP the instance you just created; the page should then no longer work, proving that the test site is using that instance.
Take note of the connector number and the path to the .dll, as you will need these if you want to manually map any future sites to this instance rather than using the config tool.
For any new sites you create which you want to use this instance, just copy the above ISAPI wildcard mapping. You can use the wsconfig tool again to do this, but I find it gets confusing when you have too many connectors and do not know which one applies to which instance. If you only use the WSCONFIG tool once for each instance, then you will only have one connector file/folder for each instance.
The manual creation of web sites and assigning them to specific instances and making sure they are in the correct folders and using the correct mappings can be an arduous task and prone to error, so if you host a lot of web sites I highly recommend the use of the HELM hosting control panel, which we (CFMX Hosting) use to completely automate this process.
Better security for JRUN in a J2EE or multi server installation of Coldfusion
The default installation of CFMX/JRun is not especially secure. For example the JMC password is stored as plain text, so if you do not have security sandboxes enabled and have cffile enabled, any user on the server could easily extract this password.
So first we need to secure the JRUN Admin.
- Login to the JRUN management console.
- From left menu select the ADMIN server.
- Now select Services and security
- In the right panel, click “Edit Users”
- Check the box “Encrypt Passwords”
- Now add a new user called “administrator”, with roles “admin” and “jcmadmin”, and assign the current default password that you are using for the JRUN Admin Console and/or coldfusion administrator.
- Now delete the “admin” user that you are currently logged in with.
- Close the browser window, and now run the JRUN Admin console again and login as “administrator” to test that it works.
NOTE: Some passwords appear to not work, so try to avoid using special characters. Just use upper/lower case letters and numbers.
If for any reason you find you are unable to login to the JRUN Management Console, you can reset the password as follows.
Open the following file in notepad.
<install path>:\JRun4\servers\admin\SERVER-INF\jrun-users.xml
Change this line
<encryption>true</encryption>
To
<encryption>false</encryption>
Then edit the following
<user-name>administrator</user-name>
<password>encrypted password here </password>
<description />
</user>
And type a new password between the <password></password> tags.
Now perform the previous steps again.
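The reset procedure above leaves jrun-users.xml with <encryption>false</encryption> and a plain-text password until the hardening steps are repeated, which is exactly the state the opening paragraph warns about. The following is an added example (not code from the original post) that reads the file and reports whether encryption is on, whether the new “administrator” user exists with both the admin and jcmadmin roles, and whether the old “admin” user is still present. The <encryption>, <user>, <user-name>, <password> and <description> elements are the ones quoted above; the <jrun-users> root element and the <role>/<role-name> layout are assumptions about the file, and both sample documents are constructed.

```python
"""Check a JRun jrun-users.xml after the admin-hardening or password-reset steps.

Added example, not from the original post. The <jrun-users> root and the
<role>/<role-name>/<user-name> layout are assumed; adjust if your file differs.
"""
import xml.etree.ElementTree as ET

REQUIRED_ROLES = {"admin", "jcmadmin"}


def audit_jrun_users(xml_text, expected_user="administrator", legacy_user="admin"):
    """Return a list of findings; an empty list means the file looks hardened."""
    root = ET.fromstring(xml_text)
    findings = []
    if (root.findtext("encryption") or "").strip().lower() != "true":
        findings.append("<encryption> is not true: passwords are stored in plain text")
    # user-name -> password text, for every <user> entry
    users = {u.findtext("user-name"): (u.findtext("password") or "") for u in root.iter("user")}
    if expected_user not in users:
        findings.append("user %r not defined" % expected_user)
    elif not users[expected_user].strip():
        findings.append("user %r has an empty password" % expected_user)
    if legacy_user in users:
        findings.append("legacy user %r still present" % legacy_user)
    # role membership: user-name -> set of role names (assumed layout)
    roles = {}
    for role in root.iter("role"):
        for member in role.findall("user-name"):
            roles.setdefault(member.text, set()).add(role.findtext("role-name"))
    missing = REQUIRED_ROLES - roles.get(expected_user, set())
    if missing:
        findings.append("user %r lacks roles: %s" % (expected_user, ", ".join(sorted(missing))))
    return findings


# Constructed sample: the file as left right after the password-reset procedure
# (encryption switched off, plain-text password typed in, old admin user kept,
# jcmadmin role not yet granted).
SAMPLE_AFTER_RESET = """<jrun-users>
  <encryption>false</encryption>
  <user>
    <user-name>admin</user-name>
    <password>sample-plaintext</password>
    <description />
  </user>
  <user>
    <user-name>administrator</user-name>
    <password>sample-plaintext</password>
    <description />
  </user>
  <role>
    <role-name>admin</role-name>
    <user-name>administrator</user-name>
  </role>
</jrun-users>
"""

# Constructed sample: the file after the hardening steps have been completed.
SAMPLE_HARDENED = """<jrun-users>
  <encryption>true</encryption>
  <user>
    <user-name>administrator</user-name>
    <password>ENCRYPTED-VALUE-PLACEHOLDER</password>
    <description />
  </user>
  <role>
    <role-name>admin</role-name>
    <user-name>administrator</user-name>
  </role>
  <role>
    <role-name>jcmadmin</role-name>
    <user-name>administrator</user-name>
  </role>
</jrun-users>
"""

if __name__ == "__main__":
    print("after reset:", audit_jrun_users(SAMPLE_AFTER_RESET))
    print("hardened:", audit_jrun_users(SAMPLE_HARDENED) or "OK")
```

Point it at the real file with `audit_jrun_users(open(path).read())`; an empty result means the reset was followed through and nothing is sitting in plain text.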
For added security on a shared server you may also want to totally disable the CFEXECUTE and REGISTRY tags.
Edit the following file.
<install path>:\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cftags\META-INF\taglib.cftld
Find the following two sections (the first <name> element identifies the tag: one is execute, the other registry) and comment them out like this:
<!--
<tag>
  <name>execute</name>
  <tagclass>coldfusion.tagext.lang.ExecuteTag</tagclass>
  <bodycontent>JSP</bodycontent>
  <info>Executes a command in a separate process on the server.</info>
  <attribute>
    <name>name</name>
    <required>true</required>
    <rtexprvalue>true</rtexprvalue>
  </attribute>
  <attribute>
    <name>arguments</name>
    <required>false</required>
    <rtexprvalue>true</rtexprvalue>
  </attribute>
  <attribute>
    <name>outputfile</name>
    <required>false</required>
    <rtexprvalue>true</rtexprvalue>
  </attribute>
  <attribute>
    <name>timeout</name>
    <required>false</required>
    <rtexprvalue>true</rtexprvalue>
  </attribute>
  <attribute>
    <name>variable</name>
    <required>false</required>
    <rtexprvalue>true</rtexprvalue>
  </attribute>
</tag>
-->
If you now want to be clever and replace these tags with something else, just put replacements here.
<install path>:\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cftags
create 2 files, execute.cfm and registry.cfm
These files can contain anything you like, such as throwing a custom ColdFusion error to tell users that the tags are disabled.
Whenever you create a new instance, the default “cfusion” instance's files are copied, including the ones you have now modified, so these tags should now be disabled in all instances. A restart may be required.
NB: The above examples presume you are working on the default [cfusion] instance.
For other instances, the paths are slightly different.
E.G.
<install path>:\JRun4\servers\[instance name]\cfusion.ear\cfusion.war\WEB-INF\cftags
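Commenting a <tag> out of taglib.cftld only helps if the comment actually covers the whole section and was carried into every instance's copy. The following is an added example (not code from the original post) that builds the taglib.cftld path for the default or an added instance using the two layouts shown above, then parses the file and reports which of the execute and registry tags are still live; because an XML parser drops comments, a correctly commented-out tag simply disappears from the result. The <taglib> root element is an assumption, the sample documents are constructed, and the sample tagclass values other than the ExecuteTag one quoted above are placeholders.

```python
"""Verify that cfexecute and cfregistry are disabled in a taglib.cftld.

Added example, not from the original post. The <tag>/<name>/<tagclass> elements
are those shown above; the <taglib> root element is an assumption.
"""
import xml.etree.ElementTree as ET

DISABLED_TAGS = {"execute", "registry"}


def taglib_path(install_drive, instance="cfusion"):
    """Location of taglib.cftld, following the two layouts given in the post."""
    if instance == "cfusion":
        parts = ["cfusion", "cfusion-ear", "cfusion-war"]
    else:
        parts = [instance, "cfusion.ear", "cfusion.war"]
    return "\\".join([install_drive + ":", "JRun4", "servers"] + parts
                     + ["WEB-INF", "cftags", "META-INF", "taglib.cftld"])


def active_tags(taglib_xml):
    """Names of <tag> entries the parser sees; commented-out tags are not returned."""
    root = ET.fromstring(taglib_xml)
    # findtext("name") takes the tag's own <name>, not the nested <attribute><name>.
    return {t.findtext("name") for t in root.iter("tag")}


def still_enabled(taglib_xml):
    """Sorted list of the tags from DISABLED_TAGS that are still live."""
    return sorted(DISABLED_TAGS & active_tags(taglib_xml))


# Constructed sample: execute has been commented out, registry was missed.
SAMPLE_PARTIAL = """<taglib>
  <!--
  <tag>
    <name>execute</name>
    <tagclass>coldfusion.tagext.lang.ExecuteTag</tagclass>
    <bodycontent>JSP</bodycontent>
    <info>Executes a command in a separate process on the server.</info>
    <attribute>
      <name>name</name>
      <required>true</required>
      <rtexprvalue>true</rtexprvalue>
    </attribute>
  </tag>
  -->
  <tag>
    <name>registry</name>
    <tagclass>placeholder.RegistryTagClass</tagclass>
    <attribute>
      <name>action</name>
      <required>true</required>
      <rtexprvalue>true</rtexprvalue>
    </attribute>
  </tag>
  <tag>
    <name>output</name>
    <tagclass>placeholder.OutputTagClass</tagclass>
  </tag>
</taglib>
"""

# Constructed sample: both sections commented out, only the harmless tag remains.
SAMPLE_DONE = """<taglib>
  <!-- <tag><name>execute</name><tagclass>coldfusion.tagext.lang.ExecuteTag</tagclass></tag> -->
  <!-- <tag><name>registry</name><tagclass>placeholder.RegistryTagClass</tagclass></tag> -->
  <tag>
    <name>output</name>
    <tagclass>placeholder.OutputTagClass</tagclass>
  </tag>
</taglib>
"""

if __name__ == "__main__":
    print(taglib_path("C"))
    print(taglib_path("C", "clientA"))
    print("partial:", still_enabled(SAMPLE_PARTIAL))
    print("done:", still_enabled(SAMPLE_DONE) or "OK")
```

To check a live server, loop over every folder under `<install path>:\JRun4\servers`, build the path with `taglib_path` and run `still_enabled` on the file contents; any non-empty result is an instance where the copy from [cfusion] did not carry the change.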
It is also important to note that any changes you make to the default [cfusion] instance will be replicated to any new instance you create from the ColdFusion Enterprise Manager, as it simply copies the [cfusion] instance. So any DSNs, mappings etc. will be duplicated.
If you do not want this to happen, then never make any changes to the default instance via the ColdFusion Administrator. Keep it as a base template and stop the service when you are not using it. When you want to create a new instance, start the [cfusion] instance and log in to the CFADMIN.
Symptom: When using CFCHART, you will just get a broken image displayed and no chart.
Cure:
1. Make sure you have the correct video driver installed on the server; CFCHART uses this. If the default VGA driver is being used, cfchart will not work. I have also seen some gfx cards/drivers simply not work, period.
2. Make sure you have the CFIDE and JRunScripts virtual directories set up on the site. Both should have been set up on the "Default Web Site" when you installed CFMX, so you can use these for reference. The JRunScripts vDIR needs "Scripts and executables" permission under the application settings, and neither should have an application name defined (this causes application isolation); remove it if it is. To tell the difference, a basic vDIR will show as just a folder with a globe (this is what you want).
Note: you should ideally not use the original CFIDE for all your sites, otherwise the CFADMIN can be accessed from any site. Make a copy of the CFIDE to the location where you store your web sites, e.g. D:\wwwroot, and delete the administrator and adminapi folders from it. Now use this copy for your virtual directories on all sites EXCEPT the default web site.