CFMX7 Installation and Web Server Configuration Tool fails with JNDI ports blocked

ColdFusion 9 Comments »

This is a problem I have had a few times in the past, but last night was probably the most drastic action I have had to take so far to get it working. So I thought I would document the procedure; this is the cut-down version, as it actually took me 4+ hours to resolve the problem.

The client had ColdFusion MX 7 running fine for 2 weeks, then mysteriously it stopped working. It turned out the CFIDE folder had gone, and so had all the JRun connector files (<cfroot>/runtime/lib/wsconfig/1).

On attempting to re-install, the installer could not complete, reporting that ports may be blocked by a firewall or some other 3rd party application. This was of course not the case, as there was no firewall on the server.

The only part of the installation left to complete is the final part, where the connectors are created, you open the CFADMIN, the ODBC services are created, and the final CF site of the setup occurs.

So I tried to create the connectors using WSCONFIG, and got this error (the same one showing in the logs as well):

Could not connect to any Jrun/ColdFusion servers on host localhost.
Possible causes:
Server not running
-Start Macromedia JRun4 or ColdFusion MX server
Server running
-JNDI listen port in jndi.properties blocked by TCP/IP filtering or firewall on server
-host restriction in security.properties blocking communications with server


So I used the "netstat -an" command to see what ports were open and listening.
The JNDI port 2920 was there, but the proxyservice port 51011 was not, indicating that it was not open and listening.

So I opened the <cf-root>\runtime\servers\coldfusion\SERVER-INF\web.xml file and changed the default proxyservice port. See the code below.

Change "deactivated" to false.
Change "port" to a new value of your choice.

<service class="jrun.servlet.jrpp.JRunProxyService" name="ProxyService">
    <attribute name="activeHandlerThreads">8</attribute>
    <attribute name="minHandlerThreads">1</attribute>
    <attribute name="maxHandlerThreads">1000</attribute>
    <attribute name="mapCheck">0</attribute>
    <attribute name="threadWaitTimeout">300</attribute>
    <attribute name="backlog">500</attribute>
    <attribute name="deactivated">true</attribute>
    <attribute name="interface">*</attribute>
    <attribute name="port">51011</attribute>
    <attribute name="timeout">300</attribute>
    <!-- set this to false for multi-hosted sites -->
    <attribute name="cacheRealPath">false</attribute>
    <!--
    <attribute name="keyStore">{jrun.rootdir}/lib/keystore</attribute>
    <attribute name="keyStorePassword">changeit</attribute>
    <attribute name="trustStore">{jrun.rootdir}/lib/trustStore</attribute>
    <attribute name="socketFactoryName">jrun.servlet.jrpp.JRunProxySSLServerSocketFactory</attribute>
    -->
</service>

The new port I had entered now showed up in netstat so I knew it was listening and not blocked.

WSCONFIG would still, however, not locate JRun and connect to it. Then I found the information below over at Brandon Purcell's blog, which I have slightly modified here to apply to a standard CFMX7 installation.

When wsconfig first runs it does a port scan from 2900-3000 to list any JRun servers that are running. In some cases it will hang when the port scan occurs. In the GUI this occurs when you click the Add button. In the command line version it occurs when it searches for the servers and the prompt never returns. To test if this is the problem, try the following command:

wsconfig -host localhost -list (using the executable version)
C:\CFusionMX7\runtime\jre\bin\java -jar C:\CFusionMX7\runtime\lib\wsconfig.jar -host localhost -list

This command should provide a listing of all running servers. If it does not return to the command prompt and hangs, then you can follow the procedure below.

By narrowing the ports that are scanned by wsconfig you can prevent the hang. By default CFMX7 uses port 2920 for the JNDI port. This port can be found in C:\CFusionMX7\runtime\servers\coldfusion\SERVER-INF\jndi.properties under the entry java.naming.provider.url=localhost:2920. If you are running multiple instances of JRun then you can look in each server's SERVER-INF\jndi.properties file for the range of JNDI ports to scan.

To reduce the ports that are scanned, use the following Java arguments:

-DWSConfig.PortScanStartPort=startport -DWSConfig.PortScanCount=portrange

So if I had 1 instance and the JNDI port is 2920, then I would use the following command to list the JRun instances:

C:\CFusionMX7\runtime\jre\bin\java -DWSConfig.PortScanStartPort=2920 -DWSConfig.PortScanCount=1 -jar C:\CFusionMX7\runtime\lib\wsconfig.jar -host localhost -list

To run the GUI and only scan those ports enter the following command:

C:\CFusionMX7\runtime\jre\bin\java -DWSConfig.PortScanStartPort=2920 -DWSConfig.PortScanCount=1 -jar C:\CFusionMX7\runtime\lib\wsconfig.jar


Modify the ports to your range of JNDI ports and the GUI should work without hanging.
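The three checks in the procedure above (is the JNDI port actually listening, is the ProxyService deactivated in web.xml, and what narrowed-scan wsconfig command to run) can be scripted. The following is an added example, not code from the original post or from Macromedia; the jndi.properties text, the netstat output and the ProxyService block are constructed samples, and the CF root path is an assumption matching the post.

```python
"""Diagnose the wsconfig / JRun connector symptoms from the post.

Given the text of SERVER-INF/jndi.properties, the JRunProxyService
<service> block from SERVER-INF/web.xml and the output of ``netstat -an``,
report whether the JNDI and ProxyService ports are listening, rewrite the
ProxyService block so it is active on a chosen port, and build the
narrowed port-scan wsconfig command.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample of SERVER-INF/jndi.properties (default CFMX7 JNDI port).
JNDI_PROPERTIES = """
java.naming.factory.initial=jrun.naming.JRunContextFactory
java.naming.provider.url=localhost:2920
"""

# Constructed sample of ``netstat -an`` on the broken server: the JNDI
# port is listening, the ProxyService port 51011 is not.
NETSTAT_OUTPUT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2920           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1433         127.0.0.1:49152        ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

# Constructed, shortened copy of the ProxyService block from web.xml.
PROXY_SERVICE_XML = """<service class="jrun.servlet.jrpp.JRunProxyService" name="ProxyService">
    <attribute name="deactivated">true</attribute>
    <attribute name="interface">*</attribute>
    <attribute name="port">51011</attribute>
</service>"""


def jndi_port(properties_text):
    """Return the port from java.naming.provider.url=host:port, or None."""
    m = re.search(r"^\s*java\.naming\.provider\.url\s*=\s*[^:\s]+:(\d+)",
                  properties_text, re.MULTILINE)
    return int(m.group(1)) if m else None


def listening_tcp_ports(netstat_text):
    """Collect local TCP ports in LISTENING state from ``netstat -an`` output."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            ports.add(int(fields[1].rsplit(":", 1)[1]))
    return ports


def diagnose(properties_text, netstat_text, proxy_port):
    """Report the JNDI port and whether the JNDI and proxy ports are listening."""
    listening = listening_tcp_ports(netstat_text)
    jndi = jndi_port(properties_text)
    return {"jndi": jndi,
            "jndi_listening": jndi in listening,
            "proxy_listening": proxy_port in listening}


def activate_proxy_service(service_xml, new_port):
    """Return the <service> block with deactivated=false and the new port."""
    root = ET.fromstring(service_xml)
    for attr in root.findall("attribute"):
        if attr.get("name") == "deactivated":
            attr.text = "false"
        elif attr.get("name") == "port":
            attr.text = str(new_port)
    return ET.tostring(root, encoding="unicode")


def wsconfig_list_command(cf_root, start_port, count):
    """Build the narrowed-scan ``wsconfig -list`` command as an argv list."""
    return [cf_root + r"\runtime\jre\bin\java",
            "-DWSConfig.PortScanStartPort=%d" % start_port,
            "-DWSConfig.PortScanCount=%d" % count,
            "-jar", cf_root + r"\runtime\lib\wsconfig.jar",
            "-host", "localhost", "-list"]


if __name__ == "__main__":
    report = diagnose(JNDI_PROPERTIES, NETSTAT_OUTPUT, 51011)
    print(report)
    print(activate_proxy_service(PROXY_SERVICE_XML, 51020))
    print(" ".join(wsconfig_list_command(r"C:\CFusionMX7", report["jndi"], 1)))
```

On the server described in the post, `diagnose` reports the JNDI port listening and the proxy port not, which is the cue to edit web.xml; the real file should be edited with the full `<service>` block, not the shortened sample used here.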

Here are a few other articles that can help with wsconfig debugging:
http://www.macromedia.com/support/jrun/ts/documents/tn18287.htm
http://www.macromedia.com/support/coldfusion/ts/documents/connector_install_faq.htm


ColdFusion Memory Leaks

ColdFusion No Comments »

I just came across an interesting article by Mike Schierberl that shows that locally scoped variables in your application may not be cleaned up by the garbage collection at the end of the request as expected and may persist in memory.

Memory Leaks: Part II - variables scope leak

Mike has also provided some handy information on how to profile your application and identify such memory leaks.

ColdFusion Memory Leaks: Part I - profiler introduction


This certainly explains a lot of problems where your application has been eating memory like a fat guy in a cake shop for no reason, and I will certainly take note of this issue in my own coding from now on. Unfortunately I don't think it will help me too much on a day to day basis at CFMXHosting, as I deal with servers containing hundreds of sites, and I don't think I could identify this problem for each and every client's site; that would be a lot of profiling.


NOTE: This problem appears to be related to a JVM bug and will probably only affect people using the same JVM version as Mike. Upgrading your JVM to a newer version should cure this issue.

Securing Your ColdFusionMX Installation on Windows

ColdFusion 6 Comments »

This is an article I have done previously for HELM; I thought I may as well move it to my blog. I have removed any HELM-specific stuff. The original post can be found HERE if you also want the additional HELM details.

If you're running ColdFusion on your server you need to set up certain permissions and folders to have a secure CF installation.

Firstly, in order for .cfm files to work, you need to make sure that ColdFusion itself has the correct execute permissions.

PROTECTING THE CFADMINISTRATOR

I suggest that you turn off anonymous access on the web site that you have your ColdFusion Administrator on, or at least turn off anonymous access on the CFIDE folder. This means you need to log in twice, once with a Windows login and once with the CFADMIN login; alternatively, restrict access by IP address.
If you do not do this, you get a lot of hack attempts on your CFIDE/Administrator folder, and you give hackers access to certain files they may be able to use to their advantage if you're not secure.
You should also make sure you do not have the CFDOCS or sample applications installed on your live server.

RDS should also be disabled, but you can leave it enabled for your own use if you have applied the above security.

CFIDE FOLDER

In order for certain Java applet tags (cfgrid etc.), classes, ColdFusion-generated JavaScript (e.g. CFFORM) and Flash forms to work, there has to be a virtual directory on each web site pointing to the CFIDE.

What you need to do is make another copy of the *original* CFIDE folder elsewhere (preferably in the folder where you store your web sites) and DELETE the 'administrator' and 'adminapi' folders from this copy.

Now use this version of the CFIDE when creating the virtual directories for new web sites.

SECURING DANGEROUS TAGS

ColdFusion is NOT protected by the Windows security or the IIS anonymous user permissions. If you have any of the dangerous tags enabled, customers will be able to read/write files anywhere on the server.
To avoid this problem and still give customers access to these tags you need the Enterprise version of ColdFusion, so that you can deploy sandbox security. This will need to be manually set up for each web site. If you have the Standard edition of CFMX you can only disable the tags globally. This version is therefore not really suited for shared hosting.

The following tags and functions should be disabled on a shared server. All of these allow files to be read, written or both, anywhere on the server.

  • TAGS
    • CFFILE
    • CFDIRECTORY
    • CFEXECUTE (never enable)
    • CFCONTENT
    • CFHTTP
    • CFOBJECT
    • CFREGISTRY (never enable)
    • CFFTP
    • CFPOP
    • CFLDAP
    • CFMAIL ( this may also be an issue for you, as it allows customers to attach any file on the server to an email)
  • FUNCTIONS
    • GetProfileString
    • SetProfileString
    • CreateObject

The tags marked as "never enable" are not affected by a security sandbox and should never be enabled on a live shared server.
The other tags and functions you can enable in each customer's sandbox, and they will restrict file access to the root specified in the sandbox files/directories tab.

SANDBOX (cf enterprise edition only)

For each sandbox you set up, you need to add the following paths for each client in the files/dirs tab. Your paths may of course be different from those below.
My examples presume a directory configuration thus:-

HomeDir (ftp root, non web accessible)
d:\wwwroot\mydomain.com\
Webroot
d:\wwwroot\mydomain.com\wwwroot

Sandbox paths

\ (e.g. d:\wwwroot\mydomain.com\)
\- (e.g. d:\wwwroot\mydomain.com\-)
NB: The following are for the temp folder, to allow file uploads via forms and to embed fonts using cfdocument.
c:\CFusionMX7\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp\
c:\CFusionMX7\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp\-
c:\windows\fonts\

Correct the first two with the correct path to the client's FTP root (or web root if you do not have a
Correct the last two with the path to your ColdFusion installation. These last two paths are required for file uploads to work, as the cfusion temp folder is used. Make sure you use LOWER CASE drive letters.
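What the sandbox files/dirs list above buys you is a containment check: a path a customer's code asks for is allowed only if it falls under one of the listed entries after normalisation. The following is an added illustration of that check and is not ColdFusion's own sandbox code. It assumes that an entry ending in "\-" covers the directory and everything below it, that a bare directory entry covers only that directory itself, and that both sides are lower-cased before comparison (the post's advice to use lower-case drive letters suggests the real check compares literally, so this illustration normalises case instead); the rules and probe paths are constructed from the post's layout.

```python
"""Sandbox path containment check modelled on the files/dirs entries."""
import ntpath

# Constructed rules following the post's layout. Assumed semantics (this is
# an illustration, not ColdFusion's own sandbox code): a rule ending in
# "\-" covers the directory and everything below it; a bare directory rule
# covers only that directory itself.
SANDBOX_RULES = [
    "d:\\wwwroot\\mydomain.com\\",
    "d:\\wwwroot\\mydomain.com\\-",
    "c:\\CFusionMX7\\runtime\\servers\\coldfusion\\SERVER-INF\\temp\\wwwroot-tmp\\",
    "c:\\CFusionMX7\\runtime\\servers\\coldfusion\\SERVER-INF\\temp\\wwwroot-tmp\\-",
    "c:\\windows\\fonts\\",
]


def normalize(path):
    """Collapse '.', '..' and slashes and lower-case the result, so that a
    traversal or a differently-cased drive letter cannot slip past the
    prefix comparison. ntpath.normpath strips trailing backslashes except
    on a bare root such as "c:\\"."""
    return ntpath.normpath(path.replace("/", "\\")).lower()


def parse_rule(rule):
    """Split a rule into (normalised directory, recursive flag)."""
    if rule.endswith("\\-"):
        return normalize(rule[:-2]), True
    return normalize(rule), False


def rule_allows(rule, target):
    """True if a single rule grants access to target."""
    base, recursive = parse_rule(rule)
    t = normalize(target)
    if t == base:
        return True
    # The separator is appended so "mydomain.com2" is not matched by the
    # "mydomain.com" rule.
    return recursive and t.startswith(base.rstrip("\\") + "\\")


def is_allowed(rules, target):
    """True if any rule in the sandbox grants access to target."""
    return any(rule_allows(r, target) for r in rules)


def audit(rules, targets):
    """Return {target: allowed} for a batch of candidate paths."""
    return {t: is_allowed(rules, t) for t in targets}


if __name__ == "__main__":
    # Constructed probes: a normal file in the web root, a traversal attempt
    # out of the client's tree, an upload in the CF temp folder, and the CF
    # server's own web.xml, which the temp rule must not expose.
    probes = [
        "d:\\wwwroot\\mydomain.com\\wwwroot\\index.cfm",
        "d:\\wwwroot\\mydomain.com\\wwwroot\\..\\..\\other.com\\application.cfm",
        "c:\\CFusionMX7\\runtime\\servers\\coldfusion\\SERVER-INF\\temp\\wwwroot-tmp\\upload.tmp",
        "c:\\CFusionMX7\\runtime\\servers\\coldfusion\\SERVER-INF\\web.xml",
    ]
    for path, ok in audit(SANDBOX_RULES, probes).items():
        print("%-6s %s" % ("ALLOW" if ok else "DENY", path))
```

The point of normalising before comparing is the traversal probe: without `ntpath.normpath`, a path that textually starts with the client's root but climbs out of it with `..` would pass a naive prefix check. The temp-folder rule is deliberately narrow, so the rest of the ColdFusion installation (web.xml, jndi.properties) stays out of reach even though the temp folder under SERVER-INF is granted recursively.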

SQL Server and MySQL databases should NOT have the username/password set up in the DATASOURCE in the CFADMIN, so they will be safe, as only the customer has this information and passes it in their code. If the customer asks for the username/password to be added to the datasource, then this is at their own risk, as other clients will be able to run queries against their database if they know or guess the DSN.

On the CFTAGS and FUNCTIONS tabs, simply enable whichever tags and functions you want to allow, excluding the ones I told you never to enable.
I suggest that you also do not enable CFOBJECT and CreateObject(java) by default; see the Java security section below for why.

The Server/Ports tab should not need any changes.


JAVA SECURITY

Because ColdFusion MX is built on Java and runs on a J2EE-compliant server (JRun), by default there is absolutely no Java security whatsoever from within CF. Your customers can do just about anything they want via Java, including accessing the Java service factory, which allows them to manipulate all the CFADMINISTRATOR settings. You can even find documentation online on how to do this.
Your customers will usually instantiate Java classes using the CFOBJECT tag or the CreateObject(java) function, which is why I said do not enable these by default. Make your customers ask for it, and then ask them why they want it.
Unfortunately these two tags/functions are required by some people for CFCs, so some of your customers will need them.
Even without these tags/functions it is possible to instantiate and use Java classes, but it requires more Java programming knowledge than most ColdFusion developers are going to have.

CFOBJECT can also be used to call Windows COM components, so make sure you do not have anything installed they can take advantage of, or at least have your server locked down with appropriate permissions.

Your only path to a more secure CFMX is to run a separate instance of ColdFusion for each site, which requires you to install the ColdFusion for J2EE (multi-server) configuration and not the standalone server configuration.
This of course is not very suitable for many sites: it requires a lot of manual work plus a huge amount of memory on your server.

Another suggestion is to run the ColdFusion service as a separate user account with limited permissions rather than under the SYSTEM account, which has full system access. The new user should only have access to the ColdFusion installation itself, the webroot where your sites are located, and any other system paths which are required, such as the Windows temp folder, fonts folder etc.

One other possibility is BlueDragon from New Atlanta, which is another application server that supports the ColdFusion CFML language. You would still need a separate instance for each site, but the footprint is smaller, and so is the price.

Hope this helps

Tip for running Coldfusion Professional more securely

If you cannot afford to run the Enterprise version for the sandboxing facility, then here is another option.
As mentioned previously, instead of running ColdFusion under the SYSTEM account, which is the default, create a custom Windows user and run ColdFusion under this.

This will still allow customers to access each other's files if you enable those dangerous tags, but at least it will not give them access to your server and system files so that they can crash the server.

You can also replace the dangerous tags with your own custom tags as wrappers (as I used to do prior to CFMX). In your wrapper tags you call the original tags (as the custom tags folder will still have access to them) and pass the arguments; you can then control which paths they have access to.

More benefits for those who come the FusionDebug/FusionReactor class the day after London CFDevCon

ColdFusion No Comments »
If you've been on the fence about attending the day-long class Charlie Arehart is doing (on FusionDebug and FusionReactor), the day after the CFDevCon in London (and Munich), here's good news and even more reason it's a great value.

First, while the original offer was that attendees would get a free license for FusionDebug for attending (basically making the day of training free), some have asked if they could have FusionReactor instead. Since they're about the same price, Intergral has agreed that you can have a license to FusionReactor instead, if you'd like. Many thanks to them! This applies to both the Munich and London classes, and you can choose which you will have on the day.

Second, regarding the London class specifically, if you've not yet registered for the CFDevCon itself the day before, here's better news: those who sign up now will get a free ticket to the conference as well. (Sorry, no refund available if you've already purchased your ticket.)

That said, if you have any questions or concerns about these two offers, please direct them to David Tattersall.

Also if you plan to take advantage of the FREE ticket offer, please also register at CFDevCon so that I have your postal details.

All ColdFusion Developers are impotent adolescent pervs don't you know

Jibber Jabber 1 Comment »

"You may possibly have seen an article recently written by Guy Kewney. Did I say all those things? Of course not. So let's try the author's same techniques here."

It seems journalist Guy J Kewney doesn't like ColdFusion developers very much, especially ones who are not heterosexual. Here is what he had to say in a recent article.

Guy says:-
"The next Cold Fusion developer conf in Croydon, just South of London, will be attended by 99.9% heterosexual males, that's official"

Quite a bold statement, or is that just wishful thinking from someone that doesn't like queer folk? He then goes on to say:

"One developer (married, straight) wrote to suggest that some people (grownups?) might find the evening entertainment not entirely to their taste."

Is that because .1% of the attendees are queer according to you, Guy? Surely you're not that shallow-minded? Guy also thinks that all us developers are a bunch of sleazy perverts, judging by this statement. Oh Guy, you really shouldn't judge others by your own standards.

"all Cold Fusion developers would find an opportunity to "chat up tequila girls"

As if that wasn't bad enough, he then goes on to imply that we are all impotent.

"male programmers might not necessarily be "licensed to shag"

Not content with this, Guy then moves on to a bit more queer bashing; this chap really doesn't like homosexuals, does he?

"if you don't want to grope a Tequila Slammer Girl, there's a simple and unavoidable explanation: you're queer:"

And he is sexist as well as a queer basher it seems.

" if you don't want to get pissed and make a Pratt of yourself leering at the chest of a rent-a-boobs gurly, there's only one explanation: you're a horrid poof."

Let's not leave it there, says Guy, as he continues with a bit more developer bashing; supposedly we all wish we were teenagers. Sorry Guy, been there, done that. And he also throws in a bit of racial discrimination for good measure.

"Adult males are all sexually rampant and alcohol-fuelled. Muslims only pretend to be uninterested in getting drunk, and Real Programmers are either adolescent, or wish they were."

I am starting to wonder if Guy is actually a closet homosexual that hasn't yet had the courage to come out and uses queer bashing as a way to hide his sexuality. Come on Guy own up, homosexuals are people too.

---

If you have read Guy's original article, you will know this is in fact not what it says at all. But this is an example of how easy it is to twist words and take things out of context to make someone look bad, something journalists do all the time. This is of course what has been done to the original article about me.
