I am often seeing posts about this topic on lists, and have been asked to document it a few times, so here goes.
NB: this is tested on windows 2003 servers running ColdFusion 7 only, and presumes knowledge of windows server administration.
For details of creating new instances with ColdFusion MX 6 please see http://www.bpurcell.org/macromedia/coldfusion/multiple_instances.cfm
For creating multiple instances using APACHE, see http://nil.checksite.co.uk/index.cfm/2006/5/2/CFMX-MultiServer-Set-up
Deploying a new instance of JRUN/CFMX from the ColdFusion administrator is easy, but you need to take extra steps if you truely want to isolate those instances from each other and make them secure.
It is important to note that any changes you make to the default [cfusion] instance will be replicated to any new instance you create from the ColdFusion enterprise manager as it simply copied the [cfusion] instance. So any DSN's, mappings etc will be duplicated.
If you do not want this to happen, then do not ever makes any changes to the default instance via the ColdFusion Administrator. Keep it as a base template and stop the service when you are not using it. when you want to create a new instance, start the [cfusion] instance and login to the CFAMDIN.
- Create the instance
- Login to the ColdFusion Administrator of the default instance
- Got to Enterprise manager -> instance manager
- Add a new instance.
Server name: enter somehting meaningful here
Create Windows Service: check this box
Auto Restart Service: check this box
- Now we need to setup permissions and access for this instance
- Create a windows security group called "CFMX Instances" from the windows computer manager.
- Give this group FULL access to your JRUN installation path, plus any other paths that ColdFusion will need global access to, such as the SMTP mail drop folder (if you are using the windows SMTP service), temp windows folders, the fonts folder (required for cfdocument) etc.
- Now create a new windows user for this instance, preferably using the instance name or clients username
Set password to never expire
Remove remote desktop/terminal services access
make user a member of the group "CFMX Instances" that you created above - Create a folder for this customer/instance on your data drive, all web sites for this instance will go here.
E.G. " D:\wwwroot_instance_name" - Edit permissions for this folder, and give the user created in step 3 FULL permissions.
- Edit the windows service that coldfusion will have created (e.g “Macromedia CFMX AS Instance Name ”, and set it to Log On as the user created in step 3.
- Copy the CFIDE folder from the default instance (E.G. C:\inetpub\wwwroot\CFIDE) to this new folder, E.G. "D:\wwwroot_instanceName\CFIDE", and delete the folders "administrator" and "AdminAPI" from within this folder. This should be used as the CFIDE virtual directory for any sites created on this instance.
- Enabling sandboxing
By default sandboxes will not work in multiserver mode, so if you require this we need to enable this.
- make a backup of the jvm.config file :\jrun4\bin\jvm.config
- Edit jvm.config and replace the arguments section with the following. Copy and paste this exactly there should be no additional spaces or carriage returns.
For the default jvm.config
# Arguments to VMFor additional instances with their own JVM.config
java.args=-Xms512m -Xmx512m -Dsun.io.useCanonCaches=false -Djava.security.manager -Djava.security.policy={application.home}/servers/cfusion/cfusion-ear/cfusion-war/WEB-INF/cfusion/lib/coldfusion.policy -Djava.security.auth.policy={application.home}/servers/cfusion/cfusion-ear/cfusion-war/WEB-INF/cfusion/lib/neo_jaas.policy
Replacing [instance name] with the name of your instance.
# Arguments to VM
java.args=-Xms512m -Xmx512m -Dsun.io.useCanonCaches=false -Djava.security.manager -Djava.security.policy={application.home}/servers/[instance name]/cfusion.ear/cfusion.war/WEB-INF/cfusion/lib/coldfusion.policy -Djava.security.auth.policy={application.home}/servers/[instance name]/cfusion.ear/cfusion.war/WEB-INF/cfusion/lib/neo_jaas.policy
some additional info on creating custom jvm.config files can be found here
http://www.macromedia.com/cfusion/knowledgebase/index.cfm?id=tn_18206
- Updating windows services for custom jvm.config files
If you have given a jrun instance its own config file then we now need to edit the windows services for those instances to use this new config file. - run REGEDIT
- Edit the following KEY. HKEY_LOCAL_MACHINE/system/CurrentControlSet/Services
- Select the service “Macromedia JRUN [instance name] Server”
- Edit the Parameters attribute, if it does not exist, create it (add new string value). Set the value of this to “-JVM_[instance_name].config” or whatever you name your new config file.
- Repeat this step of each Coldfusion service that has it’s own config file.
- Test that sand boxing works.
- From the default CFAMDIN, go to the instance manager and launch the CFADMIN for the instance you just added. It will have the same password by default.
The sandbox settings get copied over from the default instance if you made any changes, so disable sand boxing and remove anything that shouldn't’t there. Do the same for mappings, data sources, custom tag paths, verity collections etc.
Now change the cfadmin password.
I have however noticed that Flash Remoting doesn't work unless you use the default CFIDE folder, so this may be an issue for you. In which case you will need to give the "CFMX Instances" group access to the default c:\inetpub\wwwroot\CFIDE folder as well.
By doing the above, each instance will now only have access to the specified folder
E.G. " D:\wwwroot_instance_name"
and each web site for this instance should be created inside this folder
E.G.the home directory for a site would be " D:\wwwroot_instance_name\domainName.com\wwwroot"
So web sites for this instance will not be able to access files/folders above " D:\wwwroot_instance_name". And if you implement sandbox security, this will further restrict CFML code from being able to access files/fodlers above its home directory.
You should only ever restart any instance that has its own config file from the windows service manager. If you restart the instance from the CFADMIN or the JMC it will be started using the default jvm.config file.
Configuring IIS to use your new instance
CF is enabled at the master level in win2k3 by a wildcard mapping in the IIS master properties. This will be applied to all new sites.
For sites added to a dedicated instance, you need to edit the wildcard mapping to point to the correct jrun_iis6_wildcard.dll connector for that instance.
The default for example will be
:\JRun4\lib\wsconfig\1\jrun_iis6_wildcard.dll
The \1\ Is connected to the instance number (sort of). A new folder (connector) is created after you use the web server configuration tool to link an instance to a site, so you may end up with more connectors than instances, I have never figured out why this happens and why the WSCONFIG doesn't just use an existing connector.
Run the web site configuration tool (start/programs/macromedia/coldfusion mx), and use this to apply the instance to a TEST site in IIS. (note this requires shutting down the WWW server service). A new connector will have been created in the wsconfig folder as above.
You can then view that web sites application mappings to see where the wildcard mapping points to. You can also open the wsconfig.properties file which will now also have an entry for the new instance/connector showing which path to use.
Stick a sample CFM page in the test site to make sure it is working. If it works, you should then STOP the instance you just created, the page should then no longer work, proving that the test site is using that instance.
Take note of the connector number and the path to the .dll as you will need this if you want to manually map any future sites to this instance rather than using the config tool .
For any new sites you create which you want to use this instance, just copy the above ISAPI filter mapping. you can use the wsconfig tool again to do this, but I find it gets confusing when you have too many connectors and do not know which one applies to which instance. If you only use the WSCONFIG tool once for each instance, then you will only have one connector file/folder for each instance.
The manual creation of web sites and assigning them to specific instances and making sure they are in the correct folders and using the correct mappings can be an arduous task and prone to error, so if you host a lot of web sites I highly recommend the use of the HELM hosting control panel, which we (CFMX Hosting) use to completely automate this process.
Better security for JRUN in a J2EE or multi server installation of Coldfusion
ColdFusion 1 Comment »The default installation of CFMX/JRUN is not especially secure. For example the JMC password is stored as plain text, so if you do not have security sandboxes enabled and have cffile enabled, any user on the server could easily extract this password.
So first we need to secure the JRUN Admin.
- Login to the JRUN management console.
- From left menu select the ADMIN server.
- Now select Services and security
- In the right panel, click “Edit Users”
- Check the box “Encrypt Passwords”
- Now add a new user called “administrator”, with roles “admin” and “jcmadmin”, and assign the current default password that you are using for the JRUN Admin Console and/or coldfusion administrator.
- Now default the “admin” user that you are currently logged in with.
- Close the browser window, and now run the JRUN Admin console again and login as “administrator” to test that it works.
NOTE: Some passwords appear to not work, so try to avoid using special characters. Just user upper/lower case letters and numbers.
If for any reason you find you are unable to login to the JRUN Management Console, you can reset the password as follows.
Open the following file in notepad.
<install path>:\JRun4\servers\admin\SERVER-INF\jrun-users.xml
Change this line
<encryption>true</encryption>
To
<encryption>false</encryption>
Then edit the following
<user-name>administrator</user-name>
<password>encrypted password here </password>
<description />
</user>
And type a new password between the <password></password> tags.
Now perform the previous steps again.
For added security on a shared server you may also want to totally disable the CFEXECUTE and REGISTRY tags.
Edit the following file.
<install path>:\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cftags\META-INF\taglib.cftld
Find the following two sections and comment them out like this. The first <name> attribute identifies the tag,
<!-- <tag> <name>execute</name> <tagclass>coldfusion.tagext.lang.ExecuteTag</tagclass> <bodycontent>JSP</bodycontent> <info>Executes a command in a separate process on the server.</info> <attribute> <name>name</name> <required>true</required> <rtexprvalue>true</rtexprvalue> </attribute> <attribute> <name>arguments</name> <required>false</required> <rtexprvalue>true</rtexprvalue> </attribute> <attribute> <name>outputfile</name> <required>false</required> <rtexprvalue>true</rtexprvalue> </attribute> <attribute> <name>timeout</name> <required>false</required> <rtexprvalue>true</rtexprvalue> </attribute> <attribute> <name>variable</name> <required>false</required> <rtexprvalue>true</rtexprvalue> </attribute> </tag> --> <!-- |
If you now want to be clever and replace these tags with something else, just put replacements here.
<install path>:\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cftags
create 2 files, execute.cfm and registry.cfm
These files can contain anything you like, just as throwing a custom ColdFusion error to tell users that the tags are disabled.
whenever you create a new instance, the default “cfusion” instances files can be copied, including the ones you have now modified, therefore these tags should now be disabled in all instances. A restart may be required.
NB: The above examples presume you are working on the default [cfusion] instance.
For other instances, the paths are slightly different.
E.G.
<install path>:\JRun4\servers\[instance name]\cfusion.ear\cfusion.war\WEB-INF\cftags
It is also important to note that any changes you make to the default [cfusion] instance will be replicated to any new instance you create from the ColdFusion enterprise manager as it simply copied the [cfusion] instance. So any DSN's, mappings etc will be duplicated.
If you do not want this to happen, then do not ever makes any changes to the default instance via the ColdFusion Administrator. Keep it as a base template and stop the service when you are not using it. when you want to create a new instance, start the [cfusion] instance and login to the CFAMDIN.
I own one of these awsome cruisers, a yamaha vstar 1100 Silverado, and I love it. So I think I am going to dedicate a section of my blog to my bike.
For those that don't know, the stock exhausts that generally come with bikes (especially cruisers) are generally a bit pants. they don't have a very good sound to them and hinder the potential performance. Expect perhaps the Harley Davidsons, which generally sound better.
So I decided to take the plunge and do an upgrade. I put a pair of vance and hines classic II slip-ons onto my bike, and all I can say is WOW! what a difference.
It now has a nice loud rumble that made the bike sound like a hairdryer before, it sounds far more healthy in all gears and at all speeds, the vibrations are reduced at higher speeds, and the performance boost was definitely noticable, I felt I was riding a new more powerful bike. You will find pulling away from lights and hill starts much easier.
For for those of you thinking about replacing your exhausts, do it now, you will not regret it. Many bikers say that you need a FULL EXHAUST system to get the real benefit, well I had a full set of vance and hines on my old bike (vulcan 1600), and these slips-ons are just as good I think. They are certainly just as loud.
Be warned though, the volume increase is substantial, so your neighbours may not be quite so impressed when you roll home at 2AM. You also should be warned about the grin factor, because when you ride your bike out of the shop with your new growlers, you wont stop grinning all the way home.
Recent Comments