Entries Tagged as 'ColdFusion'

You may run into issues if you are using a non-administrator user account to install ColdFusion updates manually, or if an installation is attempted from the ColdFusion administrator console when ColdFusion service is running with a non-administrator account. In such cases, the update may not install successfully. and may complete with errors.

The Windows user account used by the ColdFusion service should have the privileges to start and stop the ColdFusion service. The updater needs to stop the ColdFusion service, so that it can replace the class files used by the service. After the update is installed, the updater starts up the ColdFusion service. Similarly if the updater packages any updates related to the other ColdFusion services, such as ColdFusion Add-On/Jetty service or ColdFusion .NET service or ColdFusion ODBC service, it would stop and start these services as well.

To avoid running into the issue above, one can take either of the following 2 approaches: 

 - Stop the ColdFusion service manually before running the updater jar. Restart the service, once the update is installed. This, of course, would need to be done every time you install an update; or

 - Assign the ColdFusion user account the privileges to start/stop the service. This would be a one-time fix.

If you are using Windows 2003 server, XP you can follow this blog post, to assign start/stop privileges to the ColdFusion service user account. But, if you are on a later edition of Windows such as Windows 7 or Windows 2012 server, you can keep on reading.

Windows Service Controller command can be used to set permissions on a Windows service. We will be using the following 2 variants of the command :

SDSHOW : To display the permissions on a service. 

syntax : sc [<ServerName>] sdshow <ServiceName> <ServiceSecurityDescriptor>

SDSET : To set the permissions on a service.

syntax : sc [<ServerName>] sdset <ServiceName> <ServiceSecurityDescriptor>

The security descriptors in the syntax above are represented by what is known as "Security Descriptor Definition Language" (SDDL). An SDDL descriptor has it's own syntax and formatting conventions which, at first, may seem a bit intimidating, and I might add, somewhat bland. But we will just dwell on the elementary details that are relevant to our purpose. If you want to get into the nuances of the Language you can check out the resources referenced at the end of this post.

Before modifying the permissions to a service , it would be a good idea to view the permissions first. To do that run the following command:

sc SDSHOW "ColdFusion 2016 Application Server"

You can find out the name of the service from the service properties in the Services window. The output should be something similar to the following :

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWLOCRRC;;;SU)

I'll break down the output above into subsections and try to describe them.

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWLOCRRC;;;SU)

The prefix D is for discretionary access control list (DACL) permissions. it identifies users or groups that are allowed or denied access to a secured object.

S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

The prefix S is for system access control list (SACL) which controls how access is audited. It enables administrators to log attempts to access a secured object in security event logs. This section is not pertinent to our interest, and hence will not be discussed further. 

Each segment enclosed by parentheses such as "(A;;CCLCSWRPWPDTLOCRRC;;;SY)", is an ACE or "Access Control Entry". It describes the permissions to a specific user or group.

The first letter in the ACE specifies the ACE type. 'A' here denotes "Allow". Similarly a 'D' would denote "Deny".

The next set of letters ("CCLCSWRPWPDTLOCRRC") denote the permissions. It is a combination of sets of 2 letters that specify the nature of permission. I'll list out the components below :

CC : SERVICE_QUERY_CONFIG – ask the SCM for the service’s current configuration

DC : Delete All Child Objects

LC : SERVICE_QUERY_STATUS

SW : SERVICE_ENUMERATE_DEPENDENTS

RP : Read all properites

WP : Stop the service

DT : SERVICE_PAUSE_CONTINUE

LO : SERVICE_INTERROGATE

CR : SERVICE_USER_DEFINED_CONTROL

SD : Delete

RC : READ_CONTROL – read the security descriptor on this service.

WD : Modify permissions

WO : Modify owner

 

The last code in ACE denotes the trustee. Some of the values it can take are:

SY : Local system

BU : Built-in users

IU : Interactively logged-on user

BA : Built-in administrators

If the intent is to modify the permission for a specific user and not a group, then you should rather use the SID associated with that user account. Suppose the ColdFusion Application service is running with a non-administrator account called "cfuser". To get the security identifier (SID) for "cfuser" account, you can execute the following WMIC command :

wmic useraccount where name='cfuser' get sid

That should output something similar to the following:

SID

S-1-5-21-464414946-3681088821-1826911322-1510

To enable start/stop permission for "cfuser" on ColdFusion Application service, you can use the output generated in the SDSHOW command and append an ACE element for "cfuser" with the desired permission set, as follows : 

SC SDSET "ColdFusion 2016 Application Server" D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;S-1-5-21-464414946-3681088821-1826911322-1510)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

And, of course, you should run the command with administrator privileges.

If you are using other ColdFusion services, such as ColdFusion Add-on Services, ColdFusion .NET Service, ODBC Agent and ODBC server, you can follow the same steps as above to change permissions to them.

 

References:

https://msdn.microsoft.com/en-in/library/windows/hardware/ff563667(v=vs.85).aspx

https://blogs.technet.microsoft.com/askds/2008/05/07/the-security-descriptor-definition-language-of-love-part-2/

This post is to announce the release of updates for ColdFusion 2016, ColdFusion 11 and ColdFusion 10.

These updates address a common vulnerability mentioned in security bulletin APSB 16-16, upgrade the Tomcat engine and contain other bug fixes. 

ColdFusion 2016 Update 1

ColdFusion (2016 release) Update 1 addresses an issue mentioned in the security bulletin APSB 16-16. Tomcat has been upgraded to version 8.0.32. This update includes several important bug fixes for security, core language features, server, and other areas.

For details, refer this technote.

ColdFusion 11 Update 8

ColdFusion 11 Update 8 addresses an issue mentioned in the security bulletin APSB 16-16. Tomcat has been upgraded to version 7.0.68. This update includes several important bug fixes for security, language, AJAX, and other features.

For details, refer this technote,  

ColdFusion 10 Update 19

ColdFusion 10 Update 19 addresses an issue mentioned in the security bulletin APSB 16-16. Tomcat has been upgraded to version 7.0.68. This update includes important bug fixes for security and server

For details, refer this technote

With the recent ColdFusion 2016 release we've had a few inquiries as to our backward licensing policies.  We can license one version back for certain types of volume licenses.  Below are the relevant links and contact information to help you navigate the licensing for ColdFusion 11 if needed.

 

FAQ for ColdFusion:

https://helpx.adobe.com/coldfusion/standard/faq.html

 

Backward License Policy:

http://wwwimages.adobe.com/content/dam/Adobe/en/volume-licensing/pdfs/pv_esd_customer_faq.pdf

 

We will update our sales contact information on the web site and update this blog, but for now feel free to contact Kishore@adobe.com if you want to be directed to a ColdFusion sales resource to assist with further information.


Read more...

Last year was the 20th year of ColdFusion and thanks to the enthusiastic participation of the customers it was a great hit. The celebrations culminated at the ColdFusion Summit 2015 which was the largest ColdFusion Summit we had till date.

2016 promises to be great year for ColdFusion with the new release. Some of the activities that we are planning on doing this year are:

1. ColdFusion Champions – We are creating a CF Champions team which would help us with community building, helping us with blogs and some technical articles. We already have Dave Ferguson, Dave Epler and Kev McCabe signed on. Look out for articles from them. If you are interested in joining the Champions team please reach out to me. This team would also help in promoting ColdFusion in some of the developer conferences. This is one of our efforts to rebuild the developer evangelist ecosystem so would appreciate all the help we could get.

2. User Groups – The ColdFusion user group managers have done an awesome job of helping us to keep in touch with our Developer base. UGMs like Dan Fredericks, Giancarlo to name a few have put in a lot of effort in making their groups meet regularly. We would continue to support the User Groups, if you want to create a new User Group in your area or want to find if there are any User Groups are there in your area, let us know we would help you.

3. E-Seminar and Technical articles – We would be having a Developer week in April first week which would talk about the new features of ColdFusion. This would be followed by a technical e-Seminar once every month. I would follow up on the time slot for the meeting very soon. If the community wants to contribute to the Technical articles or blogs on Adobe.com please reach out to me, Elishia or Rakshith. We would love to have you write about ColdFusion and would promote the articles so that it reaches out to our developers.

4. ColdFusion Summit – Last year we had around 500+ attendees for the ColdFusion Summit. This is one of the largest developer events at Adobe. This year the Summit would be held at Mandalay Bay on October 10th – 11th. The pricing for the event would be the same as last year. We hope to see a large participation this year since 95% have rated the quality of session content as above average and 93% have said that they are very likely to recommend this event to their peers.

5. ColdFusion Government Summit – Since most of our Government customers were not able to travel to Vegas we are having an one-day ColdFusion Summit for Government on March 9th in Washington DC at Washington Hiltion . We are also planning on having an event at our India office for the ColdFusion customers in India in Q3. 

6. Sponsorships – We would be at our usual events like NC Dev con and CF Camp this year. We are also looking at other events where we could meet the decision makers and prospective new developers, so the list of events that we sponsor might increase.

7. Customer Outreach – We have been having 1:1 discussion with some of our large customers to let them know about what are the features in the new version of ColdFusion and working with them in case they have any issues. If you want us to have the Roadmap discussion with your organization please let us know.

These are some of the activities that have been planned for this year. If you have any other ideas about how best to increase ColdFusion presence do reach out to me Kishore@adobe.com


Many a time, ColdFusion application code is deployed on a network path when your ColdFusion deployments are of large-scale and mandated to use network paths.

After setting up the server for the first time, if there is any performance hit, as the first thing you would want to cross-check few things. One of the things to determine is if there is any network latency.

Though you would have got same network within your organization same as earlier, your OS version also would have changed.

 

Follow the steps below to see if the performance hit is due to network latency-

When the server is under moderate or full load(with at least 8-10 requests under process), take 2 or 3 thread dumps with 30 seconds interval.

It is not appropriate to take thread dump when the server has negligible load and anlyze that as there may not be any in-process requests.

If you are not sure how to take thread dump, you can simply follow the following blog.

( Taking Thread Dumps From ColdFusion Server Programmatically )

Open the thread dump file:

Under moderate or full load server conditions, if you see more than 5-8% of running ColdFusion threads containing “WinNTFileSystem” in the thread’s stack trace --> It means that there is lot of time being spent in trying to resolve the application file paths.

Following are the sample threads having WinNTFileSystem in its dump.

"ajp-bio-8014-exec-6861" Id=13898 in RUNNABLE
 java.lang.Thread.State: RUNNABLE
 prio=5 blockedtime=28963 blockedcount=6819 waitedtime=421762 waitedcount=115
    at java.io.WinNTFileSystem.getBooleanAttributes(Native Method)
    at java.io.File.isFile(File.java:876)


"ajp-bio-8014-exec-6861" Id=13898 in RUNNABLE (running in native)
 java.lang.Thread.State: RUNNABLE
 prio=5 blockedtime=28961 blockedcount=6814 waitedtime=421762 waitedcount=115
    at java.io.WinNTFileSystem.canonicalize0(Native Method)
    at java.io.Win32FileSystem.canonicalize(Win32FileSystem.java:414)
    at java.io.File.getCanonicalPath(File.java:618)


(Note: ColdFusion threads can be identified by the name starting with "ajp-" )

For Example, if there are 50 threads with thread name starting "ajp-bio-" in the thread dump, if you see WinNTFileSystem in more than 2-3 threads, it is the time you start looking at minimizing the network latency.

 

Once you know there is latency, you would want to know how much is the latency when compared to the application existing locally.

Created a very basic network latency test program to validate this.

You can take the jar from here.

And run it from command prompt as follows:

> C:\ColdFusion11\jre\bin\java -jar <Path of NetworkPathsTest.jar> <Network or Local Directory Path >

If the network path (Ex:- \\orgserver\d$) is accessible only to the ColdFusion service user, open command prompt as that user ( runas /user:<cfserviceaccount domainname>\cfserviceusername CMD )

Examples:

Path Arguments can be one or more. More Path arguments is a good measure to see the difference clearly.

C:\ColdFusion11\jre\bin\java -jar C:\ColdFusion11\NetworkPathTest.jar \\orgserver\d$\deploy\cfm\

C:\ColdFusion11\jre\bin\java -jar C:\ColdFusion11\NetworkPathTest.jar \\orgserver\d$\deploy\cfm\ \\orgserver\d$\deploy\cfm\api\

Try the same paths keeping the content same on the local machine and see the time differences.

For the same paths on local and remote, the difference in time should not be exponential.

These tests are to be performed on your ColdFusion server machine.

Once you have validations and found any latencies, it is the time to call for network optimization expertise.