[Looking for Charlie's main web site?]

Come see my online talk, "Migrating or Comparing CF Admin Settings", at noon ET on Aug 13

Just thought I'd share a heads-up here on the blog that I'll be the speaker for the Online ColdFusion Meetup this week, Aug 13, at noon ET, presenting a new talk:

Migrating or Comparing CF Admin Settings, between instances, versions, and engines

You can learn more (including the description, the online meeting URL, where the recording will be posted, and more) at the meetup event page. FWIW, the session name had to be shortened a bit as presented on the meetup site there, and even in the title here. :-)

As a bonus for you, my blog readers, I'll note that I'll be covering the CF migration and CAR features, the Commandbox CFConfig tool (which can be used for more than just "box" instances) and the CF2020 cfsetup tool (which has been shown publicly already), and more.

I'll also have a special surprise for people who "just want to compare the Admin settings of two instances without resorting to command-line tools, or hopping back and forth between browser tabs", using a free cross-platform GUI compare tool (and a simple trick in the CF Admin) which has delighted nearly everyone I've ever shown it to. And the tool can benefit you for far more than this one task. :-)

Why should one be careful about securing ColdFusion ARchive (CAR) files?

You may hear (starting today) about a new admonition (a "strong recommendation") from Adobe that one should be careful to "delete CAR files once they are used". What's that about? And why is it a concern? (And is it ever NOT a concern?) Indeed why is it a new admonition? (To be clear: the recommendation should be heeded even by those using CF versions BEFORE this update and older versions like 11, 10, and so on.)

The TLDR is this: If you create (or are given) a CF "CAR" (ColdFusion ARchive) file, you should treat that as a file that contains passwords, as technically it will, if what was exported into it was in fact any CF Admin setting which holds a password (there are several). No, the passwords are not in plain text within the CAR (which is just a zip). But the info needed to decrypt the passwords is in that file, and the CF Admin INTO WHICH such a CAR is imported will now have those passwords enabled within that CF Admin. Perhaps more dismaying, a savvy coder could easily use that info to convert the "encrypted" passwords into plain text in a single line of code. So one SHOULD indeed take care to secure such CAR files (if not delete them after use).

Do I have your attention now? Just a bit more tldr to preface the post...

Is the concern really unique to CAR files alone? And is deleting the CAR files the only way to "secure" them? No, but a difference is that CAR files may be passed around in a way that other "sensitive" CF files would not be. Indeed, what about the process of simply transporting them from one server to another? Should you be as concerned about that? And what if you don't WANT to delete them, because they hold the CF Admin settings of record for an old CF instance you are removing? Should you even be concerned that a colleague also accessing your CF Admin might now use the info identified here to try to obtain a CAR file and use it in ways they should not? And what can you do to limit that? Finally, what about other tools that can save/transfer admin settings, like CFConfig in commandbox?

If you're interested in what's up (and if you or anyone on your server uses the CF Archive mechanism at all, you should be), then do read on. Same if you are not aware what CAR files are used for, as I will explain.

[....Continue Reading....]

How can I keep CF Admin settings in sync between multiple servers or instances?

This question was asked today on the Adobe CF forums. The person had CF instances on multiple servers and lamented having to login to each CF admin to make changes that would apply equally to all instances, in particular creating or changing datasources. They wondered if in fact there was a feature in the CF Admin to "cluster" datasource definitions, like there is (since CF2016) the feature to "cluster" scheduled tasks.

I explained that there was not such a "feature" but that there were at least two options to achieve the goal. The answer was long enough (as is my wont) that I should have probably created a blog post instead. After submitting it, I decided to do just that, here (and I have tweaked here what I said, with some more elaboration and links).

Short answer: there are two tools that can help with this task, the CF Admin API (minimalist and manual), and the CFConfig tool within CommandBox (powerful and automated), as well as some seeming "shortcut" options (copying neo xml files, using symlinks, etc., which I'd advise strong caution against). I also give the CF CAR file feature an honorable mention.

For more on all this, read on.

[....Continue Reading....]

How and why your sites may break, and what to do, after applying March 2020 update to CF2018 or 2016

This is a critical warning to anyone who may apply the recent CF2018 Update 8 or CF2016 Update 14, released Tuesday of this week. To be clear, I do not mean with this warning to suggest that you should NOT apply the update! It implements an important security fix.

Instead, it's that after applying it, your CF web sites served via IIS or Apache WILL likely break initially, until you take one at least and perhaps two extra steps. The good news is that these steps are both easy and documented by Adobe in the update technotes, but they do require that someone do them, if needed. Let me explain.

[Update: I did an abbreviated version of this post on the Adobe CF portal: Three reasons your sites may break, and how to fix them, after applying March 2020 update to CF2018 or 2016. Note I also titled it differently. Just trying many ways to get people's attention. That post may interest some, either to read first (but my TLDR below also tries to abbreviate things also), or especially if you may prefer to give others a link to a post on this matter that is not as "dense" as this one. :-) I do point to this post from there, of course, for the many additional details that some may appreciate.]

Sadly, because many people don't bother to read the CF update technotes (linked to below), and they just apply the CF updates, they are not noticing this issue until they or their users start screaming because their sites are down. There's also a fair bit of "screaming" in the CF community, and folks responding may not know the info that I (or Adobe) have shared, to get things "working again", so I hope this helps bring some calm, and most important the clear solution/s needed.

[....Continue Reading....]

Did you know that CF2018 imports environment vars into the Server scope?

This is a hidden gem that I never saw documented anywhere: CF2018 now imports environment variables into the CF "server" scope, specifically:

server.system.environment

and java system properties into:

server.system.properties

(Thanks to Sean C for catching a mistake in the initial post.)

I learned of it last year when Pete F tweeted about it, and I assumed someone else would do a post about it, but the topic came up in a discussion today and I was surprised to not be able to find any mention of it, other than that and his mention of it in his cfdocs.org site.

And yes, Lucee had it first (as proposed initially in 2015). :-)

The feature can be useful, whether you're setting such vars when running a (Docker) container, or via JVM args, etc., and you want to be able to access them within CFML.

Solving metaspace errors, once and for all

I have a really simple solution to offer here, for a problem that has been nagging people running ColdFusion for the past few years. (I've also just filed a bug report asking Adobe to address this.) This post may also benefit those NOT running CF, especially if they have found confusing/conflicting information about the Java metaspace error and jvm argument that relates to it.

Perhaps you're getting errors referring to "metaspace" or "OutOfMemoryError: Metaspace", whether in your web sites, error logs, or even the CF Admin, and you wonder "what to do". Or you may be getting odd occurrences of blank pages, and if you look in your coldfusion-error.log you are finding such metaspace errors.

TLDR; In all these cases, the solution is simple (and may seem contrarian to some ears): REMOVE the maxmetaspace element from your JVM arguments. Indeed, I would go so far as to say everyone should simply remove it, even BEFORE you may get errors.

In the post that follows, I will explain how to remove it, including how you need to be VERY careful when doing that. You may also wonder why I recommend removing it, versus raising it. I cover that, as well as that bug report, below.

Update: I also created an abbreviated version of this post, on the Adobe CF portal, if that may interest some readers.

[....Continue Reading....]

Join me and Mikey on a Youtube Live FusionReactor 8.3 webinar, Feb 11 at 2p US Eastern

Come learn what's new about FusionReactor 8.3 in the first of what are planned to be a series of Youtube Live webinars from the folks behind FusionReactor. In this first episode, FR Technical Support Engineer Michael (Mikey) Flewitt and I will be teaming up to introduce FusionReactor 8.3.0, which should be released very soon.

Join us on Feb 3 at 2p US EST (and set a reminder/subscribe) here: https://www.youtube.com/watch?v=f0TKfnhIE24

Besides discussing and demonstrating what's new in the 8.3.0 release (which includes several features), we will of course be open to your questions. That's the whole point of going to the Youtube Live format!

What to expect in future episodes

And again, this is the first of what are planned to be a series, with future episodes addressing not only FR feature changes but reviewing FR features you might have missed, and as important: how to use FR to solve important problems in CF, Lucee, and Java servers. We're also open to addressing broader issues related to such technologies, in an "ask me anything" format.

So come along, and do subscribe, and bring your questions and comments. We're trying to make it a resource that will benefit many. Of course, it's our first, so we will iron out the kinks as we go!

How to solve failing "api" URLs, in CF2016 and 11 (not a problem in CF2018)

If you're trying to run a request against CF 2016 (or perhaps 11), and the URL you're using has a path which starts with /api, you may find that the request fails to run (it may give a blank page). What gives? (It was related to the CF2016 API Manager, not CF's REST services feature.)

And what can you do about it, if you are on CF2016 or 11, and you want to use /api for your URLs? There are are two choices, depending on your needs: in brief, you can either:

  • change your /api folder to a new name (which I realize may not appeal to all to some)
  • or change the CF configuration, to STOP it treating /api specially for the API Manager's use. You would do this by editing two CF config files, urlworkermap.properties and web.xml (but this will break the ability of the API Manager to introspect REST services in CF2016 or CF11, though not CF2018)

TLDR; if you're bold and a risk taker, you can jump to the bottom to see my list of changes to make for that second option. As is often the case, there is risk in making changes in a cavalier fashion. There are various things to consider, and I warn of them below--but the good news is that this is a change that may take only minutes to do, once you've been careful to read about how to do it effectively.

Read on for more, including pros and cons of each choice, what to change and where, why this problem NO LONGER happens from CF2018 onward, and more.

(And if you are not familiar with the CF Enterprise API Manager, which is installed separately from CF, you can read about it here.)

[....Continue Reading....]

ColdFusion 2018 update 7 released today...do you "need" it?

Adobe released update 7 for CF2018 today, and as it includes a security fix, some might think I'd say everyone should apply it.

But note first that the security aspect applies only to those running CF on Windows (and even then not ALL users of CF on Windows, as I will explain).

Then again, the update also includes a bug fix to a CF Admin, for a UI issue (related to updates, in fact), and if you need that, then you do want the fix (regardless of your OS).

So who needs it? If you need a little more guidance, I offer some clarification, as well as links from Adobe for more.

[....Continue Reading....]

When and how to upgrade CF web server connector, easier since CF2016

Did you know that when you update ColdFusion, there is often a need to also update the web server connector (for IIS and/or Apache)? In this post, I discuss how you can know when to do it (Adobe makes that easier since CF2016), as well as how to do it (also easier since CF2016), and why it's important.

[....Continue Reading....]

More Entries

Copyright ©2020 Charlie Arehart
Carehart Logo
BlogCFC was created by Raymond Camden. This blog is running version 5.005.
(Want to validate the html in this page?)

Managed Hosting Services provided by
Managed Dedicated Hosting