When and how to upgrade CF web server connector, easier since CF2016

Note: This blog post is from 2019. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
Did you know that when you update ColdFusion, there is often a need to also update the web server connector (for IIS and/or Apache)? In this post, I discuss how you can know when to do it (Adobe makes that easier since CF2016), as well as how to do it (also easier since CF2016), and why it's important.

While the update process is indeed simpler since CF2016, I'll note that the technotes for CF2016 and 2018 still don't currently point out the easier process for upgrading, so what I share below may be a big (and nice) surprise even for those who diligently read the update technotes.

Knowing when a connector update is needed

The need to update the connector is a relatively new phenomenon, starting mostly with CF10, the first release where CF was based on Tomcat (and on the underlying Tomcat web server connector, which Adobe modifies to support some functionality needed by some CF users). There were only rare occasions when the old JRun-based connector needed updating.

And ever since CF10 also introduced the new automated update mechanism (available in the CF Admin or via the command line), each update's technote has indicated whether that update required a connector update, though sometimes one had to read the whole technote to find the wording indicating if a connector update was required.

Before CF2016

A problem with that approach (of it being indicated only in the technote of any CF update that required a connector upgrade) is that if you skipped some CF updates, you then needed to know to look at the technote for EACH skipped update, to see if its technote indicated if THAT update required a connector update. Then you could do the connector update after that latest update you did.

Since CF2016

Thankfully, since CF2016, Adobe has included a table at the bottom of each update technote indicating which previous updates may have required a connector update. So now one can easily consult that table each time an update is applied (or afterward, if you missed it when applying the update) to consider whether you now need to update the connector.

How to apply the connector update, via gui or commandline

First, note that the wsconfig tool can be run either as a GUI or as a commandline tool. Also, there are helper scripts that even make working from the command line easier.

And good news (for those who use the wsconfig GUI) is that in CF2016 and above, it's far simpler to update the connector than it had been with CF11 and 10.

Upgrading connectors via GUI in CF2016 and later

Many may not notice it, but there is a new "upgrade" button in the wsconfig tool UI (to go with the -upgrade option in the wsconfig command-line tool that has long been available). One need merely run the wsconfig UI, choose an existing connector (from the list of them, such as might say localhost:cfusion), and then click "upgrade".

Note that you do need to do that for each connector.

And note that the tool will restart the web server on each upgrade. Sadly, you cannot prevent that web server restart. Indeed, it happens regardless of whether you click the "ok" button on the prompt indicating that, or if you try to click the "x" on that prompt window.

Upgrading connectors via commandline

Whether you are working on a headless implementation of CF (no GUI) or just prefer to better automate/script things, note again that you CAN run the upgrade process by using the wsconfig tool from the command line instead. There are actually a couple of options for this.

First, the wsconfig tool itself can be found (as an exe in Windows or script in Linux) in the cfusion/runtime/bin folder (not cfusion/bin). And while you can get help from the tool itself at the command line (using --help), you can also find its args documented here: helpx.adobe.com/coldfusion/configuring-administering/web-server-management.html#Usingthecommandlineinterface.

Second, there are also helper scripts (bat files for Windows, sh files for Linux) that further facilitate performing connector operations, including simply upgrading all connectors. See those in the cfusion/bin/connectors folder (and mentioned only briefly in that last docs page.)

What updating the web server connector actually does

Usually, all the upgrade process will do is update the connector file (isapi_redirect.dll for IIS, or mod_jk.so for Apache), as typically found in the coldfusion config/wsconfig directory and the numbered folder associated with the selected connector (for Apache, the numbered folders may exist elsewhere, as your conf file references to ColdFusion will indicate).

As an aside, you may want to even look at the date of the .dll or .so file, in your connector folder, to see what date it is. This is how you can know if the file is out of date. Again, per the discussion above, many CF updates DO call for an update to the connector. If you have skipped that, you may find that your dll or so file is quite dated, which could be the cause of some problems you experience with CF. For CF2018, as of the current update 6 as I write this post (or CF2016, as of the current update 13), the file should have a Nov 2019 date. If it does not, that's confirmation that you need to update the connector (after applying the latest CF update.)

As a tip, if you do have multiple connectors to update, you could copy this one updated .dll file (for IIS, or .so file for Apache) into the other folders, and then restart the web server to effect the change in all of them. (Technically, the connector update may do more than just change that file, so this work-around should be used with caution.)
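
As an added example (not from the original post or from Adobe), here is the date check described above run across every numbered connector folder, with a checksum printed so that a folder still holding a different binary stands out after the copy work-around. The function names, the YYYYMMDD cutoff argument and the sample tree are assumptions constructed for this example.

```sh
#!/bin/sh
# Added example, not from the original post.
# audit_connectors WSCONFIG_DIR CUTOFF   (CUTOFF as YYYYMMDD)
# Prints "STALE|OK <cksum> <path>" for each connector binary found in the
# numbered folders; returns 1 if any was last modified at or before CUTOFF.
audit_connectors() {
    root=$1
    cutoff=$2
    ref=$(mktemp) || return 2
    touch -t "${cutoff}0000" "$ref"    # reference file stamped at the cutoff
    stale=0
    for f in "$root"/*/isapi_redirect.dll "$root"/*/mod_jk.so; do
        [ -f "$f" ] || continue        # an unmatched glob stays literal; skip it
        sum=$(cksum < "$f" | cut -d' ' -f1)
        # POSIX find prints the file only when it is NOT newer than $ref
        if [ -n "$(find "$f" ! -newer "$ref")" ]; then
            echo "STALE $sum $f"
            stale=1
        else
            echo "OK $sum $f"
        fi
    done
    rm -f "$ref"
    return "$stale"
}

# Constructed sample tree: folder 1 upgraded (Nov 2019), folder 2 left behind.
demo_tree() {
    d=$(mktemp -d) || return 2
    mkdir "$d/1" "$d/2"
    echo "constructed new build" > "$d/1/mod_jk.so"
    echo "constructed old build" > "$d/2/mod_jk.so"
    touch -t 201911200000 "$d/1/mod_jk.so"
    touch -t 201802150000 "$d/2/mod_jk.so"
    echo "$d"
}

tree=$(demo_tree)
audit_connectors "$tree" 20191101 || echo "at least one connector predates the cutoff"
rm -rf "$tree"
```

On a server, pass the ColdFusion config/wsconfig directory (or the location your web server config actually references) and the date the post gives for your update level.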

Note also that if you may have tweaked your setup to point the web server config at a different location than CF would use by default (as some do with Apache in Linux), you may need to copy the updated connector file to that new location.

Upgrading connectors via GUI for CF11 and 10

As a follow-up to my earlier discussion about how the wsconfig GUI now offers an "upgrade" button, back "in the old days", it was indeed more tedious. You would have had to REMOVE and then RE-ADD the connector (with the wsconfig tool). I discussed that (and the need to update the connector) in a 2013 post, "CF911: Why/when you MUST update the web server connector for ColdFusion 10/11 and may have missed it", and a follow-on post to that.

That process of removing/re-adding the connector was sometimes trivial, but sometimes a nightmare--especially if you had "tuned the connector" settings, or if you had manually tweaked some other aspect of the connector configuration. Those would be lost in the "remove" and you'd have to re-add the settings after the "re-adding".

Sadly, even folks using CF2016 and above don't know about the new upgrade button, so are still removing/re-adding the connector the "old-fashioned way", which is tedious and more error-prone.

Conclusion

This new upgrade button approach should be a great relief for them to learn about. (And I hope Adobe will please improve their ColdFusion update technotes to clarify the availability of this upgrade button for folks.)

If you need help with any of the above, I welcome questions here, of course, but I can also help you do the updates or connector upgrades, or other updates (such as the JVM or FusionReactor) via my short-term remote consulting, with satisfaction guaranteed.

(I wanted to get the info out, especially with the news of today's "preview" of the Nov 2019 CF updates, which include in fact a fix to the web server connector, which would need to be applied using this upgrade feature, after applying the preview update.)

Comments
Charlie Arehart, you are a CF lifesaver. Thank you for the post, for your concise information, for being there! I've appreciated your work since CF Developer magazine.
# Posted By SD | 7/28/20 8:39 AM
Thanks for the kind regards. As you may have noticed, yours is the first comment on this post since I wrote it nearly 9 months ago. So any encouragement is indeed appreciated. :)
Our security scan indicated our tomcat is outdated... we are on windows 2016 now and running cf10 enterprise and have applied all the 24 patches already.

How can we update the tomcat and leave cf10 without the need to upgrade CF10 as our budget is very minimal.

Is this possible?

Thanks!
# Posted By Dave | 2/11/21 2:41 PM
Dave, in a word: no. You cannot upgrade the Tomcat that underlies CF.

There's a bit more to consider, though.

First, as you may already know: with your being on CF10, you have more problems than your Tomcat being outdated. Adobe has not updated CF10 since 2017 (5 years after it came out in 2012), and they stopped updating CF11 in 2019, and will stop updating CF2016 as of later this month. The currently supported versions of CF are 2018 and 2021 (which came out in November).

But I realize that's not where you want to focus attention, given "very minimal budget". Sounds like time for you to explore Lucee, the open source alternative CFML engine. I realize "budget" may also refer to time. Some find the move to Lucee trivial and fantastic, others find it challenging and frustrating. But the allure of free may make it worth the effort.

As for this post, it's about updating the web connector that comes with CF. And whatever version one is on, they should always be sure to update that (wsconfig).

Getting back to being dinged about Tomcat being out of date, note that even people on CF2021, or the current latest updates of CF2018 and CF2016 would be dinged by security scans which say they are still on an "outdated" Tomcat.

But if they ARE on at least the March updates for CF2016 or 2018 (or CF2021), note that Adobe DID then implement an important security fix that WAS specific to Tomcat (addressing the "Ghostcat" vulnerability), and they did it in such a way where while the Tomcat version did not change Tomcat to a version after they updated for that, the changes in CF and the connector DO address the Ghostcat vuln. So at least they are not vulnerable to that.

We have to wait now for Adobe to create an update for CF2021 or CF2018 that will update Tomcat to a still more-recent version than it currently offers.

I realize that's of no help for you on CF10. Just sharing it for others reading along.
Just applied the ColdFusion 2018 Update 14 (released May 2022) to a Linux server and ended up having to SSH onto the server, cd into the /opt/coldfusion2018/cfusion/bin/connectors and `sudo ./upgrade_all_connectors.sh`. Finally back in business. Thanks, brother!
# Posted By Steve Withington | 6/29/22 1:08 AM
Thanks, Steve. Glad to help wherever I can.
Copyright ©2023 Charlie Arehart