[Looking for Charlie's main web site?]

Restoring the CF Admin logviewer removed in Oct 2022 CF updates, at your own risk

As of the Oct 2022 CF updates (CF2021 update 5 and CF2018 update 15), Adobe has chosen to remove the CF Admin feature to view, search, download, and delete CF logs, due to asserted (but as-yet undocumented) security concerns.

What if you want it back? In this post, I explain what changed, why, and how to get the functionality back--albeit at your own risk. For more, read on.

[....Continue Reading....]

How to solve "Failed Signature verification", for downloads of ColdFusion updates--since Oct 2022

If you try to download a CF update using the ColdFusion Administrator AND you get an error, "error occurred while installing the update: Failed Signature Verification", there are both a couple of possible explanations (one of them new), both with fairly simple solutions.

In brief (TLDR):

  • If this is happening for you with CF2021 or CF2018, and you recently changed CF to use the latest Java update 11.0.17, this is a new problem caused by that Java update. I will explain that and offer a couple of solutions below (at least a workaround until Adobe implements the ultimately correct solution)
  • If this is happening for you on CF2018 and you have not yet installed its update 4, this instead is a very OLD problem. Simply implement update 4 first, before trying to do any subsequent CF2018 updates.

As for the first problem above, which is the main focus of this post, I offer below clarification on how and when this happened, how you could confirm what I am asserting, and a number of ways you can solve the problem (in case one may suit you better than another). I then share a few more points in conclusion that may help folks as they face and consider potentially wider implications of this issue.

[....Continue Reading....]

Finding default/initial CF admin config (neo-*.xml) files, now at cfmlrepo.com

Have you ever wished to obtain a copy of one CF's neo-*.xml files (like neo-cron.xml), for the purpose of setting yours back to its defaults? Folks sometimes need to do that to recover from certain problems.

I've seen the problem raised often enough that when I saw someone raising it this weekend, I decided to solve it by creating a new folder in the cfmlrepo.com site, at least for CF2021 and CF2018 (for now), offering there the initial versions of all the neo-*.xml files for those two editions.

For more information, see what I shared (including more background on the issue, where I got the files, where I put the files, and more) in my reply about all this to the CF Community thread where the user raised the need this weekend.

And for the sake of those who may "just want the files" without any need of explanation or warnings:

I welcome thoughts, feedback, or suggestions.

New updates released for Java 8 and 11, Oct 2020

For those using the Long-term support (LTS) versions of Oracle Java, 8 and 11, please note that there were new updates released last week (Oct 20), specifically Java 11.0.9 and 8.0_271. For more on each, see the:

For some, that's all they need to hear.

And I could (and probably should) leave it at that. But there are other questions which folks will have, including more on getting those binaries/installers (from Oracle or Adobe), on the difference between those LTS versions and "more recent" Java versions, as well as non-Oracle JVMs, and on licensing matters and more. For those, read on. Perhaps I will split this other stuff out into its own post at some point, so I can just point to it from news of these Java updates.

[....Continue Reading....]

It's looking like cf2020 will be cf2021, if I'm reading things right

As much as many have been referring to the new release (known for now as "Project Stratus") as "CF2020", it's looking like it may be instead "CF2021", if I'm reading the tea leaves right. And maybe it's only the name, not the actual release year. Let me explain (Hey, the bright side is that "2020" as a year is one many want to forget.)

[....Continue Reading....]

Come see my online talk, "Migrating or Comparing CF Admin Settings", at noon ET on Aug 13

Just thought I'd share a heads-up here on the blog that I'll be the speaker for the Online ColdFusion Meetup this week, Aug 13, at noon ET, presenting a new talk:

Migrating or Comparing CF Admin Settings, between instances, versions, and engines

You can learn more (including the description, the online meeting URL, where the recording will be posted, and more) at the meetup event page. FWIW, the session name had to be shortened a bit as presented on the meetup site there and even in the title here. :-)

As a bonus for you, my blog readers, I'll note that I'll be covering the CF migration and CAR features, the Commandbox CFConfig tool (which can be used for more than just "box" instances) and the CF2020 cfsetup tool (which has been shown publicly already), and more.

I'll also have a special surprise for people who "just want to compare the Admin settings of two instances without resorting to command-line tools, or hopping back and forth between browser tabs", using a free cross-platform GUI compare tool (and a simple trick in the CF Admin) which has delighted nearly everyone I've ever shown it to. And the tool can benefit you for far more than this one task. :-)

Why should one be careful about securing ColdFusion ARchive (CAR) files?

You may hear (starting today) about a new admonition (a "strong recommendation") from Adobe that one should be careful to "delete CAR files once they are used". What's that about? And why is it a concern? (And is it ever NOT a concern?) Indeed why is it a new admonition? (To be clear: the recommendation should be heeded even by those using CF versions BEFORE this update and older versions like 11, 10, and so on.)

The TLDR is this: If you create (or are given) a CF "CAR" (ColdFusion ARchive) file, you should treat that as a file that contains passwords, as technically it will, if what was exported into it was in fact any CF Admin setting which holds a password (there are several). No, the passwords are not in plain text within the CAR (which is just a zip). But the info needed to decrypt the passwords is in that file, and the CF Admin INTO WHICH such a CAR is imported will now have those passwords enabled within that CF Admin. Perhaps more dismaying, a savvy coder could easily use that info to convert the "encrypted" passwords into plain text in a single line of code. So one SHOULD indeed take care to secure such CAR files (if not delete them after use).

Do I have your attention now? Just a bit more tldr to preface the post...

Is the concern really unique to CAR files alone? And is deleting the CAR files the only way to "secure" them? No, but a difference is that CAR files may be passed around in a way that other "sensitive" CF files would not be. Indeed, what about the process of simply transporting them from one server to another? Should you be as concerned about that? And what if you don't WANT to delete them because they hold the CF Admin settings of record for an old CF instance you are removing? Should you even be concerned that a colleague also accessing your CF Admin might now use the info identified here to try to obtain a CAR file and use it in ways they should not? And what can you do to limit that? Finally, what about other tools that can save/transfer admin settings, like CFConfig in commandbox?

If you're interested in what's up (and if you or anyone on your server uses the CF Archive mechanism at all, you should be), then do read on. Same if you are not aware of what CAR files are used for, as I will explain.

[....Continue Reading....]

How can I keep CF Admin settings in sync between multiple servers or instances?

Updated, Feb 2022

This question, "How can I keep CF Admin settings in sync between multiple servers or instances?" was asked today on the Adobe CF forums. The person had CF instances on multiple servers and lamented having to login to each CF admin to make changes that would apply equally to all instances, in particular creating or changing datasources.

They wondered if in fact there was a feature in the CF Admin to "cluster" datasource definitions, like there is (since CF2016 Enterprise) the feature to "cluster" scheduled tasks.

While I explained that there was not such a "feature" to sync CF admin settings generally across instances, I added that there WERE at least a couple of options one could consider using to achieve the goal. (And as an update after I wrote this in Apr 2020, note that CF2021 came out a few months later offering still one more.) My answer elaborating things (as is my wont) was long enough that I should have probably created a blog post instead. After submitting it, I decided to do just that, here (and I have tweaked here what I said, with some more elaboration and links).

Short answer: there are different tools that might be considered to help with this task (especially automating it), and a couple more that some may consider:

  • the CFConfig tool within CommandBox, a powerful and automatable command line tool which uses json files and could allow you to sync things, even across CF versions and between CF and Lucee
  • the CF2021 cfsetup tool, a new command line tool which also uses json files and could allow you to sync things, for CF2021 and even earlier version
  • the CF Admin API (minimalist and manual), which you'd have to code to sync settings or set them in a synced manner
  • the CF CAR file feature deserves a mention also, though its use can't be automated (it seems)
  • I would advise AGAINST the seeming "shortcut" of copying neo xml files, especially between different servers or CF versions (same with using symlinks, etc.)

For more on all this, read on.

[....Continue Reading....]

Did you know that CF2018 imports environment vars into the Server scope?

This is a hidden gem that I never saw documented anywhere: CF2018 now imports environment variables into the CF "server" scope, specifically:

server.system.environment

and java system properties into:

server.system.properties

(Thanks to Sean C for catching a mistake in the initial post.)

I learned of it last year when Pete F tweeted about it, and I assumed someone else would do a post about it, but the topic came up in a discussion today and I was surprised to not be able to find any mention of it, other than that and his mention of it in his cfdocs.org site.

And yes, Lucee had it first (as proposed initially in 2015). :-)

The feature can be useful, whether you're setting such vars when running a (Docker) container, or via JVM args, etc., and you want to be able to access them within CFML.

Solving metaspace errors, once and for all

I have a really simple solution to offer here, for a problem that has been nagging people running ColdFusion for the past few years. This post may also benefit those NOT running CF, especially if they have found confusing/conflicting information about the Java metaspace error and jvm argument that relates to it.

Perhaps you're getting errors referring to "metaspace" or "OutOfMemoryError: Metaspace", whether in your web sites, error logs, or even the CF Admin, and you wonder "what to do". Or you may be getting odd occurrences of blank pages, and if you look in your coldfusion-error.log you are finding such metaspace errors.

TLDR; In all these cases, the solution is simple (and may seem contrarian to some ears): REMOVE the maxmetaspace element from your JVM arguments. Indeed, I would go so far as to say everyone should simply remove it, even BEFORE you may get errors.

In the post that follows, I will explain how to remove it, including how you need to be VERY careful when doing that. You may also wonder why I recommend removing it, versus raising it. I cover that, as well as a bug report I filed with Adobe related this tis (which was fixed as of CF2021), below.

I also created an abbreviated version of this post, on the Adobe CF portal, if that may interest some readers.

[....Continue Reading....]

More Entries

Copyright ©2022 Charlie Arehart
Carehart Logo
BlogCFC was created by Raymond Camden. This blog is running version 5.005.
(Want to validate the html in this page?)

Managed Hosting Services provided by
Managed Dedicated Hosting