[Looking for Charlie's main web site?]

My upcoming talk, "ColdFusion at 25: not the kid most have stuck in their minds"

As you may have heard by now, the free Adobe CF Developer Week 2021 will be held June 22-24. My session will be on June 22 at 4p Central in Track 2. While currently the DevWeek site only offers session titles and speakers (descriptions were added after I posted this: click the + sign to the right of each talk), here is mine, from the "presentations" page here on my site:

ColdFusion at 25: not the kid most have stuck in their minds

As ColdFusion turns 26 next month, many seem stuck remembering it only as the "teen" they knew or even the "child", when instead it's grown up to be a capable "adult", impressive in many ways, and even more so recently. In this session, we'll look back at how CF has indeed evolved into a very capable platform, with quite modern features that seem to surprise many--including people working with it currently. If you struggle "finding CF people" or "getting buy-in", perhaps these observations could help you with both challenges. If nothing else, they're things designed simply to help you get your job done, while keeping up with modern practices.

We'll start with many modern coding techniques--which will be familiar to those using more "modern" languages but that many don't realize CF supports, and may have for years. We'll then look at ways that things such as CF installation/deployment, configuration/administration, monitoring, security, and more have improved over the years. And we'll look not only at CF itself but the community surrounding it, ranging from resources for help and learning to tools and services that others have created, making CF a far more complete ecosystem than most give it credit. Put another way: it's not your father's CF!

I look forward to presenting this topic and hope you'll come check it out.

New updates released for Java 8 and 11, April 20 2021

For those using the Long-term support (LTS) versions of Oracle Java, 8 and 11, please note that there were new updates released last week (Apr 20), specifically Java 11.0.11 and 8.0_291. For more on each, see the:

For some, that's all they need to hear. For others, read on.

[....Continue Reading....]

Confirming ColdFusion's Java version via CFML code

Have you ever wished you could confirm with 100% certainty what Java version is in use by the CF instance you are running? Or where the JVM's location is (in case you are told to modify files related to it)?

Some good news is that ColdFusion offers simple ways/variables that can show you each of these, via CFML code. In this post, I share that. I share first a simple single variable which works in CF2018 and above, then I offer a variation for those on CF2016 and earlier, as well as variations for Lucee.

[....Continue Reading....]

Be aware that updates to ColdFusion 2016 will end Feb 2021

Are you still running ColdFusion 2016? Did you know that its "core" support (meaning, public updates from Adobe) will end in just a couple of months, Feb 21 2021? Same for CFBuilder 2016.

The recent release of CF2021 is a great sign for the continued vitality of CF, but this looming deadline is a reminder that as the years roll on, we not only get new versions but we say good-bye to old ones.

Wondering what you can do? or when CF2018 or CF2021 support ends? And what's the difference between "core" and paid Adobe support plans? For more on these, as well as official Adobe documentation that discusses such things, read on.

[....Continue Reading....]

Why should one be careful about securing ColdFusion ARchive (CAR) files?

You may hear (starting today) about a new admonition (a "strong recommendation") from Adobe that one should be careful to "delete CAR files once they are used". What's that about? And why is it a concern? (And is it ever NOT a concern?) Indeed why is it a new admonition? (To be clear: the recommendation should be heeded even by those using CF versions BEFORE this update and older versions like 11, 10, and so on.)

The TLDR is this: If you create (or are given) a CF "CAR" (ColdFusion ARchive) file, you should treat that as a file that contains passwords, as technically it will, if what was exported into it was in fact any CF Admin setting which holds a password (there are several). No, the passwords are not in plain text within the CAR (which is just a zip). But the info needed to decrypt the passwords is in that file, and the CF Admin INTO WHICH such a CAR is imported will now have those passwords enabled within that CF Admin. Perhaps more dismaying, a savvy coder could easily use that info to convert the "encrypted" passwords into plain text in a single line of code. So one SHOULD indeed take care to secure such CAR files (if not delete them after use).

Do I have your attention now? Just a bit more tldr to preface the post...

Is the concern really unique to CAR files alone? And is deleting the CAR files the only way to "secure" them? No, but a difference is that CAR files may be passed around in a way that other "sensitive" CF files would not be. Indeed, what about the process of simply transporting them from one server to another? Should you be as concerned about that? And what if you don't WANT to delete them because they hold the CF Admin settings of record for an old CF instance you are removing? Should you even be concerned that a colleague also accessing your CF Admin might now use the info identified here to try to obtain a CAR file and use it in ways they should not? And what can you do to limit that? Finally, what about other tools that can save/transfer admin settings, like CFConfig in commandbox?

If you're interested in what's up (and if you or anyone on your server uses the CF Archive mechanism at all, you should be), then do read on. Same if you are not aware of what CAR files are used for, as I will explain.

[....Continue Reading....]

When and how to upgrade CF web server connector, easier since CF2016

Did you know that when you update ColdFusion, there is often a need to also update the web server connector (for IIS and/or Apache)? In this post, I discuss how you can know when to do it (Adobe makes that easier since CF2016), as well as how to do it (also easier since CF2016), and why it's important.

[....Continue Reading....]

CF updates temporarily missing. Get them here

If you've tried to get the update files for cf 2018, 2016, 11, or 10 in recent days, whether from the CF Admin "updates" page or the update technote pages, you've found the update jar files are missing and unavailable, due to a temporary problem. Here's how to get them in the meantime.

[....Continue Reading....]

Considering use of Amazon Corretto, the new openjdk jvm, especially with ColdFusion

As I posted earlier today, there are big changes afoot in the Java world, about production (not just "commercial") use of Java going forward. This is big news, as it is for anyone using Java 8 or 11 for production purposes.

But here's some good news: Amazon has recently released a new free JVM (java virtual machine) implementation based on the OpenJDK specification, called Corretto. In this post, I want to share some news about it. (Off the bat, let me tell my friends on any Linux flavor other than Amazon Linux 2, this is not yet available to you. For now it is only available for Amazon Linux 2 as well as Windows, MacOS, and as a docker image. Other Linux flavors are due in Q1 2019.)

For much more, read on.

Update in Jan 2019: This is no longer an option for CF folks to consider, as Adobe announced both that they have licensed Oracle Java for production use by those using CF, and they clarified that they will NOT be adding support for any OpenJDK implementations. I will leave this post and the rest, for non-CF users and for posterity.

[....Continue Reading....]

What's an admin to do: Oracle's changed stance on production use of Java, going forward?

Did you know that Oracle announced in 2018 major changes regarding free production use of Java 8 and 11?
  • Regarding Java 8, did you know that Oracle will no longer offer free updates/security patches for Java 8, if used for production (NOT just "commercial") purposes beyond Jan 2019? After that, you must pay them for support/updates (including security updates). For more on why this is NOT just about "commercial" use, see below.)
  • Regarding Java 11, the next major release, did you know that the Oracle Java 11 JVM cannot be USED at ALL for PRODUCTION purposes, without paying for it?
  • Finally, while Oracle will be offering a free openJDK implementation (which CAN be used for production, for free), did you know they will only be committing to supporting/updating their Oracle Java 11 openjdk for 6 months after release, leaving subsequent updates to the community of contributors?

For more, including why this may have significant impact on your use of Java-based applications, as well as alternatives that may exist for you going forward, read on.

[....Continue Reading....]

Fixing CF: "Hey, how come ColdFusion debugging output is not showing up in my localhost testing?"

This is a problem that has troubled many CF users for some years (especially as they have moved to later operating systems): they find that ColdFusion debugging output does NOT appear to them when testing using a URL with "localhost" for the domain name but it DOES appear if they use the 127.0.0.1 ip address instead.

And sure, they could change to just using the ip address, but they wonder why it fails with "localhost" and whether they can fix things so that it does? In this post, I offer the explanation and solution.

In brief, the problem happens when the OS you're working on processes your "localhost" request via ipv6 (if it makes the request as ::1), rather than ipv4 (as 127.0.0.1).
  • One option could be to edit your hosts file to force 127.0.0.1, and that should work
  • But another would be that if you knew about your localhost calling with the ipv6 address of ::1, you should be able to add that to your CF Admin "debugging ip addresses list" (or use its "add current") button. But you will find that if you try that, it will change to "0:0:0:0:0:0:0:1", which does not solve this problem. I have a workaround for that, editing the neo-debug.xml.
Adobe could fix that last problem (and I have filed a bug report, CF-4203295), but until they do, here's a workaround and explanation of things.

And this latter point, of the inability of the Admin to accept ::1--and on the matter of editing that file--is the real focus of this post.

[....Continue Reading....]

More Entries

Copyright ©2021 Charlie Arehart
Carehart Logo
BlogCFC was created by Raymond Camden. This blog is running version 5.005.
(Want to validate the html in this page?)

Managed Hosting Services provided by
Managed Dedicated Hosting