Why should one be careful about securing ColdFusion ARchive (CAR) files?

You may hear (starting today) about a new admonition (a "strong recommendation") from Adobe that one should be careful to "delete CAR files once they are used". What's that about? And why is it a concern? (And is it ever NOT a concern?) Indeed why is it a new admonition? (To be clear: the recommendation should be heeded even by those using CF versions BEFORE this update and older versions like 11, 10, and so on.)

The TLDR is this: If you create (or are given) a CF "CAR" (ColdFusion ARchive) file, you should treat that as a file that contains passwords, as technically it will, if what was exported into it was in fact any CF Admin setting which holds a password (there are several). No, the passwords are not in plain text within the CAR (which is just a zip). But the info needed to decrypt the passwords is in that file, and the CF Admin INTO WHICH such a CAR is imported will now have those passwords enabled within that CF Admin. Perhaps more dismaying, a savvy coder could easily use that info to convert the "encrypted" passwords into plain text in a single line of code. So one SHOULD indeed take care to secure such CAR files (if not delete them after use).

Do I have your attention now? Just a bit more tldr to preface the post...

Is the concern really unique to CAR files alone? And is deleting the CAR files the only way to "secure" them? No, but a difference is that CAR files may be passed around in a way that other "sensitive" CF files would not be. Indeed, what about the process of simply transporting them from one server to another? Should you be as concerned about that? And what if you don't WANT to delete them, because they hold the CF Admin settings of record for an old CF instance you are removing? Should you even be concerned that a colleague also accessing your CF Admin might now use the info identified here to try to obtain a CAR file and use it in ways they should not? And what can you do to limit that? Finally, what about other tools that can save/transfer admin settings, like CFConfig in commandbox?

If you're interested in what's up (and if you or anyone on your server uses the CF Archive mechanism at all, you should be), then do read on. Same if you are not aware what CAR files are used for, as I will explain.

Fixing CF: "Hey, how come ColdFusion debugging output is not showing up in my localhost testing?"

This is a problem that has troubled many CF users for some years (especially as they have moved to later operating systems): they find that ColdFusion debugging output does NOT appear to them when testing using a URL with "localhost" for the domain name but it DOES appear if they use the 127.0.0.1 IP address instead.

And sure, they could change to just using the IP address, but they wonder why it fails with "localhost" and whether they can fix things so that it does. In this post, I offer the explanation and solution.

In brief, the problem happens when the OS you're working on processes your "localhost" request via IPv6 (if it makes the request as ::1), rather than IPv4 (as 127.0.0.1).
  • One option could be to edit your hosts file to force 127.0.0.1, and that should work.
  • But another would be that if you knew about your localhost calling with the IPv6 address of ::1, you should be able to add that to your CF Admin "debugging ip addresses list" (or use its "add current" button). But you will find that if you try that, it will change to "0:0:0:0:0:0:0:1", which does not solve this problem. I have a workaround for that, editing the neo-debug.xml.

Adobe could fix that last problem (and I have filed a bug report, CF-4203295), but until they do, here's a workaround and explanation of things.

And this latter point, of the inability of the Admin to accept ::1--and on the matter of editing that file--is the real focus of this post.

Why you should think twice about leaving on the "public JRE" option of the Java JDK installer

Note: This blog post is from 2016. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
This is a follow-up to a post I did in late 2014, CF911: 'Help! I've updated the JVM which ColdFusion uses, and now it won't start!'. In that post, I listed about a dozen common problems that befall people who try to update the JVM that CF is using (and it and this post apply as well to Lucee or BlueDragon, or indeed any Java application server).

In this post, I want to elaborate on one more common mistake. Well, mistake may be too strong a word. It's about a default option when you run a Java JDK installer (see the other post for more on JDK vs JRE options).

In short, I make the case here for why you should NOT let the JDK installer implement its "public jre" option.

Stuck running the ColdFusion 'Migration wizard'? Here's how to get past that

Note: This blog post is from 2016. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
[Image: CF Admin migration wizard screen]

Someone presented a problem on a discussion list where they found that upon installing CF, they got to the "migration wizard" screen, and though it offered the option to "continue" if it hung up, it did not continue for them.

In this post, I'll share how to get past that prompt, if this happens to you. (And despite that image on the right showing ColdFusion 11, this could conceivably happen in CF10, CF9, and so on, and this same solution applies to all.)

For the anxious folks who want to "skip the waffle" and context/setup, the solution is at the very bottom. :-)

FusionReactor updated today: some general info related to getting/applying FR updates

Note: This blog post is from 2015. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
FusionReactor users will want to know that there was a new update released today, 5.2.6. The update is free for those on 5.2.x releases as well as those with maintenance agreements. And you can just download the installer and run it to update your current version (even back to FR 5.0, if you've not updated FR 5 since you first installed it).

But more than that basic info, I'd like in this post to take advantage of the chance to share a few things related to the topic of upgrading FusionReactor, including some common questions I often am asked as I assist people in using it:

  • Where do I get the update?
  • How do I find out what's new in the update?
  • Should I hesitate about applying the very latest FR update as soon as it comes out?
  • How would I know there WAS an update to FR available?
  • Do I just need to run the full installer or can I update just one file perhaps?
  • Do I need to restart CF (or Railo/Lucee/Tomcat, etc.) for the update to take effect?
  • Can I update FRAM and choose NOT to update my monitored CF/Railo/Lucee/Tomcat/etc instance?
  • Why do you keep referring to "CF/Railo/Lucee/Tomcat/etc"? I thought FR was a CF monitor tool?
  • What if I'm on an FR version older than 5.0?

For these and more, read on.

Solving slow CF startup: my elaborating on an Adobe blog entry on a possible solution

Note: This blog post is from 2015. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
The fine folks at the Adobe CF blog posted a blog entry today, on "Sometimes ColdFusion services refuse to start normally post server restart" (by Rahul Upadhyay), which offers some helpful information on one possible solution to the stated problem of slow CF startup.

That said, there are some concerns I have, with respect to how I fear some may read and take action based on it (especially the notion of deleting the cfclasses files, as a possible solution to the problem).

I'm not contradicting Rahul here, just elaborating on some points, as someone who (like some on the CF team) helps people with CF server troubleshooting every day.

I started to write these thoughts as a comment there, and (as often happens) it grew long so I thought it better to be a blog entry rather than a long comment, and point people here. Once I did that I decided to go further still, hoping to really help those interested to consider the issue more carefully. (It also gives me a chance to highlight again the Adobe CF team blog, something I recommend EVERYONE reading this should follow!)

One quick point (and update) for the TL;DR cloud: My recommendation is that you move the cfclasses folder out of that location, as a temporary test, to see if it makes CF startup happen faster. If it does, I explain why and what the implications are in the choices of renaming, deleting, moving, or disabling the related "save class files" feature. Also, I add an update in E.1 below (since posting this) which you may really want to read: consider turning off your anti-virus software's real-time protection against the cfclasses folder to see if that alone helps with startup.

CF911: 'Help! I've updated the JVM which ColdFusion uses, and now it won't start!'

Note: This blog post is from 2014. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
Has this happened to you? You wanted to update the JVM which CF uses to use a new version...
  • so you found some resource on the web showing how to update, and it seemed simple enough
  • and then you tried restarting CF and wham, it won't start, or the admin won't open, or code starts failing
  • and maybe it's that things didn't fail immediately, but within hours or days folks report things breaking since you made the change
  • and now you're stuck wondering, "what happened? and how am I supposed to fix this?"

It's a tough position to be in, and tragic of course if CF won't start. But no, you do NOT need to reinstall CF!

Often it's just one thing you did by mistake, though there are indeed several possible reasons why your attempt to update CF's JVM can fail or lead to unexpected problems. And as you google about, you may find all kinds of helpful but often misinformed or spartan suggestions that may or may not help much.

So I offer here over a dozen things you can and should consider/look at, some of which you may quickly recover from or be able to undo (depends on what you did). And all this applies to Lucee, Railo, and BlueDragon as well, though folder locations will differ.

If you're facing this bind right now, you can skip over the following to the section, "Seeing better error info, when the CF service won't start", and then the section after that "So what went wrong?", where I present each likely problem and solution.

Hidden Gem: Importing CF Admin settings in ANY release via 'import wizard', even AFTER installation

Note: This blog post is from 2014. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
Have you ever faced the challenge of needing to migrate the CF Admin settings (datasources, mappings, scheduled tasks, etc.) from one machine to another, and from one CF version to a newer one? Did you know that there is an "import wizard" that you can (with proper configuration) run at any time to import settings from one release to another?

Before I discuss that, you may know of a couple of other solutions for this challenge: the CF admin ColdFusion Archive/CAR mechanism, available in some but not all editions (more below), and this same "import wizard" which runs at the end of CF installation, importing settings from an older CF version if found on the same box.

But what if neither of those solutions works for you, and you have dozens of DSNs, scheduled tasks, mappings, or other settings you want to get from one machine/version to another?

You are NOT stuck having to manually copy settings from one screen to another! (And you should be very careful about the common hack solution of copying neo*.xml files from one instance to another, which may not always work and may break things.)

In this entry I'll discuss how you CAN indeed import the CF admin settings from nearly ANY release of CF into nearly ANY OTHER release of CF, in a fully supported way, and which CAN be done even after installation of a new CF release. (I say "nearly", because I worked with someone wanting to do this import of CF7 settings into CF10, and that large a jump was not supported.)

I'll also mention an important potential gotcha to beware, as well as how to get around that.

Find ColdFusion installers, updates, hotfixes, and docs for all recent releases at CFMLRepo.com

Note: This blog post is from 2014. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
This won't be new info for some, but many folks remain confused by the fact that after Adobe releases its current latest ColdFusion version, it no longer offers the previous version(s) on its public-facing Adobe site. (Those who license CF are given access to a licensing site with a personal account there, where they can download the installers for versions they bought even years after they are no longer supported.)

What if you either don't have such an account or only use CF for development or trial purposes? How do you find older installers?

Find CF installers, updates, and docs for past several releases

The good news is that if one wants to find ANY installers for most ANY version of CF, they can be found on an external repository set up years ago by Gavin Pickin (and still maintained by him and others, including myself), at:

CFML Repo

The site even has installers all the way back to CF1.5, as well as updates, docs, CFBuilder installers, and more.

The name, CFMLRepo, may confuse some if they presume it's a repo of CFML. It's not. It's that it has both CF and Lucee installers, thus the more "generic" name.

(And there used to be a longer and hard-to-remember URL for the site, when I had posted this originally in 2014, and I had created a shortened url, http://bit.ly/cfdownloads. It's now definitely not "shorter", but I leave this here for posterity.)

Thanks so much to Gavin for creating the repo, and to him and others for maintaining it. Let's hope it remains a viable solution to find downloads for years to come.

New updates for ColdFusion 11, 10, and 9 (security update for 9, 11; still more for 10)

Note: This blog post is from 2014. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
If you'd not heard the news, there were several updates released today, for CF 11, 10, and 9.

As for CF11 and CF9, it's mainly a security update. For CF10, it's got quite a bit more. (And there is another update for CF11 to come in the future which Adobe mentioned when it came out with its first update last month.)

For more on each, see below.

Copyright ©2020 Charlie Arehart