CF2016 securing CFIDE/administrator with TLS
Hello Community!
I recently began working on a POC with CF2016 and was a little shocked to learn that the de facto method of getting to /CFIDE/administrator was via localhost through SSH tunneling (per the lockdown PDF).
The out-of-the-box alternative to SSH tunneling was to punch a hole in the firewall for port 8500. Security be damned!
Both of these methods were unacceptable (seriously, Adobe!). Thus began a 2-day deep dive into a flawed Java product.
Instead of boring you with a 14-hour deep dive into everything that didn't work, here is what did work:
Prereqs:
RHEL 7 X64 Minimum install
ColdFusion 2016 Enterprise Edition patched to 2016.0.02.299200
Tomcat Version 8.0.32.0
Java JRE Server 1.8.0_102
Firewalld Rule for 8443/tcp allowed from Devops Team
Steps:
1. Download the latest JRE 8 Server edition to /opt/coldfusion2016/ (update the CF JVM path to match, i.e. /opt/coldfusion2016/jdk1.8.0_102/jre/)
2. Download and deploy Unlimited Strength Jurisdiction Policy Files
3. Generate a self-signed cert using the new JRE
sudo /opt/coldfusion2016/jdk1.8.0_102/jre/bin/keytool -genkey -keyalg RSA -alias test -keystore /etc/ssl/certs/keystore.jks -storepass yourpass -validity 1825 -keysize 2048
4. Set up the Tomcat connector with a limited cipher list (no elliptic curves) in /opt/coldfusion2016/cfusion/runtime/conf/server.xml
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false"
           keyAlias="test"
           keystoreFile="/etc/ssl/certs/keystore.jks"
           keystorePass="yourpass"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           useServerCipherSuiteOrder="true"
           ciphers="TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,
                    TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,
                    SSL_RSA_WITH_RC4_128_SHA" />
5. Restart ColdFusion
sudo service coldfusion_2016 restart
6. Continue on your merry way!
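As an added example (not part of the original post, and not Adobe's or Tomcat's own tooling), the script below audits the TLS attributes of the SSL-enabled Connector in a server.xml like the one in step 4 and writes out a hardened copy: it drops the protocol versions deprecated by RFC 8996 (TLS 1.0/1.1) and RFC 7568 (SSLv3), removes suites a current baseline excludes (RC4 per RFC 7465, 3DES, NULL/anon/export, MD5), and keeps the keystore settings untouched. The embedded server.xml is a constructed sample that mirrors the page's connector; the marker lists and function names are my own choices, not Tomcat configuration keys.

```python
"""Audit and harden the TLS settings of a Tomcat <Connector> in server.xml.

Added example, not code from the original post. Assumptions (mine):
server.xml is well-formed XML, the connector of interest carries
SSLEnabled="true", and cipher names use the JSSE scheme shown on the page.
"""
import xml.etree.ElementTree as ET

# Protocol versions a current baseline no longer offers:
# SSLv2/SSLv3 (RFC 7568) and TLS 1.0 / 1.1 (deprecated by RFC 8996).
DEPRECATED_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}

# Substrings identifying suites to drop: RC4 (prohibited by RFC 7465),
# 3DES/DES (64-bit block), NULL/anon/EXPORT (no confidentiality or
# authentication), and MD5-based MACs.
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES_", "NULL", "anon", "EXPORT", "MD5")


def split_list(value):
    """Split a comma-separated Tomcat attribute; tolerates the newlines and
    indentation used in the multi-line ciphers="" attribute on the page."""
    return [item.strip() for item in value.split(",") if item.strip()]


def is_weak_cipher(name):
    return any(marker in name for marker in WEAK_CIPHER_MARKERS)


def ssl_connectors(root):
    """Yield every <Connector> that has SSLEnabled="true"."""
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() == "true":
            yield conn


def audit_connector(conn):
    """Describe the weak TLS settings found on one connector element."""
    protocols = split_list(conn.get("sslEnabledProtocols", ""))
    ciphers = split_list(conn.get("ciphers", ""))
    return {
        "port": conn.get("port"),
        "deprecated_protocols": [p for p in protocols if p in DEPRECATED_PROTOCOLS],
        "weak_ciphers": [c for c in ciphers if is_weak_cipher(c)],
        "server_order": conn.get("useServerCipherSuiteOrder", "false").lower() == "true",
    }


def harden_connector(conn):
    """Rewrite the connector's protocol and cipher attributes in place."""
    protocols = [p for p in split_list(conn.get("sslEnabledProtocols", ""))
                 if p not in DEPRECATED_PROTOCOLS]
    ciphers = [c for c in split_list(conn.get("ciphers", "")) if not is_weak_cipher(c)]
    # If the original list contained nothing current, fall back to TLS 1.2,
    # which the JRE on the page (1.8.0_102) supports.
    conn.set("sslEnabledProtocols", ",".join(protocols) or "TLSv1.2")
    conn.set("ciphers", ",".join(ciphers))
    conn.set("useServerCipherSuiteOrder", "true")
    return conn


def audit_server_xml(xml_text):
    """Return one findings dict per SSL-enabled connector in the document."""
    root = ET.fromstring(xml_text)
    return [audit_connector(c) for c in ssl_connectors(root)]


def hardened_server_xml(xml_text):
    """Return the server.xml text with every SSL-enabled connector hardened."""
    root = ET.fromstring(xml_text)
    for conn in ssl_connectors(root):
        harden_connector(conn)
    return ET.tostring(root, encoding="unicode")


# Constructed sample: the page's connector wrapped in a minimal <Server>/<Service>.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
             maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
             clientAuth="false" keyAlias="test"
             keystoreFile="/etc/ssl/certs/keystore.jks" keystorePass="yourpass"
             sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
             useServerCipherSuiteOrder="true"
             ciphers="TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,
                      TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,
                      SSL_RSA_WITH_RC4_128_SHA" />
</Service></Server>"""

if __name__ == "__main__":
    for finding in audit_server_xml(SAMPLE_SERVER_XML):
        print(finding)
    print(hardened_server_xml(SAMPLE_SERVER_XML))
```

To run it against a real install, read /opt/coldfusion2016/cfusion/runtime/conf/server.xml into `audit_server_xml` instead of the sample. The script only checks the static configuration; after a restart, what the listener actually negotiates on 8443 is the thing to confirm, and the audit of the hardened output should come back empty.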
Adobe CF Dev Team, if you are reading: PLEASE deploy encryption with the Tomcat dedicated server for administering CF. Perhaps a self-signed cert option during the install wizard after choosing to deploy the server secure profile, etc... Or update your CF Lockdown Guide to include a working method (see above) to secure the dedicated server...
