We updated ColdFusion 2018 from Update 11 to 12 this week (including query of query hotfix by the ColdFusion Support) and after this some of our servers were not reachable any more (we had to roll back as these are productive servers).
Tomcat outputs HTTP Status 403 - Forbidden.
I searched in the forum and found entries about Update 8 leading to such an error.
But we had installed ColdFusion 2018 incl. Update 10 in the beginning and updated to 11 since. So I presume this must be another problem.
Is there any known problem with the current Update 12 and Tomcat?
I haven't heard of any problem with Update 12 and Tomcat. In fact the upgrade from Update 11 to Update 12 includes a Tomcat upgrade from version 9.0.41 to 9.0.50.
Did you upgrade the connectors after installing Update 12? I think that that is the most likely cause of the 403 - Forbidden response.
See this similar discussion: https://community.adobe.com/t5/coldfusion-discussions/403-forbidden-access-after-installing-update-1...
Hi @elisabethf82215657 ,
Once you apply the hotfix, make sure to re-create the connector, because there is a new property added after update 7. In case it is not matching the secret key, it will throw a 403 error.
If you have already done the connector and are still getting the error, then check the server.xml (\ColdFusion2018\{instance}\runtime\conf) and search for "secret". If you have both "secret" and "requiredsecret" in the same line, please remove the requiredsecret entry and restart the server. It will fix the issue.
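The check described in the answer above can be scripted across several instances. This is an added example, not part of the original reply and not Adobe's code: it parses a server.xml and reports every AJP connector that carries both `secret` and `requiredSecret`. The sample XML, port numbers and secret values are constructed placeholders, and the function name is hypothetical.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample, not a real ColdFusion server.xml; secret values are placeholders.
SAMPLE_SERVER_XML = """<Server port="8007" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8500" protocol="HTTP/1.1"/>
    <Connector port="8018" protocol="AJP/1.3"
               secret="PLACEHOLDER-A" requiredSecret="PLACEHOLDER-B"/>
  </Service>
</Server>"""


def audit_ajp_connectors(xml_text):
    """Return one finding per AJP <Connector>; secret values are never returned."""
    findings = []
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue  # HTTP connectors do not use the AJP secret
        # The thread spells the attribute "requiredsecret" and "requiredSecret",
        # so attribute names are compared case-insensitively.
        attrs = {name.lower(): value for name, value in conn.attrib.items()}
        has_secret = "secret" in attrs
        has_required = "requiredsecret" in attrs
        both = has_secret and has_required
        findings.append({
            "port": conn.get("port"),
            "has_secret": has_secret,
            "has_requiredsecret": has_required,
            "conflict": both,
            "values_differ": both and attrs["secret"] != attrs["requiredsecret"],
        })
    return findings


if __name__ == "__main__":
    # Usage: python audit_ajp.py <path to server.xml>; without a path the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            text = handle.read()
    else:
        text = SAMPLE_SERVER_XML
    for finding in audit_ajp_connectors(text):
        state = "CONFLICT: both attributes present" if finding["conflict"] else "ok"
        print(f"AJP connector on port {finding['port']}: {state}")
```

A connector reported as a conflict is the case the answer describes; the script only reads the file and leaves the edit and the restart to the administrator.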
Thanks, Priyank. I experienced the same issue. This resolved it for me.
FWIW, the two next CF2018 HF12 updates that I ran did not have this problem. They installed without issue.
The only obvious difference between the three servers was that the first one that had the 403 issue ran the Developer's edition and the later ones that worked w/o issue were both running Enterprise edition.
Thanks a lot! This also resolved the problem for us!
Had the same issue on 2 separate ColdFusion 2018 installations. This was the solution. Thank you!
As for all those reporting that removing the requiredSecret fixed things, since that's not there for most people, I'd love to help everyone to know how and when it WOULD be there. I don't suspect most of you PUT it there (when it was being ignored before these latest updates), though that's possible of course.
Instead, for those of you who did not PUT that attribute there, could it be that you ran the CF AutoLockdown tool (which was new with CF2018, an optional tool to make CF and your server more secure)? Could it be that THAT put it there--and again it lurked unnoticed until this latest update?
Also, those of you who had the problem on "some servers and not others", might it be that you ran the autolockdown tool on some but not all servers?
I realize we won't hear from everyone here, but I thought it worth asking--because this problem does not happen to most folks, just those who have that requiredSecret attribute (not to be confused with secretRequired).
The "2" 2018 servers that gave me issues had the lockdown tool installed. I believe that was the issue.
This issue did not occur on a 2021 server that had the lockdown tool installed though. It only happened on the 2018 versions.
Interesting. Thanks. 🙂 Let's see how others may report.
Thanks, Charlie. My short answer is that I'm not sure whether that's the case with the one on which I had to make the change. 🙂
We're not using the lockdown tool, but had tried it out early on, probably on all three of the servers. We run Enterprise on our dev server to ensure that it has the same features that the apps will have in production.
The server where I had the issue was my test server where I can try stuff out before I implement on the dev and prod servers. I probably tried the lockdown tool on that while it still had a CF trial license. So it's a possibility that it was a leftover from that.
Thanks for the update, Phil.