Inspiring

Answered

ColdFusion 2021 conflict between Sandbox Security and Java 11.0.11

Forum|Forum|4 years ago
July 15, 2021
2 replies
4341 views

Have installed ColdFusion 2021 with update 1, on 64-bit Windows server 2019 Datacenter. I can either run it with Java 11.0.11 from Adobe, or with sandbox security (with Java 11.0.1), but the ColdFusion Application Service will not start if I have both Java 11.0.11 and sandbox security.

This topic has been closed for replies.

Correct answer Charlie Arehart

Hi, guys. I can offer a workaround for now. (I've confirmed experiencing the same issue, that CF won't start if running Java 11.0.11 with CF Sandbox Security enabled.) The workaround is to add this JVM argument to the CF startup args (in CF's jvm.config or the java args in the CF Admin), and then restart CF):

-Djdk.lang.Process.allowAmbiguousCommands=true

As for what led me to even consider that, you can see it's new for Java 11.0.11 specifically, and it's purpose discussed briefly as one of the "other notes" in the release notes for Java 11.0.11. You'll see also that it's specific to when a Java "security manager" is enabled.

When we enable the CF Sandbox Security feature, we are indeed causing CF to enable that java security manager, which CF configures for us.

As for why the arg to "allowAmbiguousCommands" is needed with CF, we will likely need to leave that with Priyank and the team to sort out. Perhaps there's something that CF startup code is doing that trips over the problem, which this change fixes, but which ultimately they can correct so the arg is no longer needed.

As for looking into the issue further, I'll note a couple other things:

Priyank, wouldn't that message you show mean not that the sql server module was hanging things up (since it says it was "not installed"), but ratehr that whatever would have been NEXT to be loaded, or processed in the startup? FWIW, when I look at my own cf2021 setup (full install), the logs show that the odbc module would have been loaded next. Micheal or Priyank, I'd be curious when you look at your working implementation (with 11.0.1), what do you show in the logs as being loaded after the sql server module?
FWIW, I can confirm this is indeed definitely about 11.0.11. I tried using 11.0.10 with Sandbox Security, and all worked.
And in case any may ask, this is NOT about the new "feature" added in 11.0.11, whereby the JVM (and therefore CF) is not allowed to call out to servers running TLS 1.1 or 1.0. While there is provision in the JVM update to configure the JVM to allow such calls (see any of many resources on that, from the JVM 11.0.11 release notes to blog posts from Pete Freitag and myself), I can confirm that I made that change, and still CF would not start with 11.0.11 and Sandbox enabled--unless I added that arg above.

But while we await Adobe resolving the root cause, this workaround will at least allow you to run 11.0.11 while also using the Security Manager. I'd love to hear from either of you if you confirm this and/or find any issues I have not.

Charlie ArehartCorrect answer

Community Expert

Hi, guys. I can offer a workaround for now. (I've confirmed experiencing the same issue, that CF won't start if running Java 11.0.11 with CF Sandbox Security enabled.) The workaround is to add this JVM argument to the CF startup args (in CF's jvm.config or the java args in the CF Admin), and then restart CF):

-Djdk.lang.Process.allowAmbiguousCommands=true

As for what led me to even consider that, you can see it's new for Java 11.0.11 specifically, and it's purpose discussed briefly as one of the "other notes" in the release notes for Java 11.0.11. You'll see also that it's specific to when a Java "security manager" is enabled.

When we enable the CF Sandbox Security feature, we are indeed causing CF to enable that java security manager, which CF configures for us.

As for why the arg to "allowAmbiguousCommands" is needed with CF, we will likely need to leave that with Priyank and the team to sort out. Perhaps there's something that CF startup code is doing that trips over the problem, which this change fixes, but which ultimately they can correct so the arg is no longer needed.

As for looking into the issue further, I'll note a couple other things:

Priyank, wouldn't that message you show mean not that the sql server module was hanging things up (since it says it was "not installed"), but ratehr that whatever would have been NEXT to be loaded, or processed in the startup? FWIW, when I look at my own cf2021 setup (full install), the logs show that the odbc module would have been loaded next. Micheal or Priyank, I'd be curious when you look at your working implementation (with 11.0.1), what do you show in the logs as being loaded after the sql server module?
FWIW, I can confirm this is indeed definitely about 11.0.11. I tried using 11.0.10 with Sandbox Security, and all worked.
And in case any may ask, this is NOT about the new "feature" added in 11.0.11, whereby the JVM (and therefore CF) is not allowed to call out to servers running TLS 1.1 or 1.0. While there is provision in the JVM update to configure the JVM to allow such calls (see any of many resources on that, from the JVM 11.0.11 release notes to blog posts from Pete Freitag and myself), I can confirm that I made that change, and still CF would not start with 11.0.11 and Sandbox enabled--unless I added that arg above.

But while we await Adobe resolving the root cause, this workaround will at least allow you to run 11.0.11 while also using the Security Manager. I'd love to hear from either of you if you confirm this and/or find any issues I have not.

/Charlie (troubleshooter, carehart. org)

Priyank Shrivastava.

Community Manager

Hi Charlie,

I tried the argument which you shared and indeed it worked so Thank you for that. I wanted to show Michael, that is getting stuck at some point. My intention was not to point to a particular package. Before I responded to the above thread and opened a bug, I tried this in 2 different machines and it was getting stuck in different packages or loading another module. So it was clear to me that it is not the package but something else is causing the issue. I did not mention this in the bug that I opened internally.

Thanks,Priyank Shrivastava

A

Ayera

New Participant

FWIW, I've been seeing this same problem upgrading from CF2018 to CF2023. We've used Sanboxing for years but as soon as we turn it on with CF2023, the instances won't startup. The jvm argument Charlie recommended seems to resolve the problem (-Djdk.lang.Process.allowAmbiguousCommands=true).

Not sure anyone will see this old message but if there's a better resolution for CF2023, would be great to hear.

Thanks Charlie,

Ken Wilson

We are experiencing this same issue on fresh CF2023 installs when attempting to enable Security Sandboxing. CF service will not start. Roll back the security.xml (Sandbox not enabled), starts up fine. Getting stuck on the same ODBC service processing place as mentioned above when checking the server.log. Adding Charlie's jvm argument does not seem to work. Any hope of getting this to work? JVM version is 17.0.6 (one that comes with CF2023).

Priyank Shrivastava.

Community Manager

Hi Michael,

Let me try this.

Thanks,Priyank Shrivastava

M

michaelf34344382Author

Inspiring

Thanks!

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded