Hello,
I have recently installed cfmx 2023, but I'm unable to access the admin page using the credentials I provided via silent install.
I have done two things here:
1. It first had localhost (default, I believe) in allowedAdminIPList, but then I removed it and restarted cfmx. So now I can see the admin page (planning to restrict it in the next phase, but wanted to get somewhere). However, when I provide the admin credentials it gives me a 403.
2. Later, I tried changing admin.security.enabled from true to false, and I was able to view the admin page without passing credentials. However, I believe that's not the right way and it's a security risk.
I'm not quite sure what the issue is here. Can someone provide any input on what could be the issue?
Stack details:
CFMX version : 2023
OS : RHEL9
Tomcat : 9.0.86
JDK17
Thanks,
Manoj
Forgot to mention that I'm using a trial developer edition.
Manoj, I can tell you've been using CF a long time, and there are some important changes to be aware of.
First, starting in cf 10 Adobe added a passwordreset script (.sh or .bat) in the cfusion/bin folder, so no need to edit that xml file anymore. 🙂 For more, besides the docs, see this blog post.
Second, you were using that old trick just to remove the need to login. Once you did that, did you realize you could have also CHANGED (enabled) the admin password there? It would be on the CF Admin security page. In the new look CF Admin (changed in CF2018), see the "security"/padlock icon which is seventh down in the navigational icons on the left, which will land you on its first section link at the top, for "administrator" (which is about these admin pw settings). The change you make there would take effect immediately. Or did that not work for you somehow?
Note also that the Admin has changed in another important way: when you want to find something (in the mass of icons and links), just use the search icon at the top right, and type in what you seek. It will offer links to get there. 🙂
As for why your silent install attempt to set the password failed, we'd need more info. But you may be moving on to other challenges once you get past this one.
And no, nothing is different if one uses the trial or developer edition. You refer to both in your next reply. I'll assume you meant one or the other, as is asked at the start of the install process.
Finally, though less important, you'll want to note that CF was called CFMX only in CF6 and 7 (back in the early 2000's). You will help yourself (in asking for help) to just drop the "MX", as Adobe did starting with CF8 as documented here. 🙂
Hope all that's helpful.
Thanks Charlie for the response.
When I initially installed, I tried the password reset script that I found in the documentation, which didn't work.
Later I tried installing fresh on a different server and ended up with the same issue.
However, I also tried changing the password from the console (thinking my password is incorrect and may work) and unfortunately that didn't work either. Also, I see a blank screen after submitting the changes (doesn't look like perm issues and nothing from logs, unless I'm missing something?)
So, looks like the changes are not updated?
Technically, regardless of console or CLI, both don't work.
And yeah, I have just got used to cfmx. I will try to use CF2023 hereon.
Here is the silent install properties file that I have:
#Silent properties for ColdFusion 2023
INSTALLER_UI=SILENT
#Valid Values are full/trial/developer
SILENT_LICENSE_MODE=trail
SILENT_SERIAL_NUMBER=
#Use when it is upgrade
SILENT_PREV_SERIAL_NUMBER=
#Valid values are ear/war/standalone
SILENT_INSTALLER_TYPE=war
SILENT_INSTALL_JNBRIDGE=true
#Remote administrator component for server remote start/stop
SILENT_INSTALL_ADMIN=false
SILENT_INSTALL_SOLR=true
SILENT_INSTALL_PDFG=true
SILENT_INSTALL_FOLDER=/opt/web/
SILENT_ENABLE_PROD_SECURE_PROFILE=true
SILENT_ENABLE_PROD_DEFAULT_PROFILE=false
SILENT_ENABLE_DEV_PROFILE=false
#IP addresses from which Administrator can be accessed.
SILENT_ADMIN_IP=
#IP address of the CF installed machine through which PDFG/Solr service would be accessed remotely.
SILENT_JETTY_IP=
SILENT_ADMIN_USERNAME=admin
SILENT_ADMIN_PASSWORD=${JETTY_PASSWORD} (I have given the actual password here)
SILENT_ENABLE_RDS=false
SILENT_RUNTIME_USER=
#Provide password when enable RDS is true
SILENT_RDS_PASSWORD=${JETTY_PASSWORD} (I have given the actual password here)
#username/password of remote administrator component for server remote start/stop
SILENT_JETTY_USERNAME=admin
SILENT_JETTY_PASSWORD=${JETTY_PASSWORD} (I have given the actual password here)
#Context Root for J2ee Installation
SILENT_CONTEXT_ROOT=
SILENT_AUTO_ENABLE_UPDATES=false
SILENT_PREV_CF_MIGR_DIR=/opt/web
ENABLE_RDS=false
ENABLE_WSRP=false
ENABLE_JSDEBUG=false
ENABLE_CFR=false
ENABLE_CFSWF=false
I'm trying to double check everything to see if I missed anything but would appreciate your guidance.
If you say that changing the admin password in the CF Admin "doesn't work", then I WOULD think this is a "perm issue". Let's talk about that.
First, I see you have no value for the silent install line for runtime_user. As such, what user would you expect CF to be running as? Have you done a top or ps (or the like) to see what user the coldfusion process is in fact running as? And does that user (whatever it is) have permissions to edit the cfusion/lib folder, and especially the password.properties (where the password is stored, encrypted) and other neo*.xml files which get modified when one makes a change in the CF Admin?
The commandline passwordreset.sh would ALSO modify that file. When you ran that at the command line, what user were YOU running as? And what if you used sudo to prefix that? Then that would run as the root user--who should DEFINITELY have the needed permissions to change that password.properties file.
Let's hear what you may find or say, before proceeding with more thoughts.
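The permission check asked about in the post above, as an added example that is not part of the original thread: it reports which of password.properties and the neo*.xml files a given account cannot write, using mode bits only. The lib folder path, the account ids and the sample file names and modes in `demo()` are constructed assumptions.

```python
import glob
import os
import stat
import tempfile


def unwritable_admin_files(lib_dir, uid, gids):
    """Names of password.properties / neo*.xml under lib_dir that the account
    (uid, gids) cannot write, judged by owner/group/other mode bits only
    (POSIX ACLs and SELinux are not evaluated)."""
    paths = glob.glob(os.path.join(lib_dir, "neo*.xml"))
    paths.append(os.path.join(lib_dir, "password.properties"))
    blocked = []
    for path in sorted(paths):
        name = os.path.basename(path)
        try:
            st = os.stat(path)
        except FileNotFoundError:
            blocked.append(name + " (missing)")
            continue
        if uid == 0:
            continue  # root is not limited by mode bits
        if st.st_uid == uid:
            writable = st.st_mode & stat.S_IWUSR
        elif st.st_gid in gids:
            writable = st.st_mode & stat.S_IWGRP
        else:
            writable = st.st_mode & stat.S_IWOTH
        if not writable:
            blocked.append(name)
    return blocked


def demo():
    """Build a constructed lib folder and check it for its owner and for a
    second, hypothetical account that only shares the group."""
    modes = {"password.properties": 0o600, "neo-security.xml": 0o644,
             "neo-runtime.xml": 0o664}
    with tempfile.TemporaryDirectory() as lib:
        for name, mode in modes.items():
            path = os.path.join(lib, name)
            open(path, "w").close()
            os.chmod(path, mode)
        st = os.stat(os.path.join(lib, "password.properties"))
        owner = unwritable_admin_files(lib, st.st_uid, {st.st_gid})
        other = unwritable_admin_files(lib, st.st_uid + 1, {st.st_gid})
    return owner, other
```

On a real server, pass the uid and group ids of the account that ps shows for the ColdFusion process, together with the path of its lib folder.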
I had the port number mentioned along with my URL, hence the 403 error. I'm able to login with creds after removing the port number (FYI 8443). Thanks again for providing your thoughts and inputs.
Wait, what? You do have to use a port to access the cf admin (at least, by default since cf2016). So you had 8443 (which is the default port if you use https), and you got a 403, and now you're not using that.
But what are you using now, 8500? That is the default if you are NOT using https. If so, I'd be curious why you didn't use that in the first place.
Since we've spent a week and considered a lot (based solely on what you'd offered), it could help bring this to a nice conclusion for all of us following along. Thx.
I understand 8500 port is the default one for CF but we decided to run CF via tomcat on port 8443. Also, after double checking the server.xml I realized that port 8443 is being proxied over 443 as I have setup accessing via ssl through apache web server. I confirm that the denial is because of the proxyPort attribute being added on the tomcat server.xml file. Hope that makes sense now.
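The post above traces the 403 to a proxyPort attribute on the Tomcat connector. As an added example (not part of the original thread), this lists each Connector's listening port next to the port Tomcat returns from request.getServerPort(), and flags URLs that address the listening port directly. The server.xml content and the host name cf.example.test are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed server.xml; the ports mirror the thread (8443 proxied as 443).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" scheme="https" secure="true"
               proxyPort="443" />
    <Connector port="8500" protocol="HTTP/1.1" />
  </Service>
</Server>"""


def connector_port_view(server_xml):
    """Per Connector: the port it listens on and the port Tomcat returns from
    request.getServerPort() (proxyPort when set, else None = from the request)."""
    rows = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        proxy = conn.get("proxyPort")
        rows.append({
            "listen": int(conn.get("port")),
            "scheme": conn.get("scheme", "http"),
            "reported_port": int(proxy) if proxy else None,
            "proxy_name": conn.get("proxyName"),
        })
    return rows


def mismatched_listeners(url, rows):
    """Listening ports that match the URL's port while the connector reports a
    different port to the application (i.e. the proxy is being bypassed)."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return [r["listen"] for r in rows
            if r["listen"] == port and r["reported_port"] not in (None, port)]


if __name__ == "__main__":
    view = connector_port_view(SAMPLE_SERVER_XML)
    for url in ("https://cf.example.test:8443/CFIDE/administrator/index.cfm",
                "https://cf.example.test/CFIDE/administrator/index.cfm"):
        print(url, "->", mismatched_listeners(url, view) or "no mismatch")
```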
Have you configured the connector? Just a thought.
Bkbk, the connector has no bearing on the cf admin, let alone the setting of cf admin passwords. If you're thinking of something I'm somehow not seeing, I'd appreciate hearing it. If it was just a "hail mary pass", as a last resort for Manoj to consider, I guess we'll wait to hear how things go.
You might get a 403 error if you configured https, but launched the Administrator on http. Again, just a thought.
Bkbk, that https matter is indeed what Manoj reported yesterday had been the cause.