cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
search
  • Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
2
Upvote

CF2016 securing CFIDE/administrator with TLS

jbrock777
Explorer ,
Aug 02, 2016 Aug 02, 2016

Copy link to clipboard

Copied

Hello Community!

   I recently began working on a POC with CF2016 and was a little shocked to learn that the defacto method of getting to the /CFIDE/administrator was via localhost through SSH Tunneling (Per lockdown pdf).

   The out of the box alternative to ssh tunneling was to punch a hole in the firewall for port 8500.  Security be damned!

   Both of these methods were unacceptable (seriously adobe!).  Thus began a 2 day deep dive into a flawed Java product.

   In stead of boring you with a 14 hour deep dive as to everything that didn't work - here is what did work :

PreReqs :

RHEL 7 X64 Minimum install

Coldfusion2016 Enterprise Edition patched to 2016.0.02.299200

Tomcat Version 8.0.32.0

Java JRE Server 1.8.0_102

Firewalld Rule for 8443/tcp allowed from Devops Team

Steps :

1. Download latest JRE 8 Server edition to /opt/coldfusion2016/   (Update CF JVM path to match i.e. /opt/coldfusion2016/jdk1.8.0_102/jre/ )

2. Download and deploy Unlimited Strength Jurisdiction Policy Files

3. Generate Self Signed Cert using new JRE

sudo /opt/coldfusion2016/jdk1.8.0_102/jre/bin/keytool -genkey -keyalg RSA -alias test -keystore /etc/ssl/certs/keystore.jks -storepass yourpass -validity 1825 -keysize 2048

4. Setup Tomcat Connector with limited cipher list (No Elliptic Curves) in /opt/coldfusion2016/cfusion/runtime/conf/server.xml

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"

               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"

               clientAuth="false"

               keyAlias="test"

               keystoreFile="/etc/ssl/certs/keystore.jks"

               keystorePass="yourpass"

               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"

               useServerCipherSuiteOrder="true"

               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,

                        TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,

                        SSL_RSA_WITH_RC4_128_SHA" />

5. Restart Coldfusion

sudo service coldfusion_2016 restart

6. Continue on your merry way!

Adobe CF Dev Team - if you are reading - PLEASE deploy encryption with the Tomcat Dedicated Server for Administering CF.  Perhaps a Self Signed Cert option during the install wizard after choosing to deploy the server secure profile etc...  Or - update your LockDown CF guide to include a working method (see above) to secure the dedicated server...

Views

1.3K

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines

correct answers 1 Correct answer

pete_freitag
Enthusiast , Aug 22, 2017 Aug 22, 2017

Hi,

You are correct that there were some issues with getting TLS to work properly on the builtin web server with CF2016 up through update 2. I did some digging and found the problem to be due to an issue in the RSA BSafe Crypto-J Provider. This is the third party java cryptography provider that ships with ColdFusion.  I reported this to Adobe and they confirmed that it was the cause of the problem.

Adobe has fixed the issue in ColdFusion 2016 update 3 by updating the crypto-j jars (version 6.2.1 f

...

Votes

Translate

Translate
replies 2 Replies 2
latest latest Jump to latest reply
AlexZimm
New Here ,
Aug 02, 2016 Aug 02, 2016

Copy link to clipboard

Copied

Amen!

This post should be pinned!

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
pete_freitag
Enthusiast ,
Aug 22, 2017 Aug 22, 2017

Copy link to clipboard

Copied

LATEST

Hi,

You are correct that there were some issues with getting TLS to work properly on the builtin web server with CF2016 up through update 2. I did some digging and found the problem to be due to an issue in the RSA BSafe Crypto-J Provider. This is the third party java cryptography provider that ships with ColdFusion.  I reported this to Adobe and they confirmed that it was the cause of the problem.

Adobe has fixed the issue in ColdFusion 2016 update 3 by updating the crypto-j jars (version 6.2.1 fixes the issue). So if you update to the latest version of CF2016 you should no longer need to disable the elliptic curve ciphers to get TLS working.

Also you can expect an update to the lockdown guide with instructions on enabling HTTPS / TLS on the built-in web server now that this issue is fixed.

--

Pete Freitag

Foundeo Inc.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation
ColdFusion User Guide
Copyright © 2023 Adobe. All rights reserved.
Using the Community Experience League Terms of Use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices