CF2016 securing CFIDE/administrator with TLS

Explorer,
Aug 02, 2016

Hello Community!

I recently began working on a POC with CF2016 and was a little shocked to learn that the de facto method of getting to /CFIDE/administrator was via localhost through SSH tunneling (per the lockdown PDF).

The out-of-the-box alternative to SSH tunneling was to punch a hole in the firewall for port 8500. Security be damned!

Both of these methods were unacceptable (seriously, Adobe!). Thus began a 2-day deep dive into a flawed Java product.

Instead of boring you with a 14-hour deep dive into everything that didn't work, here is what did work:

Prereqs:

RHEL 7 x64 minimal install

ColdFusion 2016 Enterprise Edition patched to 2016.0.02.299200

Tomcat 8.0.32.0

Java JRE Server 1.8.0_102

firewalld rule for 8443/tcp allowed from the DevOps team

Steps:

1. Download the latest JRE 8 Server edition to /opt/coldfusion2016/ (update the CF JVM path to match, i.e. /opt/coldfusion2016/jdk1.8.0_102/jre/).

2. Download and deploy the Unlimited Strength Jurisdiction Policy Files.

3. Generate a self-signed cert using the new JRE:

sudo /opt/coldfusion2016/jdk1.8.0_102/jre/bin/keytool -genkey -keyalg RSA -alias test -keystore /etc/ssl/certs/keystore.jks -storepass yourpass -validity 1825 -keysize 2048

4. Set up the Tomcat Connector with a limited cipher list (no elliptic curves) in /opt/coldfusion2016/cfusion/runtime/conf/server.xml:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false"
           keyAlias="test"
           keystoreFile="/etc/ssl/certs/keystore.jks"
           keystorePass="yourpass"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           useServerCipherSuiteOrder="true"
           ciphers="TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,
                    TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,
                    SSL_RSA_WITH_RC4_128_SHA" />

5. Restart ColdFusion:

sudo service coldfusion_2016 restart

6. Continue on your merry way!

Adobe CF Dev Team, if you are reading: PLEASE deploy encryption with the Tomcat dedicated server for administering CF. Perhaps a self-signed cert option during the install wizard after choosing to deploy the server secure profile, etc. Or update your CF Lockdown Guide to include a working method (see above) to secure the dedicated server...
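A configuration audit for the Connector above, added here as an example and not code from the original post or from Adobe: it parses a constructed server.xml fragment modelled on the one in the post and lists what a reviewer would flag before opening 8443 to the DevOps team (TLSv1/1.1 enabled, the RC4 suite, static-RSA suites with no forward secrecy, the keystore password in server.xml, and the plaintext connector on 8500). The marker lists and finding wording are my own assumptions, not Tomcat's.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment modelled on the Connector in the post (not a real config).
SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
    clientAuth="false" keyAlias="test"
    keystoreFile="/etc/ssl/certs/keystore.jks" keystorePass="yourpass"
    sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" useServerCipherSuiteOrder="true"
    ciphers="TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,
             TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,
             SSL_RSA_WITH_RC4_128_SHA" />
<Connector port="8500" protocol="HTTP/1.1" />
</Service></Server>"""

LEGACY_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")  # substrings of broken/weak suite names


def split_list(value):
    """Tomcat reads these attributes as comma-separated; surrounding whitespace is ignored."""
    return [item.strip() for item in value.split(",") if item.strip()]


def audit_connector(conn):
    """Return the findings for one <Connector> element as a list of strings."""
    port = conn.get("port")
    if conn.get("SSLEnabled", "false").lower() != "true":
        return [f"port {port}: plaintext HTTP connector (no SSLEnabled)"]
    findings = []
    for proto in split_list(conn.get("sslEnabledProtocols", "")):
        if proto in LEGACY_PROTOCOLS:
            findings.append(f"port {port}: legacy protocol enabled: {proto}")
    for suite in split_list(conn.get("ciphers", "")):
        if any(marker in suite for marker in WEAK_MARKERS):
            findings.append(f"port {port}: weak cipher suite: {suite}")
        elif "DHE" not in suite:  # static RSA key exchange: no forward secrecy
            findings.append(f"port {port}: no forward secrecy: {suite}")
    if conn.get("keystorePass"):
        findings.append(f"port {port}: keystore password stored in server.xml")
    return findings


def audit(xml_text):
    """Audit every Connector in a server.xml document."""
    root = ET.fromstring(xml_text)
    return [f for conn in root.iter("Connector") for f in audit_connector(conn)]


if __name__ == "__main__":
    for finding in audit(SERVER_XML):
        print(finding)
```

Once the Crypto-J fix from update 3 (see the reply below) is in place, ECDHE suites clear the forward-secrecy findings and TLSv1.2 alone clears the protocol ones.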

New Here,
Aug 02, 2016

Amen!

This post should be pinned!

Enthusiast,
Aug 22, 2017

Hi,

You are correct that there were some issues with getting TLS to work properly on the built-in web server with CF2016 up through update 2. I did some digging and found the problem to be due to an issue in the RSA BSafe Crypto-J provider. This is the third-party Java cryptography provider that ships with ColdFusion. I reported this to Adobe and they confirmed that it was the cause of the problem.

Adobe has fixed the issue in ColdFusion 2016 update 3 by updating the Crypto-J jars (version 6.2.1 fixes the issue). So if you update to the latest version of CF2016 you should no longer need to disable the elliptic curve ciphers to get TLS working.

Also you can expect an update to the lockdown guide with instructions on enabling HTTPS / TLS on the built-in web server now that this issue is fixed.

--

Pete Freitag

Foundeo Inc.