Skip to main content
M
michaelf34344382
Inspiring
July 15, 2021
Answered

ColdFusion 2021 conflict between Sandbox Security and Java 11.0.11

  • July 15, 2021
  • 2 replies
  • 4341 views

Have installed ColdFusion 2021 with update 1, on 64-bit Windows server 2019 Datacenter.  I can either run it with Java 11.0.11 from Adobe, or with sandbox security (with Java 11.0.1), but the ColdFusion Application Service will not start if I have both Java 11.0.11 and sandbox security.

This topic has been closed for replies.
Correct answer Charlie Arehart

Hi, guys. I can offer a workaround for now. (I've confirmed experiencing the same issue, that CF won't start if running Java 11.0.11 with CF Sandbox Security enabled.) The workaround is to add this JVM argument to the CF startup args (in CF's jvm.config or the java args in the CF Admin), and then restart CF):

-Djdk.lang.Process.allowAmbiguousCommands=true

 

As for what led me to even consider that, you can see it's new for Java 11.0.11 specifically, and it's purpose discussed briefly as one of the "other notes" in the release notes for Java 11.0.11. You'll see also that it's specific to when a Java "security manager" is enabled.

 

When we enable the CF Sandbox Security feature, we are indeed causing CF to enable that java security manager, which CF configures for us.

 

As for why the arg to "allowAmbiguousCommands" is needed with CF, we will likely need to leave that with Priyank and the team to sort out. Perhaps there's something that CF startup code is doing that trips over the problem, which this change fixes, but which ultimately they can correct so the arg is no longer needed.

 

As for looking into the issue further, I'll note a couple other things:

  • Priyank, wouldn't that message you show mean not that the sql server module was hanging things up (since it says it was "not installed"), but ratehr that whatever would have been NEXT to be loaded, or processed in the startup? FWIW, when I look at my own cf2021 setup (full install), the logs show that the odbc module would have been loaded next. Micheal or Priyank, I'd be curious when you look at your working implementation (with 11.0.1), what do you show in the logs as being loaded after the sql server module?
  • FWIW, I can confirm this is indeed definitely about 11.0.11. I tried using 11.0.10 with Sandbox Security, and all worked. 
  • And in case any may ask, this is NOT about the new "feature" added in 11.0.11, whereby the JVM (and therefore CF) is not allowed to call out to servers running TLS 1.1 or 1.0. While there is provision in the JVM update to configure the JVM to allow such calls (see any of many resources on that, from the JVM 11.0.11 release notes to blog posts from Pete Freitag and myself), I can confirm that I made that change, and still CF would not start with 11.0.11 and Sandbox enabled--unless I added that arg above.

 

But while we await Adobe resolving the root cause, this workaround will at least allow you to run 11.0.11 while also using the Security Manager. I'd love to hear from either of you if you confirm this and/or find any issues I have not.

2 replies

Charlie Arehart
Charlie ArehartCorrect answer
Adobe Expert
July 16, 2021

Hi, guys. I can offer a workaround for now. (I've confirmed experiencing the same issue, that CF won't start if running Java 11.0.11 with CF Sandbox Security enabled.) The workaround is to add this JVM argument to the CF startup args (in CF's jvm.config or the java args in the CF Admin), and then restart CF):

-Djdk.lang.Process.allowAmbiguousCommands=true

 

As for what led me to even consider that, you can see it's new for Java 11.0.11 specifically, and it's purpose discussed briefly as one of the "other notes" in the release notes for Java 11.0.11. You'll see also that it's specific to when a Java "security manager" is enabled.

 

When we enable the CF Sandbox Security feature, we are indeed causing CF to enable that java security manager, which CF configures for us.

 

As for why the arg to "allowAmbiguousCommands" is needed with CF, we will likely need to leave that with Priyank and the team to sort out. Perhaps there's something that CF startup code is doing that trips over the problem, which this change fixes, but which ultimately they can correct so the arg is no longer needed.

 

As for looking into the issue further, I'll note a couple other things:

  • Priyank, wouldn't that message you show mean not that the sql server module was hanging things up (since it says it was "not installed"), but ratehr that whatever would have been NEXT to be loaded, or processed in the startup? FWIW, when I look at my own cf2021 setup (full install), the logs show that the odbc module would have been loaded next. Micheal or Priyank, I'd be curious when you look at your working implementation (with 11.0.1), what do you show in the logs as being loaded after the sql server module?
  • FWIW, I can confirm this is indeed definitely about 11.0.11. I tried using 11.0.10 with Sandbox Security, and all worked. 
  • And in case any may ask, this is NOT about the new "feature" added in 11.0.11, whereby the JVM (and therefore CF) is not allowed to call out to servers running TLS 1.1 or 1.0. While there is provision in the JVM update to configure the JVM to allow such calls (see any of many resources on that, from the JVM 11.0.11 release notes to blog posts from Pete Freitag and myself), I can confirm that I made that change, and still CF would not start with 11.0.11 and Sandbox enabled--unless I added that arg above.

 

But while we await Adobe resolving the root cause, this workaround will at least allow you to run 11.0.11 while also using the Security Manager. I'd love to hear from either of you if you confirm this and/or find any issues I have not.

/Charlie (troubleshooter, carehart. org)
    Priyank Shrivastava.
    Community Manager
    Priyank Shrivastava.Community Manager
    Community Manager
    July 16, 2021

    Hi Charlie,

     

    I tried the argument which you shared and indeed it worked so Thank you for that. I wanted to show Michael, that is getting stuck at some point. My intention was not to point to a particular package. Before I responded to the above thread and opened a bug, I tried this in 2 different machines and it was getting stuck in different packages or loading another module. So it was clear to me that it is not the package but something else is causing the issue. I did not mention this in the bug that I opened internally. 

     

     

     

    Thanks,Priyank Shrivastava
    Charlie Arehart
    Charlie Arehart
    Adobe Expert
    July 17, 2021

    Great to hear.

     

    And while you say here, "My intention was not to point to a particular package", it was simply because you had said, "it is getting stuck at sql server" that I commented on that at all. 🙂 But thanks for the clarification.

     

    Finally, I hope we hear from Michael confirming it works for him, and then we'll await word from you on if the team may find what was amiss. 

    /Charlie (troubleshooter, carehart. org)
    Priyank Shrivastava.
    Community Manager
    Priyank Shrivastava.Community Manager
    Community Manager
    July 15, 2021

    Hi Michael,

     

    Let me try this.

     

    Thanks,Priyank Shrivastava
    M
    michaelf34344382Author
    Inspiring
    July 15, 2021

    Thanks!

    Terms & ConditionsAccessibility statement
    Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices