cat_zilla13
Community Beginner
‎Feb 01, 2024
03:53 PM
Without knowing anything about your environment, I can't give specific instructions. I basically went back to the ColdFusion installation and lockdown guides as reference and tried to restore the original config, since ColdFusion installs CF Admin on Tomcat by default. I ended up having to open a port on our server for Tomcat/CF Admin to separate it from our external webserver. All references to the CF Admin URL were removed from the external webserver configuration and I uncommented the Connector tag in $CFUSION_HOME/runtime/conf/server.xml. Since we require a secure HTTPS connection to CF Admin, I had to create a Java truststore and import the server certificate, then updated the Connector in server.xml to point at the truststore.
‎Nov 01, 2023
12:20 PM
My thanks once again to @Charlie Arehart and @Brian__ for the guidance. Long story short, I've got CF Admin back on Tomcat and SSL/TLS-enabled. Once again, I would like to point out the lack of documentation for importing an existing certificate and CA chain into the Tomcat trust store. The Lockdown Guide only covers self-signed certs, which doesn't meet security standards.
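The steps the Feb 2024 and Nov 2023 posts above describe (building a store from an existing certificate plus CA chain, then giving CF Admin its own TLS Connector in server.xml), as an added example script that is not code from the thread or from Adobe; the port 8443, file names, alias and password are assumptions, and the throwaway CA it generates stands in for the real issued certificate.

```bash
#!/bin/sh
# Added example, not code from the thread: bundle an existing server key, its
# certificate and the CA chain into a PKCS12 keystore, verify the import, and
# emit the Tomcat 9 HTTPS <Connector> for $CFUSION_HOME/runtime/conf/server.xml.
# Port, paths and password are assumptions; requires the openssl CLI.
set -eu

# Key + leaf certificate + CA chain -> one PKCS12 keystore with alias "cfadmin".
build_keystore() {
  key=$1; cert=$2; chain=$3; out=$4; pass=$5
  openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
      -name cfadmin -out "$out" -passout "pass:$pass"
}

# Number of certificates in the keystore; leaf plus chain should all be present.
keystore_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
      | grep -c 'BEGIN CERTIFICATE'
}

# Connector serving CF Admin over TLS 1.2/1.3 on its own port, separate from
# the external web server's AJP path.
connector_xml() {
  port=$1; store=$2; pass=$3
  cat <<EOF
<Connector port="$port" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
  <SSLHostConfig protocols="TLSv1.2,TLSv1.3">
    <Certificate certificateKeystoreFile="$store"
                 certificateKeystoreType="PKCS12"
                 certificateKeystorePassword="$pass" type="RSA"/>
  </SSLHostConfig>
</Connector>
EOF
}

# Constructed throwaway CA and leaf so the script runs offline; in production
# use the key and certificate issued for the CF Admin host name instead.
make_sample_pki() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample CA" \
      -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=cfadmin.example.internal" \
      -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$dir/server.csr" -CA "$dir/ca.pem" \
      -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/server.pem" 2>/dev/null
}
```

Restrict the chosen port with the same firewall/allowed-IP rules the thread mentions; the Connector only moves CF Admin off the external web server, it does not limit who can reach it.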
‎Oct 19, 2023
09:21 AM
@Brian__ Very nice summary of connectors. However, you discuss "if you don't need remote access to CF Admin", but leave out what to do if you _do_ need remote access. We run on a hosted IAAS Linux platform with Apache web server. I can't run CF Admin on localhost. We have used an external web server to host CF Admin for longer than I've been on the project, making use of the Apache Tomcat AJP Connector. We have a separate URL for CF Admin with an SSL certificate, and employ firewall/proxy rules and allowed IP addresses to restrict access. While it is true that wsconfig now creates backups of the modified files when creating a new connector, doesn't reverting to an older connector sort of defeat the purpose of upgrading Tomcat? You state that URIs beginning with /CFIDE are blocked in the new connector. Is that inherently built into the new library? Or is it a config setting somewhere that can be disabled? Is there any recourse for those of us who need CF Admin somewhere but are discouraged from running an outdated Tomcat due to security concerns?
‎Oct 18, 2023
12:31 PM
Sorry, in answer to an earlier question, yes we use the sandbox feature.
‎Oct 18, 2023
12:05 PM
> "I've got nothing to point to, other than the fact that Adobe HAS both enabled that built-in web server by default AND blocked admin access via iis or apache since cf2016--now 7 years ago, and they have not changed that since."

Respectfully, that seems inaccurate, as my organization has been following the STIG guideline for several years to disable CF Admin on the built-in server and configure it to run on external Apache. This has been done in CF 2016, CF 2018 and now CF 2021. It has been working without issue right up until update 11. Specifically, it was recreating the Connector which broke it, not the actual patch. I don't suppose you know _how_ CF Admin is being blocked?

> "While the built-in server can be used to continually host the Administrator Console, this is not the best practice since the server is not guaranteed to be patched and upgraded".

This is the crux of the argument used by my organization's security team for running CF Admin on an external web server. Even with the latest update, Tomcat is only now patched up to 9.0.78, which leaves several potentially open vulnerabilities which have been addressed in the current version 9.0.82.

> "Moving the Administrator Console to Apache and IIS is well documented in the Adobe ColdFusion Lockdown Guide"
> Um, no, it is not. Not a word about that since the cf2016 guide which last covered it in its section 2.23 for iis and 5.8 for apache.

I certainly can't argue with that.
‎Oct 17, 2023
12:45 PM
@Charlie Arehart I am in the same situation as @neowire in that I am expected to set up our CF 2021 environment in accordance with the outdated CF11 STIG where other documentation is not available to provide as evidence. I have been able to point to the Adobe ColdFusion 2021 Lockdown Guide 1.1 for some updated recommendations, but there is no specific documentation from Adobe that I can find that indicates that the built-in web server is now preferable to using IIS/Apache for accessing CF Admin, and that the original reason for disabling Tomcat for CF Admin is no longer applicable. For reference, the discussion text in the STIG:

> Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. The built-in TomCat Web Server is used to host the Administrator Console and is used for initial setup. While the built-in server can be used to continually host the Administrator Console, this is not the best practice since the server is not guaranteed to be patched and upgraded, implementing TLS is not well documented, allowing for poor implementations, and commercial web servers offer better logging. To enable the Administrator Console to still operate and disable the built-in TomCat Web Server, the Administrator Console application must be moved to the web server (i.e., IIS, Apache, IBM HTTP Server, etc.) hosting the ColdFusion applications. Moving the Administrator Console to Apache and IIS is well documented in the Adobe ColdFusion Lockdown Guide.

If there is documented evidence from Adobe that indicates the built-in server is the way to go, point me at it! However, without said evidence, I'm stuck with disabling Tomcat for CF Admin, which apparently doesn't work for CF 2021 update 11. Open to suggestions.