Oct 5, 2017

Lessons Learned From Equifax

After watching some of the Congressional Hearing on the Equifax breach,  and reading articles such as https://www.engadget.com/2017/10/03/former-equifax-ceo-blames-breach-on-one-it-employee/ a few things come to mind.

One, it is a powerful reminder on how vigilant you need to be with keeping all products patched that are running on your server.

Make sure you your security team is being notified of all products security alerts, including ColdFusion.

Second, I think an area that is being missed is that the application that was breached was the Credit Score Dispute application.  That type of application should not have access to the Personal Identifiable Information, PII, database. If Equifax would have sandboxed that application better, the malicious hackers would have not been able to get to the honeypot of data.

It appears like the Credit Dispute application had a JDBC connection to the database storing the PII and thru that connection they retrieved that database schema and soon were running queries.  The congressional hearing never went into this line of questioning, I would say that this is more likely the reason the breach was so large.  If the PII database was better protected the Credit Dispute application would never been able to query the PII information.

One account I have worked with implemented an Application Tier and a Data Tier API for exactly this type of protection  If an application needed to get data it needed to send its application based credentials  for every call.  This gave them controls at the application level,  nobody could talk directly to the database, they had to go thru the Data Tier with all the security rules and tracing in place.

 If you store PII, it might be a good time to review your public sites,  make sure your DSNs are properly protected.  Think about ways to sandbox customer facing applications so that if they are breached, you still have additional barriers before they can access your PII.

Oct 4, 2017

ColdFusion and the Built-In Tomcat Clustering

Ever since ColdFusion 10 Tomcat has been the default J2EE Servlet engine, prior to that it was JRun.  One feature that carried forward with the Enterprise edition is the ability to Cluster running ColdFusion server instances.  This article will try and breakdown what happens when you use clustering and when you might want to use, if at all.

There are 2 basic components to what is referred to as Clustering.

  1. Request Load Balancing between all the peers in the cluster
  2. ability for peers to share the session scope also called in-memory session replication
Session replication is managed in the <servername>\runtime\conf\server.xml file.  The main reason for this file is to define the TCPIP multicast port so all the peers can communicate and know when they are online.

Load Balancing is accomplished using 2 Connector settings files:
  1. Worker.properties file where the server instances are defined
  2. URIWorkerMap.properties file is where the load balancing is defined
Note: You do not need any session replication in order to do Tomcat Connector Load Balancing, but as of now if you define a Cluster in ColdFusion you will have both of the above defined for you.

When you define a cluster in ColdFusion Enterprise the administrator will take care of editing all the above files to setup your cluster with the correct settings.

Peers can be local or remote servers.

  • Session replication or sticky sessions are not required when the session storage is pointed externally to Redis on each cluster member.   Redis was added with ColdFusion 2016 as an alternate way of storing the session scope.
  • If using in-memory replication you need to use J2EE Sessions for session replication or sticky sessions. All instances participating in the cluster must use J2EE sessions. Therefore, you will need to go to Server Settings ---> Memory Variables and check "Use J2EE session variables" for each cluster member.
In-memory Session Replication
As I stated above the only reason to use the multicast port setup is for in-memory session replication.  This feature works but it still takes time to get all the servers synched for every session variable change on all the cluster peers.  I would not recommend this for production servers.  The replication creates all kinds of traffic, and you never really know how fast all the sessions are synch'd.  If you have a server go down, it is not 100% that it will be a seamless hand-off, which is kind of the point to replicating in the first place.  

Sharing Sessions
There are several ways to share session or user info across servers:
  1. Redis if you have ColdFusion 2016
  2. Client Scope saved to Database
  3. Distributed EHCache
  4. Custom DB call
The easiest approach that is tried and true and does not add much overhead is to simply use the client scope, and have the Client scope defined in the ColdFusion Administrator to be saved to the database.

More advanced solutions like Redis and EHCache are out there but will likely take some time to implements and test.

Tomcat Connector Load Balancing
The load balancing that is defined is typically for instances on the same server, although it can just as easily point to remote instances.  If you have a hardware load balancer, like an F5, you probably may not need Connector based load balancing.  

The files that control the load balancing are located inside 2 files mentioned above and created when you define your connector.  

Important: If you ever upgrade your connector these settings will be removed,  so make sure to keep backups.  As of ColdFusion 11 Updater 4, CF will now archive your old connector settings.  It still clears them out, but at least they are not lost.  You will need to rebuild them as they were to get load balancing back.

HAProxy - An Open Source Software based Server Load Balancer
As an alternative to Connector load balancer you might look at using a product called HAProxy to route requests.  It has similar features as F5 but it is all software based.

If you did use HAProxy you would likely not define any Clustering in ColdFusion at all.

Using the ColdFusion Admin to only Define Load Balancing
If you only want to do load balancing, I have found that you can use the Clustering page in the admin and define your cluster, then once it is saved, you can then remove or comment out the Clustering section in the <servername>\runtime\conf\server.xml file.  The result will be that you will have the Load Balancing settings completed for you.  The server will not try to find other servers, and potentially replicate sessions.

I have found that if an application is worthy of clustering, it usually will be placed under an F5 like hardware device for load balancer.  However, if for some reason you don't have access to an F5 or want to have more granular control of routing requests then setting up Load Balancing with Tomcat is a great way to do it.

I would not recommend using the multicast server peer discovery for session replication.  You can share session information in many more reliable ways.

Docker and containers are changing everything with deploying, scaling and session management, I will try and write an article building on this one for Docker soon.

Oct 3, 2017

Good Advice from the Apache Struts Team on keeping your Servers Patched

If you have been tracking the recent Equifax breach, it should remind all IT professionals to always have someone dedicated to keeping servers properly updated. 

I found this article and I thought the below advice from the Apache Struts team applies to any J2EE server.  It seems to apply to any publicly accessible Web or Application server product.

Please note that ColdFusion does NOT use any portion of Apache Struts.

The below advice can be found inside the complete article.here:

Our general advice to businesses and individuals utilizing Apache Struts as well as any other open or closed source supporting library in their software products and services is as follows:

1. Understand which supporting frameworks and libraries are used in your software products and in which versions. Keep track of security announcements affecting this products and versions.

2. Establish a process to quickly roll out a security fix release of your software product once supporting frameworks or libraries needs to be updated for security reasons. Best is to think in terms of hours or a few days, not weeks or months. Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years.

3. Any complex software contains flaws. Don't build your security policy on the assumption that supporting software products are flawless, especially in terms of security vulnerabilities.

4. Establish security layers. It is good software engineering practice to have individually secured layers behind a public-facing presentation layer such as the Apache Struts framework. A breach into the presentation layer should never empower access to significant or even all back-end information resources. 

5. Establish monitoring for unusual access patterns to your public Web resources. Nowadays there are a lot of open source and commercial products available to detect such patterns and give alerts. We recommend such monitoring as good operations practice for business critical Web-based services.

Once followed, these recommendations help to prevent breaches such as unfortunately experienced by Equifax.
For the Apache Struts Project Management Committee,

René Gielen
Vice President, Apache Struts 

Oct 2, 2017

Building Dynamic Documents and Letters for Printing and Archiving with ColdFusion

I was recently on a LiveCycle project that involved created financial documents which were of legal significance.  Every sentence needed legal approval as each state would have different legal requirements on many different conditions.

The process worked well, but I kept thinking if the same process could be done using ColdFusion as well.  The below breaks down the workflow using LiveCycle and how I can see it done with ColdFusion.

In the end the result of the process was a PDF that was then printed and mailed.

LiveCycle Dynamic Letter Process ending in a PDF

  1. Business Analyst creates the letter in Word, using colors and tracking comments to describe all the conditions.
  2. The letter is sent to Legal for approval, once approved move to step 3.
  3. The letter is then created in LC Designer or AEM Designer, using an LC Designer developer
    1. The LC PDF uses embedded Javascript to handle the conditions based on XML values passed into the document.
    2. Conditions maybe things like state and different program types as well as numeric values.
  4. Another team of developers would create the server side scripts to create the input xml used in the LiveCycle Process
  5. Once the letter was completed it is placed in the LiveCycle Repositiry
  6. To create the letter a REST call would be made to LC Process Endpoint, passing in the XML created in step 4 along with what template needs to be created, and the process produces a PDF 
  7. The letter was then returned for printing and archiving.

So how could we do this with ColdFusion assuming the keeping the process close to the above.  It is likely you will need to adapt to your needs.

This could all be done in CF using AEM Designer.
  1. Business Analyst creates the letter in Word, using colors and tracking comments to describe all the conditions.
  2. The letter is sent to Legal for approval, once approved move to step 3.
  3. The letter is then created in LC Designer or AEM Designer, using an LC Designer developer
    1. The LC PDF uses embedded Javascript to handle the conditions based on XML values passed into the document.
    2. Conditions maybe things like state and different program types as well as numeric values.
  4. A CF developer creates the script to create the xml to be included when the pdf is requested.
  5. Once complete the letter would be placed into a resource folder.
  6. To create the letter a REST call, or any cf call, would be requested, which would cfinclude the script in generate the XMLValues.
  7. The letter was then returned for printing and archiving.
The CF code to replace LC and step 6 wold look similar to the below.

I found that you need to save the LiveCycle PDF inside AEM Designer as STATIC as opposed to Dynamic in order for cfpdfform to be able to work with the PDF.

In the below example I am reading straight from the LiveCycle Repository.

<cfif isdefined("form.generatepdf")>
    <cfpdfform action="populate"
        destination="#rootdir#\letters\#form.templatefilename#"  overwrite="true"
File: #rootdire#\letters\#form.templatefilename# was generated!

Right now you can download AEM Designer using the below link:

AEM Designer can be downloaded here:

Adobe seems to be posting the license number in this blog:

I'd recommend talking to Adobe on what their intentions are with licensing.

Summary of Using ColdFusion to Create Dynamic Financial Documents and Letters
Banks and Financial institutions invest heavily with enterprise solutions for creating dynamic documents and letters. Perhaps you have a scenario where this use case could apply.

The unique aspects with this use case are with the planning, legal approvals, and having the PDF use Javascript to manage all the conditions of each PDF. 

I think a high percentage of LiveCycle Forms processes can fit into a use case described above.  

Output service
You still may need to purchase LiveCycle Output for flattening and archival depending on your needs.  It all depends on your archive procedures.

Oct 1, 2017

Troubleshooting ColdFusion Server Outages with Unresponsive Server Alert

When I am working on a ColdFusion server issue that can't be easily identified I will define an Unresponsive Server Alert which also creates a stacktrace and is then emailed.

1. Open your ColdFusion Administrator
2. Open the Server Monitor
3. Go to the Alerts Tab
4. Select the Alert Configuration
5. Define the Alert as shown below.

Use 1 for server hung count as we are trying to capture the issue as soon as possible.  I will usually set it to 30 seconds but your time can vary based on the issue.

Important Note: In order to actually get a stack trace you need to have Monitoring turned on.
You do not need Profiling or Memory Tracking turned on.  In fact you should never turn on Memory Tracking in production.

Your top bar should look like the below.

Once you start to receive the stack traces you can start to identify patterns and hopefully get the issue solved. 

Lock Down your ColdFusion Connector

On my production servers I like to lock down all the Tomcat Connectors to only use a local address.

Each ColdFusion server has a file located in <servername>\runtime\conf\server.xml

In that file you will find Connector definitions,  for AJP or HTTP.  The AJP connectors are for your web server to communicate to ColdFusion.  The HTTP version are for in internal web server, typically used as a means to access the ColdFusion Administrator.

According to Tomcat documentation if you do not specify an address for the Connector, Tomcat will bind to all available IP addresses.

So if your web server is local there is no need to bind to anything other then localhost or

The default Connector looks like the following:

 <Connector  port="8016" protocol="AJP/1.3" redirectPort="8449" tomcatAuthentication="false" maxThreads="500" connectionTimeout="60000"/>

I like to add address="" so the end result looks like this:

 <Connector  address="" port="8016" protocol="AJP/1.3" redirectPort="8449" tomcatAuthentication="false" maxThreads="500" connectionTimeout="60000"/>

This locks the port 8016 to only

I would recommend this for all the Connector tags in the server.xml.

If you are using a remote web server, you can still use this feature to only bind to the actual IP the web server will be talking too.

Your ports will most likely be different and your maxthreads may be different.

Load Balancing, Failover and Scalability with ColdFusion

Here is a presentation I put together for CFSummit 2015 to review how to architect ColdFusion Servers for Load Balancing, Failover and Scalability.

Slides are located here:

Basic CRUD between ColdFusion and AngularJS 1.x

Here is a link to a ColdFusion presentation I did at the CFSummit talking about using ColdFusion as the backend to an Angular 1.x single page application. 

The code demonstrates using CF Angular together to perform full CRUD like operations.  It also shows how to use Angular Routes, and Angular Filtering.

The Slide share stats gives it about 10,000 views so it is one of the most popular ColdFusion slides shares for CF.

Slides are located here.

Source code and PPT files along with MYSQL database can be found here:

Building a ColdFusion REST Application - TAFFY vs Native ColdFusion tags

I was recently working on converting an existing ColdFusion applications over to a service based architecture (SOA), using REST API on the backend, with a Javascript framework on the front end.  I thought I would share a few points about the process.

The project I was working on chose to go with Taffy but you should consider your all your projects requirements before making a decision.  My intentions with this post is to try and highlight a couple of the differences which might help you make the right decision.

Note: If this topic is all new to you, I would recommend you review a session done back in the CFSummit 2015 called How We Rest.  You can find the slides at the link below and there is a link on the last slide to get code samples as well.

The slides do a great job a drawing out some of the major differences Native ColdFusion, Taffy, FW\1 and ContentBox. It is a few year old presentation, so use it as a good primer on the topic.

If your organization already uses FW\1 or ContentBox, it might be an easier decision.

After using Taffy, I am a big fan of its ease of use and its plug and play nature.  I would use it again in a heartbeat.  

Here are two important areas you might want to consider when picking your solution.

OpenAPI Swagger Support
If you need to support an OpenAPI specification, such as Swagger, you will need to consider how your project or organization need to import or export your APIs.  The need for OpenAPI import and export features will be more important if you are sharing APIs between systems over time.  If you are just using it as part of a migration step, it is not that important as recreating the CFML syntax for the API is not too difficult with most projects.

Coldbox has the ability to export as documented here https://www.forgebox.io/view/cbswagger
FW\1 - I do not see any built in support
Taffy - No direct support.  Although not to hard to put something together if you needed it.

Using the online Swagger editor https://editor.swagger.io/ makes it quite easy to build your  OpenAPI REST specification.  If you look at the top menu bar you have several options with Generating Server or Client shell code along with front end typescript classes as well.

Perhaps one day we will see CFML under Generate Server Code.

If you look at the syntax, you can see a few elements that were added like responseMessages to support the OpenAPI spec.  
<cfcomponent rest="true" restPath="/cookieService" produces="text/plain" >
    <!--- Test with various produces --->
    <cffunction name="sayPlainHelloUser" responseMessages="404:Not Found,200:successful,10:notdefine" access="remote" returnType="String" httpMethod="GET" produces="text/plain">
        <cfargument name="nAme" type="string" restargsource="cOOkie" required="false" default="CF">
        <cfset res="Hello " & name>
        <cfreturn res>

So if need to import \ export OpenAPI specs then you should consider levels of support for each REST solution.  In my recent project it was the front end code generation that was driving the need to OpenAPI.

Overloading Methods
One of the features of the Open API spec is that you can define the GET method several times, using the same REST Path with different arguments and then have the server call the correct method based on incoming arguments.

Since Native ColdFusion supports import and export of OpenAPI you would be correct to assume it is supported within the ColdFusion tags.  The cffunction tag has an attribute called httpmethod which can be GET for many different Functions which are defined with different REST arguments.

Taffy, by design, does not support function overloading.  If you want more then one GET you will need another CFC.  As Taffy uses GET, POST, PUT, Options, Delete as the actual function names, you are blocked from having more than one GET etc.  After talking to Adam Tuttle, the creator or Taffy, he told me Taffy was designed  to remove complexity and to keep the mapping between the REST Path, the CFC and the method as simple as possible.

So this becomes another area to consider if you like having function overloading.

So two important areas to consider.  There are many many more areas to consider but beyond my intentions for this post.  Areas like Token management, Security, Metering, Logging, Analytics etc are all important as well.

I hope this helps you when making the right decision for your ColdFusion REST project.