2 Replies Latest reply on Aug 22, 2017 10:31 AM by pete_freitag

    CF2016 securing CFIDE/administrator with TLS

    jbrock777 Level 1

      Hello Community!

         I recently began working on a POC with CF2016 and was a little shocked to learn that the de facto method of getting to /CFIDE/administrator was via localhost through SSH tunneling (per the lockdown PDF).

         The out-of-the-box alternative to SSH tunneling was to punch a hole in the firewall for port 8500. Security be damned!

         Both of these methods were unacceptable (seriously, Adobe!). Thus began a 2-day deep dive into a flawed Java product.

         Instead of boring you with a 14-hour deep dive into everything that didn't work, here is what did work:


      Prereqs:

      RHEL 7 x64 minimal install

      ColdFusion 2016 Enterprise Edition patched to 2016.0.02.299200

      Tomcat version 8.0.32.0

      Java JRE (Server) 1.8.0_102

      firewalld rule allowing 8443/tcp from the DevOps team's addresses


      Steps:

      1. Download the latest JRE 8 Server edition to /opt/coldfusion2016/ (update the CF JVM path to match, e.g. /opt/coldfusion2016/jdk1.8.0_102/jre/).

      2. Download and deploy the Unlimited Strength Jurisdiction Policy Files.

      3. Generate a self-signed cert using the new JRE.

      # keytool prompts for the certificate's DN and for the key password; leave the key
      # password equal to the store password, since Tomcat's keyPass defaults to keystorePass.
      sudo /opt/coldfusion2016/jdk1.8.0_102/jre/bin/keytool -genkey -keyalg RSA -alias test -keystore /etc/ssl/certs/keystore.jks -storepass yourpass -validity 1825 -keysize 2048

      4. Set up a Tomcat connector with a limited cipher list (no elliptic-curve suites) in /opt/coldfusion2016/cfusion/runtime/conf/server.xml:

      <!-- RSA-only suites: the EC suites failed on CF2016 up to update 2 (Crypto-J bug, see reply below).
           SSL_RSA_WITH_RC4_128_SHA is a legacy-client fallback; RC4 is prohibited by RFC 7465, so drop it
           unless a client actually needs it. Tomcat trims whitespace, so the list may span lines. -->
      <Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
                 maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
                 clientAuth="false"
                 keyAlias="test"
                 keystoreFile="/etc/ssl/certs/keystore.jks"
                 keystorePass="yourpass"
                 sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
                 useServerCipherSuiteOrder="true"
                 ciphers="TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,
                          TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,
                          SSL_RSA_WITH_RC4_128_SHA" />


      5. Restart ColdFusion:

      sudo service coldfusion_2016 restart

      6. Continue on your merry way!

      Adobe CF Dev Team, if you are reading: PLEASE deploy encryption with the dedicated Tomcat server for administering CF. Perhaps a self-signed cert option during the install wizard after choosing to deploy the secure server profile, etc. Or update your CF Lockdown Guide to include a working method (see above) to secure the dedicated server...
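Before opening 8443 to another team it is worth linting the connector the way a reviewer would. The script below is an added example, not code from the original post, from Adobe or from Tomcat. It parses a server.xml, walks every <Connector>, and flags legacy protocol versions, RC4 and other broken suites, the absence of any forward-secrecy (DHE/ECDHE) suite, client-chosen cipher order and placeholder keystore passwords. Both documents are constructed: the weak one reproduces the post's connector plus the plain-HTTP connector on 8500; the hardened one assumes the Crypto-J fix from update 3 (so ECDHE suites work), binds 8500 to loopback with the `address` attribute, uses a hypothetical alias `cfadmin`, and reads the keystore password from a hypothetical `cf.keystore.pass` system property, which Tomcat expands in server.xml attribute values.

```python
"""Lint Tomcat <Connector> elements for weak TLS settings (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample: the post's connector plus the built-in plain-HTTP connector on 8500.
WEAK_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8007" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8500" protocol="org.apache.coyote.http11.Http11NioProtocol"
               connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" keyAlias="test"
               keystoreFile="/etc/ssl/certs/keystore.jks" keystorePass="yourpass"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               useServerCipherSuiteOrder="true"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,
                        TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,
                        SSL_RSA_WITH_RC4_128_SHA" />
  </Service>
</Server>
"""

# Constructed hardened variant (assumes CF2016 update 3+ so ECDHE suites work).
# 'cfadmin' and the cf.keystore.pass property are hypothetical names.
HARDENED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8007" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8500" address="127.0.0.1"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" keyAlias="cfadmin"
               keystoreFile="/etc/ssl/certs/keystore.jks"
               keystorePass="${cf.keystore.pass}"
               sslEnabledProtocols="TLSv1.2"
               useServerCipherSuiteOrder="true"
               ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" />
  </Service>
</Server>
"""

LEGACY_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
PLACEHOLDER_PASSWORDS = {"", "changeit", "password", "yourpass", "secret"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
BROKEN_SUITE_MARKERS = ("_NULL_", "_anon_", "EXPORT", "_DES_", "3DES")


def _csv(value):
    """Split a comma-separated attribute; Tomcat trims, so line breaks are tolerated."""
    return [v.strip() for v in value.split(",") if v.strip()]


def lint_connector(conn):
    """Return the list of findings for one <Connector> element."""
    findings = []
    if conn.get("SSLEnabled", "false").lower() != "true":
        if conn.get("address") not in LOOPBACK:
            findings.append("plaintext connector not bound to loopback")
        return findings
    for proto in _csv(conn.get("sslEnabledProtocols", "")):
        if proto in LEGACY_PROTOCOLS:
            findings.append(f"legacy protocol enabled: {proto}")
    ciphers = _csv(conn.get("ciphers", ""))
    if not ciphers:
        findings.append("no ciphers attribute: JVM default suite list applies")
    for suite in ciphers:
        if "RC4" in suite:
            findings.append(f"RC4 suite (prohibited by RFC 7465): {suite}")
        if any(marker in suite for marker in BROKEN_SUITE_MARKERS):
            findings.append(f"broken or weak suite: {suite}")
    if ciphers and not any("DHE_" in s for s in ciphers):
        findings.append("no forward-secrecy (DHE/ECDHE) suite; a leaked RSA key decrypts recorded sessions")
    if conn.get("useServerCipherSuiteOrder", "false").lower() != "true":
        findings.append("client picks the cipher order")
    if conn.get("keystorePass", "").lower() in PLACEHOLDER_PASSWORDS:
        findings.append("placeholder keystore password")
    return findings


def lint_server_xml(xml_text):
    """Map each Connector port to its findings; connectors with none are omitted."""
    root = ET.fromstring(xml_text)
    report = {}
    for conn in root.iter("Connector"):
        findings = lint_connector(conn)
        if findings:
            report[conn.get("port", "?")] = findings
    return report


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(f"== {label}: {len(lint_server_xml(doc))} connector(s) with findings ==")
        for port, findings in lint_server_xml(doc).items():
            for finding in findings:
                print(f"  port {port}: {finding}")
```

Run it against a real install with `lint_server_xml(open("/opt/coldfusion2016/cfusion/runtime/conf/server.xml").read())`. The weak document yields findings on both connectors (TLSv1 and TLSv1.1 enabled, the RC4 suite, no forward-secrecy suite, the placeholder password, and 8500 reachable off-box); the hardened one yields none. The check is deliberately conservative about the plain connector: it cannot tell whether a firewall already covers 8500, so it asks for a loopback bind regardless.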

        • 1. Re: CF2016 securing CFIDE/administrator with TLS
          AlexZimm

          Amen!

          This post should be pinned!

          • 2. Re: CF2016 securing CFIDE/administrator with TLS
            pete_freitag Adobe Community Professional

            Hi,

            You are correct that there were some issues with getting TLS to work properly on the built-in web server with CF2016 up through update 2. I did some digging and found the problem to be due to an issue in the RSA BSafe Crypto-J provider. This is the third-party Java cryptography provider that ships with ColdFusion. I reported this to Adobe and they confirmed that it was the cause of the problem.

            Adobe has fixed the issue in ColdFusion 2016 update 3 by updating the Crypto-J jars (version 6.2.1 fixes the issue). So if you update to the latest version of CF2016 you should no longer need to disable the elliptic-curve ciphers to get TLS working.

            Also, you can expect an update to the lockdown guide with instructions on enabling HTTPS / TLS on the built-in web server now that this issue is fixed.

             

            --

            Pete Freitag

            Foundeo Inc.