TLS 1.2 for Apache 2.2 on SLES 11

TLS 1.2 support is available with later versions of Apache 2.2 provided that OpenSSL 1.0.1 or later is installed.
The version of OpenSSL shipped with SLES 11 is based on 0.9.8 and, because of backward compatibility issues, they will not ship 1.0.1.
The best solution is to upgrade to SLES 12 which ships with Apache 2.4. However, this is not always as simple as it sounds in large environments.
The simplest solution to supporting TLS 1.2 on SLES 11 is to switch Apache from using mod_ssl to mod_nss, which SUSE has made available.
Run ‘zypper install apache2-mod_nss’ and then read the notes in /usr/share/doc/packages/apache2-mod_nss/README-SUSE.txt for details on how to make the switch.
Tools and instructions are included to convert from SSL directives to NSS directives and to convert certificates which makes the process easy.

suse-su-20180630-1 update to Java 1.7.1 on SLES 11SP4 breaks JCE

I am not sure if this is just how our engineering team packaged the update but thought I would share in case it affects others.

After applying the suse-su-20180630-1 security update a number of our applications that run on Tomcat on SLES11SP4 broke. The error was in connecting to  the Oracle database as they could no longer open the Oracle wallet.
SEVERE: encountered a problem with the Secret Store. Check the wallet location for the presence of an open wallet (cwallet.sso) and ensure that this wallet contains the correct credentials using the mkstore utility: PKI-02002: Unable to open the wallet. Check password.

Continue reading “suse-su-20180630-1 update to Java 1.7.1 on SLES 11SP4 breaks JCE”

Monitor ColdFusion threads

We have a number of ColdFusion 11 Linux servers fronted by Apache httpd using the AJP connector. The stock ColdFusion install on our servers set these up with the Tomcat AJP connector listening on port 8014 using the Java BIO based connector. We needed a way to monitor the number of current connector threads so we could alert if we were getting close to the maximum (default 200) which generally indicates an issue somewhere causing threads to be waiting longer than they normally should.
This information is available in metrics.log if this is enabled but we did not want to use this log and we didn’t want to enable jmx.

Continue reading “Monitor ColdFusion threads”


I was trying to use the S3: support in ColdFusion to list a bucket. Unfortunately, my CF server is behind a proxy that I have to use to get to the outside world. So, I added the following to my JVM arguments and restarted ColdFusion. -Dhttp.proxyPort=8080 -Dhttps.proxyHost=/ -Dhttps.proxyPort=8080

But, when I launched my page that does a simple cfdirectory list of s3:/ I would get an error, Connection refused.

I did a tcpdump and found that the server was trying to connect directly to and not using the proxy. I then looked at the exception log and could see that the S3 support is using the Apache HttpClient and it appears that it is not configured to pull in the system proxy properties. I tried this on CentOS with CF 11 and CF 2016 with the same results on both.

Tracking down a memory leak

I recently had the need to track down a memory leak in a ColdFusion application running on Linux. The symptoms were either GC Overhead limit exceeded errors, Java heap space errors or ColdFusion just hanging. Increasing the heap size just delayed the time between crashes, with a 12GB heap giving us about 24 hours.

Continue reading “Tracking down a memory leak”


Upgrading the version of Java that your ColdFusion stand alone installation uses is a simple task.
The most important step is to check what versions of Java are supported by the version of ColdFusion you are running.
As of 9/15/17, the latest information from Adobe that I can find is on their blog – /
This document details compatibility and the steps to upgrade.
What the document fails to mention is that there are some utilities that use a script,, that will return <cfinstalldir>/jre as the java to use, regardless of what is in the jvm.config file. So, after following the steps in the document, remove or rename the jre directory and then create a link named jre that points to the new jre or jdk you installed e.g.
ln -s jre1.8.0_144 jre
Continue reading “Upgrade your ColdFusion Java version”

ColdFusion applications on an instance require unique names

This is something the developers at the company where I am contracting at keep forgetting to do. They will clone an existing code tree to start a new application or to work on adding some new features to an existing application. They deploy and things work intermittently and they don’t know why.
If there are multiple applications running on the same ColdFusion instance each application must have a unique name (, normally set in Application.cfc). If multiple applications have the same name, application behavior becomes very unpredictable!

Rotating your ColdFusion logs daily

ColdFusion will only rotate log files based on file size. Many organizations like to roll log files on a daily basis. This could be achieved using something like logrotate on Linux but ColdFusion would have to be restarted to free the lock on the files. Another way is to utilize the Administrator API and a scheduled task. Continue reading “Rotating your ColdFusion logs daily”

Viewing the ColdFusion 11 Administrator API methods

There appears to be limited information out there on using the ColdFusion Administrator API. The only Adobe document I found is here Administrator API. This gives information on some of the CFCs and a few examples. It says

“To view the methods, method arguments, and documentation for the Administrator API CFCs, use the CFC Explorer. For example, to view datasource.cfc when running in the server configuration, open a browser to /localhost:8500/CFIDE/adminapi/datasource.cfc”

What you will find, however, is that this may not work for you – you will likely get the error “Unsupported Operation. Check application log for more details.”. This is because the CFC explorer requires RDS to be enabled and Adobe recommends this be disabled on production servers. I have a test ColdFusion 11 server that I run on a CentOS 7 VirtualBox VM. I enabled RDS on it by logging in to the ColdFusion Administrator, enabling RDS (its under the SECURITY tab) and setting a password. The nice thing is RDS can be enabled and disabled without having to restart ColdFusion. Note that RDS does not need to be enabled to call API methods, only to use the CFC explorer.

To see all of the CFCs available look in the wwwroot/CFIDE/adminapi directory underneath your ColdFusion instance home directory e.g. /opt/coldfusion11/cfusion/wwwroot/CFIDE/adminapi.