Checking HTTPS in ColdFusion on Tomcat

So this came about after I was asked to debug a problem with an application that was misbehaving when users were logged in. As I setup the application on my machine, I noticed that all links were reverting to HTTPS by default. Initially, I thought this might be caused by the “baseref” tag, or the rules in the .htaccess file, but nothing.

It was actually caused by some logic in the codebase of an in-house framework that we use, that was checking for HTTP/HTTPS and correcting according to some predefined logic. Even the logic seemed fine – if “HTTPS” eq “off” then use “HTTP” – so this led me to think there was something up with the headers…

Usually, when CF is running through IIS, the HTTPS value is set, but in tomcat at least, it seems to be blank when running through HTTP. Perhaps it is only set when running through HTTPS? I quickly setup HTTPS on my local machine using a self-signed cert (see previous post on how to do this) and tested it when running through HTTPS….STILL NOTHING!

This is where the benefit of installing CF on native Tomcat is really becoming moot, as it is causing more disruptions than was intended to avoid. According to Charlie Arehart’s presentation on a few months ago, there is limited support for CGI variables in a native Tomcat installation (which I have – running CF9).

It seems I cannot add these additional headers without writing my own filters for Tomcat, which I haven’t the time for right now, and I would rather know WHY it wasn’t working, than fix it for now. Besides, there are other ways in which our in-house MVC could check for SSL anyway, like checking the port – which to be fair is platform independent, as relying upon the CGI variables in CF clearly isn’t.

Another alternative could be to install Bilal’s IIS to Tomcat Connector. This MIGHT contain enough to get the additional CGI headers there. Freezer food for future thought.

Enabling HTTPS in local Apache Tomcat

Sometimes it’s useful to run a site through HTTPS during testing, without the actual cost/hassle of installing a valid certificate. In case you need to, this is how you do it through Apache Tomcat – IMPORTANT THIS IS ONLY FOR LOCAL MACHINE – NOT A SERVER!

Click here to skip the intro to SSL and HTTPS

Brief Intro to SSL and HTTPS

SSL (secure sockets layer) is a protocol that is used to achieve a secure layer of communication between two machines over the Internet. In order to make use of SSL/HTTPS, the server must have a valid secure certificate installed to allow this to happen. Without a secure certificate, SSL cannot be used, and the client/server connection is not encrypted.

Certificates are typically issued by trusted third-party organisations called certificate authorities (such as VeriSign, Thawte, Comodo), and effectively are offering THEIR assurance that the server/domain is a valid company or organisation. SSL certificates do not need to be signed/verified by a certificate authority, however if they are not – the client browser is warned of a problem with the certificate, and warns the user to proceed at their own risk.

Self-Signed Certificate

To use HTTPS within the bounds of your local machine (acting as the server and the client), there is no risk of the connection being exploited by an external malicious user, as the connection never leaves your machine. It would be unnecessary to purchase a secure certificate that is authorised and signed by a certificate authority, as there would be no other users needing assurance that you were legitimate? Instead you can generate you own secure certificate it, “self-signing” it yourself. Once the certificate is installed, you can then use HTTPS on your local machine (ONLY VALID FOR TESTING ON YOUR MACHINE HOWEVER!)

How to create your self-signed certificate

1. Load up the command line tool, and browse to the “bin” folder in the Java root. Prepare the keystore with the following command (change to suit your own preferred keystore location):
   

   keytool -genkey -alias tomcat -keystore c:\keystore\tomcat.jks -keyalg RSA

2. At the prompt for the keystore password, enter “changeit” (Tomcat default) and again for the confirmation.
   
3. Complete the following questions according to your business. This is obviously an essential part of the validation process when using a certificate authority (they use this to check the organisation requesting the certificate is legitimate), and is also presented to users who choose to view the certificate details in their browser. For our purposes however, it’s not so important…
   
4. Next, it will ask for the Key Password, which is specific to this Certificate – as opposed to the password used for the whole keystore (step 2). Although it implies that you can set different passwords, a restriction with the Tomcat implementation means that the key password and the keystore password MUST be the same (so just press enter).
5. Browse to the folder of your keystore, and you should see the keystore file, and the certificate to be used by your server.
   
6. Open up “[apache directory]/Tomcat/conf/server.xml” and add the SSL connector below, ensuring that you set the passwords/paths correctly for your environtment…

   <!-- Define a SSL HTTP/1.1 Connector on port 8443 This connector uses the APR configuration --> <Connector clientAuth="false" port="8443" minSpareThreads="5" maxSpareThreads="75" enableLookups="true" disableUploadTimeout="true" acceptCount="100" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" keystoreFile="c:/keystore/tomcat.jks" keystoreType="JKS" keystorePass="changeit" truststoreFile="c:/keystore/tomcat.jks" truststoreType="JKS" truststorePass="changeit" SSLVerifyClient="require" SSLEngine="on" SSLVerifyDepth="2" sslProtocol="TLS"/>

7. Restart Tomcat server. Test the HTTPS by browse to your localhost, with the SSL port appended (for example, https://127.0.0.1:8443). If everything went well,you SHOULD see a warning from your browser, advising you that the certificate is not trusted by any certificate authorities…
   But it’s fine – click “Proceed Anyway” to see your website now using HTTPS (sort of)…
   

Important note: This SHOULD ONLY be used for LOCAL testing, not for the production environment.

Apache Serving Blank Screen – even in CF Admin

Apache has started doing this; a blank screen. A restart of tomcat seems to fix it, but this cannot be the answer, especially when it’s only just started, AND it’s not like it is poor code; the error occurs even in ColdFusion administrator.

A quick check in the Apache logs (C:\Program Files\Apache Software Foundation\Tomcat 6.0\logs) shows the following error:

Mar 27, 2014 9:40:47 AM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet CfmServlet threw exception
     java.lang.OutOfMemoryError: PermGen space
          at java.lang.Throwable.printStackTrace(Throwable.java:643)
          at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:100)
          at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
          at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
          at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:46)
          at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)

This is either caused by a memory leak, or the PermGen space is just too small for what I genuinely need. I’m thinking that it might just be too small for the size of application I am running, as it is quite a large application, and the last time this happened, it was on the first deploy of another large application (albeit both times I was in CF Admin to configure the setup). So, it could be a memory leak in CF Admin (which I doubt), a memory leak in the application CF (very possible if someone has been sloppy with “var scoping”), or a larger PermGen space needed (possible from deploying a large application).

Forcing Garbage Cleanup

To check if the problem was memory related inside Tomcat (which looks likely), I first enabled “Class Unloading” inside Tomcat, so that unused classes were free to delete in memory. This isn’t an ideal or long term solution however; for one thing, it increases processing time as classes have to be recreated as they are called, but this is a useful test nonetheless – especially when exploring an application for a memory leak:

1. Open “Tomcat Properties”: Open C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apache Tomcat 6.0 Tomcat6/ “Configure Tomcat”. This runs Tomcat6w.exe with additional arguments.

2. Stop Tomcat: Click on the “General” tab, click on “Stop”. Check the task manager for when the service has stopped. This can take a while sometimes, as much as 15 minutes waiting for the service to stop. If Tomcat hangs with “Stopping” status, read this post to kill it.

3. Update Java Options: Click on the “Java” tab, and add the following arguments to the bottom of the Java Options box:
   “-XX:+CMSClassUnloadingEnabled”
   “-XX:+CMSPermGenSweepingEnabled”
   

4. Restart Tomcat

This worked for me, both the application and ColdFusion Administrator are running well now – proving that the problem is a memory issue (no surprise there really).

Using Memory Limits

I could leave the server running as is, but class unloading slows down an application, and it won’t tell me if there’s a memory leak in the application. If there IS a memory leak, this would eventually manifest itself on the production server too – so I would rather know about a memory leak now, than later. Think of it like a car that is running rich, and burning to much fuel; putting in more fuel keeps the car running, but this does not fix the problem, only hides it. The car is using far more fuel than it should, and eventually we will run out of money to fuel the car – so its best to fix the engine.

To use the memory limits (either increasing or decreasing), follow these steps:

1. Open “Tomcat Properties”: Open C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apache Tomcat 6.0 Tomcat6/ “Configure Tomcat”. This runs Tomcat6w.exe with additional arguments.

2. Stop Tomcat: Click on the “General” tab, click on “Stop”. Check the task manager for when the service has stopped. This can take a while sometimes, as much as 15 minutes waiting for the service to stop. If Tomcat hangs with “Stopping” status, read this post to kill it.

3. Update Java Options: Click on the “Java” tab, remove the arguments added for garbage cleanup, and add the following arguments to the bottom of the Java Options box:
   “-XX:MaxPermSize=128m” (set the 128 to whatever you want)
   

4. Restart the Server

It’s working for me, for now at least – but if ColdFusion Admin or my application breaks down again, then it is possible that there is a memory leak somewhere. I could increase the memory again further (if it is genuinely needed) but I would need justification to think that it needs the extra memory. To be honest, I would probably check for issues in the code before I increased the memory again.

 

 

Apache Tomcat service “Stopping”

Apache takes a silly amount of time to stop its service. It’s not something I need to do often, but when I do, the Tomcat service seems to hang in a status of “Stopping” for at least 10 minutes.

I have no idea why it does this, but I haven’t the enthusiasm to explore. You could restart your machine if you like, but sometimes this is not possible or ideal (especially if on a production server).

A quick way around it that I am recording for my own benefit mostly:

1. Open Task Manager: [ctrl] + [alt] + [delete], then click “Task Manager” then click on the “Services” tab.
2. Find your Tomcat service: In the list of services, find the name of the Apache Tomcat service with a status of “Stopping”. Make a note of this service name (not case sensitive).
3. Run the Command Prompt: Open the “Start” menu, type “cmd”, then right-click on the “Command Prompt” and click “Run as administrator”.
4. Check the Service Status: Enter the command “sc queryex Tomcat6” into the command prompt (replace “Tomcat6” with the name of your tomcat service as shown in step 2)
   It should then present you with the status of that service, including the process ID (PID).
5. Kill the service: Enter the following command “taskkill /PID 2248 /F” where “2248” is the PID as found in step 4. Note: you need the “/f” argument to “force” the task to be killed.
6. Success: You should get the confirmation message “SUCCESS: The process with PID 2248 has been terminated”

 

ColdFusion “Cannot access java.rmi.RemoteException bad class file”

Opting for a “custom install” of CF9 on Tomcat (rather than CF10) still throws up the occasional obstacle; the latest being the following error:

coldfusion.jsp.CompilationFailedException:
Errors reported by Java compiler: C:\workspace\WEB-INF\cfusion\stubs\WS-326788660\
  coldfusion\xml\rpc\CFCInvocationException.java:10: cannot access java.rmi.RemoteException
  bad class file: C:\Program Files\Java\jre7\lib\rt.jar(java/rmi/RemoteException.class)
  class file has wrong version 51.0, should be 48.0 Please remove or make sure it appears in
  the correct subdirectory of the classpath. public class CFCInvocationException extends
  org.apache.axis.AxisFault implements java.io.Serializable { ^ 1 error

So clearly, there’s some conflict with the java class versions. I’m currently running the latest version of the Java JDK (1.7), but according to Adobe, CF9 ships with 1.6 by default, so likely the problem is here. I’m wondering if I am seeing this problem now, because the CF9 hotfix doesn’t work on Win 8.1, and that this hotfix included an upgrade for CF9 to work on Java 7?

Anyway – my first thought was to simply add the “Java_home” to the system path (via “This PC” > “Properties” > “Advanced System Settings” > “Environment Variables”), and restart, but no such luck. However….

To fix the problem is simple; update “tools.jar” with the latest from your SDK…

1. Stop Apache Tomcat (or whichever server you’re running)
2. Create a backup “C:\workspace\WEB-INF\cfusion\lib\tools.jar” (or wherever you CF is configured)
3. Browse to “C:\Program Files\Java\jdk1.7.0_51\lib” (or wherever your JDK is) and copy “tools.jar” to clipboard.
4. Go back to “C:\workspace\WEB-INF\cfusion\lib” and paste “tools.jar” from clipboard
5. Restart Tomcat, and hey presto – it now works.

Run ColdFusion 9 on Windows 8.1 with Apache Tomcat

Note: CF10+ installs easily on Win 8.1, so unless you need CF9 for any reason, this is probably the best thing to do – however while our production servers are running CF9, this was just a bad idea for me to write code in a new environment, then deploy on an old. This would eventually have resulted in unforeseen headaches, code rewrites, and wild goose chases.

The pain of having to upgrade to Windows 8.1 continues – this time, it is ColdFusion 9 that’s causing the headache…

HTTP Error 404.3 - Not Found
The page you are requesting cannot be served because of the extension configuration. If the page is a script, add a handler. If the file should be downloadable, add a MIME map

Clearly, with an error like that, my first thought was “ah, IIS not configured to process CFM files – simple”. CF has had its quirks when installing with IIS since Win7, but there’s always been a way around it, and I tried the usual suspects – expecting them to work:

• Open up the JRun Server Config, and setup IIS to manually serve up CFM
• Tried anabling 32 bit applications in IIS
• Enable IIS6 Management Compatibility
• Enable ISAPI Filters

None of these worked. JRun Server still wouldn’t allow IIS to be selected as a configurable server. After a bit more digging, I remembered about the “other” usual suspect – allowing IIS access to the necessary files and folders. So I added explicit permissions to IUSR etc etc.

This fixed the problem, and I was sorted – at least until I clicked “Ok”…

Let me save you the trouble – CF9 will not work on Win8.1 through JRun. I tried. I failed. Don’t make the same mistake.

If you really want to install CF9 on windows 8.1, drop JRun and run it through Apache Tomcat – it’s what CF10 does anyway! It’s a bit of a pain having to restart Tomcat everytime you add a new site etc, but this isn’t too often, and it does actually work.

If you’re unfamiliar with installing Tomcat with Coldfusion, here is a great video walk through by Joe Rinehart that describes how to setup CF9 with Tomcat and Eclipse.