Hidden Gems in CF2018, part 3 – Security, Performance, and the PMT

February 6, 2019
ColdFusion troubleshooter
Wizard 17 posts
Followers: 21 people

Hidden Gems in CF2018, part 3 – Security, Performance, and the PMT

ColdFusion troubleshooter
Wizard 17 posts
Followers: 21 people
February 6, 2019

In part 3 of this series on CF2018 Hidden gems, we move from the discussion of admin/config/install-related aspects in part 2, to somewhat related topics, which may have more broad appeal to CF developers and administrators (and business people) alike:

  • Securing your CF instance and server using the new CF2018 Auto-lockdown tool
  • Performance-oriented improvements in CF2018
  • Monitoring CF2018 with the new Performance Monitoring Toolset (PMT)

New CF2018 Auto-lockdown tool

When it comes to securing ColdFusion, Adobe has made strides in making CF more and more secure out of the box, or with options offered during installation or configuration. There are many adjustable settings, and some are more important than others, while others might negatively impact existing applications in the cause of making CF more secure.

And many will know that there has long been the available ColdFusion Lockdown Guide document, created by Pete Freitag (of Foundeo) and updated as part of the CF docs for several years. It walks one through the process of making CF more secure–and not just CF but also the web server and web server configuration, and more. Indeed, that guide had grown to over 80 pages and covered many aspects, and many found it a daunting prospect to implement all of the guide’s recommendations.

In CF2018, we now have a new (optional) auto-lockdown tool, which tries to handle in one tool all the steps previously outlined in the Lockdown Guide.  The tool is available for Windows and Linux, and it works to configure also both IIS and Apache web servers.

A full discussion of the tool is beyond the scope of this post, but some great news is that there have been both an Adobe blog post and substantial documentation of the lockdown tool. The documentation page would be 34 pages, if printed, and it shows all the screens that the tool would present, along with some discussion. And the doc covers separately running it on Windows and Linux, about 10 pages each on Windows and IIS, Windows and Apache, or Linux and Apache.

Note as well that the new 2018 version of the Lockdown Guide (52-page PDF) discusses the lockdown steps in the context of running the new lockdown tool.

With such substantial documentation available, I will leave it for readers to consider those resources in order to better understand the tool–and in fact I would recommend you review both the Lockdown tool docs and the Lockdown Guide before running the tool, to realize what it will do.

Indeed, do be aware that the tool proposes to do all the lockdown recommended in the lockdown guide, so if you may only want to do SOME lockdown, you must do that manually instead. You can review the Lockdown Guide to better understand what is done by the tool, and use either that current guide or the CF2016 Lockdown Guide to manually apply lockdown instead.

Note that you can download the tool either along with the download of CF (offered after the CF download has started), or from the CF “downloads” page (which is not the page from which you can download CF but rather download files related to CF).

Note as well that the Lockdown tool does offer rollback and uninstall features, so that if something goes amiss either during or after implementation of the lockdown tool, you can revert back to your setup beforehand. It logs what it does (which you can review), including if it rolls back. After running the tool, see your [CF Home]lockdown folder for logs and more, including the ability to uninstall it at [CF Home]lockdown[Instance locked down]Uninstall.

Finally, note that the tool also comes with a silent install option (as discussed in the documentation on the tool), for those wanting to more fully automate the process.

Before moving on, there is also at least one known gotcha, a potential trap if you do use the tool. See the release notes for update 1, which shows some extra steps you need to take to apply the update, if autolockdown has been applied.

Performance improvements

In nearly every new release of ColdFusion, Adobe purports to have made performance improvements. In some releases those are more numerous than others, or more important. Sometimes the improvements are automatic/inherent in CF, while with others you may need to make a configuration or coding change to benefit from the improvement.

And as with each release, there is a CF2018 Performance Whitepaper (PDF) which discusses several improvements that have been made in CF2018:

  • XML parsing much faster (parser instances now pooled/cached)
  • Many other more typical CFML functions also faster
  • Regex compilation now being cached
  • Admin “Cache web server path” feature enhanced
  • Caching of application.cfm/cfc search
  • Also caching of cf mappings/custom tags, and cfcs when implementing an interface

I leave it as an exercise for the reader to read the performance brief to learn more about these changes and the implications of enabling/leveraging them. Here is one example screenshot from the whitepaper, depicting performance improvements as observed in testing of various CFML framework samples.

New CF2018 Performance Monitoring toolset (PMT)

The last new feature I will discuss in this Part 3 on CF2018 hidden gems is the new monitoring solution provided with CF2018, the Performance Monitoring toolset, or PMT. This also is a VERY substantial toolset, which would be worthy of many blog posts–and indeed Adobe has written many, as well as provided ample documentation of the PMT. Rather than repeat what those resources offer, I will point you to those resources and share a few thoughts to help you get started, like I did above regarding the Lockdown tool.

To be clear, the PMT replaces the CF Enterprise Server Monitor which had been introduced in CF8 and which is no longer available in CF2018 (and the PMT can only be used to monitor CF2018, not any earlier CF versions). Some great news is that the PMT is NOT limited to monitoring only CF2018 Enterprise only: it can monitor CF2018 Standard (as well as developer and trial) editions.

The PMT is also a tool that one would typically install on a machine separate from the CF instance being monitored, and it stores its information in a Redis datastore that is implemented when the PMT is installed.

So first, as for the CF documentation, see the many pages and subsections on the CF docs on the PMT, starting here (which would be 96 pages, if all 11 of its sections were printed).

Second, there have been a number of blog posts written by the CF Team, shared at the launch of CF2018, about the many different aspects of the PMT:

So as you can see from those several topics, and as you will find if you look into the 10 sections of the PMT documentation, the PMT is a substantial tool set with any aspects to understand and leverage. Here’s just one screenshot of many that could be shown:

As with the Lockdown tool, you are offered the opportunity to download the PMT when you download ColdFusion itself, or you can obtain it from page for obtaining files related to CF. Again, see the resources above for installing and configuring it.

But here are a few things to be aware of.

Note first that once installed, there is no option for opening the PMT from the Start menu (in Windows), even on the machine where the PMT is installed (let along from the machine of the instance being monitored). That said, there is a link offered to open the monitor–from within the CF Admin of an instance being monitored (if and only when that instance has been configured in the PMT to be monitored). Use the CF Admin “search” feature (discussed in part 2 of this series), to find the monitor page in the Admin.

Second, be sure to install the PMT on a machine with adequate resources (memory, cpu, disk) to run the PMT and its Redis datastore. And really think twice about trying to run the PMT on same machine where CF is running.

Note that the PMT works fine when other CF monitoring tools like FusionReactor or SeeFusion, or other JVM monitoring tools, may already be installed. Each tool adds things the others don’t, while they all also share some features.

And as indicated in the list of blog posts above, note that the PMT supports not only monitoring (and alerts), but also code profiling, though integration with CFBuilder.

Finally, as for gotchas, one currently known issue is that as of its initial release, the server auto-discovery feature of the PMT does not detect a server configured to serve its administrator via https. For more, see this discussion in the CF portal.

Coming up in Part 4, Developer-oriented features

OK, that wraps up part 3 in the “hidden gems” series. Next up, we will start to turn our attention to more developer-oriented features, and then language changes and more in parts to follow.

In part 4, we will look particularly at the new CF2018 CFML REPL feature, the CFFiddle site, and the CF2018 REST Playground feature. Part 5 will cover CFML language additions and enhancements.

Comments (0)
Add your comment