Link to home
Start Free TrialLog in
Avatar of Ben Conner
Ben ConnerFlag for United States of America

asked on

CF upgrade from CF 11 to CF 2018 in lockdown mode

Hi,

I have an instance of Coldfusion 11 that is fully locked down via Pete Frietag's guide.  I need to upgrade this server to the 2018 version (and 2020 when it comes out).  Is there an upgrade path to 2018 that maintains the settings from the CF 11 instance in lockdown mode?  I tried the 'simple' approach on a test copy of the server and the Application server service for the 2018 copy didn't use the same local userid I had established for the CF 11 instance.

Thanks!

--Ben
Avatar of dgrafx
dgrafx
Flag of United States of America image

Hello Ben
Have you read this?
https://www.adobe.com/content/dam/acom/en/products/coldfusion/pdfs/cf2018/cf2018-migration-guide.pdf

The steps will be the same coming from CF 11

Good Luck ...
Avatar of Charlie Arehart
Charlie Arehart

Ben, no. The install process for CF only offers the option (on first run of the CF Admin of the NEW version) to import the CF Admin settings of the OLD version. There is not only no provision for having it preserve any of the lockdown settings made outside of the CF admin (like the user running CF), but it definitely does not implement ALL the lockdown protections, such as the permissions for the CF folders, etc.

You raise an interesting point: The Adobe team COULD have provided for that, but no, they did not. So you would need to perform any needed lockdown steps after installing the new version.
Avatar of Ben Conner

ASKER

I had not seen the upgrade guide from Adobe yet, thanks for the link.

Thanks for the overview, Charlie.  Will have my weekend cut out for me. :)  When I ran the upgrade I was concerned that it didn't even pick up the username/pw from the CF 11 version. Admittedly I didn't bring up the UI after the fact to see what happened.

The good news is I'm doing the testing on a VM clone of the production server.  So I can mess it up and not break any toys.

--Ben
Hopefully, the section titled "Migrating the CF settings" will be helpful ...

Good Luck!
I've never had good luck.  That's why I have EE. :)

--Ben
ASKER CERTIFIED SOLUTION
Avatar of Charlie Arehart
Charlie Arehart

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
I disagree with Charlie's pessimism.

Have a go at migrating the settings per the document Ben!
It is more than a "discussion" but is actually a "how-to" ...

And still - good luck!
I'm not expressing pessimism: I'm simply stating the situation. I have run, helped people run, and written and spoken multiple times about both that first-run and the manual migration processes. I know what they do and don't do.

More than that, they each produce a migration log which tracks what they do. And ALL they do is import admin settings. They do NOT do the many other things the auto lockdown tool does. More specifically, they will NOT do the particular things Ben asked about, like make the new cf service run as anything other than the system account.

I don't understand your persisting to challenge this. I've written every word in my responses with the intent to make things as clear as possible, to you, Ben, and any other readers . I get chided by some for writing too many words. But clearly I could not have left my first answer at "no, there is not" [an upgrade path to 2018 that maintains the settings from the CF 11 instance in lockdown mode, as Ben initially asked]. 
I do need to offer a clarification (but it doesn't change my fundamental stance here). I've mentioned the auto-lockdown tool in my last couple of replies, but as Ben indicates he's coming from Cf11, that tool was not added until cf2018.

So Ben's referring solely to his MANUALLY applied efforts to lockdown, per the GUIDE (as he said).

But that's all the more reason that there's no way for cf to somehow automatically bring such settings into a new cf2018 install.

Again, all that the migration (if chisen) will do is bring in ADMIN settings. That's better than nothing, but again to Ben's original request, no, it will not somehow migrate in/apply any OTHER aspects of manually applied lockdown.

(And I've not seen any indication that the next release will somehow improve on auto-applying settings performed by the 2018 auto lockdown tool.) 
Ben - do the manual method I pointed to in the migration manual.
This is a fairly simple issue ...

Good Luck!
Thanks to you both.  I have my sandbox set up now and read through the migration guide.  Will give it a shot.

Any lockdown issues that don't get taken care of I can re-apply so that isn't a big deal.  Thankfully this release has the syntax/functionality checker in it.  We host a LOT of old code.  Hoping none of it breaks.

--Ben
👍
Well can't quite get that far yet;   Services didn't start and running cfstart from the bin folder came back with:
<JAVA_HOME>/lib/ext exists, extensions mechanism no longer supported; Use -classpath instead.
.Could not create the Java virtual machine.

Looking at the jvm.config folder I don't see a reference to 'ext' at all, much less a full path to anywhere.  ?

The full jvm.config file is attached.  jvm.config
Do you get this error after installing CF?
There have been times where I had an issue after install. I simply uninstalled and reinstalled and that fixed whatever the issue.
The install went through w/o an apparent errors but it failed to start (the services).  So I sent to the cfusion/bin folder and ran cfstart.  That return the error.  So this looks like a JVM issue of some kind.

I can certainly reinstall.  Don't know how that will impact importing the DSNs, etc. though.
You will need to reimport the DSNs I'm pretty sure.
Is this a Windows OS? Just curious.
I would go ahead and uninstall/reinstall.
Yes, Windows Server 2016.
Excellent! Now uninstall and reinstall - hopefully, that will get you a functional install.
If not try researching if you need to update Java. Not sure about that myself though ...
Hi,

Tried the reinstall and got an unresponsive installation process.  Never finished the install.

I ran out of time with this one and needed an answer yesterday.  Brought in Charlie to look at it.

The root cause was my trying to install 2016 over the top of the same directory that I had vsn 11 installed in.  I mistakenly thought CF worked like most other packages--you had to point it to the prior version's folder for it to pick up the configuration, etc.  Obviously that wasn't the case.  LOL.

The install went well with the exception that it didn't pick up scheduled tasks.  But those easily imported with a CAR file.  

Charlie also found a bunch of unnecessary debris left over from years of upgrades.  Prior versions did things much differently and now the CF team knows better.  I still have some cleanup to do but it did come up and what's left is to verify the sites, functionality, etc. are still intact.   I'll go through the lockdown guide and see what I can apply without shooting myself in the foot.

Thanks to both of you for your wisdom and insight.  This is the type of interaction that makes EE such a valuable resource.

--Ben
Glad you got it working!
But I'm curious - did the migration guide help you and did you use the Migrating the CF Settings section?

Have a good one!
Sorry for the delay...
The migration guide was definitely unhelpful.  It has some significant deficiencies in terms of what NOT to do, such as updating into the previous CF folder.  

Once installed, the migration section did help in retrospect but I never got there before I ran out of time.