Overview of the Problem

The ColdFusion Lockdown guide and corresponding lockdown installers harden a ColdFusion server by tightening file permissions, restricting administrative access, disabling risky endpoints (like RDS), and configuring the web server connectors more securely. After hardening, teams frequently encounter errors such as HTTP 403/404/500 responses, ColdFusion Administrator being unreachable, datasources or Scheduled tasks failing, or PDF generation and file uploads breaking. These issues occur because the lockdown process intentionally removes access and privileges that may have been relied upon in a less secure Configuration.

The challenge is to distinguish between a legitimate Security block (the lockdown is working) and a misconfiguration (needed functionality was inadvertently disabled). The guide below explains how to diagnose, fix, and prevent recurring ColdFusion lockdown issues safely and systematically.

---

Possible Causes

• Access to ColdFusion Administrator is restricted by IP, network rules, or rewrite rules.
• Web server connector (IIS/Apache) misconfiguration after lockdown or re-installation.
• NTFS/Linux file permission changes preventing ColdFusion (cfusion) service from reading/writing required directories.
• Sandbox Security (Resource Security) blocking file system, network, or tag/function access.
• JVM Configuration changes preventing ColdFusion from starting or using the correct JDK.
• URL Rewrite/RewriteRule conflicts blocking .cfm execution or admin paths.
• Certificate and TLS hardening causing outbound cfhttp, mail, or web service calls to fail due to truststore issues.
• Add-on Services (PDFg, Solr/Elasticsearch, CF Image, etc.) disabled or running with insufficient permissions.
• Firewall or SELinux policies blocking needed communication between web server, ColdFusion, and add-on services.
• AJP/Tomcat connector disabled or protected without updating the connector configuration (secrets, allowed IPs).

---

Quick Diagnosis Flow

Common Symptoms and What They Usually Mean

• 403 Forbidden on CFIDE/administrator: IP restriction, rewrite block, or file permissions.
• 404 on .cfm pages: Web connector broken, handler mappings removed, or rewrite rules blocking.
• 500 Internal Server Error: Runtime exception, sandbox denial, or connector mismatch with AJP/CF version.
• ColdFusion service starts then stops: Bad JVM args, wrong JDK, port conflicts, or corrupted cache.
• Datasource connection fails only post-lockdown: Sandbox restrictions or blocked outbound ports.
• PDF generation (cfdocument/HTML to PDF) fails: Add-on Services not running, no permission to temp folders, or blocked fonts/resources.
• File uploads fail: Permission denied on temp or target folders, antivirus/EDR quarantine, or maxPostSize limits.

Where to Look: Logs and Tools

Check these logs first:

• ColdFusion logs:

  • [cfusion]/logs/colfusion-out.log
  • [cfusion]/logs/colfusion-error.log
  • [cfusion]/logs/exception.log
  • [cfusion]/logs/application.log
  • [cfusion]/logs/Audit.log (post-lockdown Audit events)

• Web Server logs:

  • IIS: C:\inetpub\logs\LogFiles\W3SVC…\
  • Apache: /var/log/httpd/access_log, error_log (or distro equivalent)

• Connector logs:

  • IIS ISAPI: isapi_redirect.log or wsconfig logs (e.g., [CF_HOME]/config/wsconfig/[n]/isapi_redirect.log)
  • Apache mod_jk/mod_cf logs (if used): mod_jk.log

• OS logs:

  • Windows Event Viewer: Application and System
  • Linux: /var/log/messages, audit logs for SELinux

Useful commands:

• Windows (IIS/SSL/Ports)
  • netstat -ano | findstr “:80|:443|:8500”
  • netsh http show sslcert
  • appcmd list modules /appcmd list config “Default Web Site”
• Linux (Apache/SELinux/Firewall)
  • systemctl status httpd|apache2 coldfusion
  • getenforce; ausearch -m avc -ts recent; sealert -a /var/log/audit/audit.log
  • firewall-cmd –list-all; ufw status
• Connector verification:
  • [CF_HOME]/cfusion/runtime/bin/wsconfig -list

---

Step-by-Step Troubleshooting Guide

Step 1: Establish the Baseline

• Confirm the ColdFusion version, update level, and whether the Secure Profile was selected during installation.
• Identify whether the lockdown was applied via the Lockdown Tool (cf_lockdown.ps1/.sh) and which options were selected (IIS vs Apache, RDS removal, administrator restrictions).
• Note the running account for:
  • ColdFusion service (e.g., Local Service, domain service account)
  • Web server service account (IIS App Pool identity or Apache user)
• Check if ColdFusion starts cleanly:
  • Look at coldfusion-out.log for startup success messages.

If CF does not start, skip to Step 6.

---

Step 2: Verify Web Server Connector Health

The lockdown often reconfigures or tightens the connector between IIS/Apache and Tomcat (ColdFusion).

• List connectors:

  • Windows: [CF_HOME]/cfusion/runtime/bin/wsconfig.exe -list
  • Linux: [CF_HOME]/cfusion/runtime/bin/wsconfig.sh -list

• IIS checks:

  • ISAPI filter and handler mappings present for .cfm/.cfc.
  • isapi_redirect.dll path valid and accessible by the App Pool identity.
  • Request Filtering not blocking .cfm.
  • Application Pool pipeline set appropriately and 32/64-bit matches connector.

• Apache checks:

  • Ensure mod_proxy_ajp/mod_proxy_http or mod_jk configured as intended.
  • Confirm VirtualHost includes the proxy/jk mapping for .cfm/.cfc.

Typical AJP connector in Tomcat’s server.xml (hardened):

xml
<Connector protocol=”AJP/1.3″
address=”127.0.0.1″
port=”8012″
secretRequired=”true”
secret=”YourStrongSecretHere”
allowedRequestAttributesPattern=”.*”
maxPostSize=”10485760″
redirectPort=”8443″ />

If secretRequired=true, ensure the connector module is also configured with the same secret.

For Apache with mod_proxy_ajp:

apache
ProxyPassMatch ^/(.*.cf[cm])$ ajp://127.0.0.1:8012/$1 secret=YourStrongSecretHere

For IIS with the Adobe wsconfig tool, set the AJP secret using wsconfig when supported or switch to HTTP/HTTPS proxy if preferred.

---

Step 3: Restore Controlled Access to ColdFusion Administrator

The lockdown may:

• Restrict CFIDE/administrator by IP.
• Remove or relocate CFIDE.
• Require HTTPS and/or client certificates.

Actions:

• Review web server rules (IIS web.config or Apache conf) for IP allow/deny.
• Temporarily allow your IP or access from the server console only.
• Verify CF Admin password and that the admin login is not blocked by rate-limiting.

Example IIS web.config to limit admin by IP:

xml

Never re-expose /CFIDE/administrator publicly. Use a jump host, VPN, or IP allowlist.

---

Step 4: Fix File System Permissions (NTFS/Linux)

Lockdown typically tightens ownership and permissions under [CF_HOME] and web roots.

• Identify the ColdFusion service account.
• Grant minimal required permissions to:
  • temp directories
  • scheduler output directories
  • upload directories
  • mail spool (cfusion\mail\spool, \undelivr)
  • log directories

Windows example:

powershell

Grant Modify to CF service account on an uploads directory

icacls “D:\sites\myapp\uploads” /grant “CFServiceAccount:(OI)(CI)M”

Linux example:

bash
chown -R cfuser:cfgroup /var/www/myapp/uploads
chmod -R 750 /var/www/myapp/uploads

If SELinux is enforcing, label path for httpd or cf runtime:

semanage fcontext -a -t httpd_sys_rw_content_t “/var/www/myapp/uploads(/.*)?”
restorecon -Rv /var/www/myapp/uploads

If SELinux is blocking, use audit2why to identify denials and set appropriate boolean or context rather than disabling SELinux.

---

Step 5: Resolve Sandbox security (Resource Security) Denials

Sandbox Security (a.k.a. Resource Security) may block:

• File IO outside allowed directories
• Network access (cfhttp, cfmail)
• Tags/functions (e.g., CreateObject, directory access)
• Datasource access

Symptoms appear as “Permission denied by security sandbox” in logs.

Actions:

• In CF Administrator: Security > Sandbox Security, adjust the policy for affected web roots and directories.
• Allow specific directories and operations instead of disabling sandbox globally.
• For scripted changes, inspect neo-security.xml carefully; backup before editing.

Example to allow a directory:

• Add “C:\sites\myapp\uploads” (Windows) or “/var/www/myapp/uploads” (Linux) to the file access rules with read/write as needed.
• Permit network hosts if using cfhttp to internal APIs.

---

Step 6: JVM and Service Startup Issues

Common issues post-lockdown:

• Wrong JDK path or incompatible JRE after updates.
• Insufficient heap or metaspace.
• FIPS/TLS settings added to jvm.config causing startup failures.

Actions:

• Validate jvm.config (e.g., [CF_HOME]/cfusion/bin/jvm.config).
• Confirm java.home points to a supported JDK for your CF version.
• Review coldfusion-out.log for startup errors.
• Reduce overly aggressive JVM flags; test with minimal set then re-add.

Example jvm.config excerpt:

java.home=C:\Program Files\Java\jdk-17
-jar “cfusion.jar”
-Xms1024m
-Xmx2048m
-XX:+UseG1GC
-Djava.security.egd=file:/dev/urandom

If the service still fails, run the server in console mode to see immediate output.

---

Step 7: Check URL Rewrite and Access Rules

Lockdown can add or encourage rules that can block .cfm requests.

• IIS URL Rewrite:

  • Ensure rules do not rewrite or abort .cfm/.cfc accidentally.
  • Exclude admin endpoints as needed but keep them IP-restricted.

• Apache:

  • Review RewriteCond/RewriteRule patterns.
  • Confirm rules allowing necessary endpoints or API routes.

Example IIS URL Rewrite exclusion:

xml

---

Step 8: TLS/Certificates and Outbound Connections

After hardening, TLS may be stricter:

• cfhttp to external APIs fails: certificate not in Java truststore.
• cfmail STARTTLS fails: incompatible ciphers or missing trust anchors.
• HTTPS connectors require proper keystores.

Actions:

• Import required CA or server certs into ColdFusion’s JVM truststore:

bash
keytool -importcert -keystore $JAVA_HOME/lib/security/cacerts \
-storepass changeit -alias myapi -file myapi.crt

• Verify endpoints with OpenSSL:

bash
openssl s_client -connect api.example.com:443 -servername api.example.com -showcerts

• IIS SNI/SSL bindings: confirm correct cert bound to the site/hostname.
• For Tomcat HTTPS (if used):

xml
<Connector protocol=”org.apache.coyote.http11.Http11NioProtocol”
port=”8443″
maxThreads=”150″
SSLEnabled=”true”
keystoreFile=”/opt/coldfusion/certs/keystore.p12″
keystoreType=”PKCS12″
keystorePass=”StrongPass”
clientAuth=”false”
sslProtocol=”TLS” />

---

Step 9: Scheduled tasks, PDFg, File Uploads, and Mail

• Scheduled Tasks:

  • Ensure the ColdFusion service account can write to task output directories.
  • Network restrictions may block outbound calls; validate firewall rules.

• PDF Generation (Add-on Services):

  • Confirm “ColdFusion Add-on Services” is installed and running.
  • Check its logs under [CF_HOME]/cfusion/addonServices/logs.
  • Ensure fonts and temp directories are accessible to the service account.

• File Uploads:

  • Check upload target and temp directories permissions.
  • Validate maxPostSize in Tomcat and request limits in IIS/Apache.
  • Antivirus/EDR may quarantine uploaded files; configure exclusions appropriately.

• Mail:

  • Verify SMTP server reachability and TLS requirements.
  • Mail spool folder permissions (cfusion/mail/spool) must allow CF to write.

---

Step 10: Network, Firewall, and SELinux

• Only required ports should be open externally:

  • 80/443 for web traffic
  • AJP should be bound to localhost and not externally exposed

• Open internal ports between web server and CF if on separate hosts.

• SELinux:

  • Prefer setting appropriate booleans and contexts over disabling:
    • setsebool -P httpd_can_network_connect 1 (if web server initiates outbound)
    • Label CF runtime files correctly

• Windows Firewall:

  • Create explicit inbound rules for web and admin if needed (admin should be restricted).

---

Cause / Solution Quick reference

• CFAdmin 403/Blocked

  • Cause: IP restriction or rewrite block
  • Solution: Temporarily allow your IP; verify web.config/Apache conf; use VPN/jump host

• .cfm 404/Static Only

  • Cause: Connector missing/broken
  • Solution: Re-run wsconfig; fix handler mappings; confirm AJP secret or switch to HTTP proxy

• Sandbox Denials

  • Cause: Resource Security tightening
  • Solution: Add least-privilege file/network/DB permissions for affected app roots

• Service Won’t Start

  • Cause: JVM misconfig, bad flags, wrong JDK
  • Solution: Correct jvm.config; test minimal JVM args; update to supported JDK

• TLS/Cert Failures

  • Cause: Missing trust chain or strict cipher settings
  • Solution: Import certs to JVM truststore; verify SNI; align cipher suites

• PDFg/Tasks Fail

  • Cause: Add-on Services not running or no permissions
  • Solution: Start service; fix permissions to temp/output; open internal ports as needed

• File Uploads Fail

  • Cause: Permissions or request size limits
  • Solution: Grant directory rights; adjust maxPostSize and request filters

---

Common mistakes and How to Avoid Them

• Disabling Sandbox Security entirely to “fix” issues. Instead, grant least-privilege permissions for specific app roots and operations.
• Leaving AJP exposed or without a secret. Always bind AJP to localhost and use a strong secret or switch to HTTP/HTTPS proxy.
• Editing neo-*.xml files without backups. Backup before manual changes; prefer admin UI or cfsetup/cfpm where possible.
• Running CF or web server as overly privileged accounts (e.g., LocalSystem). Use dedicated, minimally privileged service accounts.
• Mixing 32-bit and 64-bit connectors or App Pools in IIS. Ensure Architecture alignment.
• Forgetting to import certificates into the JVM truststore when outbound TLS starts failing.
• Turning off SELinux/Firewall “temporarily” and forgetting to re-enable. Instead, configure correct policies and rules.

---

Prevention Tips / Best practices

• Use Infrastructure as Code for configuration:
  • Export/import CF settings with cfsetup (ColdFusion 2021+):
    • cfsetup export settings.json
    • cfsetup import settings.json
• Document service accounts, directories, and permissions as part of Deployment artifacts.
• Keep connectors updated via wsconfig and re-run after CF updates that affect runtime.
• Store and renew TLS certs automatically; monitor expiry and truststore consistency.
• Enforce strict but explicit URL Rewrite rules; test patterns in staging before production.
• Maintain separate environments (dev/stage/prod) with the same lockdown posture; validate apps under identical security constraints.
• Monitor logs centrally and set alerts for lockdown-related errors (sandbox denials, connector failures, admin access attempts).
• Regularly review the Adobe ColdFusion Lockdown guide for your specific version and revalidate after upgrades.

---

Configuration Snippets and Examples

IIS web.config: Restrict Administrator by IP and Require HTTPS

xml

Apache VirtualHost: Proxy to CF with AJP Secret

apache
<VirtualHost *:80>
ServerName app.example.com

Redirect to HTTPS or serve directly if SSL is set below

ProxyPreserveHost On
ProxyPassMatch ^/(.*.cf[cm])$ ajp://127.0.0.1:8012/$1 secret=YourStrongSecretHere

<Location “/CFIDE/administrator”>
Require ip 127.0.0.1 203.0.113.0/24

JVM Truststore Import for External API

bash

Export server certificate chain beforehand

keytool -importcert -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit \
-file api-chain.crt -alias api-example

SELinux: Allow Web/CF to Write Uploads

bash
semanage fcontext -a -t httpd_sys_rw_content_t “/var/www/myapp/uploads(/.*)?”
restorecon -Rv /var/www/myapp/uploads

---

Key Takeaways

• The lockdown is working when access is deliberately restricted. Troubleshoot by confirming which control (connector, permissions, sandbox, TLS, rewrite) is responsible.
• Start with logs and connector health, then verify permissions and sandbox settings.
• Harden AJP or replace it with HTTP/HTTPS proxying; never expose AJP publicly.
• Grant least-privilege file, network, and tag/function access tailored to your app.
• Stabilize with Automation: cfsetup exports, scripted connector installs, and documented service accounts.

---

FAQ

How can I quickly tell if the issue is the connector or ColdFusion itself?

• If static files load but .cfm returns 404/500 immediately, suspect the connector. Check wsconfig -list and connector logs. If ColdFusion Admin is reachable on its internal port (or via console), CF is likely fine and the connector is the issue.

Why did my cfhttp calls start failing with SSL errors after lockdown?

• Hardening often requires strict TLS and disables legacy ciphers. Import the remote server’s certificate chain into the JVM truststore and verify SNI bindings. Use openssl s_client to confirm the presented chain and hostname.

My scheduled tasks run but cannot write files. What should I change?

• Grant the ColdFusion service account Modify permission on the output directories and ensure sandbox allows file writes there. On Linux with SELinux, label the directories with httpd_sys_rw_content_t and restorecon.

Is it safe to disable Sandbox Security to get things working?

• Avoid disabling it globally. Instead, define per-application or directory permissions for the exact file paths, network hosts, and operations needed. This maintains defense-in-depth while restoring functionality.

After applying the Lockdown Tool, CF Administrator disappeared from my site. How do I manage CF now?

• The tool relocates or restricts admin access. Access the Admin via a loopback-only binding, a management vhost, or through a bastion/jump host. You can also manage settings through cfsetup (export/import) and CFPM for Package management, keeping the UI locked down on public interfaces.