#chef-coldfusion10
Installs/Configures Adobe ColdFusion 10
coldfusion10- Includes the standalone, jvmconfig, and updates recipes if the installer type is standalone (the default), or the j2ee recipe if installer type is ear or warcoldfusion10::apache- Configures ColdFusion to run behind the Apache httpd web servercoldfusion10::configure- Sets ColdFusion configuration settings via the config LWRP (cfusion instance only)coldfusion10::install- Runs the ColdFusion installercoldfusion10::j2ee- Includes the install recipe and explodes the ear if installer type is earcoldfusion10::jvmconfig- Sets necessary JVM configuration (cfusion instance only)coldfusion10::lockdown- Locks down CFIDE and other ColdFusion pieces in web server configurationcoldfusion10::standalone- Installs ColdFusion 10 in standalone modecoldfusion10::tomcat- Enables SSL and changes webroot for built in Tomcat webserver (cfusion instance only)coldfusion10::trustedcerts- Imports certificates from a data bag into the JVM truststorecoldfusion10::updates- Applies ColdFusion updates to all local instances
Unless you have the ColdFusion 10 installer available on a private network that the target node can access, you must download the necessary installer from Adobe. For more information see the node['cf10']['installer']['url'] and node['cf10']['installer']['cookbook_file'], and node['cf10']['installer']['local_file'] attributes below.
apt- The apt cookbook is required by the coldfusion10::default recipe if the platform is Ubuntu <= 10.04.apache2- The apache2 cookbook is required if using the colfusion10::apache recipe.sudo- The sudo cookbook is required if using the colfusion10::updates recipe.
This cookbook provides LWRPs that wrap the ColdFusion Configuration Manager API.
| Action | Description | Default |
|---|---|---|
| set | Set a property on a specific admin component | true |
| bulk_set | Set multiple properties on multiple admin components |
| Attribute | Description | Default Value |
|---|---|---|
| component | Name attribute: The componet to target if action is :set (required for :set) | name |
| property | The property to set if action is :set (required for :set) | |
| args | A hash of arguments to pass to the component setter method if action is :set (required for :set) | |
| config | A hash of config settings if action is :bulk_set (required for :bulk_set) | |
| instance | The instance to target | cfusion |
The config resource can be used to set ColdFusion administrator settings. This resource supports two actions. The :bulk_set action allows multiple settings to be changed at once. For example, adding the following to a recipe will ensure the trusted cache is enabled and that a mapping exits:
coldfusion10_config "bulk" do
action :bulk_set
config ({ "runtime" => {
"cacheProperty" => [
{ "propertyName" => "TrustedCache",
"propertyValue" => true}
]
},
"extensions" => {
"mapping" => [
{ "mapName" => "/cf10",
"mapPath" => "/opt/coldfusion10" }
]
} })
notifies :restart, "service[coldfusion]", :delayed
end
The config resouce also has a :set action that can target a ColdFusion administrator API componet directly. For example to create a MS Sql Server datasouce you can do the following:
coldfusion10_config "datasource" do
action :set
property "MSSQL"
args ({ "name" => "test_db",
"host" => "db.example.com",
"database" => "test_db",
"username" => "test_db_user",
"password" => "test_db_password",
"sendStringParametersAsUnicode" => true,
"disable_clob" => false,
"disable_blob" => false })
end
Configuration settings can be targeted to a specific ColdFusion instance by setting the instance attribute of the config resource. By default the resource targets the "cfusion" instance.
Note that the config resource is not yet idempotent. Each time config provider runs it attempts to update the underlying ColdFusion Administrator setting.
| Action | Description | Default |
|---|---|---|
| add_server | Add a local instance | true |
| add_remote_server | Register a remote instance |
| Attribute | Description | Default Value |
|---|---|---|
| server_name | Name attribute: The instance name (required) | name |
| create_service | Enable and start service for the instance if action is :add_server | false |
| service_name | Name of symlink to place in /etc/init.d for the instance coldfusion init script if action is :add_server | server_name |
| server_dir | The server dirctory to use if action is :add_server. This value must be node['cf10']['installer']['install_folder'] + server_name (Do not set this attribute) | |
| host | The IP address or DNS name for the remote instance host if action is :add_remote_server (required for :add_remote_server) | |
| jvm_route | The jvmRoute attribute value of Engine from server.xml of the remote instance if action is :add_remote_server (required for :add_remote_server) | |
| remote_port | The Connector port value with protocol AJP from server.xml of the remote instance if action is :add_remote_server (required for :add_remote_server) | |
| http_port | The HTTP port through which the administrator of the remote instance can be accessed if action is :add_remote_server (required for :add_remote_server) | |
| admin_port | The port on which admin component is running on remote instance if action is :add_remote_server | |
| admin_username | The username for the admin component running on remote instanc if action is :add_remote_server | |
| admin_password | The password for the admin component running on remote instance if action is :add_remote_server | |
| lb_factor | The load balancing factor for the remote instance if action is :add_remote_server (required for :add_remote_server) | 1 |
| https | Use https to connect to remote instance if action :add_remote_server | false |
The instance resource can be used to create new local or remote instances. For example, the following will create a new local instance and configure it as a service:
coldfusion10_instance "cfusion2" do
create_service true
end
Note that the instance resource only supports creating new instances. Once an instance is created it cannot be updated or deleted via the the instance resource.
| Action | Description | Default |
|---|---|---|
| add_cluster | Add a cluster | true |
| Attribute | Description | Default Value |
|---|---|---|
| cluster_name | Name attribute: The name of the cluster (required) | name |
| servers | A comma delimited list of servers to include in the cluster (required) | |
| multicast_port | The mutlicast port to use for this cluster. If not set ColdFusion will pick an available port | |
| sticky_sessions | A string, either 'true' or 'false', indicating this cluster will use sticky sessions. If not set this value will default to 'true' |
The cluster resource can be used to create new clusters.
coldfusion10_cluster "testCluster" do
servers "cfusion,cfusion2"
end
Note that clusters can be created and modified using this resource, but not deleted.
The following attributes are under node['cf10']['installer']:
You must set one of the following values for the installer binary:
['url']- If defined, the installer will be downloaded from this location. (no default)['cookbook_file']- If defined, a cookbook file with this name, i.e. "ColdFusion_10_WWEJ_linux32.bin", must be available in this cookbook'sfiles/defaultdirectory. You must download the installer from adobe.com and place it in this directory. (no default)['local_file']- If defined, the the installer binary must be available on the the chef node at this path, i.e. "/tmp/ColdFusion_10_WWEJ_linux32.bin". This can be useful if you have some way to distribute the installer to chef nodes before provisioning. For example you may keep a single copy of the installer on your Vagrant host workstation and make it availble to all you Vagrant guests via a shared folder. (no default)
Additional settings:
['admin_ip']- Secure profile IP addresses, IP addresses from which Administrator can be accessed (default: "")['admin_username']- ColdFusion administrator username (default: "admin")['admin_password']- ColdFusion administrator password (default: "vagrant")['auto_enable_updates']- Enable auto updates (default: "false")['context_root']- Context root for J2EE installation (default: "/cfusion")['enable_rds']- Enable RDS (default: "false")['enable_secure_profile']- Enable secure profile, locking down the ColdFusion administrator (default: "false")['install_admin']- Install the ColdFusion administrator application (default: "true")['install_folder']- ColdFusion installation path (default: "/opt/coldfusion10")['install_jnbridge']- Install the .Net integration services, applies only to Windows systems with .Net framework installed (default: "false")['install_odbc']- ODBC services (default: "true")['install_samples']- ColdFusion samples, the Getting Started Experience, Tutorials, and Documentation (default: "false")['install_solr']- Install Apache Solr (default: "true")['installer_type']- The type of installation, valid values are ear/war/standalone (default: "standalone")['jetty_username']- Jetty useranme (default: "admin")['jetty_password']- Jetty password (default: "vagrant")['license_mode']- The license mode, valid values are full/trial/developer (default: "developer")['migrate_coldfusion']- Migrate setting from a previous installation (default: "false")['password_databag']- encrypted data bag item with ColdFusion passwords set during installation (default: "password_databag")['prev_cf_migr_dir']- Where to migrate setting from (default: "")['prev_serial_number']- If an upgrade license, previous serial number (default: "")['rds_password']- Password if RDS is enabled (default: "vagrant")['runtimeuser']- Runtime user (default: "nobody")['serial_number']- If license mode is full, provide the serial number (default: "")
The following attributes are under node['cf10']:
['webroot']- The document root to use for either Apache or Tomcat (default: "/vagrant/wwwroot")
The following attributes are under node['cf10']['lockdown']:
['cfide']['adminapi_whitelist']- An array of hosts/IP addresses beyond localhost/127.0.0.1 to grant adminapi access.['cfide']['administrator_whitelist']- An array of hosts/IP addresses beyond localhost/127.0.0.1 to grant administrator access.['cfide']['air']- Lockdown AIR if not using AIR sync API['cfide']['classes']- Lockdown classes if not using Java applets for cfgrid, cftree, and cfslider['cfide']['graphdata']- Lockdown GraphData if not using cfgraph and cfchart['cfide']['scripts']- Lockdown scripts if not using cfform, cfchart, AJAX tags, etc.['cfide']['scripts_alias']- Create Alias for scripts and lockdown original path['cffileservlet']- Lockdown cffileservlet if not using cfreport, cfpresentations and cfimage['flash_forms']- Lockdown cfformgateway and cfform-internal if not using Flash forms['flex_remoting']- Lockdown cfflex2gateway and cfflex-internal if not using Flex Remoting['rest']- Lockdown REST if not using REST services['wsrpproducer']- Lockdown WSRPProducer if not using WSRPProducer
The following attributes are under node['cf10']['java']:
['args']- An array of arguments to be passed o the ColdFusion JVM. (default: [ "-Xms256m", "-Xmx512m", "-XX:MaxPermSize=192m", "-XX:+UseParallelGC" ])['home']- Defaults to the JRE bundled with ColdFusion, updated to system JAVA_HOME if the Java cookbook is used.
The following attributes are under node['cf10']:
['config_settings']- Settings to apply to the ColdFusion server (default: {})
ColdFusion configuration for this cookbook is handled by a LWRP wrapping the ColdFusion Configuration Manager project. To set ColdFusion admin settings via this cookbook set the config_settings as necessary and include the coldfusion10::configure recipe in your run list. Below is a sample JSON datasource definition:
"config_settings" => {
"datasource" => {
"MSSql" => [
{
"name" => "test_db",
"host" => "db.example.com",
"database" => "test_db",
"username" => "test_db_user",
"password" => "test_db_password",
"sendStringParametersAsUnicode" => true,
"disable_clob" => false,
"disable_blob" => false,
}
]
}
}
The following attributes are under node['cf10']['updates']:
['urls']- A list of update URLs to download and install. (default:%w{ http://download.macromedia.com/pub/coldfusion/10/cf10_mdt_updt.jar http://download.adobe.com/pub/adobe/coldfusion/hotfix_001.jar http://download.adobe.com/pub/adobe/coldfusion/hotfix_002.jar http://download.adobe.com/pub/adobe/coldfusion/hotfix_004.jar http://download.adobe.com/pub/adobe/coldfusion/hotfix_005.jar http://download.adobe.com/pub/adobe/coldfusion/hotfix_006.jar http://download.adobe.com/pub/adobe/coldfusion/hotfix_007.jar http://download.adobe.com/pub/adobe/coldfusion/hotfix_008.jar http://download.adobe.com/pub/adobe/coldfusion/hotfix_009.jar http://download.adobe.com/pub/adobe/coldfusion/hotfix_010.jar http://download.adobe.com/pub/adobe/coldfusion/hotfix_011.jar })['files']- A list of files deployed by the update installers. There should be one entry for each update url defined innode['cf10']['updates']['urls']. (default:%w{ hf1000-3332326.jar chf10000001.jar chf10000002.jar chf10000004.jar chf10000005.jar chf10000006.jar chf10000007.jar chf10000008.jar chf10000009.jar chf10000010.jar chf10000011.jar })
The following attributes are under node['cf10']['apache']:
['ssl_cert_file']- The SSL cert to use for Apache (default: "/etc/ssl/certs/ssl-cert-snakeoil.pem")['ssl_cert_key_file']- The SSL key to use for Apache (default: "/etc/ssl/private/ssl-cert-snakeoil.key")['ssl_cert_chain_file']- The SSL chain to use for Apache (default: nil)
The following attributes are set during a Chef run and can be used to query your coldfusion infrastructure:
*node['cf10']['instances_xml'] - The contents of the instances.xml file
*node['cf10']['instances_local'] - A comma delimited list of local instances
*node['cf10']['instances_remote'] - A comma delimited list of remote instances
*node['cf10']['cluster_xml'] - The contents of the cluster.xml file
On server nodes:
include_recipe "coldfusion10"
This will run either a standalone or J2EE installation depending on the node['cf10']['installer']['installer_type'].
The standalone installation type will run the following recipes coldfusion10::standalone, coldfusion10::jvmconfig, and
coldfusion10::updates recipes, installing ColdFusion 10 standalone server mode.
The J2EE installation type will run the coldfusion10::j2ee recipe.
If you'd like to securely store the CF10 passwords for installation, you can create an encrypted data bag at cf10/#{node['cf10']['installer']['password_databag']} which defaults to cf10/installer_passwords. For example:
$ knife data bag create cf10
$ knife data bag create cf10 installer_passwords --secret-file=path/to/secret
in your editor type:
{
"id": "installer_passwords",
"admin_password": "my_admin_password",
"jetty_password": "my_jetty_password",
"rds_password": "my_rds_password"
}
Using the lockdown recipe, we can block /CFIDE and reopen needed URIs. Use attributes to lockdown additional Location blocks
Configuration also:
- Sets IP whitelist for /CFIDE/adminapi and /CFIDE/administrator
- Requires SSL for /CFIDE/administrator
- Presents 404 error instead of 5XX for ColdFusion application.cfc access
- Optionally alias /CFIDE/scripts (Server Settings -> Settings -> Default ScriptsSrc Directory)
Below are the explanations for additional ColdFusion pieces that can be blocked. ColdFusion 10 server lockdown documentation can be found here: http://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/cf10/cf10-lockdown-guide.pdf
| URI | Purpose | Safe to Block |
|---|---|---|
| /cffileservlet | Serves dynamically generated assets. It supports the cfreport, cfpresentation, and cfimage (with action=captcha and action=writeToBrowser) tags | Only if cfreport, cfpresentations and cfimage are not used. |
| /cfformgateway | Used for <cfform format=flash> |
Only if Flash Forms are not used. |
| /cfform-internal | Used for <cfform format=flash> |
Only if Flash Forms are not used. |
| /CFIDE/AIR | AIR Sync API | Usually, unless AIR sync API is used. |
| /CFIDE/classes | Contains java applets for cfgrid, cftree, and cfslider | Usually, unless java applets are used. |
| /CFIDE/GraphData | Used to render cfgraph and cfchart assets. | Only if cfchart and cfgraph is not used |
| /CFIDE/scripts | Contains javascript and other assets for several ColdFusion features cfform, cfchart, ajax tags, etc. | Yes - we will create a new, non default URI for this folder, and specify the new URI in the ColdFusion administrator. |
| /flex2gateway | Flex Remoting | Only if Flex Remoting is not used. |
| /flex-internal | Flex Remoting | Only if Flex Remoting is not used. |
| /rest | Used for CF10 Rest web services support. | Only if CF10 REST web services are not used. |
| /WSRPProducer | Web Services Endpoint for WSRP. | Usually, unless WSRP is used. |
The trustedcerts recipe will look for a databag named trusted_certs with items that contain
certificates that should be added to the JVM trust store. The certificate should be a string with
new lines converted to \ns. Below is a sample that would be stored as someCA.json:
{
"id" : "someCA",
"certificate" : "-----BEGIN CERTIFICATE-----\n... truncated ...\n-----END CERTIFICATE-----"
}