Refresh any salt values when deploying a new CF engine.
Description
CF engines have salt values to ensure strong encryption and hashing that is unique per installation. Having all CommandBox servers deploy the same CF engine with the same salt defeats this purpose. Modify our CF engines to omit any salts so they start up fresh. Lucee and Adobe will auto-create fresh salt values.
Files include:
Remove WEB-INF/cfusion/lib/seed.properties in ACF 2016+
ACF's WEB-INF/cfusion/lib/neo-security.xml (Remove admin.userid.root.salt setting)
Reset RDS password to blank (denies access) and reset admin password to "commandbox" and set encrypted flag to false in WEB-INF/cfusion/lib/password.properties
Remove Lucee server and web context admin password salt. This isn't necessary on a stock Lucee war as these files don't exist yet.
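The Adobe steps listed above, sketched as a script run against an extracted war. This is an added example, not the Task Runner attached to this ticket. The function name, the `password.properties` key names and the WDDX `<var name='...'>` layout of `neo-security.xml` are assumptions, and the Lucee step is left out because the ticket does not name those files.

```python
import re
from pathlib import Path

# Matches the WDDX entry holding the admin password salt. The <var name='...'>
# layout is an assumption about neo-security.xml, not taken from the ticket.
SALT_VAR = re.compile(
    r"<var\s+name=(['\"])admin\.userid\.root\.salt\1\s*>.*?</var>", re.DOTALL)

# Values the ticket asks for: blank RDS password, known admin password, stored
# unencrypted. The property key names are an assumption.
PASSWORD_DEFAULTS = {"rdspassword": "", "password": "commandbox", "encrypted": "false"}


def strip_acf_salts(war_root, acf_major):
    """Apply the ticket's ACF steps to an extracted war; return what changed."""
    lib = Path(war_root) / "WEB-INF" / "cfusion" / "lib"
    changed = []

    # seed.properties: the ticket limits removal to ACF 2016+, so 10 and 11 keep it.
    seed = lib / "seed.properties"
    if acf_major >= 2016 and seed.exists():
        seed.unlink()
        changed.append("seed.properties removed")

    # neo-security.xml: drop only the salt entry, leave every other setting alone.
    neo = lib / "neo-security.xml"
    if neo.exists():
        text, hits = SALT_VAR.subn("", neo.read_text(encoding="utf-8"))
        if hits:
            neo.write_text(text, encoding="utf-8")
            changed.append("admin.userid.root.salt removed")

    # password.properties: rewrite the three keys, keep any other lines as they are.
    pw = lib / "password.properties"
    if pw.exists():
        kept = [line for line in pw.read_text(encoding="utf-8").splitlines()
                if line.split("=", 1)[0].strip() not in PASSWORD_DEFAULTS]
        kept += [f"{key}={value}" for key, value in PASSWORD_DEFAULTS.items()]
        pw.write_text("\n".join(kept) + "\n", encoding="utf-8")
        changed.append("password.properties reset")
    return changed
```

Because the password and RDS settings are rewritten on every run, the function can be re-applied after each engine update without a separate check.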
Activity
Brad Wood October 8, 2018 at 10:42 PM
Note the step of removing the seed.properties file only should be performed for ACF 2016 and up. CF10 and 11 do NOT handle that file being missing or unpopulated and will fail to boot. Apparently, Adobe only put in the logic to default fresh seeds in 2016.
So to review, when adding updates to 2016 or 2018, remove any seed.properties file before saving the war but when adding updates to CF 11, do NOT remove the seed.properties file or the war will not work.
Brad Wood September 28, 2018 at 5:19 AM
I have applied all the steps in the description to all of the existing Adobe CF engines on S3. needs to modify his script for updating CF engines to do the same since many of those steps will be undone automatically when the update is applied. I attached a CommandBox Task Runner that I used to process all of the Adobe CF engine zips to apply the lock down steps.
Brad Wood October 4, 2017 at 9:30 PM
I just confirmed the stock Adobe war does not come with an admin.userid.root.salt value in the neo-security.xml file. I assume if we just make sure that we remove any salt from our CF engines in that file, a new one will be created. So long as we are storing the default Adobe admin password as not encrypted, that should be fine.
The same is likely true for the Lucee admin password salt.
Fixed