Java

Since Oracle has decided to charge enterprise customers with the upcoming JDK 11 and JRE 11, people need to look for alternatives. OpenJDK is around and can close the gap.

As you may have experienced in the past, Oracle has changed the MSI files embedded in their EXE setups a few times in version 8.x and cleaned up their installer a lot. At first the thought was "WTF are they doing there in the middle of 8.x", but in the end it became clear that they cleaned up the 8.x installer only. It was an outgrown mess over the years and full of garbage. However, they broke the ability to deploy it easily. Now, after the setup cleanup, a lot of knowledge and guessing is required to fix the MSI database and make it installable via AD GPOs. It is clear that they like to sell the customer only the enterprise MSI installer that nobody wants to pay $100K for. With Java 9 they started to hide the MSI file more. The MSI files are no longer extracted to the TEMP folder if you run the EXE setup. But it is still an MSI, and it goes into the C:\Windows\Installer folder. You can still make a snapshot of a virtual machine, install Java and grab the MSI from the Installer folder.

Now with Java 11 and later, Oracle plans to release a new major Java version every ~6 months and force all end users to upgrade to the latest version. Java version 8.x is no longer supported after January 2019 without a paid LTS contract. Long-term versions are then only available to enterprise customers. Additionally, enterprise users always need to license their servers and client computers running Java. They are no longer allowed to use the end-user Java versions. End users are not affected by this change.

Your CFHTTP requests may fail with the error I/O Exception: Received fatal alert: handshake_failure. The reason could be an attempt to connect to a web server that has very high SSL security levels enabled and is no longer compatible with older Java 8 versions.

If you are running ColdFusion on Java < 8.0.161 and you add -Djavax.net.debug=ssl,handshake,verbose to C:\ColdFusion2016\[cfusion]\bin\jvm.config you will see the below info message in coldfusion-out.log:

I just installed a Web Console on a Windows 2012 R2 Core server and learned how insecure this system is out of the box. You may have worked through the Post-Installation Configurations for Web Server and Web Console. This ends with a highly insecure web server configuration. The SSL encryption is sooo weak that I tend to say you can also leave SSL switched off. You can check your server with SSL Server Test. The Commvault default with Java 7 will end with the worst test result of F.

Java 7.0.17 / Tomcat (Commvault default)

For an extended time we have been trying to install Windows Updates on our machines, but this always fails with the error message Failure configuring Windows Updates. Reverting changes when the system reboots. In that case all the updates roll back and you are back to no update installed. This happens typically if you install Windows 2012 Core from DVD and try to install all the available Microsoft hotfixes. After a few months with Microsoft this was escalated internally at MS and they identified that coldfusion.exe has an open file handle on TTF font files. From my point of view, it looks like Microsoft does not add the TTFs to the pending file rename list and just replaces them on reboot.

After a lot of digging we found an interfering process that causes an update failure of tahomabd.ttf, see C:\Windows\Logs\CBS\CBS.log on the affected machine:

We tried to access a remote webservice from a partner, and they had updated their certificate a few days ago. This request fails with a very unhelpful error message in ColdFusion.

Symptom:

  • ColdFusion CFHTTP is broken if you access an SSL site, but it worked in the past.
  • ColdFusion CFDUMP says Connection Failure with I/O Exception: peer not authenticated
  • ColdFusion CFDUMP says I/O Exception: sun.security.validator.ValidatorException: PKIX path building failed: java.security.cert.CertPathBuilderException: Could not build a validated path.

Analysis:

Since intermediate certificates have been provided by the server, it can only be the root level certificate. But there may exist other situations where the certificate chain may be incomplete and you get the same error. Verify this first with SSLLabs or a certificate checker from a certificate authority. Be aware that they sometimes fail to show missing intermediate certificates.

Code for testing:

You may run a roaming profile environment with Eclipse, and from time to time it may start up with an error message like Invalid Configuration Location telling you:

The configuration area at C:\Users\[username]\.eclipse\...\configuration could not be created. Please choose a writable location using the '-configuration' command line option.

Checking for the JRE can be done with the code below. I found this on the net, but it failed for me with the WixUI_FeatureTree and WixUI_Mondo setup interfaces. The problem was that the condition was not checked on install only. Therefore I got the condition message also if I tried to modify features, and this blocked me from changing installed features. The added Installed OR makes sure this condition is only checked on the very first install and not later. It would otherwise cause serious issues for the user if the application is to be removed after the JRE has been uninstalled, but your application was not removed before.

We tried to access a remote webservice from a partner, and they had updated their certificate a few days ago. This request fails with a very unhelpful error message in ColdFusion.

Symptom:

  • ColdFusion CFHTTP is broken if you access an SSL site, but it worked in the past.
  • ColdFusion CFDUMP says Connection Failure with I/O Exception: peer not authenticated

Analysis:

The very first idea was that there must be something wrong with the top level certification authority, like a missing root certificate in the cacerts store that has not been integrated with Java in the past. The root level certificate has been imported manually, but the error was still there. As you may have experienced yourself, ColdFusion is always very unhelpful when it comes to SSL errors. If you need more detailed information you need to go to the Java level. Here is an example code snippet you can run:
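For the two PKIX / peer not authenticated cases above, it helps to confirm which root certificates the running JVM actually trusts before and after a manual cacerts import. The following is an added example, not the original post's snippet: the class name TrustAnchorCheck and the default filter "Example Root CA" are assumptions made here. Run it with the same JRE that ColdFusion uses.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example (hypothetical class name): lists the trust anchors of the
// default trust store whose subject contains a given text.
public class TrustAnchorCheck {
    public static void main(String[] args) throws Exception {
        // Constructed sample filter; pass part of your root CA's subject instead.
        String needle = (args.length > 0 ? args[0] : "Example Root CA").toLowerCase();

        // init((KeyStore) null) loads the JVM default trust store: the file named
        // by javax.net.ssl.trustStore if set, otherwise jssecacerts or cacerts
        // under <java.home>/lib/security.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);

        int hits = 0;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                String subject = ca.getSubjectX500Principal().getName();
                if (!subject.toLowerCase().contains(needle)) continue;
                hits++;
                System.out.println("Subject: " + subject);
                System.out.println("Expires: " + ca.getNotAfter());
                // Compare this fingerprint with the one published by the CA.
                System.out.println("SHA-256: " + sha256(ca.getEncoded()));
            }
        }
        // Shows which JRE was inspected; an import into another JRE has no effect here.
        System.out.println("java.home = " + System.getProperty("java.home"));
        System.out.println(hits == 0
            ? "No trust anchor matches: path building to this root will fail."
            : hits + " matching trust anchor(s) found.");
    }

    // Hex-encoded SHA-256 of the DER-encoded certificate.
    static String sha256(byte[] der) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(der)) {
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }
}
```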