Thursday, 29th November 2012 – FREE Webinar – Preventing and diagnosing ColdFusion server crashes and slow downs

  • Are your ColdFusion applications running slow or even crashing the server?
  • Are you concerned about what increasing load will do to the reliability of your application?
  • Do you want to protect your organization’s reputation for quality on the web?

Then join us for this free webinar with Intergral’s David Stockton and learn how to keep your ColdFusion servers alive and performing to their full potential. And when your server is crashing or running slow, find out how to figure out what is going on and solve the problems fast, so that your apps run reliably.

If your server is slow or sick this is for you! We will look at how to diagnose problems and some common ways to heal a sick ColdFusion server. We will also discuss what tools you can use to prevent problems from occurring.

This webinar is with David Stockton, technical consultant from the FusionReactor professional JVM and ColdFusion server monitor team. David has been using ColdFusion for more than 10 years and has spoken on server tuning and load testing many times.

He will demonstrate how to:

  • continuously monitor and gather metrics on your production servers
  • diagnose server and application issues
  • keep servers alive with unattended monitoring

We will also look at FusionAnalytics, the ColdFusion application and server analysis tool, and how it helps you:

  • make better server-sizing business decisions
  • improve application performance
  • improve code quality
  • measure exactly how your applications are performing over time

We will raffle off one copy of FusionReactor – you must register to enter this raffle.

The webinar on “Preventing and diagnosing ColdFusion server crashes and slow downs” is on Thursday, November 29, 2012, 3:00 PM – 4:00 PM EST. It will cover fixing slow servers and tips for locating and diagnosing performance bottlenecks. It will be approximately 45 minutes including time for Q and A. The webinar is free. You can register at https://www1.gotomeeting.com/register/242091952 See you there!

David started his career developing desktop applications using Visual Basic. After a period of working on interface design and prototyping for digital television set-top boxes, he made the move to web applications and working with ColdFusion in a variety of fields, from e-commerce to social networking.
In 2006 David joined the team at Intergral Information Solutions, makers of FusionReactor, FusionDebug and FusionAnalytics. David holds a senior consulting position for the Intergral UK team. David graduated from Staffordshire University with a Bachelor of Engineering degree (with honours) in Software Engineering.

The webinar will be hosted by Michael Smith, from TeraTech Inc. Click http://www.teratech.com/blog/index.cfm/2012/11/14/Preventing-and-diagnosing-ColdFusion-server-crashes-and-slow-downs-Thursday-112912-3pm-EST for further details.

System Requirements
PC-based attendees
Required: Windows® 7, Vista, XP or 2003 Server

Mac®-based attendees
Required: Mac OS® X 10.5 or newer

Mobile attendees
Required: iPhone®, iPad®, Android™ phone or Android tablet

Securing FusionReactor

I just posted a new technote over at http://www.fusion-reactor.com/support/kb/FRS-246.cfm

Hopefully you’ll all find this a good starting point on how to keep your server monitoring solution secure.

Happy New Year! Happy Server?

Hopefully we’re all back from a quiet festive break where your phones didn’t ring and you weren’t bothered by server outages at 2am on Christmas morning.

If that wasn’t you and your pager/cell was lit up brighter than the Christmas tree then perhaps you should already be speaking to us! We offer a professional consulting service using Adobe certified engineers with a minimum of 10 years’ experience. Our engineers are highly skilled and our experience in a wide range of scenarios allows us to quickly and accurately diagnose the root cause of server issues. We can handle issues including networking, database, web server, application server and code level, plus a lot more. So if you’re in need of help then get in touch now – https://www.cfconsultant.com/contact/

If you’re sitting feeling smug right now then that’s great news! Equally, you want to be the happy one next holiday break, so why not take a server review service from us. Our server reviews typically cover a range of areas including CF configuration, JVM configuration, OS optimizations and page performance including JDBC breakdown.
Your issues will be classified and marked by severity, allowing simple prioritization. We can additionally include plans to resolve any problems found, including time estimates. This service is typically provided remotely and duration/cost will depend on the complexity of your platform. Get in contact with us now to secure a quote – and your server’s future!

https://www.cfconsultant.com/contact/

Hello from CFUnited 2010

A big hello from CFUnited!

My colleagues (Darren Pywell & David Tattersall) and I (David Stockton) are all at CFUnited this week. We have a FREE copy of FusionAnalytics to give away so don’t be shy – come and speak to us for a chance to win!!

Plus, ask nicely and we’ve got FREE goodies for everyone we speak to!

We’re in the vendor area between Adobe & Railo – look for the ShareDox, FusionReactor, FusionAnalytics & Intergral banners… plus this good-looking guy:

See you there!

ColdFusion Update 1 – 9.0.1

ColdFusion 9.0.1 has been released for about a week now. I’m sure everyone has done due diligence in their test environments, run a full test-suite and deployed to production right?

http://www.adobe.com/support/coldfusion/downloads_updates.html#cf9

Well it’s not always that simple is it? So if you want some professional help from the experts then call the experts – we’re ready & waiting to help.

Payment Card Industry – Data Security Standards (PCI-DSS) and HTTPS SSL/TLS Connections

The PCI-DSS standard is designed to help protect card-holder data. The specific section we’re interested in is Requirement 4.1 of the v1.2 revision of the standard, which is available for download here: https://www.pcisecuritystandards.org/security_standards/pci_dss_download_agreement.html

The standard lays out that you must use strong cryptography and security protocols when transmitting card-holder data over open, public networks (i.e. the Internet).

If you want to secure any data sent over HTTPS you need to make sure the protocols and ciphers used are secure. In practice, at the time of writing, this means disabling SSLv2 and the weak ciphers: the export-grade and LOW suites and anything with anonymous (aNULL/ADH) or no (eNULL) encryption. This has to be done at the SSL endpoint – so if you’re using a load balancer, firewall or similar to terminate your SSL connections you’ll need to make the changes there, not on the web server sitting behind it. Be aware that the bar has since moved: SSLv3 was broken by the POODLE attack in 2014, RC4 is prohibited by RFC 7465, and PCI DSS 3.1 and later no longer count SSL or early TLS as strong cryptography, so an endpoint assessed today should offer TLS 1.2 or later only.

We can offer advice and resell SSL-terminating end-points. We also work with open-source SSL-terminating solutions such as Pound ( http://www.apsis.ch/pound/ ).

How To Check

Use the SSLScan tool – http://sourceforge.net/projects/sslscan/

Use OpenSSL from the command line. In each case the server is non-compliant if the handshake completes: s_client then prints the negotiated cipher in its SSL-Session summary, whereas a refusal shows a handshake failure alert and Cipher : 0000. Note that modern OpenSSL (1.1.0 onwards) no longer speaks SSLv2 and is built without the export and LOW suites by default, so a “can’t connect” from a new client proves nothing about the server; use an older build or sslscan for those two checks.

SSLv2

# openssl s_client -ssl2 -connect www.HOSTNAME.com:443

Weak ciphers

# openssl s_client -connect www.HOSTNAME.com:443 -cipher LOW:EXP
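The two probes above, wrapped so the verdict is read from s_client’s own output rather than eyeballed. This is an added example, not code from the original post or an Intergral tool; it assumes a local openssl binary and takes the target from PROBE_HOST/PROBE_PORT (names chosen here). Because a new OpenSSL cannot even attempt SSLv2 or the LOW/EXP suites, the classifier reports that case as UNTESTABLE rather than as a pass. The transcripts embedded in the block are constructed, abbreviated samples so the classifier can be checked offline.

```shell
#!/bin/sh
# Added example: probe an HTTPS endpoint for SSLv2 / weak ciphers with
# openssl s_client and classify each attempt from the transcript.

# classify_handshake: read an s_client transcript on stdin, print one word:
#   ACCEPTED   - the server completed a handshake with the weak option
#   REFUSED    - the server rejected it (alert / no cipher negotiated)
#   UNTESTABLE - the local client could not make the attempt at all
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -Eqi 'unknown option|no cipher match|SSL_CONF_cmd'; then
        echo UNTESTABLE
    elif printf '%s\n' "$out" | grep -Eq 'handshake failure|alert protocol version|wrong version number|Cipher *: *(0000|\(NONE\))'; then
        echo REFUSED
    elif printf '%s\n' "$out" | grep -Eq 'Cipher *: *[A-Z0-9]'; then
        echo ACCEPTED
    else
        echo UNTESTABLE
    fi
}

# probe LABEL HOST PORT [s_client options...]: run one probe, print the
# verdict, and return non-zero only when the weak option was ACCEPTED.
probe() {
    label=$1; host=$2; port=$3; shift 3
    verdict=$(openssl s_client -connect "$host:$port" "$@" </dev/null 2>&1 | classify_handshake)
    printf '%-10s %s\n' "$label" "$verdict"
    [ "$verdict" != ACCEPTED ]
}

# Constructed, abbreviated transcripts in the shape of real s_client output
# (0.9.8/1.0.x for the first two, 1.1.x for the third); used for the offline self-check.
sample_accepted() {
cat <<'EOF'
CONNECTED(00000003)
---
New, SSLv2, Cipher is DES-CBC3-MD5
SSL-Session:
    Protocol  : SSLv2
    Cipher    : DES-CBC3-MD5
---
EOF
}
sample_refused() {
cat <<'EOF'
CONNECTED(00000003)
140735170856784:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv2
    Cipher    : 0000
---
EOF
}
sample_untestable() {
cat <<'EOF'
s_client: Unknown option: -ssl2
s_client: Use -help for summary.
EOF
}

# Live run, only when a target is named:  PROBE_HOST=www.HOSTNAME.com sh probe_tls.sh
if [ -n "${PROBE_HOST:-}" ]; then
    fail=0
    probe "SSLv2"   "$PROBE_HOST" "${PROBE_PORT:-443}" -ssl2           || fail=1
    probe "LOW/EXP" "$PROBE_HOST" "${PROBE_PORT:-443}" -cipher LOW:EXP || fail=1
    # Two probes the original post predates (added here): SSLv3 and RC4 are
    # also unacceptable under PCI DSS 3.1 and later.
    probe "SSLv3"   "$PROBE_HOST" "${PROBE_PORT:-443}" -ssl3           || fail=1
    probe "RC4"     "$PROBE_HOST" "${PROBE_PORT:-443}" -cipher RC4     || fail=1
    exit $fail
fi
```

The script exits non-zero only on an ACCEPTED verdict, so it drops straight into a nightly cron job or a change-control check; an UNTESTABLE result means the client, not the server, needs attention.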

How to Fix

Apache 2.x:

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

Pound:

Ciphers "SSLv3:TLSv1:-LOW:-aNULL:-ADH:-EXP:-eNULL"

IIS:

(Unfortunately you have to edit the registry… Keys that don’t exist yet, such as the individual Ciphers subkeys, must be created with exactly these names, and SCHANNEL only re-reads these settings at reboot, so re-run the checks above after restarting.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000

You may also be interested to know that active CF community member Pete Freitag has created a commercial tool to help you make these changes in IIS – http://foundeo.com/products/iis-weak-ssl-ciphers/

Of course not everyone’s environment is straight-forward and often you’ll hit issues or knock-on effects – so get the experts in… we’re waiting!

New system configuration – It’s not just the application server!

A common consulting engagement for us is configuring a new system for optimal use. It’s not just the application server that needs configuring: the application server relies on a lot of underlying infrastructure, including the network and OS. This stage often gets overlooked, or you (often incorrectly) assume your hosting provider has already performed these steps.

Every application is different and there are no golden rules, but there are some simple steps you can take to improve performance, security & stability. For a typical web & application server machine let’s look at an example Linux setup. Here’s just the tip of the iceberg…

Tune TCP/IP Kernel Parameters

These go in /etc/sysctl.conf (or a file under /etc/sysctl.d/) and are applied with sysctl -p. The eth0 entries assume that is your public-facing interface, so change the name to match your box.

  • Ignore ICMP echo requests sent to broadcast addresses (stops the host amplifying smurf-style floods)
    • net.ipv4.icmp_echo_ignore_broadcasts = 1
  • Enable reverse-path filtering: drop packets whose source address is not routable back out of the interface they arrived on (a basic anti-spoofing check)
    • net.ipv4.conf.eth0.rp_filter=1
    • net.ipv4.conf.lo.rp_filter=1
    • net.ipv4.conf.default.rp_filter=1
    • net.ipv4.conf.all.rp_filter=1
  • Set the maximum socket buffer sizes (the ceiling for the autotuning below)
    • net.core.rmem_max = 16777216
    • net.core.wmem_max = 16777216
  • Increase the Linux TCP autotuning buffer limits (min, default and max number of bytes to use)
    • net.ipv4.tcp_rmem = 4096 10000000 16777216
    • net.ipv4.tcp_wmem = 4096 65536 16777216
  • Drop source-routed packets (source routing lets the sender dictate the path and bypass routing-based controls)
    • net.ipv4.conf.eth0.accept_source_route=0
    • net.ipv4.conf.lo.accept_source_route=0
    • net.ipv4.conf.default.accept_source_route=0
    • net.ipv4.conf.all.accept_source_route=0
  • Allow TIME_WAIT sockets to be reused for new outbound connections and shorten the FIN_WAIT2 timeout. This helps a server that opens many short-lived connections (for example JDBC connections to the database); it does nothing for inbound connections.
    • net.ipv4.tcp_tw_reuse=1
    • net.ipv4.tcp_fin_timeout=30
  • Move keepalive from 2 hrs to 30 min (you may want to tune this up or down)
    • net.ipv4.tcp_keepalive_time=1800
  • Help protect from SYN-flood denial-of-service attacks by enlarging the SYN backlog. On its own a bigger backlog only delays the point at which a flood wins, so make sure net.ipv4.tcp_syncookies is also enabled (most distributions default it on):
    • net.ipv4.tcp_max_syn_backlog=4096
  • Accept ICMP redirects only from the default gateways. This only matters if redirects are accepted at all, which they are not below, but it is harmless to set:
    • net.ipv4.conf.eth0.secure_redirects=1
    • net.ipv4.conf.lo.secure_redirects=1
    • net.ipv4.conf.default.secure_redirects=1
    • net.ipv4.conf.all.secure_redirects=1
  • Don’t accept ICMP redirects at all (they let an on-path host rewrite your routing table)
    • net.ipv4.conf.eth0.accept_redirects=0
    • net.ipv4.conf.lo.accept_redirects=0
    • net.ipv4.conf.default.accept_redirects=0
    • net.ipv4.conf.all.accept_redirects=0
  • Don’t send redirects (we’re not acting as a router)
    • net.ipv4.conf.eth0.send_redirects=0
    • net.ipv4.conf.lo.send_redirects=0
    • net.ipv4.conf.default.send_redirects=0
    • net.ipv4.conf.all.send_redirects=0

Tune User Security Limit Parameters

These go in /etc/security/limits.conf and take effect for new login sessions, so restart the ColdFusion/JVM service from a fresh session afterwards and verify with ulimit -n and ulimit -u as the service user. Note that the * wildcard does not apply to root; if your server runs as root, add an explicit root entry.

  • Define “soft” & “hard” limits for max open file handles for all users
    • * soft nofile 20000
    • * hard nofile 20000
  • Define “soft” & “hard” limits for max concurrent processes for all users
    • * soft nproc 8192
    • * hard nproc 8192
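Setting the values is the easy half; the half that gets skipped is checking, later, that the running kernel still has them (a rebuilt box or a hosting provider’s image reset is where this bites). The script below is an added example, not part of the original post or any Intergral product: it compares a sysctl.d-style hardening file against a dump of sysctl -a and reports every setting that is missing or differs. The two sample files it writes are constructed for the offline self-check; the hardening sample uses a subset of the values listed above plus net.ipv4.tcp_syncookies = 1, which the post does not list. The file names are choices made for this example.

```shell
#!/bin/sh
# Added example: audit live kernel settings against a hardening file.

# normalise: turn either sysctl.conf syntax ("key = value", comments allowed)
# or `sysctl -a` output ("key = v1<TAB>v2<TAB>v3") into one "key|value" line
# each, with whitespace inside multi-valued settings squeezed to one space.
normalise() {
    sed -e 's/#.*//' \
        -e '/^[[:space:]]*$/d' \
        -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]*=[[:space:]]*/|/' \
        -e 's/[[:space:]]\{1,\}/ /g' \
        -e 's/ *$//'
}

# audit_sysctl EXPECTED_FILE ACTUAL_FILE: print one line per setting that is
# missing from or differs in ACTUAL_FILE; return 0 only when all match.
audit_sysctl() {
    report=$(
        normalise < "$1" | while IFS='|' read -r key want; do
            have=$(normalise < "$2" | awk -F'|' -v k="$key" '$1 == k { print $2; exit }')
            if [ -z "$have" ]; then
                printf 'MISSING  %s (want: %s)\n' "$key" "$want"
            elif [ "$have" != "$want" ]; then
                printf 'MISMATCH %s (want: %s, have: %s)\n' "$key" "$want" "$have"
            fi
        done
    )
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# write_samples DIR: constructed inputs for the offline self-check. The
# "actual" dump mimics a host where rp_filter was never applied and
# tcp_syncookies is absent from the output.
write_samples() {
    cat > "$1/hardening.conf" <<'EOF'
# Subset of the hardening values from the post, plus tcp_syncookies (added)
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_rmem = 4096 10000000 16777216
net.core.rmem_max = 16777216
EOF
    {
        cat <<'EOF'
net.core.rmem_max = 16777216
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_max_syn_backlog = 4096
EOF
        # sysctl -a separates the fields of multi-valued settings with tabs
        printf 'net.ipv4.tcp_rmem = 4096\t10000000\t16777216\n'
    } > "$1/actual.txt"
}

# Live use:  sysctl -a > /tmp/sysctl.actual
#            sh audit_sysctl.sh /etc/sysctl.d/99-hardening.conf /tmp/sysctl.actual
if [ $# -eq 2 ]; then
    audit_sysctl "$1" "$2"
    exit $?
fi
```

Run against the constructed samples it reports the rp_filter mismatch and the missing tcp_syncookies and exits 1; against a host where everything is applied it is silent and exits 0, which is what you want from a check wired into monitoring.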

What’s Next?!

Making good progress? What about the network, firewall, load balancer, web server, JVM, application server, application code… the list goes on – save yourself the headache, call the experts!