Text Size 100%:

Oracle disabled MD5 signed JARs in the April 2017 Critical Patch Update.  JAR files signed with MD5 algorithms will be treated as unsigned JARs.

MD5 JAR file signing screenshot

Does this affect EBS environments?

Yes. This applies to Java 6, 7, and 8 used in EBS 12.1 and 12.2.  Oracle E-Business Suite uses Java, notably for running Forms-based content via the Java Runtime Environment (JRE) browser plug-in.  Java-based content is delivered in JAR files.  Customers must sign E-Business Suite JAR files with a code signing certificate from a trusted Certificate Authority (CA). 

A code signing certificate from a Trusted CA is required to sign your Java content securely. It allows you to deliver signed code from your server (e.g. JAR files) to users desktops and verifying you as the publisher and trusted provider of that code and also verifies that the code has not been altered. A single code signing certificate allows you to verify any amount of code across multiple EBS environments. This is a different type of certificate to the commonly used SSL certificate which is used to authorize a server on a per environment basis. You cannot use an SSL certificate for the purpose of signing jar files. 

Instructions on how to sign EBS JARs are published here:

Where can I get more information?

Oracle's plans for changes to the security algorithms and associated policies/settings in the Oracle Java Runtime Environment (JRE) and Java SE Development Kit (JDK) are published here:

More information about Java security is available here:

Getting help

If you have questions about Java Security, please log a Service Request with Java Support.

If you need assistance with the steps for signing EBS JAR files, please log a Service Request against the "Oracle Applications Technology Stack (TXK)" > "Java."

Related Articles

Steven Chan

Senior Director

Steven Chan was a Senior Director in the Oracle Applications Technology Group.  He managed EBS technology stack certifications, ATG product management, ATG documentation and curriculum, and ATG Quality Assurance in the E-Business Suite Development division.

Steven joined Oracle in 1998.  Steven retired from Oracle in 2019. Prior to joining Oracle, he held positions with IBM, Deloitte & Touche Consulting, and other software companies. 

Steven is an Oracle ACE and a three-time recipient of the Oracle Applications User Group 'Ambassador of the Year' Award (2007, 2009, 2010). Steven received the Oracle Applications User Group Lifetime Service Award in 2011.

Previous Post

Critical Patch Update for April 2017 Now Available

Steven Chan | 1 min read

Next Post

April 2017 Updates to AD and TXK for EBS 12.2

Steven Chan | 2 min read