We are pleased to announce enhancements to signing Java Archive (JAR) files (often simply called JARs) for Oracle E-Business Suite 12.2 to assist you with code signing certificates that are Hardware Security Module (HSM) or token based.

Overview of JAR Files with EBS

The Java code that runs on the desktop (client tier) is downloaded from Oracle E-Business Suite (EBS) as JAR files. JARs need to be signed by a certificate from a Certificate Authority (CA) that is trusted by the Java code on the desktop.

The granular patching approach used by EBS means that the JARs used on the desktop may change when EBS is patched. This requires the changed or updated JARs to be signed on your EBS application tier after patching, and prior to the updated environment being released to users.

What Recently Changed?

Starting in the summer of 2023, the commercial CAs changed their policy and ceased to issue code signing certificates where your private key was kept in a disk file such as the Java KeyStore (JKS) file used by EBS JAR signing tools. In essence, the private key used for code signing now needs to be kept in a Hardware Security Module. For details, refer to applicable communications from the relevant commercial CAs.

As an Oracle E-Business Suite customer, your choices for JAR signing are now one of the two options below:

  1. Use a private CA issued code signing certificate and keep using existing AD tools.
  2. Use a commercial CA issued code signing certificate, and implement a custom signing process that satisfies the commercial CA’s requirements.

What’s New for EBS 12.2 and Signing JARs?

EBS has released enhancements for signing JAR Files. With the installation of the required patches, the following is introduced:

  • The adjkey utility is replaced with the new adjss utility.
  • For EBS Release 12.2, the number of JAR files that are signed is reduced from over 300 files to 87.

With the new adjss utility, the signing mode can be set to one of the following three values:

  • KEYSTORE – Sign using a local disk-based keystore file. Use the keytool command to create the keystore file.
  • NONE – AD will not sign JARs. AD will produce jarlist.txt and optionally customjarlist.txt.
  • CUSTOM – Same as NONE, but AD will call a new customjarsign.sh script that has your own signing implementation.
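
As an added illustration of what a CUSTOM-mode signing implementation could do (this is not Oracle's customjarsign.sh and not code from the MOS note), the shell function below signs each JAR named in a list file with a key held on a PKCS#11 token, then verifies the signature. The list format (one path per line), the variable names and the JDK 8 style jarsigner provider options are assumptions.

```shell
#!/bin/sh
# Added example, not Oracle code. Assumptions: the list file has one JAR path
# per line; PKCS11_CFG is a SunPKCS11 provider config for your HSM or token;
# SIGN_ALIAS is the key alias on the token; TOKEN_PIN (exported) holds the PIN;
# TSA_URL is your CA's timestamp service.
JARSIGNER="${JARSIGNER:-jarsigner}"

sign_jars() {
    list="$1"
    failed=0
    [ -r "$list" ] || { echo "cannot read list: $list" >&2; return 2; }
    : "${PKCS11_CFG:?set PKCS11_CFG}" "${SIGN_ALIAS:?set SIGN_ALIAS}"
    : "${TSA_URL:?set TSA_URL}"

    while IFS= read -r jar || [ -n "$jar" ]; do
        # Skip blank lines and comments.
        case "$jar" in ''|'#'*) continue ;; esac
        if [ ! -f "$jar" ]; then
            echo "MISSING $jar" >&2
            failed=$((failed + 1))
            continue
        fi
        # -keystore NONE with -storetype PKCS11 keeps the private key on the
        # token; only the signature leaves it. (JDK 9+ uses
        # "-addprovider SunPKCS11" in place of -providerClass.)
        # -tsa timestamps the signature so it stays valid after cert expiry.
        if "$JARSIGNER" -keystore NONE -storetype PKCS11 \
               -providerClass sun.security.pkcs11.SunPKCS11 \
               -providerArg "$PKCS11_CFG" -storepass:env TOKEN_PIN \
               -tsa "$TSA_URL" "$jar" "$SIGN_ALIAS" >/dev/null </dev/null &&
           "$JARSIGNER" -verify -strict "$jar" >/dev/null </dev/null
        then
            echo "SIGNED $jar"
        else
            echo "FAILED $jar" >&2
            failed=$((failed + 1))
        fi
    done < "$list"

    # Non-zero status if any JAR was missing, unsigned or failed verification,
    # so a patching run can stop before the environment is released to users.
    [ "$failed" -eq 0 ]
}

if [ "$#" -gt 0 ]; then sign_jars "$1"; fi
```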

For more information regarding prerequisites, including EBS patches and the new adjss utility, refer to Signing JAR Files for Oracle E-Business Suite Release 12 (MOS Note 1591073.1).
