Oracle Forms - A Closer Look at the JRE Security Warning(s) Related to JAR Signing and Manifests
By Bulent Seckin-Oracle on Jan 29, 2014
Latest versions of JREs demand some new security requirements on JAR files used by applets. Because of these new requirements, Oracle Forms users started to see several different Security Warnings lately, which didn't popup in the past. With a careless glance at these Security Warnings, one may not realize any difference between them. But for careful eyes, there are important distinctions between each. And of course each of them has its own specific solution. This article shows the current set of security warnings and explains how to deal with them.
Before starting, it is important to understand two concepts related to the Security Warnings :
Control Panel --> Java --> Security --> Manage Certificates --> Trusted Certificates
2. Signer CA (Signer Certificate Authority) : A Certificate Authority is also recognized with its certificate. Again in a MS Windows based client machine, these certificates are listed under :
Control Panel --> Java --> Security --> Manage Certificates --> CA
Newer JRE Versions demand two security requirements from applet jar files :
- The jar files have to be signed with a Trusted Certificate Authority (CA). The Trusted CA can either be one of the standard Trusted CAs already registered to the browsers (like Verisign or other Trusted CAs) OR you can register your own certificate -with which signed the jar files- to become a Trusted CA.
- The Manifast file of the signed jar files should contain "Permissions" attribute
When any of the two requirements above are not fulfilled, a different Security Warning message will pop up. Here are the potential Security Warnings that may display :
Warning#1 : When the jar file is NOT signed, then the following message displays :
Block potentially unsage components from being run?
Java has discovered application components that could indicate a security concern. Contact the application vendor to ensure that it has not been tampered with.
Warning#2 : When a jar file is signed but NOT with a Trusted CA (Certificate Authority) then the following message displays :
Do you want to run this application?
Name : com.jacob.com.Jacob
Location : http://server.domain:PORT
Running applications by UNKNOWN publishers will be blocked in a future release because it is potentially unsafe and a security risk.
Risk : The application will run with unrestricted access which may put your computer and personal information at risk. The information provided is unreliable or unknown so it is recommended not to run this application unless you are familiar with its source.
Warning#3 : When a jar file is signed by a Trusted Certificate but its manifest does not contain the Permissions attribute, then following message displays :
This application will be blocked in a future Java security update because the JAR file manifest does not contain the Permissions attribute. Please contact the Publisher for more information.
Now let's discuss under which conditions you may see which of the warning message(s) and how to deal with them :
In any Oracle Forms application there can be two kind of jar files :
1. First category of jar files are those which are provided by Oracle : Standard forms applications use only these jar files.
- Example of this category are the well known frmall.jar, webutil.jar, etc. These jar files are already shipped after being signed with a Verisign certificate, so you would never get Warning#1 or Warning#2 for Oracle provided jar files.
- New jar files provided in later patch versions of Forms include the Permissions attribute in the manifest, but when using older patch releases or versions, it is possible to see the Warning#3. In such a case, it is recommended to upgrade to latest patch release. When the upgrade is not possible, then you would consider this second option. Oracle provided new jar files as one-off patches for various versions. See Note:1583119.1 to learn where to find and download the patched jar files with the Permissions attribute.
Please note that, manually signing Oracle provided jar files is not supported! You have to use them as provided by Oracle.
2. Second category of jar files are those which are customer created jar files or provided from a third party vendor (custom jar files) : Such jar files are usually used to extend functionality of Oracle Forms (Pluggable Components) OR it is also common to create jar files as a package of custom images needed by the Forms application. It is up to the customers to insert the necessary Permissions attributes to the manifest and also to sign such jar files. When using such custom jar files, it is possible to get any of the three type of Security Warnings explained above.
- If Warning#1 pops up, it means that the jar file is not signed at all. The recommended solution is to sign the jar file with a certificate obtained from a Trusted CA. But Oracle Forms also comes bundled with a demo script that let's you to sign the jar files manually.It is the "sign_webutil.bat (windows)/ sign_webutil.sh(unix)" script. For more details on using this script, see Note:1076945.1.
- After signing the custom jar files with the sign_webutil.sh script (or in a similar way), this time you will get the Warning#2 because the authority (you in this case) who signed the jar file is not a Trusted CA. To solve it, you will need to register the certificate used to sign the jar file, to the client side JRE. But if you fix this Warning#2 first, then you will most probably get the Warning#3 as a follow up, this is because the jar file was signed without having the Permissions attribute. That's why, first we will explain how to deal with Warning#3. When you get Warning#3 it means that your jar file is signed, however its manifest does NOT contain the Permissions attribute. So, first insert the Permissions attribute into the jar file. This is a two step operation, first create a text file with the Permissions attribute and then insert it into the jar file using "jar -ufm ..." command. For details see Note:1583119.1.
- And now the solution to Warning#2. This warning means that your client side JRE does not trust to the authority who signed the jar file (ie CA's certificate is not among the Trusted CA certificates). If you sign the jar file with a Trusted CA like Verisign (or others) then you won't get this warning. But if you have used your own certificate (like sign_webutil script), then you need to register its certificate to client side JRE. Again this is a two step operation. First you need to export the certificate from the keystore into a text file (using "keytool -export ...." command) then import it into the client side JRE (Control Panel --> Java --> Security --> Manage Certificates --> CA). For details see Note:1596871.1.