Oracle IRM and Hot Folders

Last week I attended a training on Oracle Information Rights Management. Oracle Information Rights Management (IRM) is a Fusion Middleware security service that uses encryption to secure and track all copies of an organization's most sensitive documents and emails, regardless of how many copies are made, or where those copies are stored and used – even when those copies are sent outside the firewall. In Oracle IRM terminology the process of encrypting documents and emails is referred to as “sealing”. Oracle IRM servers expose a comprehensive set of IRM web services to enable the easy integration of “sealing” within the workflows of content management repositories, collaborative web applications, content filtering/monitoring systems, etc.

One of the features (not part of the product but available as a separate download from gives you additional functionality to automatically seal files that are copied of moved into a folder. The Oracle IRM "Hot Folders" application monitors a set of file system folders and uses the IRM web services to automatically seal files copied or moved into them, to associated IRM classifications. This enables organizations to consistently and effectively apply IRM without requiring end users to explicitly seal files, by leveraging the familiar metaphor of placing confidential files “in a safe place”.

In communicating with Oracle IRM 11g all web services traffic is secured by the means of SSL encryption. Since in our setup all certificates are self-signed certificates, setting this up requires the CA certificate (in the TrustMyOwnSelf.jks keystore) to be trusted by the Hot Folders java application. For this we start the Hot Folders java application with the java option TRUST_HF:

 set IRM_HF=C:\\Users\\Rene\\Desktop\\HotFolders
 java -Xms128m -Xmx512m %TRUST_HF%
 -jar %IRM_HF%\\hotfolders.jar %IRM_HF%\\

However, it appears that the certificate that I generated during the training (for one-way SSL encryption from the IRM server to e,g, a browser sesion) is not suitable for using this for the Hot Folders application. This clearly generated some exceptions when trying to establish a connection from the Hot Folders application to the IRM server, the most relevant being:

 <Jul 8, 2010 11:48:43 PM PDT> <Warning> <Security> <BEA-090567> <The certificate chain
 received from - contained a V3 certificate which
 keyusage constraints forbid its key use by the key agreement algorithm.> 

Looking again very carefully at the Hot Folders documentation it appears that the certificate should have very specific properties:

 a. Subject CN: should match hostname of web service URL
 b. Basic constraints: Subject Type=CA
 c. Key Usage: Non-critical, Key Encipherment and Certificate Signing

Especially 'c. Key Usage' was not what I had enabled when generating my self-signed certificates. This one was actually marked 'Critical, Certificate Signing' only.

So I went back to the server machine and regenerated a new keypair and certificate now with some extra options (-keyusagecritical and -keyusage) added to the utils.CertGen command:

 java utils.CertGen
         -certfile MyOwnSelfCA.cer
         -keyfile MyOwnSelfKey.key
         -keyfilepass welcome1
         -cn ""
         -keyusagecritical false
         -keyusage digitalSignature,keyEncipherment

After restarting the IRM server and trusting again the new certificate for the Hot Folders application everything works as a charm as you can see in the following recording...! Here you can see the Hot Folders application doing its work and scanning (in this case every 30 seconds but configurable) for new to be sealed documents in the defined "hot folders". In this case I have only configured one such folder: C:\\Users\\Rene\\Desktop\\HF-Public. All files that are dropped into that (hot) folder are destined to be sealed to the Public context as defined in the Oracle IRM administration GUI.

First we take a look at the IRM admin GUI where we can see the application user _HotFolderApp having the "Sealer" Role in the Public context. This means in short that this user has all the rights to be able to seal documents to the Public context. Next, we see how we start the Hot Folders application and finally we drop a new document into the HF-Public folder and we see how the documents gets sealed automagically!


Excellent and very useful blog article. Lots of people are using Hot Folders with self-generated certs and this will save them a lot of time!

Posted by Martin Lambert on July 10, 2010 at 09:37 AM CEST #

Many thanks René. I was having the same error and was stuck!
I also used the 3 following commands to replace what has been previously imported:

java utils.ImportPrivateKey -keystore MyOwnIdentityStore.jks -storepass welcome1 -keypass welcome1 -alias trustself -certfile MyOwnSelfCA.cer.pem -keyfile MyOwnSelfKey.key.pem -keyfilepass welcome1

keytool -delete -alias trustself -keystore TrustMyOwnSelf.jks

keytool -import -trustcacerts -alias trustself -keystore TrustMyOwnSelf.jks -file MyOwnSelfCA.cer.der -keyalg RSA

Posted by Michel Hascoët on July 11, 2010 at 09:08 PM CEST #

Fantastic, key usages can often trip folks up... nice write up.

Croquette King.

Posted by croquette king on July 15, 2010 at 09:24 AM CEST #

Post a Comment:
  • HTML Syntax: NOT allowed

This blog covers exciting things I encounter about Oracle's software and related; that is Identity & Access Management, SOA, Security, Desktop, etc. The views expressed on this blog are my own and do not necessarily reflect the views of Oracle.


« April 2014