Sign E-Business Suite JAR Files Now

Oracle E-Business Suite uses Java, notably for running Forms-based content via the Java Runtime Environment (JRE) browser plug-in.

The default security settings for the JRE plug-in are expected to become more stringent over time. To prepare for upcoming changes to Java security, all EBS 11i, 12.0, 12.1, and 12.2 system administrators must follow the procedures documented here:

More information about Java security is available here:

Getting help

If you have questions about Java Security, please log a Service Request with Java Support.

If you need assistance with the steps for signing EBS JAR files, please log a Service Request against the "Oracle Applications Technology Stack (TXK)" > "Java."


Comments:

Hi,

Users are facing issues with the latest Java; we are on 115102.

We followed Doc 1207184.1; issues are still there, but we managed to log in, and suddenly Oracle says it is outdated and asked us to follow 1591073.1.

While applying patch 17191279 as per that Note, it fails:

sqlplus -s APPS/***** @/u11/app/erptg2/erptg2appl/ad/11.5.0/patch/115/sql/ADJRIINITPASSWD.sql
begin
*
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at "SYS.DBMS_SESSION", line 101
ORA-06512: at "APPS.AD_JAR", line 44
ORA-06512: at line 2

kindly help

Posted by narayana on October 18, 2013 at 10:19 AM PDT #

Hi Steven,

You wrote "To prepare for upcoming changes to Java security", so the actions customers need to take relating to Note 1591073.1 are proactive.

Do you have any idea of the urgency of this (weeks, months, a year)?

Regards,
Guillaume

Posted by Guillaume Goulet-Vallieres on October 18, 2013 at 10:22 AM PDT #

Hello, Narayana,

I'm sorry to hear that you're encountering issues with this. We just released these new instructions today for EBS users.

We can provide general conceptual guidance here, but I'm afraid that this blog isn't the best place to get technical support for specific issues like the one that you're working through.

Your best bet would be to log a formal Service Request via My Oracle Support (formerly Metalink) to get one of our specialists engaged.

Please feel free to forward your Service Request number to me if it gets stuck in the support process for some reason.

Regards,
Steven

Posted by Steven Chan on October 18, 2013 at 10:23 AM PDT #

Hi, Guillaume,

Different users are affected in different ways, depending upon their default security settings and desktop deployment procedures. Some users are already seeing new popups warning of unsigned JARs today. System administrators at those sites should do this immediately.

You can find out more about the changing Java security requirements by clicking on the "Security of the Java Platform" link above.

Regards,
Steven

Posted by Steven Chan on October 18, 2013 at 10:26 AM PDT #

Hi Steven,

I am sorry, I missed running adgrants.sql in my hurry. After running this as specified in the doc, it is working now.

Thanks,
Narayana

Posted by narayana on October 18, 2013 at 10:29 AM PDT #

Hi,

We completed the steps documented in 1591073.1, and now our E-Business Suite works without any issue and no Java warning pop-up messages on 1.7u45.
Thanks Steven.

Regards,
Narayana

Posted by narayana on October 18, 2013 at 01:23 PM PDT #

Hi, Narayana,

That's great to hear. Thanks for the update.

Regards,
Steven

Posted by Steven Chan on October 18, 2013 at 02:21 PM PDT #

Note:1591073.1 describes how to build a Certificate Signing Request which you then "Submit to an official certificate authority, for example, Verisign or Thawte or to your own in-house certificate authority as applicable. Note: Be sure to request a Java Code Signing Certificate."

Can the following be used as a CA for this?
http://www.oracle.com/technetwork/java/javase/tech/getcodesigningcertificate-361306.html

Otherwise, could we just create a self-signed certificate with "Any purpose" as the certificate purpose?

Posted by guest on October 19, 2013 at 04:20 PM PDT #

Hi Steve,

We recently upgraded to JRE7u40 and we are now getting the Java Security Warning "Running Applications by UNKNOWN publisher will be block...."

We are following 1591073.1. Now that self-signed certificates are not allowed in the new release, it seems that we need to get a trusted certificate to resolve this issue. What if we can't get one, either in-house or from an official CA? Is the only way to work around the issue to utilize the Deployment Rule Set feature?

We followed Appendix B: Deployment Rule Set of ML Note 1591073.1, and we are getting the error "Can not verify self-signed Deployment Rule Set Jar" after following the steps.

What went wrong in our steps? Do we need to run Section 3 even though we don't request for new certificate from CA?

Thank you.

Edward

Posted by Edward on October 21, 2013 at 12:31 AM PDT #

Hi Edward,

While the Deployment Rule Set security tool can be used to suppress the need for Java content to be signed by a Trusted CA in Oracle E-Business Suite, the DeploymentRuleSet.jar itself must be signed by a Trusted CA. You have done the steps correctly but are seeing the 'Application Blocked' pop-up error because you have signed it with a self-signed certificate.

In general, a Deployment Rule Set would be used as an additional security tool to allow more stringent control over your Java access. Either way, a trusted code signing certificate is required.

Regards,
Tim.

Posted by Tim Mervyn on October 22, 2013 at 06:48 AM PDT #

with regard to (Doc ID 1591073.1)

1. Is this a mandated change for Oracle E-Business Suite R12?
2. Is this a permanent change? Can we undo/un-sign the changes made to JAR files in future?
3. If yes for #2, What are the steps to revert the changes?

Posted by guest on October 22, 2013 at 02:48 PM PDT #

Hello, Guest,

1. All customers who wish to use JRE 7 must do this. This includes EBS 11.5.10.2, 12.0, 12.1, and 12.2.

2. We do not recommend this. Your users will be annoyed by the JRE warnings that appear when you switch back to using unsigned JAR files.

Regards,
Steven

Posted by Steven Chan on October 23, 2013 at 10:17 AM PDT #

In regard to this note:
1. How often would the .jar file have to be updated?
2. We cannot use an internally signed cert per the note. (confirm)
3. Would this interfere with other java based apps?
4. If another java application was signed by a different cert, would the .jar have to be edited?

Thank you for your time.

Posted by guest on October 24, 2013 at 06:46 AM PDT #

We are on 11.5.10.2 with JRE 1.6.0.15. Is this document still applicable for us to enhance the JRE security, or is it only applicable to JRE 1.7 upwards?

If it is applicable for 1.6 also, does it apply to 1.6.0.15 (our current version) as well? We are not currently looking for a JRE upgrade immediately. Kindly advise.

Doc: Enhanced Signing of Oracle E-Business Suite JAR Files, Note 1591073.1

Posted by guest on October 25, 2013 at 10:23 AM PDT #

Hello, Guest,

The increased security warnings appear only when your end-users run JRE 1.7 to access Forms-based content.

Even if you're running JRE 1.6 today, it's prudent to sign your JARs with an official certificate eventually. This is especially true if you do not have centralized control over your end-users' desktops (i.e. your end-users have local administration rights), since that would imply that they might inadvertently upgrade their JREs to 1.7, which would then start generating warnings if your JARs are not signed using a trusted certificate.

Regards,
Steven

Posted by Steven Chan on October 25, 2013 at 10:32 AM PDT #

Hello, Guest (Rachel),

1. JAR files need to be re-signed each time a patch delivers a new Java-based component. This is documented in the READMEs for patches that require JAR file regeneration.

2. You can use self-signed certificates, but they will generate warnings when running JREs with higher security default settings.

3. No, this should not interfere with other Java-based applications. EBS JAR files are independent of other Java applications that you may have deployed.

4. It's technically feasible to sign JAR files for different Java applications with different certificates. JRE clients with higher security default settings will display warnings only for unsigned or self-signed JAR files.

Regards,
Steven

Posted by Steven Chan on October 25, 2013 at 11:03 AM PDT #

I'd like to pitch this question again here since it appears to have broad interest. When I probe certificates for their purpose flag settings, it is rare that I don't see "Any Purpose" flagged which to me means that it COULD be used for code signing and these flags seem to be the only difference between my existing EBS web tier certificate from Verisign and what is required for signing jar files on that same host.

http://stackoverflow.com/questions/78869/are-java-code-signing-certificates-the-same-as-ssl-certificates

Certificate purposes on server certs I commonly see:

SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No

Do the java code signing certificates have something else that "Any purpose" does not cover? What makes a java code signing certificate different from a web server certificate if it isn't the flags?

I have a paid-for Verisign certificate on my EBS web tier. Can this be used for signing jar files from this same host? Has anyone tried this?

Posted by guest on October 29, 2013 at 05:15 PM PDT #

You cannot use an SSL certificate to sign code (in this case jar files); the two certificates are used for totally different purposes.

An SSL certificate would be used to authorize a server for example, hence when you SSL enable an environment you do it on a per environment basis.

A Code Signing Certificate allows you to deliver code (for example jar files) and verifies the publisher who sent it as being a trusted publisher. In this case the customer is the publisher. After all, that code is being pushed onto a users desktop which is a natural way to spread harmful viruses etc. As this is verification of a publisher (not a server for example) using a single code signing certificate allows you to verify any amount of code across multiple environments.

Posted by Tim Mervyn on October 30, 2013 at 08:12 AM PDT #
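Tim's distinction between a web server certificate and a code signing certificate, as an added example that is not part of the original post or of any Oracle tool: a small Go program (the names selfSigned and allowsCodeSigning are assumptions) that builds two constructed self-signed certificates, one with a serverAuth EKU like a web tier certificate and one with a codeSigning EKU, and applies the Extended Key Usage check that jarsigner and the JRE perform on a signer certificate. It also shows why the "Any Purpose : Yes" line in the openssl purpose report quoted above does not answer the question.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned: throwaway self-signed cert with the given EKUs (constructed test data).
func selfSigned(cn string, ekus []x509.ExtKeyUsage) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  ekus, // nil: no EKU extension is written at all
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// allowsCodeSigning mirrors the jarsigner/JRE rule for a signer certificate:
// an EKU extension, if present, must list codeSigning (1.3.6.1.5.5.7.3.3) or
// anyExtendedKeyUsage; no EKU extension at all is accepted. openssl's
// "Any Purpose : Yes" is printed unconditionally and is not an EKU check.
func allowsCodeSigning(cert *x509.Certificate) bool {
	if len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0 {
		return true
	}
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageCodeSigning || eku == x509.ExtKeyUsageAny {
			return true
		}
	}
	return false
}

func main() {
	web := selfSigned("ebs.example.com", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	jar := selfSigned("EBS JAR signer", []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning})
	fmt.Println(allowsCodeSigning(web), allowsCodeSigning(jar)) // false true
}
```

A real web tier certificate carries serverAuth (and often clientAuth) in its EKU, so it fails this check regardless of what the openssl purpose report says; a Java code signing certificate carries codeSigning.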

The adkeystore.csr file has already been created. We would like to self-sign this file and create a certificate without using an external CA. Please let us know how to self-sign the adkeystore.csr and create a Java code signing certificate.

Posted by oli on November 04, 2013 at 10:23 AM PST #

Hi, Oli,

Your best option for guidance on creating self-signed certificates would be to log a Service Request against the Java team.

Regards,
Steven

Posted by Steven Chan on November 05, 2013 at 11:13 AM PST #

Hi Steven
We are using the non-updating version of JRE 1.7.0_25 with EBS 11.5.10.2 and self certified jar files. When the next JRE security update is released, will this 1.7.0_25 version continue to block the certificate errors such as "Application blocked by security settings" & "Failed to validate certificate"? Plans are in place to move to signed jar files, but this will be after the next scheduled JRE security update.
Regards
Andy

Posted by Andy Stonham on November 06, 2013 at 06:36 AM PST #

Hi, Andy,

The behaviour of new JRE 1.7 updates such as JRE 1.7.0_45 has no effect on existing non-updating JRE 1.7.0_25 installations if you don't apply any upgrades.

The only way that your end-users will see different behaviour is if they manually upgrade their desktops to a later JRE release.

Regards,
Steven

Posted by Steven Chan on November 06, 2013 at 10:23 AM PST #

Hi Steven

Why is Oracle choosing to deliver software that is not signed by Oracle Corp? I understand if my organization decided to extend the delivered java application then the onus would be on us to sign the code. If my organization never plans on extending the delivered java application then I am just signing someone else’s code... which does not seem right or ethical for that matter.

Regards,
Jeff

Posted by Jeff on November 07, 2013 at 02:49 PM PST #

Hi, Jeff,

Great question!

We have over 150 components in the E-Business Suite technology stack and over 200 EBS products. In addition to compatibility, development infrastructure, versioning, packaging, and release vehicle challenges, shipping massive pre-signed JAR files would remove our ability to issue small, granular patches to you. In other words, you would need to download huge consolidated Java files and retest the entire E-Business Suite every time a small Java-related issue is fixed, regardless of whether that issue affects the subset of EBS products or technology stack components that you use.

Regards,
Steven

Posted by Steven Chan on November 07, 2013 at 03:06 PM PST #

I followed Note 1591073.1 to sign the jar files using our in-house certification authority. I still get the message 'Publisher Unknown' when I try to launch forms.
Below are the steps I followed:
1. Applied Patch 17191279
2. Generated the keypair and csr. See attached document.
3. Got the crt file (self-signed) by doing these steps
openssl genrsa -des3 -out myCA.key 4096
# creates myCA.crt, the CA certificate that the signing command below reads
openssl req -new -x509 -days 365 -key myCA.key -out myCA.crt
openssl x509 -req -days 365 -in adkeystore.csr -CA myCA.crt -CAkey myCA.key -set_serial 01 -out adkeystore.crt
4. Performed step 4.4.2 in document 1591073.1
5. Generated all jar files using force option. I can see from adadmin.log that jar files are signed
6. Performed the steps 6.1
7. I am expecting that I get a message similar to what is shown in step 6.3 of the same document. But I still get the message as unknown publisher.
I logged SR 3-8070332391 for this issue. I have been redirected to 1591073.1 which basically says I get the same error if I sign with self signed certs.

If this is really the case, the document 1591073.1 should be updated to remove the steps needed for signing jar files with an in-house CA.

Secondly, I found that you cannot use the SSL certificate generated for your webserver to sign the jar files or import the certificate using adjkey. Some kind of dependency is tied to adjkey -initialize and then the csr that is raised after that. adjkey -initialize is generating a keystore with an alias of $CONTEXT_NAME, and I cannot use the SSL cert of my web server to import into this keystore because the alias (created through adjkey -initialize) has a private key and both won't match. In other words, my understanding is that you are forced to generate a new certificate and use only that, and you have to use adjkey only to generate it and cannot use another tool like keytool, even though adjkey is using keytool under the covers.

Posted by Kumar on November 09, 2013 at 06:34 AM PST #

Per Note:376700.1, Oracle has tools called ssl2ossl and sslconvert that are useful in salvaging old certificates. The utilities create an Oracle wallet from an existing certificate and private key that was previously generated with openssl or a similar source.

Will there be an AD utility some time in our future that can convert the web server wallet to an AD compatible form that can be used to sign jar files? The value in this is that the certificate is already paid for and already trusted by the EBS client machines.

Posted by Dan on November 12, 2013 at 02:20 PM PST #

Why doesn't Oracle just sign their own EBS code, instead of leaving it to their customers to stand up and maintain a PKI and the necessary know-how?

Is it even legal to recommend to others that they (routinely) sign your code? What does the legal department think of it? Have they actually been consulted?

All that effort invested in writing elaborate documents to teach EBS customers about the mechanics of code signing would be far better invested in actually _signing_ EBS code, as soon as it is approved and ready for general release.

Posted by tragicomix on November 20, 2013 at 03:42 AM PST #

Hi, Tragicomix,

EBS sysadmins have always signed EBS JAR files. The only difference now is that you need to sign those JAR files with third-party CA certificates instead of self-signed certificates.

We have over 150 components in the E-Business Suite technology stack and over 200 EBS products. In addition to compatibility, development infrastructure, versioning, packaging, and release vehicle challenges, shipping massive pre-signed JAR files would remove our ability to issue small, granular patches to you. In other words, you would need to download huge consolidated Java files and retest the entire E-Business Suite every time a small Java-related issue is fixed, regardless of whether that issue affects the subset of EBS products or technology stack components that you use.

Regards,
Steven

Posted by Steven Chan on November 20, 2013 at 08:02 AM PST #
