
The Latest Technology Stack News Directly from EBS Development

MD5 Signed JAR Files Treated as Unsigned in April 2017

Steven Chan
Senior Director

Oracle currently plans to disable MD5 signed JARs in the upcoming Critical Patch Update slated for April 18, 2017.  JAR files signed with MD5 algorithms will be treated as unsigned JARs.


Does this affect EBS environments?

Yes. This applies to Java 6, 7, and 8 used in EBS 12.1 and 12.2.  Oracle E-Business Suite uses Java, notably for running Forms-based content via the Java Runtime Environment (JRE) browser plug-in.  Java-based content is delivered in JAR files.  Customers must sign E-Business Suite JAR files with a code signing certificate from a trusted Certificate Authority (CA). 

A code signing certificate from a trusted CA is required to sign your Java content securely. It allows you to deliver signed code (e.g. JAR files) from your server to users' desktops; it verifies you as the publisher and trusted provider of that code, and it verifies that the code has not been altered. A single code signing certificate allows you to sign any amount of code across multiple EBS environments. This is a different type of certificate from the commonly used SSL certificate, which is used to authenticate a server on a per-environment basis. You cannot use an SSL certificate to sign JAR files.
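To see which JARs in an environment would be affected, the following added example (not code from this post or from Oracle) lists where MD5 appears in a JAR's signature files: `MD5-Digest` attributes in the manifest and `.SF` file, and MD5 object identifiers in the signature block. The OID match is a byte-level heuristic that also flags an MD5-signed certificate embedded in the block; `md5_findings`, `build_sample_jar` and the sample contents are constructed for illustration.

```python
import io
import re
import zipfile

# DER-encoded OIDs that identify MD5 inside a PKCS#7 signature block.
MD5_OIDS = {
    bytes.fromhex("06082a864886f70d0205"): "md5 (digest)",            # 1.2.840.113549.2.5
    bytes.fromhex("06092a864886f70d010104"): "md5WithRSAEncryption",  # 1.2.840.113549.1.1.4
}
SIG_FILE = re.compile(r"^META-INF/[^/]+\.SF$", re.I)
SIG_BLOCK = re.compile(r"^META-INF/[^/]+\.(RSA|DSA|EC)$", re.I)
DIGEST_ATTR = re.compile(rb"^MD5-Digest(-Manifest(-Main-Attributes)?)?:", re.M | re.I)


def md5_findings(jar_bytes):
    """Return sorted (entry, reason) pairs for MD5 use in a JAR's signature files."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        if not any(SIG_FILE.match(n) for n in names):
            return [("(jar)", "unsigned")]
        for name in names:
            if SIG_FILE.match(name) or name.upper() == "META-INF/MANIFEST.MF":
                for m in DIGEST_ATTR.finditer(jar.read(name)):
                    findings.add((name, m.group(0).decode().rstrip(":")))
            elif SIG_BLOCK.match(name):
                data = jar.read(name)
                for oid, label in MD5_OIDS.items():
                    if oid in data:  # heuristic byte search, not an ASN.1 parse
                        findings.add((name, label))
    return sorted(findings)


def build_sample_jar(alg, oid_hex):
    """Constructed sample: a JAR-shaped ZIP whose signature files are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF",
                   f"Manifest-Version: 1.0\r\n\r\nName: A.class\r\n{alg}-Digest: AAAA\r\n\r\n")
        z.writestr("META-INF/SIGNER.SF",
                   f"Signature-Version: 1.0\r\n{alg}-Digest-Manifest: AAAA\r\n\r\n")
        z.writestr("META-INF/SIGNER.RSA", b"\x30\x0c" + bytes.fromhex(oid_hex) + b"\x05\x00")
        z.writestr("A.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    print(md5_findings(build_sample_jar("MD5", "06082a864886f70d0205")))
```

This only inventories candidates for re-signing; the JRE's own verification decides whether a JAR is actually treated as unsigned.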

Instructions on how to sign EBS JARs are published here:

Where can I get more information?

Oracle's plans for changes to the security algorithms and associated policies/settings in the Oracle Java Runtime Environment (JRE) and Java SE Development Kit (JDK) are published here:

More information about Java security is available here:

Getting help

If you have questions about Java Security, please log a Service Request with Java Support.

If you need assistance with the steps for signing EBS JAR files, please log a Service Request against the "Oracle Applications Technology Stack (TXK)" > "Java."

Disclaimer

The preceding is intended to outline our general product direction.  It is intended for information purposes only, and may not be incorporated into any contract.   It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions.  The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.


Comments ( 4 )
  • guest Thursday, February 2, 2017

    Hi Steven,

    Is there a way for end users of an app to check for this? Is there a parameter for testing in the Java Control Panel? I have to check our signing of EBS and some other applications that we've added on.

    Thanks, Greg


  • Steven Chan Thursday, February 2, 2017

    Hi, Greg,

    You can find details on how to verify if a weak algorithm or key was used to sign a JAR file here:

    http://www.oracle.com/technetwork/java/javase/8u111-relnotes-3124969.html

    Those release notes have a detailed section on using the jarsigner tool.

    Regards,

    Steven


  • Susmit Sunday, February 5, 2017

    Hi Steven,

    Does that mean code signing is now mandatory after the next CPU? Without being signed with a valid certificate, users won't be able to use EBS Suite?


  • Steven Chan Monday, February 6, 2017

    Hi, Susmit,

    Depending upon your end-users' desktop configuration, some users might be presented with an option to override the block. Other users might not be able to run Forms or other applets. You should ideally re-sign your JARs, but as a workaround, you might consider temporarily rolling out Deployment Rule Sets described here:

    http://docs.oracle.com/javase/8/docs/technotes/guides/deploy/deployment_flow.html

    Regards,

    Steven

