The Latest Technology Stack News Directly from EBS Development

Reminder: Sign E-Business Suite JAR Files

Steven Chan
Senior Director

Oracle disabled MD5-signed JARs in the April 2017 Critical Patch Update. JAR files signed with MD5 algorithms will be treated as unsigned JARs.

MD5 JAR file signing screenshot

Does this affect EBS environments?

Yes. This applies to Java 6, 7, and 8 used in EBS 12.1 and 12.2.  Oracle E-Business Suite uses Java, notably for running Forms-based content via the Java Runtime Environment (JRE) browser plug-in.  Java-based content is delivered in JAR files.  Customers must sign E-Business Suite JAR files with a code signing certificate from a trusted Certificate Authority (CA). 

A code signing certificate from a trusted CA is required to sign your Java content securely. It allows you to deliver signed code (e.g. JAR files) from your server to users' desktops. It identifies you as the publisher and trusted provider of that code, and it verifies that the code has not been altered. A single code signing certificate can be used to sign any amount of code across multiple EBS environments. This is a different type of certificate from the commonly used SSL certificate, which is used to authenticate a server on a per-environment basis. You cannot use an SSL certificate to sign JAR files.
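To find JARs that still carry only MD5 digests before users hit the warnings, the following added example (not Oracle's code and not part of the EBS signing procedure) reads the digest attribute names recorded in each `META-INF/*.SF` signature file. It is a heuristic over digest names only, the sample JARs are constructed in memory, and it does not parse the signature block or the certificate, so `jarsigner -verify -verbose -certs` remains the authoritative check.

```python
import io
import re
import zipfile

WEAK = {"MD5"}  # the digest the article says is now rejected
# Attribute names look like "SHA-256-Digest:" or "MD5-Digest-Manifest:".
DIGEST_ATTR = re.compile(
    r"^([A-Za-z0-9-]+?)-Digest(?:-Manifest(?:-Main-Attributes)?)?:", re.M)

def signature_digests(jar):
    """Map each META-INF/*.SF signature file to the digest names it records."""
    found = {}
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            up = name.upper()
            if up.startswith("META-INF/") and up.endswith(".SF") and up.count("/") == 1:
                text = zf.read(name).decode("utf-8", "replace")
                text = re.sub(r"\r?\n ", "", text)  # unfold wrapped lines
                found[name] = {a.upper() for a in DIGEST_ATTR.findall(text)}
    return found

def classify(jar):
    """Return 'unsigned', 'md5-only' or 'ok' from the digest names alone."""
    digests = set().union(*signature_digests(jar).values())
    if not digests:
        return "unsigned"  # no signature file, or none with digests
    return "ok" if digests - WEAK else "md5-only"

def constructed_jar(sf_body=None):
    """Build a constructed, in-memory JAR (sample data, not a real EBS JAR)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        zf.writestr("Demo.class", b"\xca\xfe\xba\xbe")
        if sf_body is not None:
            zf.writestr("META-INF/SIGNER.SF", sf_body)
    buf.seek(0)
    return buf

# Constructed signature-file bodies; the digest values are placeholders.
MD5_SF = ("Signature-Version: 1.0\r\nMD5-Digest-Manifest: AAAA\r\n\r\n"
          "Name: Demo.class\r\nMD5-Digest: BBBB\r\n\r\n")
SHA256_SF = MD5_SF.replace("MD5", "SHA-256")

if __name__ == "__main__":
    for label, sf in (("none", None), ("md5", MD5_SF), ("sha256", SHA256_SF)):
        print(label, "->", classify(constructed_jar(sf)))
```

`classify` also accepts a file path, so it can be run over a directory of deployed JARs; anything reported as `md5-only` or `unsigned` needs re-signing.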

Instructions on how to sign EBS JARs are published here:

Where can I get more information?

Oracle's plans for changes to the security algorithms and associated policies/settings in the Oracle Java Runtime Environment (JRE) and Java SE Development Kit (JDK) are published here:

More information about Java security is available here:

Getting help

If you have questions about Java Security, please log a Service Request with Java Support.

If you need assistance with the steps for signing EBS JAR files, please log a Service Request against the "Oracle Applications Technology Stack (TXK)" > "Java."

Comments ( 5 )
  • Karen Fisse Tuesday, May 2, 2017
    Can you please help us to understand where the MD5 piece comes in? Is this internal to EBS and will need addressed once we apply the April CPU? Or is whether we use MD5, SHA, etc. determined by the Java Code Signing Cert we have?
    Does that make sense to you?
  • Steven Chan Tuesday, May 2, 2017
    Hi, Karen,

    The Java components released as part of the April 2017 CPU will treat all EBS JAR files as unsigned if the EBS JAR files were signed only with an MD5-based security certificate.

    If you haven't re-signed your EBS JAR files with a more-secure certificate, your end-users accessing Forms-based EBS screens (e.g. Financials) will experience a variety of security-related warnings depending upon their desktop configuration. For examples of those warnings, see:

    https://www.java.com/en/download/help/appsecuritydialogs.xml

    In certain circumstances, some of those security warnings may prevent your end-users from accessing EBS entirely.

    You need to obtain a SHA-2 certificate and re-sign your EBS JAR files to prevent these warnings.

    Please don't hesitate to log an SR if you have issues. You're welcome to drop me a line with the SR number if it gets stuck for some reason.

    Regards,
    Steven
  • Patrik Teughels Wednesday, May 3, 2017
    Hi Steven,

    Seems the MOS DOC is not yet updated for the new standard defined by the CA Security Council, which goes into effect on February 1, 2017. This mentions "Private keys must now be protected on hardware or kept in a device separate from the host of the signing function".
    The MOS doc mentions to keep the private key in the java keystore (adkeystore.dat)

    Because we just need to renew our EBS jar certificate we hit this problem..
    and supplier does not yet deliver Solaris drivers for their USB dongle..
  • Joseph Mathew Tuesday, September 11, 2018
    After our recent to 12.2.7, we are having all kinds of issues with trying to obtain a Java Code Signing Cert - from our approved vendor Entrust. They keep telling us that recent CA guidelines for the industry now dictate that they can no longer provide the certificate to load into the EBS keystore.dat - instead, they will provide the keystore (and their own passwords) on a hardware token - that has to be mounted on an application tier guest - from where the jar contents have to be signed. As such, we have been unable to follow Steps 3-5 of 1591073.1 - and have had to resort to Appendix E of the same doc to get our jar files (in the 12.2.7 install) signed.

    I find it hard to believe that Entrust is doing anything other than push their own standards on us because I don't see this as what's being done industry wide - where the organization submits a .csr file and receives a cert chain (Root, Intermediate1/2 and Main.crt) that can then be loaded into the CACERTS file as well as into the adkeystore.dat as specified in Step 4 in 1591073.1. I have had an SR open for this - and am still trying to get some guidance on this topic as the popups are now becoming a source of annoyance to our user community.

    The SR number is SR 3-18097661781

    Thank you for your time.
  • Steven Chan Tuesday, September 11, 2018
    Hello, Joseph,

    I don't think we've ever investigated the delivery of these kinds of code signing certificates via hardware tokens. I've asked our Security group to take a look at your SR. Please monitor that for updates.

    Regards,
    Steven