
The Latest Technology Stack News Directly from EBS Development

Using SHA-2 Signed Certificates with EBS

By: Elke Phelps | Product Management Director

Secure Hash Algorithms (SHA) are used for a variety of cryptographic purposes, including the signing of public key infrastructure (PKI) certificates (e.g., code signing certificates and Secure Sockets Layer (SSL) or Transport Layer Security (TLS) server certificates). Currently, the SHA family of functions includes SHA-0, SHA-1, SHA-2 and SHA-3. This article and the referenced notes focus on the use of SHA-256, a member of the SHA-2 family, with Oracle E-Business Suite.

Why is SHA-2 important to you?

Industry standards for cryptographic algorithms are constantly under review. Many certificate authorities are recommending or mandating SHA-2 as the minimum signature algorithm for issuing certificates. The time frame for moving to SHA-2 varies depending upon the certificate authority that is used. The SHA-2 requirement also applies to intermediate certificates, which must themselves be SHA-2 signed so that the issued end-entity SHA-2 certificate chains through them. Root certificates are not impacted.
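As an added example (my own code, not Oracle's and not part of the article), the following Python script checks the rule just stated. A minimal DER reader pulls the signatureAlgorithm OID out of a PEM or DER certificate, check_chain reports whether each certificate in a chain ordered leaf to root is SHA-2 signed, and only a self-signed root is exempted, because a trust anchor is trusted by its presence in the trust store rather than by its own signature. Because a PKCS#10 CSR has the same outer layout (info, signatureAlgorithm, signature), signature_alg also reveals which hash a CSR was signed with, which is the case the article raises for the 12.2 wallet tools. The sample chain is constructed, unsigned DER with dummy contents, not real certificates; sample_cert, sample_signed and the "ebs.example.com" names are assumptions of this example.

```python
"""Added example (not Oracle's code): which hash signed an X.509 certificate or CSR, plus the article's chain rule."""
import base64
import re

SIG_ALG_NAMES = {                                  # signature OIDs from RFC 3279 / 4055
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
SHA2_OIDS = {o for o, n in SIG_ALG_NAMES.items() if any(h in n.lower() for h in ("sha256", "sha384", "sha512"))}

def read_tlv(buf, pos):
    """One DER TLV at pos -> (tag, content, next position); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):                             # (tag, content) of each element in a constructed type
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        out.append((tag, value))
    return out

def decode_oid(raw):                               # base-128 arcs; first byte packs the first two arcs
    arcs, value = list(divmod(raw[0], 40) if raw[0] < 80 else (2, raw[0] - 80)), 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                           # high bit clear = last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def to_der(data):                                  # PEM with any BEGIN label (str/bytes) or raw DER
    data = data.encode() if isinstance(data, str) else data
    m = re.search(rb"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data

def parse_signed(data):
    """Certificate (RFC 5280) and CSR (RFC 2986) are both SEQUENCE { info, signatureAlgorithm, signature }."""
    tag, body, _ = read_tlv(to_der(data), 0)
    top = children(body) if tag == 0x30 else []
    if len(top) != 3 or top[0][0] != 0x30 or top[1][0] != 0x30:
        raise ValueError("expected SEQUENCE { info, signatureAlgorithm, signature }")
    oid_tag, oid = children(top[1][1])[0]          # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if oid_tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return children(top[0][1]), decode_oid(oid)

def signature_alg(data):                           # algorithm name, or the dotted OID if unknown
    oid = parse_signed(data)[1]
    return SIG_ALG_NAMES.get(oid, oid)

def is_self_signed(cert):                          # issuer == subject; byte compare is sound, DER is canonical
    fields, _ = parse_signed(cert)
    if fields[0][0] == 0xA0:                       # skip the optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[2][1] == fields[4][1]            # serial, sigAlg, issuer, validity, subject, ...

def check_chain(chain):
    """chain ordered leaf, intermediates..., root -> [(index, algorithm, compliant)].
    Only a self-signed root is exempt: it is trusted by its presence in the trust store."""
    report = []
    for i, cert in enumerate(chain):
        exempt = i == len(chain) - 1 and is_self_signed(cert)
        report.append((i, signature_alg(cert), exempt or parse_signed(cert)[1] in SHA2_OIDS))
    return report

# Constructed sample data: DER built by hand, unsigned, dummy contents. Not real certificates.
def der(tag, content):                             # short-form length only; samples stay under 128 bytes
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += chunk
    return bytes(out)

def sample_signed(label, info, sig_oid):
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))
    body = der(0x30, info + alg + der(0x03, bytes(17)))   # BIT STRING: unused-bits byte + zero signature
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, base64.b64encode(body).decode(), label)

def sample_cert(subject, issuer, sig_oid):
    name = lambda s: der(0x30, der(0x13, s.encode()))   # Name reduced to one PrintableString
    tbs = der(0x30, der(0x02, b"\x01") + der(0x30, der(0x06, encode_oid(sig_oid)))
              + name(issuer) + der(0x30, b"") + name(subject))
    return sample_signed("CERTIFICATE", tbs, sig_oid)

if __name__ == "__main__":                         # demo: SHA-256 leaf and intermediate, SHA-1 root
    demo = [sample_cert("ebs.example.com", "Example Intermediate CA", "1.2.840.113549.1.1.11"),
            sample_cert("Example Intermediate CA", "Example Root CA", "1.2.840.113549.1.1.11"),
            sample_cert("Example Root CA", "Example Root CA", "1.2.840.113549.1.1.5")]
    for idx, alg, ok in check_chain(demo):
        print(idx, alg, "OK" if ok else "NOT SHA-2, must be reissued")
```

To run it against a real chain, split a PEM bundle on its END CERTIFICATE markers and pass the pieces to check_chain in leaf-to-root order; to_der takes the first PEM block it sees, so each certificate must be handed over separately. A SHA-1 result on the leaf or on any intermediate means the CA must reissue that certificate, while a SHA-1 self-signed root is reported as compliant, matching the article's statement that roots are not impacted.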

When does Oracle E-Business Suite use certificates?

1. HTTPS clients (outbound connections)

HTTPS client connections that originate from Oracle E-Business Suite. For HTTPS clients, you may need to apply product patches to use SHA-2 certificates. Currently, the following products have identified additional requirements to support SHA-2 for HTTPS clients:

  • XML Gateway: Follow the instructions in the patch README and apply patch 19909850.
  • iProcurement: Follow the instructions for iProcurement in My Oracle Support Note 1937220.1.

In addition to products that initiate outbound connections from Java code on the application tier, the Oracle Database may also act as an HTTP client when the UTL_HTTP package is used. Some Oracle E-Business Suite products use UTL_HTTP for outbound HTTPS connections, and you may also use UTL_HTTP for external integrations and customizations.

For the Oracle Database to use a PKI certificate (including a SHA-2 signed one) for outbound connections, SSL/TLS must be configured for the database's outgoing connections. Our testing in Oracle E-Business Suite development has confirmed that UTL_HTTP is SHA-2 compliant as of Oracle Database 11.1.0.7 (we have not tested earlier database versions). The steps for enabling and testing the SSL/TLS configuration for the Oracle Database are documented in the following:

2. Server side

In addition to the client side (outbound connections), the Oracle E-Business Suite application tier uses PKI certificates for code signing (AD JAR Signing) and at the inbound SSL/TLS termination point, the Oracle HTTP Server.

AD JAR Signing
During patching, Oracle E-Business Suite uses certificates to sign the JAR files that are delivered to the browser. As of Java 1.5, Java and its keytool and jarsigner utilities support SHA-2 certificates. SHA-2 certificates are certified for JAR signing with all versions of Oracle E-Business Suite (11i, 12.0, 12.1 and 12.2) on Java 1.5 and higher.

Oracle HTTP Server (inbound connections)

SHA-2 certificates are also used by the Oracle HTTP Server that is delivered with the Oracle E-Business Suite Applications Technology stack. The requirements for SHA-2 support in the Oracle HTTP Server vary by Oracle E-Business Suite release as follows:

  • Oracle E-Business Suite Release 12.2: SHA-2 certificates are certified with the Oracle HTTP Server delivered with Oracle E-Business Suite 12.2. The wallet management tools shipped with EBS 12.2 generate Certificate Signing Requests (CSRs) signed using MD5. The following note has been updated with the steps necessary to create CSRs signed with other algorithms, including SHA-2:
  • Oracle E-Business Suite Releases 12.0 and 12.1: We are currently working on the certification of SHA-2 certificates with the Oracle HTTP Server for Oracle E-Business Suite Releases 12.0 and 12.1. While this certification is in progress, you may use an alternate technology (e.g., a load balancer or reverse proxy) that supports SHA-2 as the SSL/TLS termination point. Another alternative is to request that your certificate authority issue a SHA-1 certificate.
  • Oracle E-Business Suite Release 11i: SHA-2 certificates are certified with Oracle E-Business Suite Release 11i when using the mod_ssl.so OpenSSL library version 0.9.8za or later. To get the minimum mod_ssl.so library required for EBS 11i and SHA-2, you must apply the July 2014 CPU. Note: We always recommend that you apply the most current CPU available for your environment. You may refer to the following note for additional details:


Comments (16)
  • Sanjeev Mellacheruvu Tuesday, January 27, 2015

    Hi Steven,

    We are on E-Business Suite version 12.1.2. We tried reaching popular CAs to issue a SHA-1 format certificate, but they are not offering the same at this time. They are providing SHA-2 at the minimum. We are using a combination of load balancer redirection and a reverse proxy in front of the E-Business OHS and are having an issue with WebADI.

    Does oracle have sample configuration settings for reverse proxy that works with e-business OHS that was tested at your end?

    We are trying to find out what is missing in our reverse proxy setup that is causing this problem. I have opened SR#3-10167686591 and SR 3-9980836301 with oracle support.

    Thanks,

    Sanjeev.


  • Elke Phelps (Oracle Development) Friday, January 30, 2015

    Sanjeev,

    Thanks for your update and inquiry.

    We are interested in learning more about our customers' experience with certificate authorities and the issuing of SHA-1 certificates. If you don't mind, please drop me an email with your company information. I'd like to track your information along with our efforts to certify SHA-2 certificates with the Oracle HTTP Server for Oracle E-Business Suite Release 12.0 and 12.1.

    Logging a service request for the WebADI issues you are encountering is the correct means to receive support. I reviewed the SRs and see that both Oracle support and Oracle E-Business Suite development are engaged with assisting you. If you find that the SRs are stalled in the future, please email me directly.

    Regards,

    Elke


  • guest Monday, February 9, 2015

    Is there any way to use adadmin to code-sign jars with a timestamp in R12.1.3?

    Thanks.


  • guest Thursday, February 19, 2015

    Hi - are you able to issue an estimated timescale for the certification of SHA-2 certificates with 12.1? Our certificate owner is withdrawing support for SHA-1 in a few months.

    Many thanks

    Andrew


  • Elke Phelps (Oracle Development) Thursday, February 19, 2015

    Andrew,

    Due to Oracle's revenue recognition policies, we are not permitted to provide dates or time lines for future projects or certifications. Please continue to monitor this blog for the latest in certification announcements.

    Regards,

    Elke


  • Paul Crabb Wednesday, March 25, 2015

    Thanks for the post Elke.

    Plus one for an expedited solution.

    My company is currently running 12.1.3 and our signing authority has already shifted to SHA2. We are currently able to request special certificates that are SHA1 but we don't know how long we will be able to do so.

    Thanks,

    PC


  • Elke Phelps (Oracle Development) Wednesday, March 25, 2015

    Paul,

    Thanks for the comments and update. As stated in the blog article, we are currently working on the certification of SHA-2 certificates with the Oracle HTTP Server for Oracle E-Business Suite Release 12.1. We are working this as a high priority item in Oracle E-Business Suite Development. Please continue to monitor this blog for the latest in certification announcements.

    We are interested in learning more about our customers' experience with certificate authorities and the issuing of SHA-1 certificates. If you don't mind, please drop me an email with your company information. I'd like to track your information along with our efforts to certify SHA-2 certificates with the Oracle HTTP Server for Oracle E-Business Suite Release 12.1.

    Regards,

    Elke


  • Jamie Monday, May 11, 2015

    Can you tell me if there are also plans to extend SHA-2 support to 12.0, please?


  • guest Monday, May 11, 2015

    Hi Elke - Despite extensive work including help from Oracle, we weren't able to get EBS 12.1 & SHA-2 working with the Load Balancer and reverse proxy method. And apparently this is no longer the recommended solution. However, with Oracle's help we have implemented another solution. We are using a JDK truststore instead of the Oracle Wallet Manager to store certs. This works successfully with the functionality which we need to be protected by SHA-2 certs.

    Regards

    Andrew


  • guest Monday, May 11, 2015

    Hi Andrew,

    Our environment is on 12.1.2 and we have opened SR 3-9980836301 with Oracle Support, which has been in "development working" status for the past 5 months.

    Can you share the steps you guys followed to get this working with a keystore instead of a wallet? This should help other customers out there too as a temporary workaround until there is an official fix.

    Thanks in advance

    Sanjeev.


  • guest Tuesday, May 12, 2015

    Hi Sanjeev - the following is the distillation of the steps we took to get our XML gateway functionality working. I cannot say that this is suitable or safe for you to use in your environment, so obviously, try it in a test environment first.

    Ref: Enhanced Jar Signing for Oracle E-Business Suite (Doc ID 1591073.1) for more detail.

    Credit to my colleague Dean for all the hard work he put into this!

    Regards

    Andrew

    The steps for using the JDK truststore for the SHA2 certificate, and for setting up XML Gateway to use the JDK truststore, are:

    1- Using the keytool utility, import the SHA2 certificates required by XML Gateway into the default JKS $OA_JRE_TOP/lib/security/cacerts. Note that the default password for cacerts is "changeit".

    2- Make these changes to the OAFM oc4j.properties ($INST_TOP/ora/10.1.3/j2ee/oafm/config/oc4j.properties):

    # StoreType Parameters
    #
    javax.net.ssl.trustStoreType=JKS
    javax.net.ssl.keyStoreType=SSO
    #
    # Store Parameters
    #
    javax.net.ssl.trustStore=<value of $OA_JRE_TOP>/lib/security/cacerts
    javax.net.ssl.keyStore=..../certs/Apache/cwallet.sso
    javax.net.ssl.trustStorePassword=changeit
    #
    # Algorithm Parameters
    #
    test.trustmanager.algorithm=SunX509
    test.keymanager.algorithm=OracleX509

    3- Restart the OAFM oc4j.

    4- Update the context file to make the parameters persistent after running AutoConfig.


  • Sanjeev Tuesday, May 12, 2015

    Thanks Andrew - will research if this is applicable to our situation.


  • Elke Phelps (Oracle Development) Thursday, May 14, 2015

    Andrew,

    Thanks for the updates and details of the steps you took to resolve your issue.

    To clarify: The recommended workaround of using a load balancer or proxy server is specific to the Oracle HTTP Server for Oracle E-Business Suite 12.1 for incoming connections. This recommendation is valid.

    The issue you encountered is with your use of XML Gateway for outgoing connections from Oracle E-Business Suite. Several customers have reported issues similar to the one you describe in your comments when using XML Gateway and SHA-2 certificates.

    This blog article states that you should apply patch 19909850 for XML Gateway use with SHA-2. In addition to the recommended patch, 19909850, customers may need to perform additional configuration for XML Gateway use with SHA-2. If other customers encounter similar issues with the use of XML Gateway and SHA-2 certificates, please log a service request to receive the directions from support for your issue.

    Thanks.

    Elke


  • guest Friday, May 15, 2015

    Thanks for the clarification Elke. Yes we did indeed apply that patch during our initial attempts to resolve the issues whilst trying to configure a reverse proxy & load balancer. Oracle Support were involved throughout this process.

    Regards

    Andrew


  • guest Friday, May 15, 2015

    We are using EBS 12.1.3 with SSL and SHA-1 certificates only for incoming connections. But we cannot get SHA-1 certificates anymore; we have to use SHA-2. But this does not seem to be certified with 12.1.3 for now. We are using EBS in an intranet environment and are currently using only one APPS server. We have looked at a couple of articles related to "load balancer" and "reverse proxy" but are still not totally sure how to implement this in our environment.

    Any comments are welcome

    Thanks


  • Steven Chan Monday, May 18, 2015

    Hello, Guest,

    It's possible to use a load-balancer or a reverse proxy in your EBS environment generically.

    This generic architecture can also be used as a stop-gap solution: if that load-balancer can accept SHA-2 certificates for TLS, then you can terminate the SHA-2 traffic there. Traffic to end-points behind the load-balancer can continue to use SHA-1 for the time being. This isn't ideal, admittedly, but it can help as a temporary solution.

    This is a potentially-complicated area, and blog comments aren't the best way to get guidance on multi-segment network architectures like this. I'd recommend contacting your Oracle account manager to have someone review the architectural alternatives based upon a careful analysis of your technical requirements.

    Regards,

    Steven

