Secure Hash Algorithms (SHA) are used for a variety of cryptographic purposes including signing of public key infrastructure (PKI) certificates (e.g., code signing cerificates and Secure Socket Layer (SSL) or Transport Layer Security (TLS) server certificates). Currently, the SHA family of functions include SHA-0, SHA-1, SHA-2 and SHA-3. This article and reference notes focus on the use of the SHA256 hash function of SHA-2 with Oracle E-Business Suite.
Why is SHA-2 important to you?
Industry standards for encryption algorithms are constantly under review. Many certificate authorities are recommending or mandating SHA-2 as the minumum signature algorithm for issuing certificates. The time frame for moving to SHA-2 varies depending upon the certificate authority that is used. The requirement for SHA-2 also impacts intermediate certificates which must also be SHA2 in order to chain back to the end-entity SHA-2 certificate issued. Root certificates are not impacted.
When does Oracle E-Business Suite use certificates?
1. HTTPS clients (outbound connections) HTTPS client connections that originate from Oracle E-Business Suite. For HTTPS clients, you may need to apply product patches to use SHA-2 certificates. Currently, the following products have identified additional requirements to support SHA-2 for HTTPS clients:
In addition to products that initiate outbound connections from java code on the application tier, the Oracle Database may also act as an HTTP client when the UTL_HTTP package is utilized. Some Oracle E-Business Suite products leverage UTL_HTTP for outbound HTTPS connections. You may also use UTL_HTTP for external integrations and customizations.
For the Oracle Database to utilize a PKI (including SHA-2 signed) certificate, SSL/TLS for outgoing connections database connections must be configured. Our testing in Oracle E-Business Suite development has confirmed that UTL_HTTP is SHA-2 compliant as of Oracle Database 22.214.171.124 (we have not tested with earlier database versions).The steps for enabling and testing SSL/TLS configuration for the Oracle Database are documented in the following:
2. Server Side In addition to client side (outbound connections), the Oracle E-Business Suite application tier utilizes PKI certificates for code signing by AD Jar Signing and for the (inbound) SSL/TLS termination point using the Oracle HTTP Server.
AD JAR Signing
During patching, Oracle E-Business Suite uses certificates to sign JARs that will be delivered to the browser. As of Java 1.5, Java and its utilities keytool and jarsigner supports SHA-2 certificates. SHA-2 certificates are certified for JAR signing for all versions of Oracle E-Business Suite (11i, 12.0, 12.1 and 12.2) and Java 1.5 and higher. Oracle HTTP Server (inbound connections) SHA-2 certificates are also used by the Oracle HTTP server that is delivered with the Oracle E-Business Suite Applications Technology. The requirements for SHA-2 for the Oracle HTTP Server vary per Oracle E-Business Suite version as follows: