Saturday, November 2, 2013

Get Rid of Applet Security Warning when Using Self-Signed Certificate in EBS (Part I)

Since the outbreak of Java Applet security issues around January 2013, the fiasco finally ended in October, when Oracle provided a stable and acceptable JRE version (according to the Mozilla developers) that made the security experts happy: Java SE 7u45.

In short, the changes make it harder for a Java Applet to run malicious code, by showing never-ending stop signs and warnings if the JAR files are not properly signed.  In light of these changes, Oracle released the long-awaited patch 17191279 to resolve this issue, as described in Metalink doc 1591073.1 "Enhanced Jar Signing for Oracle E-Business Suite".

If your company is willing to pay the ransom to Verisign, Thawte or another Certificate Authority, those security warnings will go away smoothly.  However, if you plan to use a self-signed certificate, follow this blog and I'll go through a step-by-step approach to settle this without paying a dime to these CAs.

All the steps were tested in an Oracle EBS R12.1.x environment under Windows.  If you're using a Unix/Linux environment, the steps are essentially the same.  These steps can also be applied to an 11i environment.

Part I - Apply patch 17191279
This patch requires you to run the adgrants.sql script (follow the readme file in the patch) before patching. If you encounter an error in one of the AD workers and the process hangs in the middle, you can:
- open SQL*Plus, connect as APPS, and run the SQL
  create context AD_JAR using AD_JAR;
- run adctrl to restart the failed worker.

Part II - Setup your own CA
(1) Download OpenSSL 0.9.8h for Windows from Sourceforge, and unzip it under C:\OpenSSL. Even though it is independent of the Oracle EBS stuff, I recommend that you put it on the APPL_TOP server.

(2) Open a Command Prompt
C:\> cd \OpenSSL
C:\OpenSSL> mkdir CA
C:\OpenSSL> copy share\openssl.cnf CA\openssl.conf
C:\OpenSSL> cd CA
C:\OpenSSL\CA> mkdir certs
C:\OpenSSL\CA> mkdir crl
C:\OpenSSL\CA> mkdir newcerts
C:\OpenSSL\CA> mkdir private
C:\OpenSSL\CA> set PATH=C:\OpenSSL\bin;%PATH%
C:\OpenSSL\CA> set OPENSSL_CONF=C:\OpenSSL\CA\openssl.conf
C:\OpenSSL\CA> type nul > index.txt
C:\OpenSSL\CA> echo 01>serial
C:\OpenSSL\CA>
The index.txt database must start out empty (a bare "echo >index.txt" in cmd writes an "ECHO is ..." line into it, which openssl ca rejects as a malformed database), and serial must contain 01.
DO NOT close this command prompt....

(3) Edit C:\OpenSSL\CA\openssl.conf

Change the dir property from the default demoCA to the directory we set up in step (2).
Before:
[ CA_default ]
dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept

After:
[ CA_default ]
dir = C:\\OpenSSL\\CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept

Change the policy so that the CA signs any request, i.e. the request's country, state and organization no longer have to match the CA certificate's own.
Before:
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

After:
# For the CA policy
[ policy_match ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional

Go back to the command prompt in step (2)...

(4) Create your own Certificate Authority
C:\OpenSSL\CA>openssl genrsa -des3 -out private\cakey.pem 4096
Loading 'screen' into random state - done
Generating RSA private key, 4096 bit long modulus
.............................................................++
.............................................++
e is 65537 (0x10001)
Enter pass phrase for private\cakey.pem: (password)
Verifying - Enter pass phrase for private\cakey.pem: (password)

C:\OpenSSL\CA>openssl req -new -x509 -days 3650 -key private\cakey.pem -out cacert.pem -config openssl.conf
Enter pass phrase for cakey.pem:
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:CA
State or Province Name (full name) []:Ontario
Locality Name (eg, city) []:Toronto
Organization Name (eg, company) []:SYMPLiK Technologies
Organizational Unit Name (eg, section) []:Information Technology
Common Name (eg, your website's domain name) []: SYMPLiK Certificate Authority
Email Address []:

You can check the content of this certificate file by
C:\OpenSSL\CA>openssl x509 -noout -text -in cacert.pem

(5) Add the CA certificate to the JRE in APPL_TOP
First, find out where the JRE keystore (cacerts) is located in APPL_TOP:
echo %OA_JRE_TOP%\lib\security\cacerts
c:\oracle\apps\tech_st\10.1.3\appsutil\jdk\jre\lib\security\cacerts

Copy the CA certificate file to APPL_TOP (if it is in a different location), and add it to the keystore. Keep in mind that from now on this JRE trusts every certificate your CA issues, so restrict access to private\cakey.pem and its passphrase accordingly:
C:\OpenSSL\CA>c:\oracle\apps\tech_st\10.1.3\appsutil\jdk\jre\bin\keytool.exe ^
-import -alias symplik -file cacert.pem -trustcacerts -v -keystore ^
c:\oracle\apps\tech_st\10.1.3\appsutil\jdk\jre\lib\security\cacerts
Enter keystore password: (changeit)
Owner: OU=Information Technology, O=SYMPLiK Technologies, L=Toronto, ST=Ontario, C=CA
Issuer: OU=Information Technology, O=SYMPLiK Technologies, L=Toronto, ST=Ontario, C=CA
Serial number: c7d2e988a015eb6a
Valid from: Wed Oct 30 11:02:26 CST 2013 until: Sat Oct 28 11:02:26 CST 2023
Certificate fingerprints:
         MD5:  AF:26:AE:7A:9D:68:89:06:E8:90:30:6E:EE:6A:EC:62
         SHA1: 22:66:25:B1:AA:1C:C7:EA:01:BF:4C:EB:F6:04:80:BE:0D:6A:1B:86
         Signature algorithm name: SHA1withRSA
         Version: 1
Trust this certificate? [no]:  yes
Certificate was added to keystore
[Storing c:\oracle\apps\tech_st\10.1.3\appsutil\jdk\jre\lib\security\cacerts]

Double check whether this key alias has been added:
C:\OpenSSL\CA>c:\oracle\apps\tech_st\10.1.3\appsutil\jdk\jre\bin\keytool.exe ^
-list -keystore ^
c:\oracle\apps\tech_st\10.1.3\appsutil\jdk\jre\lib\security\cacerts
....
symplik, Oct 30, 2013, trustedCertEntry,
Certificate fingerprint (MD5): AF:26:AE:7A:9D:68:89:06:E8:90:30:6E:EE:6A:EC:62
....

(6) Open another command prompt which has set the APPL_TOP environment.  
(6.1) Initialize the keystore
C:> cd %APPL_TOP%\admin
C:\oracle\apps\apps_st\appl\admin>adjkey -initialize -keysize 4096

                     Copyright (c) 2002 Oracle Corporation
                        Redwood Shores, California, USA

                             AD Java Key Generation

                                 Version 12.0.0

NOTE: You may not use this utility for custom development
      unless you have written permission from Oracle Corporation.

Reading product information from file...

Reading language and territory information from file...

Reading language information from applUS.txt ...

Enter the APPS username: apps

Enter the APPS password:

Successfully created javaVersionFile.

adjkey will now create a signing entity for you.

Enter the Name of your Company (used for both CN and
ORGANIZATION NAME) [CN/ORGANIZATION NAME] : SYMPLiK Technologies

Enter the department or group that will use the certificate [ORGANIZATION UNIT] : Finance

Enter the full name of the city where your organization's
head office is located [LOCALITY] :  Toronto

Enter the full name of the State, Province or County where
your organization's head office is located [STATE] :  Ontario

Enter the two-letter ISO abbreviation for your country
(for example, US for the United States) [COUNTRY] : CA
Enter keystore password:  Re-enter new password: Enter key password for
        (RETURN if same as keystore password):  Re-enter new password:
keytool -genkey -alias VCPDEMO_papaya -keyalg RSA -keysize  4096 -keystore c:\oracle\apps\apps_st\appl\admin\adkeystore.dat -validity 14600 -dname " CN=SYMPLiK Technologies, OU=Finance, O=SYMPLiK Technologies, L=Toronto, S=Ontario, C=CA"

The above Java program completed successfully.
Your digital signature has been created successfully and
imported into the keystore database. This signature
will now be used to sign Applications JAR files whenever
they are patched.

  IMPORTANT: If you have multiple web servers, you must copy
  files to each of the remaining web servers on your site.
  See the documentation reference for more information.

adjkey is complete.

(6.2) Generate the certificate signing request (CSR) for the new key
C:\oracle\apps\apps_st\appl\admin>adjkey -certreq -file adkeystore.csr

                     Copyright (c) 2002 Oracle Corporation
                        Redwood Shores, California, USA

                             AD Java Key Generation

                                 Version 12.0.0

NOTE: You may not use this utility for custom development
      unless you have written permission from Oracle Corporation.

Reading product information from file...

Reading language and territory information from file...

Reading language information from applUS.txt ...

Enter the APPS username: apps

Enter the APPS password:

Successfully created javaVersionFile.
Enter keystore password:  Enter key password for
keytool -certreq -file adkeystore.csr -keystore c:\oracle\apps\apps_st\appl\admin\adkeystore.dat -alias VCPDEMO_papaya

The above Java program completed successfully.

adjkey is complete.

(7) Sign the certificate request with your CA

(7.1) Copy the certificate request adkeystore.csr to the OpenSSL directory C:\OpenSSL\CA

(7.2) Do the signing
C:\OpenSSL\CA>openssl ca -in adkeystore.csr -out adkeystore.crt
Using configuration from c:\OpenSSL\CA\openssl.conf
Loading 'screen' into random state - done
Enter pass phrase for C:\OpenSSL\CA\private\cakey.pem:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CA'
stateOrProvinceName   :PRINTABLE:'Ontario'
localityName          :PRINTABLE:'Toronto'
organizationName      :PRINTABLE:'SYMPLiK Technologies'
organizationalUnitName:PRINTABLE:'FINANCE'
commonName            :PRINTABLE:'SYMPLiK Technologies'
Certificate is to be certified until Oct 28 03:21:06 2023 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

If you get the error:
failed to update database
TXT_DB error number 2

it is because a certificate with the same /C/ST/O/OU/CN combination already exists in the CA database (index.txt).
Set 'unique_subject = no' in openssl.conf, delete index.txt.attr (it caches the old setting and overrides the config), and rerun.

(7.3) Convert the signed certificate to DER format
C:\OpenSSL\CA>openssl x509 -outform der -in adkeystore.crt -out adkeystore.der

(7.4) Copy DER-formatted certificate to %APPL_TOP%\admin directory
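The CA side of Part II (steps (2)-(4) and (7.2)-(7.3)) as one POSIX shell script for the Unix/Linux case, added here as an example and not part of the original post. It assumes openssl on PATH, the CA passphrase in the CA_PASS environment variable instead of the interactive -des3 prompt, made-up subject names, and a CSR of your own standing in for adjkey's adkeystore.csr.

```shell
# Added example (not the post's code): Part II steps (2)-(4) and (7.2)-(7.3) as POSIX shell for
# the Unix/Linux case. Assumes openssl on PATH and the CA passphrase in $CA_PASS; names are made up.
set -eu

setup_ca_dir() {   # steps (2)-(3): directory layout, EMPTY index.txt, serial 01, relaxed policy
    mkdir -p "$1/certs" "$1/newcerts" "$1/private"
    : > "$1/index.txt"     # cmd's "echo >index.txt" writes an "ECHO is ..." line; it must be empty
    echo 01 > "$1/serial"
    cat > "$1/openssl.conf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
private_key = \$dir/private/cakey.pem
certificate = \$dir/cacert.pem
default_md = sha256
default_days = 3650
unique_subject = no
policy = policy_match
[ policy_match ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
}
create_ca() {      # step (4): passphrase-protected 4096-bit CA key and 10-year self-signed cert
    openssl genrsa -aes256 -passout env:CA_PASS -out "$1/private/cakey.pem" 4096 2>/dev/null
    openssl req -new -x509 -days 3650 -config "$1/openssl.conf" -key "$1/private/cakey.pem" \
        -passin env:CA_PASS -out "$1/cacert.pem" \
        -subj "/C=CA/ST=Ontario/L=Toronto/O=Example Corp/CN=Example Root CA"
}
sign_csr() {       # steps (7.2)-(7.3): issue a cert for the CSR (adjkey's adkeystore.csr), emit DER
    openssl ca -batch -notext -config "$1/openssl.conf" -passin env:CA_PASS -in "$2" \
        -out "$1/certs/issued.pem" 2>/dev/null
    openssl x509 -outform der -in "$1/certs/issued.pem" -out "$3"
}
verify_chain() {   # the check to run before adjkey -import: does the DER cert chain to cacert.pem?
    openssl x509 -inform der -in "$2" -out "$1/certs/check.pem"
    openssl verify -CAfile "$1/cacert.pem" "$1/certs/check.pem"
}
```

Call the functions in order: setup_ca_dir and create_ca once, then sign_csr and verify_chain for each request; verify_chain returns non-zero when the issued certificate does not chain to the CA, which is the same condition that later makes adjkey -import fail.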

(8) Add the DER-formatted (CA-signed) certificate to the keystore. adjkey passes -trustcacerts, so keytool checks the reply against the CA certificate imported into cacerts in step (5); if that step was skipped or done on a different JRE, the import fails with "Failed to establish chain from reply".
C:\oracle\apps\apps_st\appl\admin>adjkey -import -file adkeystore.der -trustcacerts

                     Copyright (c) 2002 Oracle Corporation
                        Redwood Shores, California, USA

                             AD Java Key Generation

                                 Version 12.0.0

NOTE: You may not use this utility for custom development
      unless you have written permission from Oracle Corporation.

Reading product information from file...

Reading language and territory information from file...

Reading language information from applUS.txt ...

Enter the APPS username: apps

Enter the APPS password:

Successfully created javaVersionFile.
Enter keystore password:  Enter key password for Certificate reply was installed in keystore

keytool -import -file adkeystore.der -trustcacerts -keystore c:\oracle\apps\apps_st\appl\admin\adkeystore.dat -alias VCPDEMO_papaya

The above Java program completed successfully.

adjkey is complete.

(9) Run adadmin and force regeneration of all JAR files (R12: 1 > 4 > yes / 11i: 1 > 5 > yes)

5 comments :

Anonymous said...

Thanks for the awesome post, it really helps.

Anonymous said...

Did not work for us. We get an error in step 8:

Keytool error: java.lang.Exception: Failed to establish chain from reply

Maybe someone has this issue as well?

Unknown said...

Hey

Thanks for the post - I followed through without any problems... however I had to import the certs on the client at the end of the process in order for the warnings to go away.

Is this how it's supposed to work? (eg do I need to import these on each client), or should they be picking up the cert from the EBS server?

Thanks!
Dave

Unknown said...

To answer my own comment, and add a further point...

1) Yes, the generated root CA needs to be imported into each client machine, as a Signer CA in the certificates section of the java control panel.

2) In order to avoid warnings from the client about being unable to check the certification revocation status, you can either disable the revocation checks (in the Advanced section of the java control panel), or create a CRL certificate and put it on a webserver somewhere that the clients will be able to see. I followed the tutorial at: https://jamielinux.com/articles/2013/08/generate-certificate-revocation-list-revoke-certificates/

pdf digital signature said...

Grateful to check out your website, I seem to be ahead to more excellent sites and I wish that you wrote more informative post for us. Well done work.