Saturday, November 2, 2013

Get Rid of Applet Security Warning when Using Self-Signed Certificate in EBS (Part II)


If your EBS 11i or R12 environment does not have patch 17309237 applied, you will see this warning when you start any Form:
Reason: The JAR file manifest does not contain the Permissions attribute.
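To see whether a given JAR has the attribute this warning refers to, the following added example (not from the original post or from Oracle) parses the main section of a JAR manifest and reports the Permissions value and whether a signature block is present. The sample JARs are constructed in memory, and `audit_jar`, `build_sample_jar` and the result keys are names chosen for this example.

```python
import io
import zipfile

def parse_main_attributes(manifest_text):
    """Return the main-section attributes of a JAR manifest (names lower-cased)."""
    logical = []
    for raw in manifest_text.replace("\r\n", "\n").replace("\r", "\n").split("\n"):
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]      # a leading space continues the previous line
        else:
            logical.append(raw)
    attrs = {}
    for line in logical:
        if not line:                    # first blank line ends the main section
            break
        name, sep, value = line.partition(":")
        if sep:
            attrs[name.strip().lower()] = value.strip()
    return attrs

def audit_jar(jar_bytes):
    """Report signature presence and the Permissions attribute of one JAR."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = [n.upper() for n in jar.namelist()]
        try:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            manifest = ""               # no manifest at all
    signed = any(n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC"))
                 for n in names)
    permissions = parse_main_attributes(manifest).get("permissions")
    return {"signed": signed, "permissions": permissions,
            "missing_permissions": permissions is None}

def build_sample_jar(manifest_text, signed=True):
    """Build a constructed in-memory JAR (sample data, not a real EBS JAR)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest_text)
        if signed:
            jar.writestr("META-INF/SAMPLE.SF", "Signature-Version: 1.0\r\n")
            jar.writestr("META-INF/SAMPLE.RSA", b"placeholder, not a real signature")
        jar.writestr("Sample.class", b"")
    return buf.getvalue()

if __name__ == "__main__":
    old = build_sample_jar("Manifest-Version: 1.0\r\nCreated-By: sample\r\n\r\n")
    new = build_sample_jar("Manifest-Version: 1.0\r\nPermissions: all-permissions\r\n\r\n")
    for label, data in (("without attribute", old), ("with attribute", new)):
        print(label, audit_jar(data))
```

For a JAR on disk, pass its bytes: `audit_jar(open(path, "rb").read())`.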

If you check the "I accept the risk..." box and click Run, you may then see the error "FRM-92095: Oracle JInitiator version too low. Please install version 1.1.8.2 or higher".

Reason: You need to patch your IAS to version 10.1.2.3 (through patch 5983622) and apply patch 14825718 for numerous bug fixes, which requires OPatch 1.0.0.0.63 or higher and OUI 10.1.
So you probably need to apply 6640838 (to Oracle Home 10.1.2), which upgrades OUI to 10.1, and then unzip patch 6880880_10100_[OS].zip into this Oracle Home directory.

A quick workaround is to change the java.vendor system property value back to its original owner: Sun Microsystems Inc. This property value has been "Oracle Corporation" since JRE 7.

To make this change, open the Java Control Panel -> Java -> View -> User tab
and add a Runtime Parameter: -Djava.vendor="Sun Microsystems Inc."


An even simpler way is to add a system environment variable JAVA_TOOL_OPTIONS with the value
-Djava.vendor="Sun Microsystems Inc."



After you apply patch 17309237 and use a self-signed certificate, you will see another warning:
Reason: UNKNOWN Publisher, i.e. the JRE does not know the CA which signed these JAR files.

You can continue to work if you check the "I accept..." box, but this warning will show up EVERY TIME when you start the form.

Obtain the cacert.pem file (the in-house CA root certificate) from C:\OpenSSL\CA and import it into your desktop JRE under Certificate type "Signer CA":

Start the Form again and you will still see a warning, but its content is slightly different:
Reason: The Publisher is recognized, but the JRE cannot find out whether this certificate has been revoked or not (through a Certificate Revocation List, CRL, or the Online Certificate Status Protocol, OCSP).

Again, you can continue to work if you check the "I accept..." box, but this warning will show up EVERY TIME when you start the form.

Change the JRE setting to stop checking certificate revocation:

Start the Form again, and finally you get a "one-click-away-everything-done" warning:


After the Form has opened successfully, you can go back to the Java Control Panel, and you will see that this certificate has been added under Trusted Certificates. This is done automatically when you check the "Do not show this again..." box in the warning dialog.


Finally, you can set the Certificate Revocation security settings back to their original values:

If you open the Form again, no more warnings will be shown, even after you set the checking back. Hurray!!

2 comments :

Anonymous said...

Good post. Just worked on this over the last few days and if I would have found this earlier it would have really helped.

Anonymous said...

How to create cacert.pem file (in-house CA root certificate) from C:\OpenSSL\CA and import it to your desktop?

Can you show an instruction on how to do it?