Thursday, December 19, 2013

Use Java Code Signing Certificate in Oracle E-Business Suite



Create and Import Java Code Signing Certificate to use in Oracle E-Business Suite

Ref: Oracle Note
Enhanced Jar Signing for Oracle E-Business Suite (Doc ID 1591073.1)

The Oracle note is an important document and covers most of the errors and resolutions, but it has some shortcomings. I did not use the ADJAVA command and substituted the KEYTOOL command instead.

1) Generate KeyPair

keytool -genkey -keyalg RSA -keysize 4096 -alias EbsJarCert -keypass EbsJarkp1 -storepass EbsJarsp1 -keystore /ebs/home/test/keystore.dat -v

What is your first and last name?
  [Unknown]:  EbsJarServ.com
What is the name of your organizational unit?
  [Unknown]:  Ebs
What is the name of your organization?
  [Unknown]:  Ebs Company
What is the name of your City or Locality?
  [Unknown]:  Washington
What is the name of your State or Province?
  [Unknown]:  District of Columbia
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=EbsJarServ.com, OU=Ebs, O=Ebs Company, L=Washington, ST=District of Columbia, C=US correct?
  [no]:  yes

Generating 4,096 bit RSA key pair and self-signed certificate (SHA1withRSA) with a validity of 90 days
        for: CN=EbsJarServ.com, OU=Ebs, O=Ebs Company, L=Washington, ST=District of Columbia, C=US
[Storing /ebs/app/keystore.dat]

2) Verify KeyPair

$ keytool -list -v -storepass EbsJarsp1 -keystore /ebs/home/test/keystore.dat -alias EbsJarCert
(You can also execute the same command with adjkey:
adjkey -list -v -storepass EbsJarsp1 -keystore /ebs/home/test/keystore.dat -alias EbsJarCert)

Alias name: EbsJarCert
Creation date: Dec 17, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=EbsJarServ.com, OU=Ebs, O=Ebs Company, L=Washington, ST=District of Columbia, C=US
Issuer: CN=EbsJarServ.com, OU=Ebs, O=Ebs Company, L=Washington, ST=District of Columbia, C=US
Serial number: 52b06a4a
Valid from: Tue Dec 17 09:05:46 EST 2013 until: Mon Mar 17 10:05:46 EDT 2014
Certificate fingerprints:
         MD5:  10:37:62:7D:60:EA:89:AF:15:77:19:62:59:49:28:DD
         SHA1: 02:93:CC:96:BD:EF:CE:28:B9:38:51:8E:4B:F8:94:05:ED:C8:68:0A
         Signature algorithm name: SHA1withRSA
         Version: 3

3) Request Certificate (CSR)

keytool -certreq -alias EbsJarCert \
                -storepass EbsJarsp1 -keypass EbsJarkp1 \
                -file /ebs/home/test/EbsJarCert.csr \
                -keystore /ebs/home/test/keystore.dat

4) Submit your CSR to the Signing Authority for a certificate (Verisign)

Note: Be sure to request a Java Code Signing Certificate. This certificate can be used to sign your jar content across one or multiple Oracle E-Business Suite environments. After you get the certificate, export it in X509 format and ftp it in ascii mode to the web server.

5) Verify the Certificate (CRT) after you receive it from Verisign

keytool -printcert -v -file /ebs/home/test/EbsJarCert.crt

6) Import Intermediate and Root Certificate to the cacerts Keystore File

Create myca.crt (by exporting the Intermediate and Root Certificates in X509 format)
Go to $OA_JRE_TOP/jre/lib/security/
chmod +w cacerts
cat inter.crt root.crt > myca.crt
keytool -import -alias myca -file myca.crt -trustcacerts -v -keystore cacerts
chmod a-w cacerts
Note: The default password for the Java cacerts keystore file is usually changeit.

7) Import the Java Code Signing Certificate into the Keystore

Go to $APPL_TOP/admin
Create EbsJarCert.crt (by exporting the .crt in X509 format)
cp EbsJarCert.crt $APPL_TOP/admin/adkeystore.crt
cp /ebs/home/test/keystore.dat $APPL_TOP/admin/adkeystore.dat

Import the certificate
keytool -import \
                -file /ebs/app/test/appl/admin/adkeystore.crt \
                -trustcacerts -storepass EbsJarsp1 \
                -alias EbsJarCert \
                -keystore /ebs/app/test/appl/admin/adkeystore.dat

8) Verify and Update jripasswords in the database

Login as APPS
SQL> set serveroutput on
SQL> declare
       spass varchar2(30);
       kpass varchar2(30);
     begin
       ad_jar.get_jripasswords(spass, kpass);
       dbms_output.put_line('--------');
       dbms_output.put_line('STOREPASS = '||spass);
       dbms_output.put_line('KEYPASS = '||kpass);
       dbms_output.put_line('--------');
     end;
     /

If STOREPASS and KEYPASS do not match the passwords of adkeystore.dat, update them with the correct passwords:
SQL> exec ad_jar.DEL_JRIPASSWORDS;
SQL> exec ad_jar.PUT_JRIPASSWORDS('EbsJarsp1','EbsJarkp1');

9) Generate JAR files with ADADMIN

vi $APPL_TOP/admin/adsign.txt
EbsJarCert 1 CUST

adadmin
Choose the Generate Applications Files menu
From this menu choose Generate product JAR files

Enter yes when prompted with: Do you wish to force regeneration of all jar files? [No] ? yes

10) Verify the Digital Signature of a Signed Jar File

jarsigner -verify -verbose -certs /ebs/app/test/comn/java/oracle/apps/fnd/jar/fndlist.jar

X.509, CN=EbsJarServ.com, OU=Digital ID Class 3 - Java Object Signing, OU=Ebs, O=Ebs Company, L=Washington, ST=District of Columbia, C=US
      [certificate is valid from 12/17/13 7:00 PM to 12/16/15 6:59 PM]
jar verified.

11) Test the Applications

Java Control Panel -> Security -> Security Level: Very High
Java Control Panel -> Advanced  -> Show Console (Check)
Java Control Panel -> Advanced  -> Enable logging (Check)
Java Control Panel -> Advanced  -> Enable Trace (Check)

Login to Applications and test

Verify the output in the Java Console for any issues/errors/warnings.

Some of them are:
Missing Permissions manifest attribute for:
https://11iurl/OA_JAVA/oracle/apps/fnd/jar/fndutil.jar
Missing Codebase manifest attribute for:
https://11iurl/OA_JAVA/oracle/apps/fnd/jar/fndutil.jar

Fix
Not all the JAR files are signed properly; run the following commands:
adjava -mx512m -nojit oracle.apps.ad.jri.adjcopy -masterArchive $JAVA_TOP -sync -reportfile javatopfiles.lst
adjava -mx512m -nojit oracle.apps.ad.jri.adjcopy -masterArchive $JAVA_TOP -sync -mode APPLY
Run ADADMIN again and force generate JAR files
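Added example (my own code, not from the original post and not an Oracle utility): a small Python checker for the two manifest attributes the Java console warns about above, Permissions and Codebase, that also reports whether a signature block file is present in META-INF. It builds constructed sample JARs in memory, so every host name and file name in it is an assumption, and it joins the wrapped continuation lines that MANIFEST.MF uses for long Codebase values.

```python
import io
import zipfile

# Constructed sample manifests, not taken from the original post. JAR manifests
# wrap long lines at 72 bytes; a continuation line starts with a single space.
GOOD_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Created-By: 1.6.0_45 (Sun Microsystems Inc.)\r\n"
    "Permissions: all-permissions\r\n"
    "Codebase: https://ebs.example.com https://dr.example.com https://ebs-te\r\n"
    " st.example.com\r\n"
    "\r\n"
)
BAD_MANIFEST = "Manifest-Version: 1.0\r\nCreated-By: 1.6.0_45\r\n\r\n"

def build_jar(manifest, signed):
    """Build an in-memory JAR with the given main manifest (test fixture only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        if signed:  # signature file and RSA block, named as jarsigner names them
            z.writestr("META-INF/EBSJARCE.SF", "Signature-Version: 1.0\r\n")
            z.writestr("META-INF/EBSJARCE.RSA", b"placeholder PKCS#7 block")
    return buf.getvalue()

def parse_main_attributes(manifest):
    """Parse the main section of MANIFEST.MF, joining wrapped continuation lines."""
    attrs, last = {}, None
    for line in manifest.splitlines():
        if line == "":
            break  # blank line ends the main section; per-entry sections follow
        if line.startswith(" ") and last is not None:
            attrs[last] += line[1:]
        else:
            name, _, value = line.partition(":")  # URLs contain ':', so split once
            last = name.strip()
            attrs[last] = value.strip()
    return attrs

def check_jar(jar_bytes):
    """Report the attributes the Java console warns about and signature-block presence."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        names = z.namelist()
        attrs = parse_main_attributes(z.read("META-INF/MANIFEST.MF").decode("utf-8"))
    return {
        "permissions": attrs.get("Permissions"),
        "codebase": attrs.get("Codebase", "").split(),
        "has_signature_block": any(n.startswith("META-INF/") and n.endswith((".RSA", ".DSA")) for n in names),
    }
```

Run check_jar over the bytes of a real $JAVA_TOP jar to see which of the three checks fails before re-running ADADMIN.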

For the following errors in the Java console:
network: Connecting http://ocsp.verisign.com/ with proxy=DIRECT
network: Connecting http://ocsp.verisign.com:80/ with proxy=DIRECT
security: Failing over to CRLs: java.net.SocketTimeoutException: connect timed out
network: Cache entry not found [url: http://crl.verisign.com/pca3-g5.crl, version: null]
network: Connecting http://crl.verisign.com/pca3-g5.crl with proxy=DIRECT
network: Connecting http://crl.verisign.com:80/ with proxy=DIRECT

Fix
Control Panel -> Java -> Advanced tab -> 'Perform certificate revocation checks on' section -> select "DO NOT CHECK"