Enhanced security within Oracle E-Business Suite instances through JAR file signing using a Trusted Certificate Authority

The following describes the implementation of enhanced security within your Oracle E-Business Suite instances through JAR file signing using a Trusted Certificate Authority (CA) utilizing larger and more secure keysizes bits to provide stronger encryption. Signing jar files with a Trusted CA is a requirement for running jar content using the later JRE 7 releases running on the highest security settings. This will also become a requirement when using the Java default security settings in a future release.

1) Generate Keypair and Certificate Signing Request
$ export JRI_DATA_LOC=$NE_BASE/EBSapps/appl/ad/admin

Step 1.1. Source the Environment
Note: The configuration steps can be applied with either the RUN or PATCH File System sourced. If you are currently running an ADOP Online Patching session you must make these changes with the PATCH File System sourced. If this is the case please ensure the cutover phase is run after regenerating the Jar Files in

Regenerate the Jar Files.
. $EBS_ROOT/EBSapps.env run

Step 1.2. Generate a new keypair (private key and public key)
$adjkey -initialize -keysize 2048 -alias <INSTANCE-NAME>

Enter the APPS username: apps
Enter the APPS password:
Successfully created javaVersionFile.
adjkey will now create a signing entity for you.
Enter the COMMON NAME [ ] :

Enter the ORGANIZATION NAME [xxx.corp.local] :

Enter the ORGANIZATION UNIT [ ] : apps

Enter the LOCALITY (or City) [ ] :

Enter the STATE (or Province or County) [ ] :

Enter the COUNTRY (two-letter ISO abbreviation) [ ] : US
Enter keystore password:  Re-enter new password: Enter key password for <INSTANCE-NAME>
        (RETURN if same as keystore password):  Re-enter new password:

The above Java program completed successfully.
Your digital signature has been created successfully and imported into the keystore database. This signature will now be used to sign Applications JAR files whenever they are patched.

adjkey is complete.

Run the following to check the generated keystore list:
$ keytool -list -v -keystore adkeystore.dat

Step 1.3. Create a Certificate Signing Request
$ keytool -sigalg SHA256withRSA -certreq -keystore $JRI_DATA_LOC/adkeystore.dat -file  $JRI_DATA_LOC/adkeystore.csr -alias <INSTANCE-NAME>
Enter keystore password: xxxx
Enter key password for <alias_name>: yyyy

Step 1.4. Submit your Certificate Signing Request
Submit your certificate signing request ‘adkeystore.csr’ to your official certificate authority, for example, Verisign, Thawte etc. or to your own in-house
certificate authority as applicable.

Section 2: Import your Certificate(s)
Step 2.1. My Java Code Signing Certificate is Now Available
The adkeystore.csr file created in Step 1.3 Create a Certificate Signing Request should now have been signed, encoded and formatted to be recognized as a ‘signed code certificate’ by your certificate authority which will be used to verify the authenticity of downloaded content.

Once you have received the ‘signed code certificate’ back from your Certificate Authority, continue with the steps below to complete the process.

Step 2.2. Prepare your Oracle E-Business Suite Environment
On the Application tier as the file system owner source your APPS env file.
. $EBS_ROOT/EBSapps.env run

Step 2.3. Add the Root Certificate to cacerts (if required)
If you need to import the ‘Root Certificate’ into cacerts continue to Step 2.4. Add the Root Certificate to cacerts.

Step 2.4. Import the Root Certificate to the Java Keystore Certificate Store ‘cacerts’ (if required)
Step 2.4.1. Copy your Root Certificate to the Security Properties Directory
$ cp <root_certificate> <sec_prop_loc>/<root_certificate>

Step 2.4.2. Import the Root Certificate into cacerts
export SEC_PROP_LOC=$OA_JRE_TOP/lib/security/
keytool -import -alias caroot -file $JRI_DATA_LOC/xxxx.cer -trustcacerts -v -keystore cacerts -keypass xxxx
Enter keystore password: zzzzz
Trust this certificate? [no]:  y

keytool -import -alias cainter -file $JRI_DATA_LOC/corp_local_intermediate.cer -trustcacerts -v -keystore cacerts
Enter keystore password: zzzzz
$ keytool -list -keystore cacerts

Step 2.5. Import the Code Signing Certificate into the Keystore
Step 2.5.1. Copy and Rename the ‘Code Signing Certificate’
cp -p xxxx.cer $JRI_DATA_LOC/adkeystore.crt

Step 2.5.2. Import your Intermediate Certificate(s) (if required)
keytool -import -file corp_local_intermediate.cer -trustcacerts -alias cainter -keystore adkeystore.dat
Enter keystore password: xxxx

Step 2.5.3. Import your Java Code Signing Certificate
keytool -import -file xxxx.cer -trustcacerts -alias <INSTANCE-NAME> -keystore adkeystore.dat
Enter keystore password: xxxx
Enter key password for <EBSPRD> yyyy

Section 3: Regenerate the Jar Files
Step 3.1.1. Stop the Application Tier
. $EBS_ROOT/EBSapps.env run
sh adstpall.sh

Step 3.1.2. Regenerate the jar files through adadmin
Generate Applications Files menu
Generate product JAR files
Do you wish to force regeneration of all jar files? [No] ? yes

Step 3.1.3. Restart the Application Tier
sh adstrtal.sh

Thanks & Regards
Venkatesh RK

  • June 19, 2017 | 21 views
  • Comments