Issue:
EBS procedures to follow when using code-signing certificates that utilize an HSM (Hardware Security Module) or Token
Cause of the issue:
Starting June 1st 2023, all trusted 3rd party Certificate Authorities are issuing NEW code signing certificates which are HSM / Token based.
Solution:
1) Follow the documentation by your certificate authority (CA) to generate your certificate and install your HSM software for signing.
(You have to work with the CA vendor for this.)
2) Generate a list of jar files to sign by running ADADMIN and selecting the following from the AD Administration Main Menu:
(i) Choose the Generate Applications Files menu
(ii) From this menu choose Generate product jar files
(iii) Enter yes when prompted with: Do you wish to force regeneration of all jar files? [No] ? yes
3) All the files listed in [ jarlist.txt ], located in the [ $NE_BASE/EBSapps/log/adadmin/log/ ] directory, will need to be signed.
If [ jarlist.txt ] contains only one entry (customall.jar), combine [ jarlist.txt.bak ] and [ jarlist.txt ] to get the full list of JARs that need to be signed.
4) Use the HSM signing software to initially sign the jar files from Step #3 above.
5) After the jar files have been signed via HSM, they need to be moved back to their original location in EBS.
NOTE for Patching
(i) After applying a patch you will need to sign the jar files that have been updated. You can use the following command to find them.
$ find $JAVA_TOP/oracle/apps/*/jar -mtime -1 -ls
(finds jar files updated in the last 1 day)
(ii) Use the HSM signing software to re-sign the jar files.
Follow steps 4 & 5 above to sign the jar files that have been updated by patching.
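The list handling in step 3, the move back in step 5, and the patching search in (i) can be scripted as below. This is an added example, not Oracle's or any CA's tooling. It assumes jarlist.txt and jarlist.txt.bak hold one absolute jar path per line; the function names and the SIGN_STAGE variable are hypothetical. The HSM signing itself (step 4) is done on the staged copies with your CA's software.

```shell
#!/bin/sh
# Added example, not Oracle's tooling. Assumption: jarlist.txt and
# jarlist.txt.bak hold one absolute JAR path per line.

# build_sign_list LOGDIR: print the de-duplicated JAR paths to sign (step 3).
build_sign_list() {
    list="$1/jarlist.txt"; bak="$1/jarlist.txt.bak"
    [ -r "$list" ] || { echo "missing $list" >&2; return 1; }
    entries=$(grep -c . "$list" || true)
    first=$(grep . "$list" | head -n 1)
    # Only customall.jar listed: merge in the .bak to recover the full list.
    if [ "$entries" -eq 1 ] && [ "$(basename "$first")" = customall.jar ] \
        && [ -r "$bak" ]; then
        cat "$bak" "$list"
    else
        cat "$list"
    fi | grep . | sort -u
}

# patched_jars JAVA_TOP: JARs modified in the last day (patching note (i)).
patched_jars() {
    find "$1"/oracle/apps/*/jar -type f -name '*.jar' -mtime -1 -print
}

# stage_jars STAGE: copy each JAR path read on stdin into STAGE, mirroring
# its original path so the signed copy can be put back exactly (step 5).
stage_jars() {
    while IFS= read -r jar; do
        [ -f "$jar" ] || { echo "not found: $jar" >&2; continue; }
        mkdir -p "$1/$(dirname "$jar")"
        cp -p "$jar" "$1/$jar"
    done
}

# restore_jars STAGE: copy signed JARs from STAGE back to their original paths.
restore_jars() {
    while IFS= read -r jar; do
        if [ -f "$1/$jar" ]; then cp -p "$1/$jar" "$jar"; fi
    done
}

# Runs only when the hypothetical SIGN_STAGE variable is set on the EBS node.
if [ -n "${SIGN_STAGE:-}" ]; then
    build_sign_list "$NE_BASE/EBSapps/log/adadmin/log" | stage_jars "$SIGN_STAGE"
fi
```

After signing the staged copies, pipe the same list into restore_jars "$SIGN_STAGE" to put them back.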
Conclusion:
Starting June 1st 2023, all trusted 3rd party Certificate Authorities are issuing NEW code signing certificates which are HSM / Token based. This is industry driven and not specific to Oracle. The steps above are the Oracle EBS procedures to follow when signing jar files with code-signing certificates that utilize an HSM (Hardware Security Module) or Token.