
Importing the Jar Signing Certificate for Oracle E-Business Suite R12



Important Definitions:
adkeystore.bak - a backup copy of your previous adkeystore.dat Keystore taken before the new one is created.
JavaVersionFile - The Java version used in the compilation (The JDK version on your server)
adsign.txt - Used to pass arguments to the JRI during file signing. The first value within this file is your alias.
adkeystore.dat - the Keystore file that is used to sign jar files on the server.

Steps

1: Generate Keypair and Certificate Signing Request


Note: 
  • The alias and key size parameters are optional
  • Valid options for the -keysize parameter are 2048, 3072 or 4096
  • If you do not include the -keysize parameter, the default 2048-bit key size is used.
  • If you do not include the alias parameter, the alias is created from the environment's $CONTEXT_NAME by default.
  • If you wish to change the alias from the current value this must be done before running this command to create the new adkeystore.dat.
  • Do not include spaces in your alias name.
  • The same alias name must be used.

[applmgr@funapps ~]$  cd $NE_BASE/EBSapps/appl/ad/admin

Note: In R12.1 it's $APPL_TOP/admin
[applmgr@funapps ~]$ adjkey -initialize -keysize 2048 -alias funoracleapps

                     Copyright (c) 2002, 2012 Oracle Corporation
                        Redwood Shores, California, USA

                             AD Java Key Generation

                                 Version 12.2.0

NOTE: You may not use this utility for custom development
      unless you have written permission from Oracle Corporation.

Reading product information from file...

Reading language and territory information from file...

Reading language information from applUS.txt ...

Enter the APPS username: apps

Enter the APPS password:

Successfully created javaVersionFile.

adjkey will now create a signing entity for you.

Enter the COMMON NAME [ ] : funoracleapps.lab

Enter the ORGANIZATION NAME [funoracleapps.lab] : FOA

Enter the ORGANIZATION UNIT [ ] : IT

Enter the LOCALITY (or City) [ ] : Noida

Enter the STATE (or Province or County) [ ] : UP

Enter the COUNTRY (two-letter ISO abbreviation) [ ] :  IND
Enter keystore password:  Re-enter new password: Enter key password for <funoracleapps>
        (RETURN if same as keystore password):  Re-enter new password:
/u02/apps/CLON/fs1/EBSapps/comn/util/jdk/jre/bin/java sun.security.tools.KeyTool -genkey -alias funoracleapps -keyalg RSA -keysize  2048 -keystore /u02/apps/CLON/fs_ne/EBSapps/appl/ad/admin/adkeystore.dat -validity 14600 -dname " CN=funoracleapps.lab, O=FOA, OU=Noida, L=Noida, S=UP, C=IND"

The above Java program completed successfully.
Your digital signature has been created successfully and imported into the keystore database. This signature will now be used to sign Applications JAR files whenever they are patched.

  IMPORTANT: If you have multiple web servers, you must copy  files to each of the remaining web servers on your site.  See the documentation reference for more information.


adjkey is complete.

[applmgr@funapps ~]$


Use the code below to see the default keystore passwords:
SQL> set serveroutput on
SQL> declare
  spass varchar2(30);  -- keystore password
  kpass varchar2(30);  -- key password
begin
  ad_jar.get_jripasswords(spass, kpass);
  dbms_output.put_line(spass);
  dbms_output.put_line(kpass);
end;
/
puneet <== default password for keystore
myxuan <== default password for the key
 
2: Create a Certificate Signing Request

[applmgr@funapps /u02/apps/CLON/fs_ne/EBSapps/appl/ad/admin ]$ keytool -sigalg SHA256withRSA -certreq -keystore adkeystore.dat -file adkeystore.csr -alias funoracleapps
Enter keystore password:
Enter key password for <funoracleapps>
[applmgr@funapps /u02/apps/CLON/fs_ne/EBSapps/appl/ad/admin ]$

You can verify the algorithm used within your 'Certificate Signing Request' (adkeystore.csr) by running the following command:
$ openssl req -in adkeystore.csr -text -noout | grep "Signature Algorithm"

3: List the Certificate Request content

[applmgr@funapps /u02/apps/CLON/fs_ne/EBSapps/appl/ad/admin]$ keytool -list -v -keystore adkeystore.dat
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: funoracleapps
Creation date: Dec 1, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=funoracleapps.lab, O=FOA, OU=IT, L=Noida, ST=UP, C=IND
Issuer: CN=funoracleapps.lab, O=FOA, OU=IT, L=Noida, ST=UP, C=IND
Serial number: 7cf6666d
Valid from: Sat Dec 01 12:15:23 GST 2018 until: Thu Nov 21 12:15:23 GST 2058

Get the certificate signed by the signing authority.


4: Import your Certificate(s)

Import the Root Certificate into the Java Keystore Certificate Store 'cacerts' (I am not doing this, as the root provider is the same and in-house, and is already present in my cacerts).
If you are using my script for self-signing, there is no need to import it.

If you have an intermediate certificate, import that as well, in order, into adkeystore.dat.

[applmgr@funapps /u02/apps/CLON/fs_ne/EBSapps/appl/ad/admin]$
[applmgr@funapps /u02/apps/CLON/fs_ne/EBSapps/appl/ad/admin]$ cp funoracleapps.p7b adkeystore.crt

[applmgr@funapps /u02/apps/CLON/fs_ne/EBSapps/appl/ad/admin]$ keytool -import -file adkeystore.crt -trustcacerts -alias funoracleapps -keystore adkeystore.dat
Enter keystore password:
Enter key password for <funoracleapps>
Certificate reply was installed in keystore

5: Update the adsign.txt with the new alias

[applmgr@funebs122 admin]$ cat adsign.txt
funoracleapps 1 CUST
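
Added example (not part of the original post and not Oracle code): a shell check that ties steps 3 to 5 together. Given the contents of adsign.txt and the text printed by keytool -list -v, it reports whether the alias named in adsign.txt exists in the keystore as a PrivateKeyEntry, and whether its certificate is still the self-signed one created by adjkey or has been replaced by the CA reply. The status words, the "after" listing and its issuer name are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not Oracle code. Status words are this example's own.
# check_signing_entry <adsign.txt contents> <output of keytool -list -v>
# Prints: CA_SIGNED | SELF_SIGNED | NOT_PRIVATE_KEY | ALIAS_MISSING
check_signing_entry() {
  # The first field of the first line of adsign.txt is the alias.
  want=$(printf '%s\n' "$1" | awk 'NR == 1 { print $1 }')
  printf '%s\n' "$2" | awk -v want="$want" '
    /^Alias name: /          { cur = substr($0, 13); if (cur == want) found = 1 }
    cur != want              { next }   # skip entries for other aliases
    /^Entry type: /          { type = substr($0, 13) }
    /^Owner: /  && own == "" { own = substr($0, 8) }   # Certificate[1] is the leaf
    /^Issuer: / && iss == "" { iss = substr($0, 9) }
    END {
      if (!found)                         print "ALIAS_MISSING"
      else if (type != "PrivateKeyEntry") print "NOT_PRIVATE_KEY"
      else if (own == iss)                print "SELF_SIGNED"
      else                                print "CA_SIGNED"
    }'
}

ADSIGN='funoracleapps 1 CUST'

# Listing as shown in step 3 of the post (before the CA reply is imported).
BEFORE='Alias name: funoracleapps
Creation date: Dec 1, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=funoracleapps.lab, O=FOA, OU=IT, L=Noida, ST=UP, C=IND
Issuer: CN=funoracleapps.lab, O=FOA, OU=IT, L=Noida, ST=UP, C=IND'

# Constructed listing after step 4; the issuer name is a placeholder.
AFTER='Alias name: funoracleapps
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=funoracleapps.lab, O=FOA, OU=IT, L=Noida, ST=UP, C=IND
Issuer: CN=Example Internal CA, O=FOA, C=IND
Certificate[2]:
Owner: CN=Example Internal CA, O=FOA, C=IND
Issuer: CN=Example Internal CA, O=FOA, C=IND'

echo "before import: $(check_signing_entry "$ADSIGN" "$BEFORE")"
echo "after import:  $(check_signing_entry "$ADSIGN" "$AFTER")"
```

On a real node, pass the contents of adsign.txt and the saved output of keytool -list -v -keystore adkeystore.dat instead of the sample variables.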



6: Stop the application services using adstopall.sh

7: Regenerate JAR files with the force option using the adadmin utility

Run ADADMIN, and select the following from the AD Administration Main Menu:
  • Choose the Generate Applications Files menu
  • From this menu, choose Generate product JAR files
  • Enter yes when prompted with: Do you wish to force regeneration of all jar files? [No] ? yes

8: Start the application services using adstrall.sh


Reference: Enhanced Jar Signing for Oracle E-Business Suite (Doc ID 1591073.1)



