Importing the Jar Signing Certificate for Oracle E-Business Suite R12
adkeystore.bak - a backup copy of your previous adkeystore.dat Keystore taken before the new one is created.
JavaVersionFile - The Java version used in the compilation (The JDK version on your server)
adsign.txt - Used to pass arguments to the JRI during file signing. The first value within this file is your alias.
adkeystore.dat - the Keystore file that is used to sign jar files on the server.
Steps
1: Generate Keypair and Certificate Signing Request
Note:
- The alias and key size parameters are optional
- Valid options for the -keysize parameter are 2048, 3072 or 4096
- If you do not include the -keysize parameter, the default 2048-bit key size is used.
- If you do not include the alias parameter, the alias is created from the environment's $CONTEXT_NAME by default.
- If you wish to change the alias from the current value this must be done before running this command to create the new adkeystore.dat.
- Do not include spaces in your alias name.
- The same alias name must be used.
[applmgr@funapps ~]$ cd $NE_BASE/EBSapps/appl/ad/admin
Note: In R12.1 it is $APPL_TOP/admin
[applmgr@funapps ~]$ adjkey -initialize -keysize 2048 -alias funoracleapps
Copyright (c) 2002, 2012 Oracle Corporation
Redwood Shores, California, USA
AD Java Key Generation
Version 12.2.0
NOTE: You may not use this utility for custom development
unless you have written permission from Oracle Corporation.
Reading product information from file...
Reading language and territory information from file...
Reading language information from applUS.txt ...
Enter the APPS username: apps
Enter the APPS password:
Successfully created javaVersionFile.
adjkey will now create a signing entity for you.
Enter the COMMON NAME [ ] : funoracleapps.lab
Enter the ORGANIZATION NAME [funoracleapps.lab] : FOA
Enter the ORGANIZATION UNIT [ ] : IT
Enter the LOCALITY (or City) [ ] : Noida
Enter the STATE (or Province or County) [ ] : UP
Enter the COUNTRY (two-letter ISO abbreviation) [ ] : IND
Enter keystore password: Re-enter new password: Enter key password for <funoracleapps>
(RETURN if same as keystore password): Re-enter new password:
/u02/apps/CLON/fs1/EBSapps/comn/util/jdk/jre/bin/java sun.security.tools.KeyTool -genkey -alias funoracleapps -keyalg RSA -keysize 2048 -keystore /u02/apps/CLON/fs_ne/EBSapps/appl/ad/admin/adkeystore.dat -validity 14600 -dname " CN=funoracleapps.lab, O=FOA, OU=Noida, L=Noida, S=UP, C=IND"
The above Java program completed successfully.
Your digital signature has been created successfully and imported into the keystore database. This signature will now be used to sign Applications JAR files whenever they are patched.
IMPORTANT: If you have multiple web servers, you must copy files to each of the remaining web servers on your site. See the documentation reference for more information.
adjkey is complete.
[applmgr@funapps ~]$
Use the code below to see the default keystore passwords:
SQL> set serveroutput on
SQL> declare
  spass varchar2(30);
  kpass varchar2(30);
begin
  ad_jar.get_jripasswords(spass, kpass);
  dbms_output.put_line(spass);
  dbms_output.put_line(kpass);
end;
/
puneet <== default password for keystore
myxuan <== default password for the key
2: Create a Certificate Signing Request
[applmgr@funapps /u02/apps/CLON/fs_ne/EBSapps/appl/ad/admin ]$ keytool -sigalg SHA256withRSA -certreq -keystore adkeystore.dat -file adkeystore.csr -alias funoracleapps
Enter keystore password:
Enter key password for <funoracleapps>
[applmgr@funapps /u02/apps/CLON/fs_ne/EBSapps/appl/ad/admin ]$
You can verify the algorithm used within your 'Certificate Signing Request' (adkeystore.csr) by running the following command:
$ openssl req -in adkeystore.csr -text -noout | grep "Signature Algorithm"
3: List the Certificate Request content
[applmgr@funapps /u02/apps/CLON/fs_ne/EBSapps/appl/ad/admin]$ keytool -list -v -keystore adkeystore.dat
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: funoracleapps
Creation date: Dec 1, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=funoracleapps.lab, O=FOA, OU=IT, L=Noida, ST=UP, C=IND
Issuer: CN=funoracleapps.lab, O=FOA, OU=IT, L=Noida, ST=UP, C=IND
Serial number: 7cf6666d
Valid from: Sat Dec 01 12:15:23 GST 2018 until: Thu Nov 21 12:15:23 GST 2058
Get the certificate signed by the signing authority.
4: Import your Certificate(s)
Import the Root Certificate to the Java Keystore Certificate Store 'cacerts' (I am not doing this, as the root provider is the same in-house one, which is already present in my cacerts).
If you are using my script for self-signing, there is no need to import.
If you have an intermediate certificate, please import that as well, in order, into adkeystore.dat.
[applmgr@funapps /u02/apps/CLON/fs_ne/EBSapps/appl/ad/admin]$
[applmgr@funapps /u02/apps/CLON/fs_ne/EBSapps/appl/ad/admin]$ cp funoracleapps.p7b adkeystore.crt
[applmgr@funapps /u02/apps/CLON/fs_ne/EBSapps/appl/ad/admin]$ keytool -import -file adkeystore.crt -trustcacerts -alias funoracleapps -keystore adkeystore.dat
Enter keystore password:
Enter key password for <funoracleapps>
Certificate reply was installed in keystore
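To confirm the import took effect, re-run the listing from step 3 and compare Owner and Issuer of the first certificate: before the reply is installed the entry is self-signed (Owner equals Issuer, chain length 1). The script below is an added example, not part of the original post or of Oracle's tooling; the function name entry_status and the "after" listing (CA name, chain length 2) are constructed for illustration.

```shell
# Added example: classify an alias from `keytool -list -v` text on stdin.
# Real use: keytool -list -v -keystore adkeystore.dat | entry_status funoracleapps
entry_status() {
    awk -v want="$1" '
        /^Alias name: /  { cur = substr($0, 13); first = 0 }
        cur != want      { next }                  # ignore other aliases
        /^Entry type: /  { type = substr($0, 13) }
        /^Certificate chain length: / { chain = $NF }
        /^Certificate\[1\]:/      { first = 1; next }   # the signing cert
        /^Certificate\[[0-9]+\]:/ { first = 0 }         # CA certs in chain
        first && /^Owner: /  { owner  = substr($0, 8) }
        first && /^Issuer: / { issuer = substr($0, 9) }
        END {
            # Fail if the alias is missing or holds no private key.
            if (type != "PrivateKeyEntry" || owner == "") exit 1
            state = (owner == issuer) ? "self-signed" : "ca-signed"
            printf "%s chain=%s %s\n", want, chain, state
        }'
}

# Listing as shown in step 3 (before the CA reply is imported).
sample_before() { cat <<'EOF'
Alias name: funoracleapps
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=funoracleapps.lab, O=FOA, OU=IT, L=Noida, ST=UP, C=IND
Issuer: CN=funoracleapps.lab, O=FOA, OU=IT, L=Noida, ST=UP, C=IND
EOF
}

# Constructed listing for the state after step 4 (CA name is made up).
sample_after() { cat <<'EOF'
Alias name: funoracleapps
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=funoracleapps.lab, O=FOA, OU=IT, L=Noida, ST=UP, C=IND
Issuer: CN=Constructed In-House CA, O=FOA, C=IND
Certificate[2]:
Owner: CN=Constructed In-House CA, O=FOA, C=IND
Issuer: CN=Constructed In-House CA, O=FOA, C=IND
EOF
}

sample_before | entry_status funoracleapps
sample_after  | entry_status funoracleapps
```

A non-zero exit status means the alias was not found or is not a PrivateKeyEntry, which is worth checking before regenerating the JAR files in step 7.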
5: Update the adsign.txt with the new alias
[applmgr@funebs122 admin]$ cat adsign.txt
funoracleapps 1 CUST
funoracleapps 1 CUST
6: Stop the application services using adstopall.sh
7: Regenerate JAR files with the force option using the adadmin utility
Run ADADMIN, and select the following from the AD Administration Main Menu:
Choose Generate Applications Files menu
From this menu choose Generate product JAR files
Enter yes when prompted with: Do you wish to force regeneration of all jar files? [No] ? yes
8: Start the application services using adstrall.sh
Reference: Enhanced Jar Signing for Oracle E-Business Suite (Doc ID 1591073.1)