Importing the Jar Signing Certificate for Oracle E-Business Suite R12


Important Definitions:
adkeystore.bak - a backup copy of your previous adkeystore.dat Keystore taken before the new one is created.
JavaVersionFile - The Java version used in the compilation (The JDK version on your server)
adsign.txt - Used to pass arguments to the JRI during file signing. The first value within this file is your alias.
adkeystore.dat - the Keystore file that is used to sign jar files on the server.

Steps

1: Generate the Keypair


Note:
  • The alias and key size parameters are optional.
  • Valid values for the -keysize parameter are 2048, 3072 or 4096.
  • If you do not include the -keysize parameter, the default 2048-bit key size is used.
  • If you do not include the alias parameter, the alias is derived from the environment's $CONTEXT_NAME by default.
  • If you wish to change the alias from its current value, do so before running this command to create the new adkeystore.dat.
  • Do not include spaces in your alias name.
  • The same alias name must be used throughout (keystore, CSR, certificate import and adsign.txt).

[applmgr@funapps ~]$ cd $NE_BASE/EBSapps/appl/ad/admin

Note: In R12.1 the directory is $APPL_TOP/admin
[applmgr@funapps ~]$ adjkey -initialize -keysize 2048 -alias funoracleapps

                     Copyright (c) 2002, 2012 Oracle Corporation
                        Redwood Shores, California, USA

                             AD Java Key Generation

                                 Version 12.2.0

NOTE: You may not use this utility for custom development
      unless you have written permission from Oracle Corporation.

Reading product information from file...

Reading language and territory information from file...

Reading language information from applUS.txt ...

Enter the APPS username: apps

Enter the APPS password:

Successfully created javaVersionFile.

adjkey will now create a signing entity for you.

Enter the COMMON NAME [ ] : funoracleapps.lab

Enter the ORGANIZATION NAME [funoracleapps.lab] : FOA

Enter the ORGANIZATION UNIT [ ] : IT

Enter the LOCALITY (or City) [ ] : Noida

Enter the STATE (or Province or County) [ ] : UP

Enter the COUNTRY (two-letter ISO abbreviation) [ ] :  IND
Enter keystore password:  Re-enter new password: Enter key password for <funoracleapps>
        (RETURN if same as keystore password):  Re-enter new password:
/u02/apps/CLON/fs1/EBSapps/comn/util/jdk/jre/bin/java sun.security.tools.KeyTool -genkey -alias funoracleapps -keyalg RSA -keysize  2048 -keystore /u02/apps/CLON/fs_ne/EBSapps/appl/ad/admin/adkeystore.dat -validity 14600 -dname " CN=funoracleapps.lab, O=FOA, OU=Noida, L=Noida, S=UP, C=IND"

The above Java program completed successfully.
Your digital signature has been created successfully and imported into the keystore database. This signature will now be used to sign Applications JAR files whenever they are patched.

  IMPORTANT: If you have multiple web servers, you must copy  files to each of the remaining web servers on your site.  See the documentation reference for more information.


adjkey is complete.

[applmgr@funapps ~]$


Use the following PL/SQL block to display the default keystore and key passwords:

SQL> set serveroutput on
SQL> declare
       spass varchar2(30);
       kpass varchar2(30);
     begin
       ad_jar.get_jripasswords(spass, kpass);
       dbms_output.put_line(spass);
       dbms_output.put_line(kpass);
     end;
     /
puneet    <== default password for the keystore
myxuan    <== default password for the key
 
2: Create a Certificate Signing Request

[applmgr@funapps /u02/apps/CLON/fs_ne/EBSapps/appl/ad/admin ]$ keytool -sigalg SHA256withRSA -certreq -keystore adkeystore.dat -file adkeystore.csr -alias funoracleapps
Enter keystore password:
Enter key password for <funoracleapps>
[applmgr@funapps /u02/apps/CLON/fs_ne/EBSapps/appl/ad/admin ]$

You can verify the algorithm used within your 'Certificate Signing Request' (adkeystore.csr) by running the following command:
$ openssl req -in adkeystore.csr -text -noout | grep "Signature Algorithm"

3: List the Keystore content

[applmgr@funapps /u02/apps/CLON/fs_ne/EBSapps/appl/ad/admin]$ keytool -list -v -keystore adkeystore.dat
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: funoracleapps
Creation date: Dec 1, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=funoracleapps.lab, O=FOA, OU=IT, L=Noida, ST=UP, C=IND
Issuer: CN=funoracleapps.lab, O=FOA, OU=IT, L=Noida, ST=UP, C=IND
Serial number: 7cf6666d
Valid from: Sat Dec 01 12:15:23 GST 2018 until: Thu Nov 21 12:15:23 GST 2058

Send the certificate signing request (adkeystore.csr) to your certificate authority and get the certificate signed.


4: Import your Certificate(s)

Import the Root Certificate into the Java keystore certificate store 'cacerts' (I am not doing this here, as the root provider is the same in-house CA that is already present in my cacerts).
If you are using my script for self-signing, there is no need to import it.

If you have an intermediate certificate, import it into adkeystore.dat as well, in chain order, before the signed certificate.

[applmgr@funapps /u02/apps/CLON/fs_ne/EBSapps/appl/ad/admin]$ cp funoracleapps.p7b adkeystore.crt

[applmgr@funapps /u02/apps/CLON/fs_ne/EBSapps/appl/ad/admin]$ keytool -import -file adkeystore.crt -trustcacerts -alias funoracleapps -keystore adkeystore.dat
Enter keystore password:
Enter key password for <funoracleapps>
Certificate reply was installed in keystore

5: Update the adsign.txt with the new alias

[applmgr@funebs122 admin]$ cat adsign.txt
funoracleapps 1 CUST
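A consistency check for steps 3 to 5, added here as an example (it is not from the post or from Oracle's tooling): it parses the output of keytool -list -v together with adsign.txt, confirms that the adsign.txt alias exists in the keystore as a PrivateKeyEntry, flags an entry that is still self-signed (CA reply not yet imported) and reports an expired or soon-expiring certificate. The sample listing is constructed from the output shown in step 3; on a real system feed it `keytool -list -v -keystore adkeystore.dat` and the contents of adsign.txt.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the `keytool -list -v` output in step 3
# (not captured from a real system); only the fields the check needs.
KEYTOOL_LIST = """Your keystore contains 1 entry
Alias name: funoracleapps
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=funoracleapps.lab, O=FOA, OU=IT, L=Noida, ST=UP, C=IND
Issuer: CN=funoracleapps.lab, O=FOA, OU=IT, L=Noida, ST=UP, C=IND
Valid from: Sat Dec 01 12:15:23 GST 2018 until: Thu Nov 21 12:15:23 GST 2058
"""
ADSIGN_TXT = "funoracleapps 1 CUST\n"   # constructed, same layout as step 5


def parse_keytool_list(text):
    """Map each alias to the fields of its first (leaf) certificate."""
    entries = {}
    for block in re.split(r"(?m)^Alias name: ", text)[1:]:
        alias, body = block.split("\n", 1)
        field = lambda key: re.search(rf"(?m)^{key}: (.*)$", body).group(1)
        # keytool prints a local zone abbreviation (GST above); it is skipped
        until = re.search(r"until: \w{3} (\w{3} \d{2} [\d:]{8}) \S+ (\d{4})", body)
        entries[alias.strip()] = {
            "type": field("Entry type"),
            "chain": int(field("Certificate chain length")),
            "owner": field("Owner"),
            "issuer": field("Issuer"),
            "until": datetime.strptime(" ".join(until.groups()), "%b %d %H:%M:%S %Y"),
        }
    return entries


def check_signing_setup(keytool_text, adsign_text, today):
    """Return findings (empty list = consistent); today is 'YYYY-MM-DD'."""
    now = datetime.strptime(today, "%Y-%m-%d")
    alias = adsign_text.split()[0]          # first token of adsign.txt is the alias
    entries = parse_keytool_list(keytool_text)
    if alias not in entries:
        return [f"alias '{alias}' from adsign.txt is not in the keystore"]
    e, findings = entries[alias], []
    if e["type"] != "PrivateKeyEntry":
        findings.append(f"{alias}: not a PrivateKeyEntry, cannot sign")
    if e["chain"] == 1 and e["owner"] == e["issuer"]:
        findings.append(f"{alias}: self-signed, CA reply not yet imported (step 4)")
    if e["until"] <= now:
        findings.append(f"{alias}: certificate expired on {e['until']:%Y-%m-%d}")
    elif e["until"] - now < timedelta(days=90):
        findings.append(f"{alias}: certificate expires within 90 days")
    return findings
```

An empty result means the alias in adsign.txt, the private key entry and a CA-issued certificate all line up, which is what adadmin needs before the forced JAR regeneration in step 7.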



6: Stop the application services using adstpall.sh

7: Regenerate the JAR files with the force option using the adadmin utility

Run ADADMIN, and select the following from the AD Administration Main Menu:
Choose Generate Applications Files menu
From this menu choose Generate product JAR files
Enter yes when prompted with: Do you wish to force regeneration of all jar files? [No] ? yes

8: Start the application services using adstrall.sh


Reference: Enhanced Jar Signing for Oracle E-Business Suite (Doc ID 1591073.1)
