{"id":5572,"date":"2023-11-06T11:11:03","date_gmt":"2023-11-06T10:11:03","guid":{"rendered":"https:\/\/promatis.com\/ch\/signing-e-business-suite-forms-java-applets-using-a-cloud-based-code-signing-certificate-part-2\/"},"modified":"2023-11-13T11:15:22","modified_gmt":"2023-11-13T10:15:22","slug":"signing-e-business-suite-forms-java-applets-using-a-cloud-based-code-signing-certificate-part-2","status":"publish","type":"post","link":"https:\/\/promatis-test.de\/ch\/signing-e-business-suite-forms-java-applets-using-a-cloud-based-code-signing-certificate-part-2\/","title":{"rendered":"Signing E-Business Suite \/ Forms Java Applets using a Cloud based Code Signing Certificate - Part 2"},"content":{"rendered":"

Johannes Michler<\/a><\/div>\n

Executive Vice President<\/strong> \u2013\u00a0Head of Platforms\u00a0&\u00a0Development<\/p>\n

[et_pb_section fb_built=\"1\" _builder_version=\"4.16\" _module_preset=\"default\" custom_padding=\"0vh||10vh||false|false\" global_colors_info=\"{}\" theme_builder_area=\"et_body_layout\"][et_pb_row use_custom_gutter=\"on\" _builder_version=\"4.17.3\" _module_preset=\"default\" custom_padding=\"0px||0px||true|false\" global_colors_info=\"{}\" theme_builder_area=\"et_body_layout\"][et_pb_column type=\"4_4\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\" theme_builder_area=\"et_body_layout\"][et_pb_text _builder_version=\"4.21.0\" _module_preset=\"default\" background_enable_color=\"off\" custom_padding=\"0px||0px||true|false\" hover_enabled=\"0\" inline_fonts=\"Times New Roman\" global_colors_info=\"{%22gcid-32812186-bc94-4de4-814c-2bf202477fd5%22:%91%22header_text_color%22,%22header_2_text_color%22,%22header_3_text_color%22%93,%22gcid-0becd5ff-19fc-4653-a221-c8c75771a987%22:%91%22background_color%22%93}\" theme_builder_area=\"et_body_layout\" sticky_enabled=\"0\"]<\/p>\n

As you're probably aware by now, since June 1st 2023 all well-known \/ public Certificate Authorities (CA) no longer provide Code Signing Certificates using pure software based private keys (see https:\/\/www.linkedin.com\/posts\/johannes-michler-099892ab_code-signing-key-storage-requirements-will-activity-7090432157688492032-jGvC)<\/a>.<\/p>\n

Since I prefer using such a trusted \/ public CA to sign Java Applets (that are still crucial for Oracle E-Business Suite or Oracle Forms) I've recently had a look into how we can now sign those Java JAR files. Part 1 of this blog series introduced the topic and an available \"Cloud Based\" Code Signing Certificate provider: Signing EBS\/Forms - Part 1<\/a><\/p>\n

In this second part I will be covering how the code signing can be done on an E-Business Suite Application Server running on Oracle Linux 7 on Oracle Cloud Infrastructure (OCI).<\/p>\n

Installing required libraries<\/h2>\n

The Certum SimplySignDesktop Application for Linux unfortunately is not usable entirely headless. I've talked to the support team of Certum, and unfortunately, they do not have any plans to provide a pure Command Line Interface (CLI) of the application. Nevertheless, I was able to run the application without installing a full \"Desktop Manager\" such as GNOME on Linux. For this, I first installed the following libraries:<\/p>\n

yum install libxslt.x86_64 pulseaudio-libs-glib2.x86_64 libwebp.x86_64\nwget https:\/\/www.rpmfind.net\/linux\/epel\/8\/Everything\/x86_64\/Packages\/s\/stalonetray-0.8.3-15.el8.x86_64.rpm\nyum install stalonetray-0.8.3-15.el8.x86_64.rpm<\/pre>\n

Stalonetray is a stand-alone freedesktop.org<\/a> and KDE system tray for the X Window System<\/a>. It has full XEMBED support, minimal dependencies, and works with virtually any EWMH-compliant window manager (see https:\/\/wiki.archlinux.org\/title\/stalonetray)<\/a>.<\/p>\n

With this and an X-Forwarding tool such as PuTTY with Xming or (more user-friendly) MobaXterm (https:\/\/mobaxterm.mobatek.net\/<\/a>), it is possible to run the SimplySignDesktop Application over SSH. It's best to first test that this works using any available X application, e.g. xclock, which is often available even without a full desktop:<\/p>\n

MobaXterm SSH Session with X11-Forwarding and xclock application<\/em><\/p>\n

Installation and Configuration of SimplySignDesktop<\/h2>\n

Download the Linux version of SimplySignDesktop from here: https:\/\/files.certum.eu\/software\/SimplySignDesktop\/Linux-RedHat\/<\/a><\/p>\n

Then install it as follows:<\/p>\n

cd \/home\/oracle\/certum\nsh SimplySignDesktop-2.9.8-9.1.6.0-x86_64-prod-centos.bin<\/pre>\n

It asks for the root password (for whatever reason, unfortunately; as mentioned, the application has a lot of room for improvement).<\/p>\n

Then, still as the oracle user in an SSH Session with X-Forwarding, start stalonetray and then the Certum signing application:<\/p>\n

stalonetray &\n\/opt\/SimplySignDesktop\/SimplySignDesktop_start<\/pre>\n

This should show a small icon somewhere on your desktop through which you can sign in to the Certum Cloud Account using a one-time token generated on the Android App. If your keyboard does not let you enter the username \/ token, it may be worth trying copy-paste instead.<\/p>\n

You may furthermore need to use \"Google translate\" to translate from Polish to English. Did I mention that I don't really like the app? \ud83d\ude09<\/p>\n

Certum SimplySign App headless on Linux<\/em><\/p>\n

Keep that SSH Session and the SimplySignDesktop open and open a new SSH session. There, create the following file:<\/p>\n

vi \/home\/oracle\/provider_simplysign.cfg\nname=SimplySignDesktop\/SimplySignPKCS\nlibrary=\/opt\/SimplySignDesktop\/SimplySignPKCS_64-MS-1.0.20.so\nslot=-1<\/pre>\n

Verification of Installation<\/h2>\n

Then, you can check if everything is working with the following command:<\/p>\n

\/opt\/proCertumSmartSign\/jre\/bin\/keytool -list -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerArg \/home\/oracle\/provider_simplysign.cfg -v<\/pre>\n

You can use anything (e.g. 12345) as the password. That should show you the Code Signing Certificate you purchased:<\/p>\n

Output of jarsigner showing your code signing certificate<\/em><\/p>\n

Note down the serial number (here: 7C66584B430CD378D0231CA224129EF4, that will be needed in the next step).<\/p>\n

Then, create \/home\/oracle\/certum\/horuschain.pem containing the entire certificate chain (just put one certificate after the other in the same file):<\/p>\n

    \n
  • Your own certificate (for me: C=DE, L=Ettlingen, OU=IT, O=Horus software Gmbh, CN=Horus software Gmbh\/emailAddress=info@horus.biz)<\/li>\n
  • The intermediate certificate 1 (C=PL, O=Asseco Data Systems S.A., CN=Certum Code Signing 2021 CA)<\/li>\n
  • The intermediate 2 (C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Trusted Network CA 2)<\/li>\n
  • The root certificate (C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Trusted Network CA)<\/li>\n<\/ul>\n

    First Signing<\/h2>\n

    With those preparations in place, you can now sign a first .jar file:<\/p>\n

    \/opt\/proCertumSmartSign\/jre\/bin\/jarsigner -keystore NONE -tsa \"http:\/\/time.certum.pl\" -certchain \"\/home\/oracle\/certum\/horuschain.pem\" -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg \"\/home\/oracle\/provider_simplysign.cfg\" -storepass \"12345\" \"ieucommon.jar\" 7C66584B430CD378D0231CA224129EF4<\/pre>\n

    That should provide a signed .jar file that you can again verify using:<\/p>\n

    jarsigner -verify -verbose -certs \/u01\/oracle\/EBS122FT\/ebs\/fs1\/EBSapps\/comn\/java\/classes\/oracle\/apps\/ieu\/jar\/ieucommon.jar<\/pre>\n

    This should give you something similar to the following:<\/p>\n

    .jar file successfully verified<\/em><\/p>\n

    (Half-)Automating the signing<\/h2>\n

    The last part is now to sign all the .jar files of E-Business Suite. As described in 2806640.1, when signing, the adadmin tool creates a list of the .jar files to be signed in $NE_BASE\/EBSapps\/log\/adadmin\/log\/jarlist.txt.<\/p>\n

    I've implemented the following small sign.sh script which signs everything from that list:<\/p>\n

    adjarlist=\"$NE_BASE\/EBSapps\/log\/adadmin\/log\/jarlist.txt\"\n# Select the jar files from jarlist.txt\njars_to_sign=$(grep '\\.jar' \"$adjarlist\")\nfor jar in ${jars_to_sign}\ndo\n# Remove Signature from jar files created through ADADMIN in EBS\necho \" ** Removing EBS signature from: ${jar} \"\n# Keep a backup copy of the jar before modifying it\ncp -i \"${jar}\" \/home\/oracle\/certum\/backup_jars\/\nzip -d \"${jar}\" 'META-INF\/*.SF' 'META-INF\/*.RSA'\n# Re-sign the jar with the Certum cloud certificate through the PKCS11 provider\n\/opt\/proCertumSmartSign\/jre\/bin\/jarsigner -keystore NONE -tsa \"http:\/\/time.certum.pl\" -certchain \"\/home\/oracle\/certum\/horuschain.pem\" -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg \"\/home\/oracle\/provider_simplysign.cfg\" -storepass \"12345\" \"${jar}\" 7C66584B430CD378D0231CA224129EF4\ndone<\/pre>\n

    After a restart of the application server, that should allow you to sign in to your E-Business Suite environment securely and without nasty errors again:<\/p>\n

    Dialog shown when opening a signed E-Business Suite environment<\/em><\/p>\n

    Summary<\/h2>\n

    The above procedure allows you to sign all the .jar files of an E-Business Suite environment without copying the files to a different server. What I do not like so far is that I have to run the sign.sh script shown above on\/after every patch application. In an upcoming blog post, I will evaluate whether there is a way to overwrite\/overrule the built-in jarsigner command of adop\/adadmin with the command shown above, which signs the code using Certum Cloud.<\/p>\n

    [\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"

    Johannes MichlerExecutive Vice President \u2013\u00a0Head of Platforms\u00a0&\u00a0DevelopmentAs you're probably aware by now, since June 1st 2023 all well-known \/ public Certificate Authorities (CA) no longer provide Code Signing Certificates using pure software based private keys (see https:\/\/www.linkedin.com\/posts\/johannes-michler-099892ab_code-signing-key-storage-requirements-will-activity-7090432157688492032-jGvC). Since I prefer using such a trusted \/ public CA to sign Java Applets (that are still crucial […]<\/p>\n","protected":false},"author":2,"featured_media":1243,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[23],"tags":[],"dipi_cpt_category":[],"class_list":["post-5572","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-techblog"],"_links":{"self":[{"href":"https:\/\/promatis-test.de\/ch\/wp-json\/wp\/v2\/posts\/5572"}],"collection":[{"href":"https:\/\/promatis-test.de\/ch\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/promatis-test.de\/ch\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/promatis-test.de\/ch\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/promatis-test.de\/ch\/wp-json\/wp\/v2\/comments?post=5572"}],"version-history":[{"count":0,"href":"https:\/\/promatis-test.de\/ch\/wp-json\/wp\/v2\/posts\/5572\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/promatis-test.de\/ch\/wp-json\/wp\/v2\/media\/1243"}],"wp:attachment":[{"href":"https:\/\/promatis-test.de\/ch\/wp-json\/wp\/v2\/media?parent=5572"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/promatis-test.de\/ch\/wp-json\/wp\/v2\/categories?post=5572"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/promatis-test.de\/ch\/wp-json\/wp\/v2\/tags?post=5572"},{
"taxonomy":"dipi_cpt_category","embeddable":true,"href":"https:\/\/promatis-test.de\/ch\/wp-json\/wp\/v2\/dipi_cpt_category?post=5572"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}