{"id":6837,"date":"2024-04-10T10:15:49","date_gmt":"2024-04-10T08:15:49","guid":{"rendered":"https:\/\/promatis.com\/ch\/automating-code-signing-with-multiple-e-business-suite-instances-part-3\/"},"modified":"2024-07-03T11:03:15","modified_gmt":"2024-07-03T09:03:15","slug":"automating-code-signing-with-multiple-e-business-suite-instances-part-3","status":"publish","type":"post","link":"https:\/\/promatis-test.de\/ch\/automating-code-signing-with-multiple-e-business-suite-instances-part-3\/","title":{"rendered":"Automating Code Signing with multiple E-Business Suite instances - Part 3"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" custom_padding_last_edited=\"on|tablet\" disabled_on=\"off|off|off\" admin_label=\"Sektion\" _builder_version=\"4.17.6\" _module_preset=\"default\" custom_padding=\"5vh||5vh||true|false\" custom_padding_tablet=\"5vh||5vh||true|false\" custom_padding_phone=\"5vh||5vh||true|false\" locked=\"off\" global_colors_info=\"{}\" global_module=\"23\" theme_builder_area=\"post_content\"][et_pb_row column_structure=\"1_4,3_4\" _builder_version=\"4.17.6\" _module_preset=\"default\" custom_margin=\"||0px||false|false\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][et_pb_column type=\"1_4\" _builder_version=\"4.17.6\" _module_preset=\"default\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][et_pb_image src=\"https:\/\/promatis.com\/wp-content\/uploads\/2022\/07\/johannes-michler.png\" alt=\"Johannes Michler PROMATIS Horus Oracle\" title_text=\"johannes-michler\" _builder_version=\"4.20.2\" _module_preset=\"default\" width=\"90%\" custom_margin=\"0vh||0vh||true|false\" border_radii=\"on|516px|516px|516px|516px\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][\/et_pb_image][\/et_pb_column][et_pb_column type=\"3_4\" _builder_version=\"4.17.6\" _module_preset=\"default\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][et_pb_text ul_type=\"square\" _builder_version=\"4.23.1\" _module_preset=\"default\" text_font=\"Open Sans||||||||\" link_font=\"Open Sans||||on|||gcid-0becd5ff-19fc-4653-a221-c8c75771a987|\" link_text_color=\"gcid-0becd5ff-19fc-4653-a221-c8c75771a987\" link_font_size=\"22px\" ul_font=\"Open Sans||||||||\" ul_font_size=\"17px\" ul_line_height=\"1.6em\" header_text_color=\"gcid-32812186-bc94-4de4-814c-2bf202477fd5\" header_2_text_color=\"gcid-32812186-bc94-4de4-814c-2bf202477fd5\" header_2_line_height=\"1.6em\" header_3_text_color=\"gcid-32812186-bc94-4de4-814c-2bf202477fd5\" header_4_text_color=\"gcid-32812186-bc94-4de4-814c-2bf202477fd5\" 
header_5_text_color=\"gcid-32812186-bc94-4de4-814c-2bf202477fd5\" header_6_text_color=\"gcid-32812186-bc94-4de4-814c-2bf202477fd5\" header_6_font_size=\"16px\" custom_margin=\"2vh||0px||false|false\" custom_padding=\"||||true|false\" text_font_size_tablet=\"20px\" text_font_size_phone=\"17px\" text_font_size_last_edited=\"on|tablet\" header_font_size_tablet=\"\" header_font_size_phone=\"28px\" header_font_size_last_edited=\"on|phone\" global_colors_info=\"{%22gcid-32812186-bc94-4de4-814c-2bf202477fd5%22:%91%22header_text_color%22,%22header_2_text_color%22,%22header_3_text_color%22,%22header_4_text_color%22,%22header_5_text_color%22,%22header_6_text_color%22,%22header_text_color%22,%22header_2_text_color%22,%22header_3_text_color%22,%22header_4_text_color%22,%22header_5_text_color%22,%22header_6_text_color%22,%22header_text_color%22,%22header_2_text_color%22,%22header_3_text_color%22,%22header_4_text_color%22,%22header_5_text_color%22,%22header_6_text_color%22%93,%22gcid-0becd5ff-19fc-4653-a221-c8c75771a987%22:%91%22link_text_color%22%93}\" theme_builder_area=\"post_content\"]<\/p>\n

Johannes Michler<\/a><\/div>\n

[\/et_pb_text][et_pb_text ul_type=\"square\" _builder_version=\"4.20.0\" _module_preset=\"default\" text_font=\"Open Sans||||||||\" link_font=\"Open Sans||||on||||\" link_text_color=\"#00A9A0\" ul_font=\"Open Sans||||||||\" ul_font_size=\"17px\" ul_line_height=\"1.6em\" header_text_color=\"gcid-32812186-bc94-4de4-814c-2bf202477fd5\" header_2_text_color=\"gcid-32812186-bc94-4de4-814c-2bf202477fd5\" header_2_line_height=\"1.6em\" header_3_text_color=\"gcid-32812186-bc94-4de4-814c-2bf202477fd5\" header_4_text_color=\"gcid-32812186-bc94-4de4-814c-2bf202477fd5\" header_5_text_color=\"gcid-32812186-bc94-4de4-814c-2bf202477fd5\" header_6_text_color=\"gcid-32812186-bc94-4de4-814c-2bf202477fd5\" header_6_font_size=\"16px\" custom_margin=\"1vh||0px||false|false\" custom_padding=\"||||true|false\" text_font_size_tablet=\"20px\" text_font_size_phone=\"17px\" text_font_size_last_edited=\"on|tablet\" header_font_size_tablet=\"\" header_font_size_phone=\"28px\" header_font_size_last_edited=\"on|phone\" global_colors_info=\"{%22gcid-32812186-bc94-4de4-814c-2bf202477fd5%22:%91%22header_text_color%22,%22header_2_text_color%22,%22header_3_text_color%22,%22header_4_text_color%22,%22header_5_text_color%22,%22header_6_text_color%22%93}\" theme_builder_area=\"post_content\"]<\/p>\n


Executive Vice President<\/strong> \u2013\u00a0Head of Platforms\u00a0&\u00a0Development<\/p>\n

[\/et_pb_text][et_pb_text ul_type=\"square\" _builder_version=\"4.20.0\" _module_preset=\"default\" text_font=\"Open Sans||||||||\" text_text_color=\"gcid-0becd5ff-19fc-4653-a221-c8c75771a987\" text_font_size=\"22px\" link_font=\"Open Sans||||on||||\" link_text_color=\"#00A9A0\" ul_font=\"Open Sans||||||||\" ul_font_size=\"17px\" ul_line_height=\"1.6em\" header_text_color=\"gcid-32812186-bc94-4de4-814c-2bf202477fd5\" header_2_text_color=\"gcid-32812186-bc94-4de4-814c-2bf202477fd5\" header_2_line_height=\"1.6em\" header_3_text_color=\"gcid-32812186-bc94-4de4-814c-2bf202477fd5\" header_4_text_color=\"gcid-32812186-bc94-4de4-814c-2bf202477fd5\" header_5_text_color=\"gcid-32812186-bc94-4de4-814c-2bf202477fd5\" header_6_text_color=\"gcid-32812186-bc94-4de4-814c-2bf202477fd5\" header_6_font_size=\"16px\" custom_margin=\"5px||0px||false|false\" custom_padding=\"||||true|false\" text_font_size_tablet=\"20px\" text_font_size_phone=\"17px\" text_font_size_last_edited=\"on|tablet\" header_font_size_tablet=\"\" header_font_size_phone=\"28px\" header_font_size_last_edited=\"on|phone\" global_colors_info=\"{%22gcid-32812186-bc94-4de4-814c-2bf202477fd5%22:%91%22header_text_color%22,%22header_2_text_color%22,%22header_3_text_color%22,%22header_4_text_color%22,%22header_5_text_color%22,%22header_6_text_color%22,%22header_text_color%22,%22header_2_text_color%22,%22header_3_text_color%22,%22header_4_text_color%22,%22header_5_text_color%22,%22header_6_text_color%22,%22header_text_color%22,%22header_2_text_color%22,%22header_3_text_color%22,%22header_4_text_color%22,%22header_5_text_color%22,%22header_6_text_color%22%93,%22gcid-0becd5ff-19fc-4653-a221-c8c75771a987%22:%91%22text_text_color%22%93}\" theme_builder_area=\"post_content\"]<\/i><\/a><\/i><\/a><\/i><\/a>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section][et_pb_section fb_built=\"1\" _builder_version=\"4.16\" _module_preset=\"default\" custom_padding=\"0vh||10vh||false|false\" global_colors_info=\"{}\" 
theme_builder_area=\"post_content\"][et_pb_row use_custom_gutter=\"on\" _builder_version=\"4.17.3\" _module_preset=\"default\" custom_padding=\"0px||0px||true|false\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][et_pb_column type=\"4_4\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][et_pb_text _builder_version=\"4.23.1\" _module_preset=\"default\" background_enable_color=\"off\" custom_padding=\"0px||0px||true|false\" hover_enabled=\"0\" inline_fonts=\"Times New Roman\" global_colors_info=\"{%22gcid-32812186-bc94-4de4-814c-2bf202477fd5%22:%91%22header_text_color%22,%22header_2_text_color%22,%22header_3_text_color%22%93,%22gcid-0becd5ff-19fc-4653-a221-c8c75771a987%22:%91%22background_color%22%93}\" theme_builder_area=\"post_content\" sticky_enabled=\"0\"]As you are probably aware by now, since June 1st 2023 all well-known \/ public Certificate Authorities (CA) no longer provide Code Signing Certificates using pure software based private keys (see https:\/\/www.linkedin.com\/posts\/johannes-michler-099892ab_code-signing-key-storage-requirements-will-activity-7090432157688492032-jGvC<\/a>).<\/p>\n

Since I prefer using such a trusted \/ public CA to sign the Java applets that are still crucial for Oracle E-Business Suite and Oracle Forms, I recently looked into how we can now sign those JAR files. Part 1 of this blog series introduced the topic and an available \"cloud based\" Code Signing Certificate provider: Signing EBS\/Forms - Part 1<\/a><\/p>\n

In a second part<\/a> I covered how the code signing can be done on an E-Business Suite Application Server running on Oracle Linux 7 on Oracle Cloud Infrastructure (OCI).<\/p>\n

This third post looks at how we can automate this further by installing the Certum tools on the E-Business Suite Cloud Manager VM. First we'll cover the latest changes from Certum, then some scripts that let multiple E-Business Suite application servers send their .jar files to that one central signing instance.<\/p>\n

Certum Tool updates (April 2024)<\/h2>\n

In the previous post I complained about the incomplete translation of the Certum tools, which still showed a lot of Polish error messages. That seems to be fixed at least partially, but I found that the 2.9.9 builds available at https:\/\/files.certum.eu\/software\/SimplySignDesktop\/Linux-RedHat\/<\/a> crash with a segmentation fault. That is why I have stuck with the 2.9.8 release for now.<\/p>\n

Installing Certum SimplySignDesktop as a non-root user<\/h2>\n

When installing SimplySignDesktop according to the official documentation, the installer has to run globally as root. I didn't want the tool to modify my Cloud Manager VM that invasively, so I investigated what the installer actually does. With that I was able to get the tool running under a dedicated, far less privileged user (which I call certum): only this account holds the SimplySign session and the PKCS#11 library, and the EBS apps tiers merely get an SSH key into it. Keep in mind that any holder of a key listed in that account's authorized_keys gets a full shell as certum and can sign arbitrary files while the SimplySign session is logged in; if that matters in your environment, pin each key to a forced signing command (command=\"...\",restrict in authorized_keys). Run the following as root:<\/p>\n

# as root: stalonetray comes from EPEL (pulled from an EPEL mirror here; if you have an EPEL repo enabled, install it from there instead),\n# the remaining packages are runtime dependencies of the Qt-based SimplySignDesktop\nyum install https:\/\/rpmfind.net\/linux\/epel\/8\/Everything\/x86_64\/Packages\/s\/stalonetray-0.8.3-15.el8.x86_64.rpm\nyum install libxslt.x86_64 pulseaudio-libs-glib2.x86_64 libwebp.x86_64 xkeyboard-config\n# dedicated unprivileged account that owns the SimplySign installation and the signing session\nuseradd certum\nsu - certum\n# as certum: allow the EBS apps tier(s) to reach this account over SSH\nmkdir .ssh\nvi .ssh\/authorized_keys\n# add the SSH public key(s) of your oracle@ebs-appserver\nchmod 700 .ssh\nchmod 600 .ssh\/authorized_keys\n<\/pre>\n

Then connect an SSH session with X forwarding (ssh -X) as certum and unpack the tool into that user's home:<\/p>\n

wget https:\/\/files.certum.eu\/software\/SimplySignDesktop\/Linux-RedHat\/2.9.8-9.1.6.0\/SimplySignDesktop-2.9.8-9.1.6.0-x86_64-prod-centos.bin\nsh SimplySignDesktop-2.9.8-9.1.6.0-x86_64-prod-centos.bin --target \/home\/certum\/\ncp \/home\/certum\/SSD-2.9.8-dist\/SimplySignDesktop.xml \/home\/certum\/<\/pre>\n

Create a \/home\/certum\/provider_simplysign.cfg file as follows:<\/p>\n

name=SimplySignDesktop\/SimplySignPKCS\nlibrary=\/home\/certum\/SSD-2.9.8-dist\/SimplySignPKCS_64-MS-1.0.20.so\nslot=-1<\/pre>\n

Furthermore, create a script startGUI.sh as follows:<\/p>\n

#!\/bin\/bash\n# startGUI.sh: run SimplySignDesktop from the per-user install, no system-wide libraries needed\nexport LD_LIBRARY_PATH=\/home\/certum\/SSD-2.9.8-dist\/\nexport QT_QPA_PLATFORM_PLUGIN_PATH=\/home\/certum\/SSD-2.9.8-dist\/plugins\nexport OPENSSL_CONF=\/etc\/ssl\/\n# stalonetray provides the system tray that SimplySignDesktop's tray icon needs under X forwarding\nstalonetray &\n\/home\/certum\/SSD-2.9.8-dist\/SimplySignDesktop<\/pre>\n

Finally, start the script and sign in with a one-time token. Leave that session running: the PKCS#11 library used below talks to the logged-in SimplySignDesktop process, so signing only works while it is up.<\/p>\n

Do a test as follows (in a new SSH session, while the GUI session stays logged in):<\/p>\n

\/home\/certum\/SS-9.1.6.0-dist\/jre\/bin\/keytool -list -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerArg \/home\/certum\/provider_simplysign.cfg -v<\/pre>\n

The output lists the keystore entries; the alias of the code signing certificate is what jarsigner needs, in our case: 4F4F410D1234A9110B16DA9C83BD6F59<\/p>\n

Furthermore, create a \/home\/certum\/mychain.pem file as described in the previous episode.<\/p>\n

Passing the jars<\/h2>\n

On the E-Business Suite apps tier, first create a ~\/sign_1.sh script as follows:<\/p>\n

#!\/bin\/bash\n# sign_1.sh <jar>: back up, strip the EBS (adadmin) signature, sign on the central Certum host, copy back\nset -euo pipefail   # abort on any failure so a stale remote jar is never copied back over the original\nfolderstamp=$(date +%Y-%m-%d-%H:%M)\nmkdir -p \"\/home\/oracle\/sign_bkp\/${folderstamp}\"\njar=\"$1\"\n# Remove Signature from jar files created through ADADMIN in EBS\necho \" ** Removing EBS signature from: ${jar} \"\ncp -n \"${jar}\" \"\/home\/oracle\/sign_bkp\/${folderstamp}\/\"\n# zip exits 12 when there is nothing to delete, i.e. the jar was not signed yet\nzip -d \"${jar}\" 'META-INF\/*.SF' 'META-INF\/*.RSA' || [ $? -eq 12 ]\n# fixed file name in the signing host's \/tmp: two apps tiers signing at the same time would clobber each other\nscp \"${jar}\" certum@10.1.2.199:\/tmp\/signing-dummy.jar\n\nssh certum@10.1.2.199 \"\/home\/certum\/SS-9.1.6.0-dist\/jre\/bin\/jarsigner -keystore NONE -tsa \\\"http:\/\/time.certum.pl\\\" -certchain \/home\/certum\/mychain.pem -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg \/home\/certum\/provider_simplysign.cfg -storepass 12345 \/tmp\/signing-dummy.jar 4F4F410D1234A9110B16DA9C83BD6F59\"\n\nscp certum@10.1.2.199:\/tmp\/signing-dummy.jar \"${jar}\"<\/pre>\n

The script first backs up the jar, then strips the existing signature and copies the jar to the Cloud Manager VM (in my case with IP 10.1.2.199). There the jar is signed, and finally the signed .jar is copied back to the E-Business Suite apps tier. Two things to watch in this hand-off: the jar lands under a fixed name in the shared \/tmp of the signing host, so two apps tiers signing at the same time overwrite each other (use a per-call name, e.g. from mktemp, or a directory only certum can write to), and -storepass on the command line is visible to every local user of the signing host via ps; jarsigner also accepts -storepass:env VARNAME or -storepass:file PATH.<\/p>\n

This signs a single .jar file; the script is handy after applying a patch with \"options=nojarsigning\". In that case a file such as \/u01\/install\/APPS\/fs_ne\/EBSapps\/log\/adop\/176\/20240327_132920\/apply\/mastebsapp01\/36177213\/log\/jarlist.txt lists all the .jar files that require re-signing.<\/p>\n

For the initial signing, the procedure from the previous episode can be combined with copying the .jar to the Cloud Manager VM.<\/p>\n

Verifying and patching<\/h2>\n

As an alternative to signing \"just\" the files listed in $NE_BASE\/EBSapps\/log\/adadmin\/log\/jarlist.txt, I found it useful to simply sign all .jar files under $JAVA_TOP. The following script does that:<\/p>\n

#!\/bin\/bash\n# Re-sign every jar below $JAVA_TOP\/oracle\/apps (more than jarlist.txt names, but harmless)\nset -euo pipefail\nfolderstamp=$(date +%Y-%m-%d-%H:%M)\nmkdir -p \"\/home\/oracle\/sign_bkp\/${folderstamp}\"\n# EBS jar paths contain no whitespace, so word splitting of the find output is safe here\nfor jar in $(find \"$JAVA_TOP\/oracle\/apps\" -name \\*.jar)\ndo\n# Remove Signature from jar files created through ADADMIN in EBS\necho \" ** Removing EBS signature from: ${jar} \"\n# --parents keeps the directory structure: the same basename can occur in several directories\ncp -n --parents \"${jar}\" \"\/home\/oracle\/sign_bkp\/${folderstamp}\/\"\n# zip exits 12 when there was no signature to remove\nzip -d \"${jar}\" 'META-INF\/*.SF' 'META-INF\/*.RSA' || [ $? -eq 12 ]\nscp \"${jar}\" certum@10.1.2.199:\/tmp\/signing-dummy.jar\nssh certum@10.1.2.199 \"\/home\/certum\/SS-9.1.6.0-dist\/jre\/bin\/jarsigner -keystore NONE -tsa \\\"http:\/\/time.certum.pl\\\" -certchain \/home\/certum\/mychain.pem -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg \/home\/certum\/provider_simplysign.cfg -storepass 12345 \/tmp\/signing-dummy.jar 4F4F410D1234A9110B16DA9C83BD6F59\"\nscp certum@10.1.2.199:\/tmp\/signing-dummy.jar \"${jar}\"\ndone<\/pre>\n

It is helpful to first check whether ${jar} is already signed, as follows. Note what this check does and does not prove: jarsigner -verify confirms the jar is intact and signed by a certificate it can chain to a trusted CA, but it does not tell you which certificate. Any warning (the self-signed adadmin key, an expiring certificate, a signature without timestamp) makes the output longer than \"jar verified.\" and so triggers re-signing, while a jar validly signed with some other CA-issued certificate passes unchanged. To pin the signer, compare the certificate fingerprint printed by keytool -printcert -jarfile ${jar} with that of your Certum certificate.<\/p>\n

# jarsigner appends warnings (self-signed signer, expiring certificate, no timestamp) after \"jar verified.\",\n# so anything but that bare line means the jar needs (re-)signing with the Certum certificate\nresult=$(jarsigner -verify -certs \"${jar}\" | tr -d '[:space:]')\nif [[ \"${result}\" != \"jarverified.\" ]]\nthen\n  echo \"${jar} needs re-sign: ${result}\"\n  # put the signing here\nfi<\/pre>\n
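The following Python script is an added example, not code from the original post or from Certum: it does offline what the shell snippets above do with zip -d, find and jarsigner -verify, and it decides by the certificate rather than by jarsigner's output text. It lists the signature entries jarsigner writes under META-INF (all block types, not only .RSA), strips them the way zip -d does, reads the certificates out of the PKCS#7 signature block with a small DER walker and compares their SHA-256 fingerprints with the certificate you sign with; a jar whose block does not carry that certificate is queued for re-signing. The two sample jars, the PKCS#7 shell and the certificate stand-in are constructed inline (the stand-in is not a real X.509 certificate), and the names fndaol.jar and fndforms.jar are made up. The script only identifies which certificate a block claims; the cryptographic check stays with jarsigner -verify, and the expected fingerprint would come from keytool -printcert -jarfile on a jar you know was signed with the Certum certificate.<\/p>\n

```python
import hashlib
import io
import tempfile
import zipfile
from pathlib import Path

SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")          # what jarsigner writes directly under META-INF/
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2, PKCS#7 signedData

def _tlvs(data: bytes):
    """Yield (tag, body, raw) per DER TLV; single-byte tags and definite lengths only, which is what jarsigner emits."""
    i = 0
    while i < len(data):
        tag, n, j = data[i], data[i + 1], i + 2
        if tag & 0x1F == 0x1F or n == 0x80:
            raise ValueError("unsupported encoding: multi-byte tag or BER indefinite length")
        if n & 0x80:                                   # long form: the next (n & 0x7F) bytes hold the length
            n, j = int.from_bytes(data[j:j + (n & 0x7F)], "big"), j + (n & 0x7F)
        yield tag, data[j:j + n], data[i:j + n]
        i = j + n

def pkcs7_certificates(block: bytes) -> list:
    """DER of every certificate carried in a PKCS#7 SignedData, i.e. the META-INF/*.RSA|DSA|EC entry."""
    [(_, content_info, _)] = list(_tlvs(block))        # ContentInfo ::= SEQUENCE { contentType, [0] content }
    oid, explicit0 = list(_tlvs(content_info))[:2]
    if oid[1] != OID_SIGNED_DATA:
        raise ValueError("not a PKCS#7 signedData block")
    [(_, signed_data, _)] = list(_tlvs(explicit0[1]))  # SignedData ::= SEQUENCE { version, digestAlgs, ... }
    certs = []
    for tag, body, _ in _tlvs(signed_data):
        if tag == 0xA0:                                # [0] IMPLICIT certificates SET OF Certificate
            certs.extend(raw for ctag, _, raw in _tlvs(body) if ctag == 0x30)
    return certs

def signature_entries(names) -> list:
    return [n for n in names if n.startswith("META-INF/") and n.upper().endswith(SIG_SUFFIXES)]

def signer_fingerprints(jar_bytes: bytes) -> set:
    """SHA-256 fingerprints of all certificates (signer plus chain) carried in the jar's signature blocks."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in (n for n in signature_entries(zf.namelist()) if not n.upper().endswith(".SF")):
            try:
                fps.update(hashlib.sha256(c).hexdigest() for c in pkcs7_certificates(zf.read(name)))
            except (ValueError, IndexError):           # unparseable block: unknown signer, gets re-signed
                pass
    return fps

def strip_signature(jar_bytes: bytes) -> bytes:
    """Same effect as zip -d jar 'META-INF/*.SF' 'META-INF/*.RSA', but also drops .DSA/.EC blocks."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        drop = set(signature_entries(src.namelist()))
        for info in src.infolist():
            if info.filename not in drop:              # MANIFEST.MF stays; jarsigner refreshes its digests
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()

def needs_resign(jar_bytes: bytes, expected_fp: str) -> bool:
    return expected_fp not in signer_fingerprints(jar_bytes)   # unsigned, or signed with another certificate

def jars_needing_resign(root: str, expected_fp: str) -> list:
    # Drop-in for the find $JAVA_TOP/oracle/apps -name '*.jar' loop, skipping jars already signed by us.
    return [str(p) for p in sorted(Path(root).rglob("*.jar")) if needs_resign(p.read_bytes(), expected_fp)]

def _der(tag: int, body: bytes) -> bytes:
    # Short-form DER encoder, used only to construct the sample block (all sample structures are < 128 bytes).
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

# Constructed stand-in for a signer certificate: a SEQUENCE, NOT a real X.509 certificate (assumption).
SAMPLE_CERT = _der(0x30, _der(0x13, b"CN=Example Code Signing (constructed stand-in)"))
SAMPLE_CERT_FINGERPRINT = hashlib.sha256(SAMPLE_CERT).hexdigest()

def _sample_pkcs7() -> bytes:
    """SignedData shell carrying SAMPLE_CERT and no SignerInfo: enough to exercise pkcs7_certificates()."""
    sd = (_der(0x02, b"\x01") + _der(0x31, b"")                                   # version, digestAlgorithms
          + _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010701")))           # encapContentInfo: id-data
          + _der(0xA0, SAMPLE_CERT) + _der(0x31, b""))                            # [0] certificates, signerInfos
    return _der(0x30, _der(0x06, OID_SIGNED_DATA) + _der(0xA0, _der(0x30, sd)))

def build_sample_jar(signed: bool) -> bytes:
    """In-memory jar with one dummy class; signed=True adds jarsigner-style META-INF entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        zf.writestr("oracle/apps/fnd/Dummy.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
        if signed:
            zf.writestr("META-INF/CERTUM.SF", "Signature-Version: 1.0\r\n\r\n")
            zf.writestr("META-INF/CERTUM.RSA", _sample_pkcs7())
    return buf.getvalue()

def demo() -> dict:
    """Two constructed jars (made-up names) in a temporary $JAVA_TOP-like tree: which ones need (re)signing?"""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "oracle", "apps").mkdir(parents=True)
        for name, signed in (("fndaol.jar", True), ("fndforms.jar", False)):
            Path(root, "oracle", "apps", name).write_bytes(build_sample_jar(signed))
        return {label: [Path(p).name for p in jars_needing_resign(root, fp)]
                for label, fp in (("our_cert", SAMPLE_CERT_FINGERPRINT), ("other_cert", "00" * 32))}
```

Importing the module and calling demo() returns {'our_cert': ['fndforms.jar'], 'other_cert': ['fndaol.jar', 'fndforms.jar']}: the jar carrying our certificate is skipped, and with a foreign fingerprint both jars are queued. On an apps tier, jars_needing_resign(\"$JAVA_TOP\/oracle\/apps\", fingerprint) gives the list to feed to sign_1.sh instead of the unconditional find loop, and strip_signature() replaces the zip -d step; the chain certificates are part of the signature block as well, so the intermediate's fingerprint would also match, which is why the signer's own fingerprint is the one to compare.<\/p>\n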

Summary<\/h2>\n

Using the above scripts, it is amazingly easy to sign all .jar files, both initially and after applying a patch. The version using find on $JAVA_TOP may sign \"a bit more than needed\", but in my experience that does no harm.<\/p>\n

I am still hoping that Oracle will provide a way to \"Hook\" a script such as sign_1.sh into the signing process called during patching or through adadmin. This would probably be announced in \"Signing EBS Jar Files With HSM (Hardware Security Module) - (Doc ID 2806640.1)\".[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"

This third part looks at how we can automate this further by installing the Certum tools onto the E-Business Suite Cloud Manager VM. First, we'll cover the latest changes from Certum, then we'll look into some scripts that can be used on multiple E-Business Suite Application servers to send the .jar files for signing to that central signing instance.<\/p>\n","protected":false},"author":2,"featured_media":1243,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[23],"tags":[85,104],"dipi_cpt_category":[],"class_list":["post-6837","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-techblog","tag-oracle","tag-oracle-ebs"],"_links":{"self":[{"href":"https:\/\/promatis-test.de\/ch\/wp-json\/wp\/v2\/posts\/6837"}],"collection":[{"href":"https:\/\/promatis-test.de\/ch\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/promatis-test.de\/ch\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/promatis-test.de\/ch\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/promatis-test.de\/ch\/wp-json\/wp\/v2\/comments?post=6837"}],"version-history":[{"count":0,"href":"https:\/\/promatis-test.de\/ch\/wp-json\/wp\/v2\/posts\/6837\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/promatis-test.de\/ch\/wp-json\/wp\/v2\/media\/1243"}],"wp:attachment":[{"href":"https:\/\/promatis-test.de\/ch\/wp-json\/wp\/v2\/media?parent=6837"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/promatis-test.de\/ch\/wp-json\/wp\/v2\/categories?post=6837"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/promatis-test.de\/ch\/wp-json\/wp\/v2\/tags?post=6837"},{"taxonomy":"dipi_cpt_category","embeddable":true,"href":"https:\/\/promatis-test.de\/ch\/wp-json\/wp\/v2\/dipi_cpt_category?post=6837"}],"cur
ies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}