Oracle E-Business Suite Security - Signed JAR Files - What Should You Do – Part II
In our blog post on 16-May, we provided guidance on Java JAR signing for the E-Business Suite. We are continuing our research on E-Business Suite Java JAR signing and will be presenting it in a forthcoming educational webinar. Until then, we would like to share a few items of importance based on recent client conversations:
- Apply latest patches - The latest patches for Oracle E-Business Suite JAR signing are noted in 1591073.1. There are separate patches for 11i, 12.0.x, 12.1.x and 12.2.x. To fully take advantage of the security features provided by signing JAR files the latest patches need to be applied.
- Do not use the default Keystore passwords - Before you sign your JAR files change the keystore passwords. The initial instructions in 1591073.1 note that a possible first step before you start the JAR signing process is to change the keystore passwords. Integrigy recommends that changing the keystore passwords should be mandatory. The default Oracle passwords should not be used. Follow the instructions in Appendix A of 1591073.1 to change both keystore passwords. Each password must be at least six (6) characters in length. If you have already signed your JAR files, after changing the keystore passwords you must create a new keystore and redo all the steps in 1591073.1 to create a new signed certificate (it is much easier to change the keystore passwords BEFORE you sign your JAR files).
- The keystore passwords are available to anyone with the APPS password - Using the code below, anyone with the APPS password can extract the keystore passwords. Ensure that this fact is allowed for in your policies for segregation of duties, keystore management and certificate security.
SQL> set serveroutput on
This will output the passwords in the following order:
store password (spass)
key password (kpass)
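To confirm that the JAR files an E-Business Suite instance serves actually carry a signature after patching and signing, here is an added example (not code from the original post, from Integrigy or from Oracle) that inventories each JAR's META-INF directory for signature files and their matching signature blocks. The JAR names and contents are constructed test data, and the check is structural only: jarsigner -verify remains the authoritative validation of the signature itself.

```python
import io
import zipfile

# Signature-block extensions jarsigner writes next to each META-INF/<alias>.SF file
SIGNATURE_BLOCK_EXTS = (".RSA", ".DSA", ".EC")

def jar_signature_status(jar_bytes):
    """Return 'signed' (every .SF has a matching .RSA/.DSA/.EC block), 'unsigned'
    (no signature artifacts) or 'incomplete' (a .SF or block without its partner).
    Structural inventory check only: it does not verify the signature itself,
    so jarsigner -verify remains the authoritative validation."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        # only entries directly under META-INF/, compared case-insensitively
        meta = [n[9:].upper() for n in zf.namelist()
                if n.upper().startswith("META-INF/") and "/" not in n[9:]]
    sig_files = {n[:-3] for n in meta if n.endswith(".SF")}
    sig_blocks = {n.rsplit(".", 1)[0] for n in meta if n.endswith(SIGNATURE_BLOCK_EXTS)}
    if not sig_files and not sig_blocks:
        return "unsigned"
    return "signed" if sig_files == sig_blocks else "incomplete"

def scan_jars(jars):
    """Map {jar_name: bytes} to {jar_name: status} so unsigned JARs can be listed."""
    return {name: jar_signature_status(data) for name, data in jars.items()}

def build_jar(entries):
    """Build an in-memory JAR (a zip archive) from {entry_name: bytes}; test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample JARs with hypothetical names, not real E-Business Suite files
SAMPLE_JARS = {
    "signed_example.jar": build_jar({
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "META-INF/SIGNER.SF": b"Signature-Version: 1.0\n",
        "META-INF/SIGNER.RSA": b"\x30\x82\x00\x00",  # placeholder, not a real PKCS#7 block
        "oracle/apps/example/Example.class": b"\xca\xfe\xba\xbe",
    }),
    "unsigned_example.jar": build_jar({
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    }),
    "incomplete_example.jar": build_jar({
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "META-INF/SIGNER.SF": b"Signature-Version: 1.0\n",  # signature block missing
    }),
}
```

Running scan_jars(SAMPLE_JARS) returns {'signed_example.jar': 'signed', 'unsigned_example.jar': 'unsigned', 'incomplete_example.jar': 'incomplete'}; pointing scan_jars at the JARs read from a real OA_JAVA directory gives the list of files still to sign.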
If you have questions, please contact us at firstname.lastname@example.org
- 16-May-2014 Integrigy Blog post Oracle E-Business Suite Security - Signed JAR Files - What Should You Do
- Enhanced JAR Signing for Oracle E-Business Suite, 19-March-2014, Doc ID 1591073.1 https://support.oracle.com/rs?type=doc&id=1591073.1
- Oracle Tutorial on Java JAR signing: http://docs.oracle.com/javase/tutorial/deployment/jar/intro.html