Best Certificate Authority for Jar file signing in Oracle E-Business Suite

Posted in: Technical Track

Most of you are already aware of the recent announcement on Steven Chan’s blog about the new JRE requirements, which require EBS JAR files to be signed with a code signing certificate. This requirement came in as Oracle tightened up security around Java, one of the most widely exploited pieces of software by viruses and malware bots.

First, note that code signing certificates are different from the SSL certificates used for web URLs. Code signing certificates are used to sign files like Java JAR files, Windows kernel drivers, Windows program installation EXEs and ActiveX files. SSL certificates verify a web host and establish a secure connection to it, whereas code signing certs help users identify who published a piece of software. One might wonder why Oracle doesn’t ship signed JAR files by default. Unfortunately Oracle cannot do that, as any Java code related patch will overwrite them and require a new set of signed JAR files.

Let’s come back to the topic of this blog: what is the best certificate authority from which to buy the code signing certificate? The technology behind a Verisign $500 cert and a Comodo $70 certificate is the same. The $500 certificate doesn’t do any extra magic; it might offer you some liability assurance, but the technology is the same.

I looked around and found that certs from StartSSL.com are the cheapest, costing around $59. Unfortunately, we cannot use them for JAR signing, as their root certificate is not yet included in the cacerts keystore shipped with the JRE. StartSSL roots are included in Windows 7, but not yet in Java. To use StartSSL certs with Java, we would first have to import their root into the Java cacerts keystore by hand, a manual process you are better off avoiding. You can list all certificate authorities included in Java with the command below.

$ pwd
/home/oracle/jre1.7.0_45/bin
$ ./keytool -list -keystore ../lib/security/cacerts -v | grep Issuer:
Enter keystore password: changeit

I went on with my search to find the least expensive option whose root is included in the Java cacerts keystore. COMODO Code Signing certificates seem to be the cheapest available; they can be picked up from this reseller store for about $80 a year. Going with a root certificate that is already included in the Java cacerts file avoids the need to manually import root certificates into Java on the server as well as into the JRE on all client machines.

So COMODO seems to be the winner here! For about $400 per 5 years, you get a certificate that you can use in all your prod and dev/test environments. I am also working on steps to set up an internal Certificate Authority that you can use to sign the JAR files for free, which is useful for demo/lab environments where the user population is much smaller. I am currently working on resolving the error below:

com.sun.deploy.security.RevocationChecker$StatusUnknownException: Certificate does not specify OCSP responder

See you in my next blog post! Happy Holidays!


About the Author

Vasu Balla’s colleagues call him “Eagle Eye” for a reason – his diverse technical background enables him to view his clients’ systems from a 360-degree angle, giving him a higher level of understanding. Vasu is well known for being approachable, and he truly enjoys helping people. Even former colleagues reach out to Vasu when they are really stuck on an issue. When he isn’t working, Vasu can be found in the kitchen trying new recipes.

9 Comments

Vasu,

I enjoyed your post, which I stumbled upon while researching the error you mention at the end:

com.sun.deploy.security.RevocationChecker$StatusUnknownException: Certificate does not specify OCSP responder

I have gone through the process in MOS 1591073.1 for getting an In House certificate (we have a certificate server in house) and the steps involved in importing the certificate both to the oracle applications and to the client machine.

Do you know if there is a step that is being missed in the creation of the in house certificate where the OCSP responder value should be? I did not create the certificate, I am just the DBA.

Any assistance or advice would be greatly appreciated.

Thanks!

Richard


Setting up the OCSP URL in a certificate varies based on the software that your IT admins are using to generate the certs. In my case, I was using openssl commands to sign and generate certs. For enabling OCSP in openssl, we need to follow https://isrlabs.net/wordpress/?p=169

If you are using Windows Server, then you need to follow this TechNet note https://technet.microsoft.com/en-us/library/cc732526.aspx


It was a pain to work 3 days on Synology NAS File Station, which uses Java, to get rid of this annoying security warning before I realized that Java simply doesn’t trust StartSSL certs. Very sad, as I have already bought it for 2 years.

Vishnu Sharma
January 12, 2015 3:39 pm

We have recently installed a Java Code Signing Certificate from Comodo as per Oracle note 1591073.1.
It seems to work fine most of the time. However, we are still in our testing phase and are concerned we are receiving errors once in a while.

Users are being prompted to enter login information, presumably for ocsp.usertrust.com.
If the users press cancel, they seem to be able to proceed within the EBS.
However, once a user pressed cancel and was denied access to EBS,
he is receiving an error message stating “Cannot complete applications logon”.


Hi Vishnu,

Java by default validates whether a certificate is valid or revoked by checking the OCSP server mentioned in the certificate. For Comodo-issued certificates it’s ocsp.usertrust.com. What I understand from your issue is that Java is trying to validate the cert, but some network config (proxy or firewall) is preventing access to the OCSP URL from the desktop. If you have a firewall or proxy set up, ask your network admins to enable access to the OCSP host without any username authentication. The OCSP server info for Comodo is mentioned in the URL below

https://support.comodo.com/index.php?/Knowledgebase/Article/View/831/0/ocsp-and-crl-access-information


Hi Vishnu, really good article.

I have recently started to follow note 1591073.1.

Q1. In regards to creating a Root Certificate for the In-House CA configuration, do you know if you manually create the Root Certificate yourself using something like OpenSSL or do you simply request a Root Certificate to be sent to your from the likes of http://www.cacert.org ?

Q2. Do you also have to request a separate Java Code Signing Certificate from the same CA ( eg cacert.org ) and import that into adkeystore.dat ?

Q3. Do any of the commercial CA’s offer a free Root Certificate for In-House CA configuration like cacert.org do ?

Q4. Lastly how does adadmin know which Code Signing Certificate to use ( if you have several in your adkeystore.dat ) ? Traditionally adadmin would use what adsign.txt points to i.e. the unsigned certificate in appltop.cer. Does this file get automatically updated with the signed certificate when you import it into adkeystore.dat ?


Hi Jim,

Q1. I realized during my project that setting up an internal CA using openssl will not work for us, as Java now checks for CRL & OCSP URLs in the certificate. Setting up infrastructure to support OCSP & CRL using openssl commands is too much. Instead of openssl commands, I recommend going with cacert.org if you are looking for a free option. Also I saw that the latest Java 1.7.0_76 actually recognizes the StartSSL root CA as well.

Q2: Yes, you need a separate cert for Java code signing. Before importing the cert into adkeystore.dat, you need to first import the root CA cert into the cacerts file in $OA_JRE_TOP

Q3: I am not aware of any other free alternatives. I recommend StartSSL; they are really cheap and seem to be working with the latest Java 1.7

Q4: adadmin reads the cert from adkeystore.dat, based on the alias mentioned in adsign.txt. adsign.txt gets updated with the alias name when you run “adjkey -initialize -keysize 4096 -alias EBusiness_Cert”; in this case EBusiness_Cert is the alias of the cert that is going to be used by adadmin. If you don’t mention an alias in the adjkey initialize command, the alias will default to the CONTEXT_NAME for the instance

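As an added example (not from the post, Oracle or any commenter), a POSIX shell script covering two checks discussed above: the cacerts listing in the post, and the “Certificate does not specify OCSP responder” error that Java raises when an in-house openssl-issued cert lacks an OCSP URL, as the Q1 reply explains. It assumes OpenSSL 1.1.1+ and, for the keytool check, a JRE on PATH; ocsp.lab.example and the CA names are constructed placeholders.

```shell
#!/bin/sh
# Added example: pre-flight checks for an EBS JAR-signing certificate.
# Assumes OpenSSL 1.1.1+ and, for root_in_cacerts, keytool from a JRE.
set -eu

# Print the OCSP responder URL(s) from a PEM certificate's Authority
# Information Access extension. Empty output means Java's revocation
# checker will fail with "Certificate does not specify OCSP responder".
ocsp_uri_of() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Return 0 if a CA whose subject contains "$2" is present in the JRE
# cacerts keystore "$1" ("changeit" is the JRE default password).
root_in_cacerts() {
    keytool -list -v -keystore "$1" -storepass changeit 2>/dev/null \
        | grep -q "^Owner:.*$2"
}

# Constructed demo: a throwaway lab CA issues a code-signing leaf that
# carries an OCSP responder URL (placeholder host), then the leaf is
# checked the way Java would look for it. Prints the URL it finds.
demo() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Lab CA" -keyout "$d/ca.key" -out "$d/ca.crt" \
        >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=EBusiness_Cert" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1
    # Extensions the in-house CA must add: code-signing EKU and AIA/OCSP.
    printf 'extendedKeyUsage=codeSigning\n' > "$d/ext.cnf"
    printf 'authorityInfoAccess=OCSP;URI:http://ocsp.lab.example\n' \
        >> "$d/ext.cnf"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/ext.cnf" -out "$d/leaf.crt" \
        >/dev/null 2>&1
    ocsp_uri_of "$d/leaf.crt"
    rm -rf "$d"
}
```

Run `root_in_cacerts "$JAVA_HOME/lib/security/cacerts" "COMODO"` against the real keystore to confirm a purchased cert's root is already trusted before importing anything.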

Hi Sir,
I have Comodo code signing certificate but unable to import into the Oracle application r12.2.

Kindly help us with the procedure.

Thanks,
Yadav


What is the significance of appltop.cer?
