{"id":5057,"date":"2014-05-15T13:29:40","date_gmt":"2014-05-15T13:29:40","guid":{"rendered":"https:\/\/pitss.org\/us\/?p=5057"},"modified":"2017-09-05T15:17:09","modified_gmt":"2017-09-05T19:17:09","slug":"trust-java-self-signed-certificate","status":"publish","type":"post","link":"https:\/\/pitss.org\/us\/2014\/05\/15\/trust-java-self-signed-certificate\/","title":{"rendered":"How to Add Self-Signed Certificates to the List of Trusted Certificates in the Java Runtime"},"content":{"rendered":"<p>[et_pb_section bb_built=&#8221;1&#8243; admin_label=&#8221;section&#8221; custom_padding=&#8221;0px||50px|&#8221; _builder_version=&#8221;3.0.51&#8243;][et_pb_row custom_padding=&#8221;0px|||&#8221; _builder_version=&#8221;3.0.51&#8243; background_size=&#8221;initial&#8221; background_position=&#8221;top_left&#8221; background_repeat=&#8221;repeat&#8221;][et_pb_column type=&#8221;4_4&#8243;][et_pb_text _builder_version=&#8221;3.0.64&#8243; custom_margin=&#8221;||30px|&#8221; background_layout=&#8221;light&#8221; text_orientation=&#8221;left&#8221; border_style=&#8221;solid&#8221;]<\/p>\n<h1 style=\"margin-bottom:15px;\">How to Add Self-Signed Certificates to the List of Trusted Certificates in the Java Runtime<\/h1>\n<p>Self-signing jar files to use for Oracle Forms have been a way to sign jar files without using a trusted vendor. Oracle has provided the sign_webutil.bat (or sign_webutil.sh) script to use for self-signing a jar file. As the self-signed certificates do not contain a trusted publisher name, any time a Forms application starts up, you may notice a Java security warning with a publisher \u201cUNKNOWN\u201d. This is because the self-signed certificate is not generated from a trusted vendor (VeriSign, Comodo, GoDaddy, etc.) and is not in the \u201cSigner CA\u201d list in the Java Control Panel on a user\u2019s PC. 
This has been noticed more in recent months as users are unable to \u201calways remember this option\u201d when choosing to run an application with an UNKNOWN publisher starting with Java 7 Update 40 (or even getting an Application Blocked error when using JRE 7u51 or higher).<\/p>\n<p>The best solution would be to sign your jar files with trusted code-signing certificates from a trusted vendor. However, you also have the option to add the self-signed certificate to your Java Control Panel to the list of Signer CA certificates which will add the self-signed certificate to the trusted list allowing you to run the application without the warning appearing (however, a Java notification will still appear with a publisher name that would be considered more trustworthy than \u201cUNKNOWN\u201d).<\/p>\n<p>[\/et_pb_text][et_pb_divider color=&#8221;#e2e2e2&#8243; show_divider=&#8221;on&#8221; divider_position=&#8221;center&#8221; _builder_version=&#8221;3.0.51&#8243; custom_css_main_element=&#8221;margin-bottom:30px !important;&#8221; \/][et_pb_text _builder_version=&#8221;3.0.64&#8243; custom_margin=&#8221;||30px|&#8221; background_layout=&#8221;light&#8221; text_orientation=&#8221;left&#8221; border_style=&#8221;solid&#8221;]<\/p>\n<h3><strong>What you&#8217;ll learn in this article:<\/strong><\/h3>\n<p><strong style=\"font-size: 16px; padding-right: 5px; background-color: #ffffff; color: #abd25e;\">\u2713<\/strong> How to update the sign_webutil script in your platform<br \/> <strong style=\"font-size: 16px; padding-right: 5px; background-color: #ffffff; color: #abd25e;\">\u2713<\/strong> How to export a CSR certificate from the keystore for the script to use<\/p>\n<p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row custom_padding=&#8221;40px|40px|30px|40px&#8221; background_color=&#8221;#006bb3&#8243; background_position_1=&#8221;top_left&#8221; background_repeat_1=&#8221;no-repeat&#8221; _builder_version=&#8221;3.0.51&#8243;][et_pb_column 
type=&#8221;4_4&#8243;][et_pb_text background_layout=&#8221;dark&#8221; _builder_version=&#8221;3.0.64&#8243; background_color=&#8221;#006bb3&#8243;]<\/p>\n<h2><strong>Fill out this form to get immediate access to the article.<br \/>\n<\/strong><\/h2>\n<p>[\/et_pb_text][et_pb_code module_class=&#8221;white-text&#8221; _builder_version=&#8221;3.0.64&#8243;][ninja_form id=12][\/et_pb_code][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>How to Add Self-Signed Certificates to the List of Trusted Certificates in the Java Runtime Self-signing jar files to use for Oracle Forms have been a way to sign jar files without using a trusted vendor. Oracle has provided the sign_webutil.bat (or sign_webutil.sh) script to use for self-signing a jar file. As the self-signed certificates [&hellip;]<\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"Self-signing jar files to use for Oracle Forms have been a way to sign jar files without using a trusted vendor. Oracle has provided the sign_webutil.bat (or sign_webutil.sh) script to use for self-signing a jar file. As the self-signed certificates do not contain a trusted publisher name, any time a Forms application starts up, you may notice a Java security warning with a publisher \u201cUNKNOWN\u201d. This is because the self-signed certificate is not generated from a trusted vendor (VeriSign, Comodo, GoDaddy, etc.) and is not in the \u201cSigner CA\u201d list in the Java Control Panel on a user\u2019s PC. 
This has been noticed more in recent months as users are unable to \u201calways remember this option\u201d when choosing to run an application with an UNKNOWN publisher starting with Java 7 Update 40 (or even getting an Application Blocked error when using JRE 7u51 or higher).\r\n\r\nThe best solution would be to sign your jar files with trusted code-signing certificates from a trusted vendor. However, you also have the option to add the self-signed certificate to your Java Control Panel to the list of Signer CA certificates which will add the self-signed certificate to the trusted list allowing you to run the application without the warning appearing (however, a Java notification will still appear with a publisher name that would be considered more trustworthy than \u201cUNKNOWN\u201d).\r\n\r\nTo configure this, you will need to update the sign_webutil script (used for self-signing jar files) in the platform running the Forms and Reports environment. After this, you will need to export a CSR certificate from the keystore which the script uses. The following steps will accomplish this:\r\n\r\n1. Locate your sign_webutil.bat or sign_webutil.sh script. If you are using one provided by PITSS, it should be located in either %ORACLE_HOME%\\forms\\webutil\\win32 or %ORACLE_HOME%\\forms\\webutil\\win64. If you are, you may skip step 3 as the password will be \u201cwebutilpasswd\u201d. If it does not exist here, you can find it in %ORACLE_INSTANCE%\\bin. Please make a backup of this file.\r\n\r\n2. Open the file in a text editor.\r\n\r\n3. Modify the following variables:\r\n<blockquote>a. SET KEYSTORE_PASSWORD= Create a keystore password of your choice (CAUTION: The password will NOT be encrypted)\r\n\r\nb. SET JAR_KEY_PASSWORD= Create a private key password of your choice (CAUTION: The password will NOT be encrypted)<\/blockquote>\r\n4. Locate the line \u201cSET DN_CN=Product Management\u201d. This is the self-signed certificate information. 
If you want to use your own information, you may update the following four lines (below is an example). If you are fine with using the values Oracle has provided, you may skip to step 5.\r\n<blockquote>a. SET DN_CN=Forms Self-Signed Certificate (Common Name or name of the certificate)\r\n\r\nb. SET DN_OU=Oracle Forms (Organization Unit)\r\n\r\nc. SET DN_O=PITSS America LLC (Organization)\r\n\r\nd. SET DN_C=US (Country code such as US for United States, CA for Canada, etc.)<\/blockquote>\r\n5. Save and close the file\r\n\r\n6. Re-sign your jar file(s) with the sign_webutil script:\r\n<blockquote>Windows: %PATH_TO_SCRIPT%\\sign_webutil.bat %PATH_TO_JAR_FILE%\\jarfile.jar\r\n\r\nUnix: $PATH_TO_SCRIPT\/sign_webutil.sh $PATH_TO_JAR_FILE\/jarfile.jar<\/blockquote>\r\n7. Deploy the signed jar file in %ORACLE_HOME%\\formsjava\r\n\r\n8. Restart WLS_FORMS if it is running\r\n\r\n9. Go to the location of your keystore file that is specified in the sign_webutil script inside Command Prompt or your SSH terminal.\r\n\r\n10. Ensuring that the JDK is in the PATH environment variable, run the following command to extract a CSR from the keystore:\r\n<blockquote>keytool -export -keystore .keystore -alias webutil2 -file name_of_cert.csr<\/blockquote>\r\n11. Please keep the CSR file handy. This file will need to be sent to any end user who plans to use the application.\r\n\r\n12. On the end user\u2019s PC, open up the Java Control Panel from Control Panel. This can be done by clicking on Control Panel from the Start button. Once there, expand the Control Panel and select \u201cAll Control Panel Items\u201d. Double-click on Java.\r\n\r\n13. 
Go to the Security tab and click \u201cManage Certificates\u2026\u201d.\r\n\r\n<a class=\"thickbox\" href=\"https:\/\/pitss.org\/files\/2014\/05\/SNAGHTMLf94c50.png\"><img style=\"padding-left: 0px;padding-right: 0px;padding-top: 0px;border: 0px\" title=\"SNAGHTMLf94c50\" src=\"https:\/\/pitss.org\/files\/2014\/05\/SNAGHTMLf94c50_thumb.png\" alt=\"SNAGHTMLf94c50\" width=\"370\" height=\"383\" border=\"0\" \/><\/a>\r\n\r\n14. Specify \u201cSigner CA\u201d as the Certificate type. Click \u201cImport\u201d to import the CSR.\r\n\r\n15. Once it is imported, it will be in your list of trusted certificates for that PC.\r\n\r\n<a class=\"thickbox\" href=\"https:\/\/pitss.org\/files\/2014\/05\/SNAGHTMLfa3518.png\"><img style=\"padding-left: 0px;padding-right: 0px;padding-top: 0px;border: 0px\" title=\"SNAGHTMLfa3518\" src=\"https:\/\/pitss.org\/files\/2014\/05\/SNAGHTMLfa3518_thumb.png\" alt=\"SNAGHTMLfa3518\" width=\"459\" height=\"342\" border=\"0\" \/><\/a>\r\n\r\nAfter applying the steps above, you should see a more trustworthy Java notification similar to the one below instead of a security warning which will allow you to remember the option to run the application (even when using the latest JRE):\r\n\r\n<a class=\"thickbox\" href=\"https:\/\/pitss.org\/files\/2014\/05\/image.png\"><img style=\"padding-left: 0px;padding-right: 0px;padding-top: 0px;border: 0px\" title=\"image\" src=\"https:\/\/pitss.org\/files\/2014\/05\/image_thumb.png\" alt=\"image\" width=\"414\" height=\"279\" border=\"0\" \/><\/a>\r\n\r\n<strong>NOTE 1: Steps 1-10 only need to be done once in the PC\/server where Forms is installed. Steps 11-15 will need to be done for every user who plans to access the application.<\/strong>\r\n\r\n<strong>NOTE 2: Make sure your jar files also contain the permissions, codebase, and Application-Name manifest attributes or the jar files may be blocked starting with Java 7 Update 51. 
For more information, please review <a title=\"https:\/\/pitss.org\/us\/2013\/10\/24\/how-to-modify-custom-jar-files-with-permissions-and-codebase-attributes\/\" href=\"https:\/\/pitss.org\/us\/2013\/10\/24\/how-to-modify-custom-jar-files-with-permissions-and-codebase-attributes\/\">https:\/\/pitss.org\/us\/2013\/10\/24\/how-to-modify-custom-jar-files-with-permissions-and-codebase-attributes\/<\/a>.<\/strong>\r\n\r\n<strong>NOTE 3: The Oracle jar files (they start with \u201cfrm\u201d) are signed with Oracle\u2019s trusted certificates. Do not attempt to modify or replace them as it will cause the Forms environment to not run correctly if at all.<\/strong>\r\n\r\n<strong>Source: Oracle Support note 1596871.1<\/strong>","_et_gb_content_width":"","footnotes":""},"categories":[22,4],"tags":[11,16,41,23,44],"class_list":["post-5057","post","type-post","status-publish","format-standard","hentry","category-forms","category-install-config","tag-11g","tag-11gr2","tag-configuration","tag-forms","tag-java"],"_links":{"self":[{"href":"https:\/\/pitss.org\/us\/wp-json\/wp\/v2\/posts\/5057","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pitss.org\/us\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pitss.org\/us\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pitss.org\/us\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/pitss.org\/us\/wp-json\/wp\/v2\/comments?post=5057"}],"version-history":[{"count":5,"href":"https:\/\/pitss.org\/us\/wp-json\/wp\/v2\/posts\/5057\/revisions"}],"predecessor-version":[{"id":9820,"href":"https:\/\/pitss.org\/us\/wp-json\/wp\/v2\/posts\/5057\/revisions\/9820"}],"wp:attachment":[{"href":"https:\/\/pitss.org\/us\/wp-json\/wp\/v2\/media?parent=5057"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pitss.org\/us\/wp-json\/wp\/v2\/categories?post=5057"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pitss.org\/us\/wp-json\/wp\/v2\/ta
gs?post=5057"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}