Jar File Expiration for Forms 11.1.1.4 and Higher on 6 July 2013
Posted by Patrick Hamou on 2017:09:26 14:25:33
APPLIES TO: Oracle Forms - Version 11.1.1.4.0 and later
Information in this document applies to any platform.
PURPOSE: Oracle jar files, Forms, Java Warning messages, Signature Time Stamp Support
The trusted certificate used to sign Oracle provided jar files such as frmall.jar, frmwebutil.jar, etc. will expire on July 6, 2013. In previous versions of Forms, such as early versions of Forms 10gR2, Java Warning messages would occur after the expiration date. For examples of what would be seen, please review Note 760645.1 and Note 1307787.1.
Beginning with Forms 11.1.1.4, Forms development began using the Signature Time Stamp Support feature of Java to prevent a warning if the jar file was signed by a valid certificate at the time of its creation prior to the certificate's expiration date. The passage of this date does not cause a change in behavior or security reliability. This date merely means that the jar file had to be signed before that date.
With the use of the Signature Time Stamp method, there is no impact on end users or change in application functionality. The expiration date will pass and no expiration warning will display.
The purpose of this FAQ is to provide details on what will happen after this date and what Oracle Forms users should know related to this.
QUESTIONS AND ANSWERS: Oracle provided jar files
What will users see after the expiration date has been reached?
This will be transparent to end users. Unlike older versions of Forms, such as early versions of 10gR2, end users will not see warnings as described in note 760645.1 and other notes on this topic.
Are there any security risks associated with this?
There are no security risks related to Oracle provided jar files. As mentioned in the documentation on Signature Time Stamp Support, Forms developers have taken advantage of a Java feature that allows verification that the jar file was signed before the certificate expired, so there is no security risk related to the expiration date.
Since no warning will occur, do I need to perform any actions?
There is no action required on your part since the jar files you are using were properly signed while the certificate signing period was still valid. However, because some security scan utilities may not yet have been updated to reflect this newer Java feature, false positives may be reported. Customers using security validation utilities or other similar tools should update them accordingly and/or contact the utility vendor as soon as possible. As a courtesy, Oracle will be providing patches that have been re-signed with a newer certificate in order to help avoid these false reports.
Customers who are not using security scanning utilities but have manually identified the passed (or approaching) validity end date can ignore the entry for the reasons stated above. Alternatively, you can install the aforementioned courtesy patch if/when available for your Oracle Forms version.
Please understand that Oracle likely will not continue to provide similar patches in the future since the passing validity date does not present any change in behavior nor does it present a vulnerability.
Currently, Oracle has provided patch 17448420 to update the validity date of Oracle supplied jar files. The date for Forms jar files contained in future 11g patches will be 22 Jan 2016.
Oracle strongly encourages customers to be on the latest supported versions and patches because they contain the latest fixes. Even if you are on an earlier version such as 11.1.1.4, which will not display a jar file expiration warning message, this version is still over two years old at the time of this note's writing and should be upgraded to the most recent version.
How can I determine the expiration date of my Oracle provided jar files?
There are a number of ways to do this. Here are two:
1. Assuming you have accepted the certificate for frmall.jar in the JRE, the expiration date can be viewed in the Java Control Panel.
Java Control Panel -> Security Tab -> Certificates -> Click on Details for "Oracle America, Inc."
Place focus on the "Validity" section and you will see the expiration date.
2. Note 1268757.1 - How to Determine the Expiration Date of a Jar File Using the Java Keytool Command
What about jar files that I created on my own or that were supplied by non-Oracle vendors?
If you have a non-Oracle provided jar file and it was not signed using Signature Time Stamp Support, then you will receive a security warning related to the expiration. When you receive the warning will depend on the expiration date of the certificate used to sign the jar files. We recommend that you update the jar file expiration date and/or contact the third-party vendor as appropriate.
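The date logic behind the scanner false positives and the non-timestamped case described above, as an added example that is not part of the original note or Oracle's code. The jar names, the notBefore dates and the timestamp values are constructed; the function names are hypothetical.

```python
from datetime import datetime, timezone

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

def assess(not_before, not_after, timestamp, now):
    """Timestamp-aware verdict for one signed jar.

    Assumes the signature and any timestamp token already verified
    cryptographically; only the date logic is modelled here.
    """
    if timestamp is not None:
        # Timestamped: the certificate is judged at signing time, not today.
        if not_before <= timestamp <= not_after:
            return "valid-timestamped"
        return "signed-outside-validity"
    # No timestamp: the current time is the only reference point.
    if now < not_before:
        return "not-yet-valid"
    return "expired-warning" if now > not_after else "valid-until-expiry"

def naive_scan(not_after, now):
    """What a scanner unaware of signature timestamps reports."""
    return "expired" if now > not_after else "ok"

# Constructed inventory: (jar, cert notBefore, cert notAfter, timestamp or None).
# Only the 6 July 2013 expiry and the 22 Jan 2016 date come from the page.
INVENTORY = [
    ("timestamped.jar",   utc(2010, 7, 7), utc(2013, 7, 6),  utc(2012, 3, 1)),
    ("untimestamped.jar", utc(2010, 7, 7), utc(2013, 7, 6),  None),
    ("late-signed.jar",   utc(2010, 7, 7), utc(2013, 7, 6),  utc(2013, 7, 20)),
    ("resigned.jar",      utc(2013, 1, 1), utc(2016, 1, 22), None),
]

def triage(inventory, now):
    """Map jar name -> (naive verdict, timestamp-aware verdict)."""
    return {name: (naive_scan(na, now), assess(nb, na, ts, now))
            for name, nb, na, ts in inventory}

def false_positives(inventory, now):
    """Jars a naive scanner flags although the timestamped signature holds."""
    return [name for name, (naive, aware) in triage(inventory, now).items()
            if naive == "expired" and aware == "valid-timestamped"]

if __name__ == "__main__":
    for name, verdicts in triage(INVENTORY, utc(2013, 8, 1)).items():
        print(f"{name:20} naive={verdicts[0]:8} aware={verdicts[1]}")
```

Only the first jar is a false positive; the second and third are genuine findings that a timestamp-aware check still reports.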
I'm still on 10gR2. Will my users see jar file expiration warnings?
This depends on the version of 10gR2. 10gR2 is at the end of its lifecycle and has entered Sustaining Support. Please see Oracle Lifetime Support Policy. If you have applied the terminal patches as recommended in Note 1506026.1 "Forms/Reports 10g-R2 (10.1.2) Desupported" you will see no warnings related to Oracle supplied jar files. However, as mentioned earlier, Oracle strongly encourages you to upgrade to a fully supported version.
REFERENCES
http://docs.oracle.com/javase/6/docs/technotes/guides/security/time-of-signing.html
http://www.oracle.com/us/support/library/lifetime-support-middleware-069163.pdf