How to Export and Import the Product Management Certificate Created from the sign_webutil Script
APPLIES TO: Oracle Forms - Version 10.1.2.3.0 and later
Information in this document applies to any platform.
Checked for relevance 28-Apr-2015
GOAL
NOTE: This document discusses the usage of self-signed certificates which are valid to use. However, for the highest possible security, Oracle recommends using certificates generated from a genuine Certificate Authority.
Using later versions of the JRE, such as 1.7.0_40 and higher and later versions of 1.6, will result in Security Warning messages related to self-signed code. These are caused by enhanced security verification features enabled in these JRE versions. Note that earlier JRE versions allowed the end user to check a check box stating "I accept the risk and want to run this application". A subsequent dialog box allowed one to check a check box stating "Do not show this again for apps from the publisher and location above". Checking this would import the certificate into the JRE, and the code would be considered trusted from then on and cause no further security warnings. This can be seen in Figure 2 and Figure 3 in Note 1542463.1. This import option is no longer allowed in JRE 1.7.0_40 and later. To avoid these Security Warnings in later JRE versions, one must export the public key for the self-signed certificate and import it into the JRE.
The goal of this note is to show how the public key can be exported and imported into the JRE certificate store. Two solutions are offered. The first shows how it can be done if the certificate is already in the Trusted Certificates section of the JRE, which may occur if the JRE has been upgraded from an earlier version. The second shows how to export the public key from the self-signed certificate created by the sign_webutil.sh(bat) courtesy script and manually import it into the JRE.
SOLUTION
Solution 1 - The Product Management (PM) certificate is already present in the Trusted Certificates Section of the JRE but not in the Signer CA Section.
This scenario is common if you upgraded your JRE version from an earlier version where it was allowed to import the certificate by checking the dialog box check box mentioned above. If this is the case, here is what would be seen in the JRE ->
Above, the PM certificate is seen in the Trusted Certificates section.
Here there are no certificates in the Signer CA section.
The solution steps for this scenario are:
1. Export the PM certificate from the Trusted Certificates section onto the file system. A file dialog will appear (not shown) once you press the Export button and you can save the certificate on the file system.
2. Import the certificate into the Signer CA section. A file dialog will appear (not shown) once you press the Import button and you can import the certificate from step one into the Signer CA section.
3. Once you accomplish steps 1 & 2 the PM certificate will appear in the Signer CA section and no further Security Warnings will appear.
Solution 2 - The PM certificate is not present in the Trusted Certificates Section of the JRE
The sign_webutil.sh(bat) courtesy script was provided to Oracle Forms customers as an example showing how custom jar files such as jacob.jar, jar files containing icons, custom jar files containing PJCs, etc., could be signed with a self-signed certificate. Once the script has run successfully, the public key portion of the certificate it created can be exported and imported into the JRE to prevent JRE Security Warnings.
Note that the script can be customized. All the script does is automate self-signed certificate creation and jar file signing. The steps used are documented in the Java Tutorials.
The name of the keystore and its alias can be modified as can the Distinguished Name that is created. By default the values are as follows in the 11gR2 script:
Distinguished Name values:
The keystore file is called .keystore and located by default in:
UNIX = /home/<user>/.keystore
Windows = c:/users/<username>/.keystore
The alias is -> webutil2
The following steps assume the default values for keystore and alias were used when the sign_webutil.sh(bat) script was first run. If different values were used, substitute as appropriate.
Exporting the Public Key
1. Ensure your path includes the location of the JDK. If it does not, you will not be able to execute the keytool command.
2. cd to the directory where the .keystore file is located.
3. Issue the following command:
keytool -export -keystore .keystore -alias webutil2 -file publicpmkey.csr
You will be prompted to enter the keystore password. If you do not know this password, it cannot be recovered and you will need to create a new keystore.
4. A file called publicpmkey.csr will be created.
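An added example, not part of the Oracle note or the sign_webutil script: after step 4, confirm that the exported file is the certificate stored under the alias before it is imported into the JRE. It assumes the note's default names and a keytool that prints a SHA256 fingerprint line; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example; not part of the Oracle note or sign_webutil.sh(bat).
# Assumes the note's defaults (.keystore, webutil2, publicpmkey.csr) and a
# keytool whose -printcert / -list -v output has a "SHA256:" fingerprint line.

# Read keytool output on stdin, print the first SHA-256 fingerprint found.
cert_sha256() {
    awk '$1 == "SHA256:" && !seen { print toupper($2); seen = 1 }'
}

# True only when both fingerprints are present and identical. The empty check
# matters: two outputs with no SHA256 line would otherwise compare as equal.
same_fingerprint() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Constructed sample of keytool -printcert output (not a real certificate).
sample_printcert() {
    cat <<'EOF'
Owner: CN=Constructed Sample
Issuer: CN=Constructed Sample
Certificate fingerprints:
     SHA1: 9A:40:C7:15:E2:6B:03:D8:7F:21:B6:5C:0D:94:3E:A1:68:F2:17:CB
     SHA256: 5E:1B:9C:04:D7:A2:3F:68:11:C5:8A:70:E3:2D:96:4B:F0:37:AC:59:0E:82:6D:13:B4:CF:21:7A:98:45:DE:06
EOF
}

# Export the certificate, then compare it with the keystore entry.
# keytool prompts for the keystore password (once per keystore command);
# nothing is put on the command line. The exported file holds the certificate
# (public key) only; despite the .csr name it is not a signing request, and
# the private key stays in .keystore.
export_and_check() {
    ks=${1:-.keystore}; entry=${2:-webutil2}; out=${3:-publicpmkey.csr}
    keytool -export -keystore "$ks" -alias "$entry" -file "$out" || return 1
    ks_fp=$(keytool -list -v -keystore "$ks" -alias "$entry" | cert_sha256)
    out_fp=$(keytool -printcert -file "$out" | cert_sha256)
    if same_fingerprint "$ks_fp" "$out_fp"; then
        echo "OK: $out matches alias $entry, SHA256 $out_fp"
    else
        echo "MISMATCH: do not import $out" >&2
        return 1
    fi
}

# Run the real export only when asked: sh thisfile.sh --run
if [ "${1:-}" = "--run" ]; then export_and_check; fi
```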
Importing the Public Key into the JRE
Bring up the JRE and import the publicpmkey.csr you created as shown in the following diagram:
Once you import the file, you will see the certificate show up inside the JRE as indicated below:
The JRE will display no further Security Warnings for jar files signed by this certificate. When first run, a notification such as the following may occur:
Checking the check box will prevent subsequent displays of the notification.