Starting June 2023, the commercial CAs changed their policy and stopped issuing code signing certificates where your private key was kept in a disk file such as the Java KeyStore (JKS) file used by EBS JAR signing tools. In short, the private key used for code signing now needs to be kept in a Hardware Security Module.
In this article, we walk through the process of signing EBS jar files with an HSM-based certificate.
Initial Configuration
(A) First, we need to set up the HSM-based certificate configuration. Three types of configuration are available in the market:
(i) USB stick
(ii) On-prem HSM hardware
(iii) Cloud-based HSM
USB Stick
We can purchase certs on a USB stick from the cert vendor. The USB stick can then be attached to a Windows box and used to sign the jar files.
On-Prem HSM Hardware:
- These are physical devices installed in a data centre. The HSM device generates and securely stores private keys for code signing certificates.
- Cryptographic operations, such as signing jar files, are performed within the HSM’s secure environment, ensuring that private keys never leave the device.
- Options available are Thales nShield, Utimaco CryptoServer, Entrust nShield
Cloud-Based HSM
- In this approach, private keys for code signing certificates are securely stored within a Cloud HSM, which is owned and maintained by the cloud provider.
- Signing operations are executed by invoking the Cloud Hardware Security Module (Cloud HSM) through API calls to sign EBS jar files as needed. This eliminates the need for the organization to install and manage physical hardware.
- Options are Azure HSM Key Vault, Google HSM cloud
Once we decide on the configuration, we need to confirm with the cert provider the steps for signing jar files with the chosen HSM.
Once the certs are procured and stored in the HSM, we can move forward to the other steps.
(B) Generate a list of jar files to sign by running ADADMIN, and select the following from the AD Administration Main Menu:
Choose Generate Applications Files menu
From this menu choose Generate product jar files
Enter yes when prompted with: Do you wish to force regeneration of all jar files? [No] ? yes
All the files listed in [ jarlist.txt ] located in [ $NE_BASE/EBSapps/log/adadmin/log/ ] directory will need to be signed.
If [ jarlist.txt ] contains only one entry (customall.jar); combine [ jarlist.txt.bak ] and [ jarlist.txt ] to get the full list of JARs that need to be signed.
(C) Remove the existing certs (signature files) from the adadmin-generated jar files, if present
# Code signing script to sign client jars using jarlist.txt
adjarlist="<path to jarlist.txt>"
# Select the jar files from jarlist.txt, one path per line
grep '\.jar' "$adjarlist" | while IFS= read -r jar
do
    # Remove Signature from jar files created through ADADMIN in EBS
    echo " ** Removing EBS signature from: ${jar} "
    zip -d "${jar}" 'META-INF/*.SF' 'META-INF/*.RSA'
done
(D) Use the HSM signing software to initially sign the jar files from the above step
After the jar files have been signed via HSM, they need to be moved back to their original location if they were signed in another location.
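A check for steps (C) and (D), as an added example that is not part of the original article or of Oracle's tooling: it reads the META-INF entries of every jar named in jarlist.txt and reports jars that still carry signature files before HSM signing, or that do not carry exactly one signer afterwards. The in-memory jars, their paths and the signer names OLD and HSM are constructed for the example; because the `zip -d` patterns in step (C) cover `.SF` and `.RSA` only, a leftover `.DSA` or `.EC` block file is reported as `mixed`.

```python
import io
import zipfile
from pathlib import PurePosixPath

SIG_SUFFIXES = {".SF", ".RSA", ".DSA", ".EC"}  # files jarsigner writes under META-INF/

def signature_entries(jar):
    """Names of signature files sitting directly under META-INF/ in a jar."""
    with zipfile.ZipFile(jar) as zf:
        names = [(n, PurePosixPath(n)) for n in zf.namelist()]
    return sorted(n for n, p in names
                  if len(p.parts) == 2 and p.parts[0].upper() == "META-INF"
                  and p.suffix.upper() in SIG_SUFFIXES)

def classify(jar):
    """'signed' needs exactly one .SF plus one block file with the same base name."""
    entries = [PurePosixPath(n) for n in signature_entries(jar)]
    if not entries:
        return "unsigned"          # ready for HSM signing
    stems = {p.stem.upper() for p in entries}
    sf_count = sum(p.suffix.upper() == ".SF" for p in entries)
    if len(stems) == 1 and sf_count == 1 and len(entries) == 2:
        return "signed"
    return "mixed"                 # leftovers or a second signer

def audit(jarlist_lines, expect, open_jar=lambda path: path):
    """Return {jar path: state} for jars in jarlist.txt whose state is not `expect`."""
    paths = [ln.strip() for ln in jarlist_lines if ln.strip().endswith(".jar")]
    states = {p: classify(open_jar(p)) for p in paths}
    return {p: s for p, s in states.items() if s != expect}

def make_jar(*sig_names):
    """Constructed in-memory jar: a manifest plus the given META-INF entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for name in sig_names:
            zf.writestr("META-INF/" + name, b"constructed")
    return buf.getvalue()

SAMPLE = {  # constructed jars; paths and signer names OLD/HSM are made up
    "fnd/jar/fndall.jar": make_jar(),                     # stripped cleanly
    "ad/jar/adall.jar": make_jar("OLD.DSA"),              # block file step (C) missed
    "xx/jar/customall.jar": make_jar("OLD.SF", "OLD.RSA", "HSM.SF", "HSM.RSA"),
    "per/jar/perall.jar": make_jar("HSM.SF", "HSM.RSA"),  # one signer only
}
JARLIST = ["constructed header line"] + list(SAMPLE)
load = lambda path: io.BytesIO(SAMPLE[path])  # stands in for opening the file on disk

print(audit(JARLIST, "unsigned", load), audit(JARLIST, "signed", load))
```

Against real files, pass the lines of jarlist.txt and leave `open_jar` at its default, with `expect="unsigned"` before step (D) and `expect="signed"` after it. This only inspects which signature files are present; `jarsigner -verify` remains the check of the signature itself.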
Patching and Maintenance
(i) Jar files can be generated again either while applying a patch or when running adcgnjar in R12.2. We can find the changed jar files using the commands below
$ find $JAVA_TOP/oracle/apps/*/jar -mmin -60 -ls    # Finds jar files updated in the last 1 hour
$ find $JAVA_TOP/oracle/apps/*/jar -mtime -1 -ls    # Finds jar files updated in the last 1 day
(ii) Once we have the list of jar files, we can remove the old certs and sign using the HSM certs
FAQ
(1) Do the jar files need to be copied from the application file system to some other system for jar signing via HSM?
Answer: This depends on your HSM solution; not all of them require you to copy the files to the HSM and sign there. With cloud-based signing solutions, signing can be done in the same location. Reach out to the HSM provider you are using to see what is available.
(2) Do the jar files need to be copied from the RUN or the PATCH filesystem?
Answer: Initially you do it on your RUN file system; after that, it would typically be from your PATCH file system before cutover.
(3) After the jar files have been signed by (HSM) and copied back over, is downtime required, before the jar files
Answer: Yes, the services need to be bounced when they are replaced.
(4) During the patching cycle, we normally apply the patch on our testing instance first. Can I get the new signed Jar files from the testing instance and replace them on production later since they are the same release level? That way I don’t need to sign the same jar file for each instance.
Answer: No.
(5) What is the impact of the adcgnjar utility?
Answer: You will need to re-sign any new custom jar files with the HSM.
(6) Can we use a Windows-based HSM interface or does it have to be a Linux-based interface machine? (We use Linux 7 on our app servers.)
Answer: Yes, you can sign the jar files on Windows and copy them back to Linux.
(7) Is there any database impact (i.e., anything we need to be mindful of on the database tier in our EBS system)?
Answer: No, this only affects the jar files on the application tier.
I hope you like this article on EBS Jar signing with HSM Based Certificate