Thursday, December 5, 2013

How to Prevent Your Application from Being Blocked by Java

Ever since we updated our Java to JRE 7.0_45, we have been seeing the following security warning when starting an application from a JAR file:

This application will be blocked in a future Java security update because the JAR file manifest does not contain the Permission attribute.

In this post, I will present the steps to create a .jar file whose manifest carries the proper Permissions attribute. I will then sign the JAR file with a self-signed certificate. If you have purchased a certificate from a certificate authority, you don't need to add the certificate to the key store on clients' computers.

Prerequisite: you have installed a JDK on the server where you perform the following steps, and $JDK_HOME/bin is in your PATH.

1. Create a key store containing a self-signed certificate, which will be valid for four years:

keytool -genkey -validity 1460 -alias danzheng -keystore /home/oraias/dan/sign_jar/TESTstore

What is your first and last name?
  [Unknown]: you organization_name 

(note: It is probably a good idea to use your organization’s name instead of your name, as this will be shown as the publisher of the certificate.)
What is the name of your organizational unit?
  [Unknown]:  IT Department
What is the name of your organization?
  [Unknown]:  My University
What is the name of your City or Locality?
  [Unknown]:  New York
What is the name of your State or Province?
  [Unknown]:  New York
What is the two-letter country code for this unit?
  [Unknown]:  NY
Is CN=my_school_name_here, OU=IT Department, O=My University, L=New York, ST=New York, C=NY correct?
  [no]:  yes

Enter key password for <danzheng>
        (RETURN if same as keystore password):


2. Put a file in a JAR file so we can sign it. Here I will create my_institution.jar from my school's logo, my_institution.gif:

jar cvfm my_institution.jar permission.txt my_institution.gif

Note that permission.txt is a text file with one line, ending with a newline (carriage return):

Permissions: all-permissions


3. Sign the JAR file with the self-signed certificate:

jarsigner -keystore TESTstore -signedjar smy_institution.jar my_institution.jar danzheng

4. Save the signed JAR file above in the appropriate directory on the web server. For example, save smy_institution.jar in $ORACLE_HOME/forms/java on an 11g Fusion Middleware server.

5. Extract the certificate from the key store created above:

keytool -export -keystore TESTstore -alias danzheng -file teststore.cer

6. Transfer the certificate teststore.cer to the client's computer.

7. Add the certificate to the key store on the client's computer, in my case a Windows 7 64-bit PC:

Right-click Command Prompt under Start --> All Programs --> Accessories and click Run as administrator.
At the command prompt, type:

C:\PROGRA~2\Java\jre7\bin\keytool -importcert -file C:\temp\teststore.cer -keystore C:\PROGRA~2\Java\jre7\lib\security\cacerts

Note the default password of the key store cacerts is changeit.

8. You can use the following command to see the list of certificates in the key store:

C:\PROGRA~2\Java\jre7\bin\keytool -list -keystore C:\PROGRA~2\Java\jre7\lib\security\cacerts

The certificate you just imported should be shown as:

mykey, Oct 31, 2013, trustedCertEntry,
Certificate fingerprint (SHA1): ........


You can now run your application containing the JAR file and it will not be blocked by the Java plug-in.
 

Update:


Starting with Java 7 Update 51, which came out January 14th, 2014, I have seen these messages in the trace file in the Java console when running Oracle Forms:

Missing Application-Name manifest attribute for: http://my.school.edu:8888/forms/java/smy_institution.jar
security: Missing Codebase manifest attribute for: http://my.school.edu:8888/forms/java/smy_institution.jar
security: Missing Application-Library-Allowable-Codebase manifest attribute for: http://my.school.edu:8888/forms/java/smy_institution.jar

According to:

https://blogs.oracle.com/java-platform-group/entry/new_security_requirements_for_rias

only the Permissions attribute is required. But if you prefer not to see the messages above, you could update the permission.txt file with the following lines, recreate the JAR file and re-sign it:

Permissions: all-permissions
Codebase: *
Application-Name: OracleForms
Application-Library-Allowable-Codebase: *


Again, the last line of the manifest file permission.txt must end in a newline or carriage return.
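The following script is an added example, not part of the original post or of Oracle's tooling. It builds a manifest the way permission.txt is meant to be written (every line terminated, so the jar tool does not drop the last attribute), parses the main section of a JAR's META-INF/MANIFEST.MF, and audits the four attributes the plug-in checks. It also flags the Codebase: * and Application-Library-Allowable-Codebase: * settings from the update above: a wildcard satisfies the plug-in, but it means the signed JAR can be served from any host, so pinning the codebase to the host that actually serves it (the hypothetical my.school.edu from the trace lines, used as an assumption here) is the tighter choice. The sample JARs are constructed in memory; no files on disk are read.

```python
"""Audit the main-section manifest attributes that the Java plug-in checks
(Permissions, Codebase, Application-Name, Application-Library-Allowable-Codebase).
Constructed example; the sample JARs below are built in memory."""
import io
import zipfile

# Attributes the 7u45/7u51 plug-in warns about when they are absent.
RECOMMENDED = ("Codebase", "Application-Name", "Application-Library-Allowable-Codebase")
# Attributes where '*' means "any host may serve this signed JAR".
WILDCARD_SENSITIVE = ("Codebase", "Application-Library-Allowable-Codebase")


def ends_with_newline(text):
    """The caveat from the post: the jar tool drops a final manifest line that
    has no line terminator, so permission.txt must end with one."""
    return text.endswith("\n") or text.endswith("\r")


def build_manifest(attrs):
    """Render main-section attributes as manifest text, terminating every line
    (including the last) with CRLF so nothing is silently dropped."""
    lines = ["Manifest-Version: 1.0"]
    lines += ["%s: %s" % (name, value) for name, value in attrs.items()]
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_manifest(text):
    """Parse the main section of a manifest into a dict. A line beginning with
    a single space continues the previous attribute's value."""
    attrs = {}
    last = None
    for raw in text.splitlines():
        if raw == "":
            break  # a blank line closes the main section
        if raw.startswith(" ") and last is not None:
            attrs[last] += raw[1:]
            continue
        name, sep, value = raw.partition(":")
        if not sep:
            continue  # malformed line; the real jar tool would reject it
        last = name.strip()
        attrs[last] = value.strip()
    return attrs


def audit_manifest(attrs, expected_host=None):
    """Return a list of findings; an empty list means the manifest is clean."""
    findings = []
    if "Permissions" not in attrs:
        findings.append("missing Permissions (the plug-in will block this JAR)")
    elif attrs["Permissions"] not in ("all-permissions", "sandbox"):
        findings.append("Permissions must be all-permissions or sandbox")
    for name in RECOMMENDED:
        if name not in attrs:
            findings.append("missing %s (the plug-in logs a warning)" % name)
    for name in WILDCARD_SENSITIVE:
        value = attrs.get(name)
        if value == "*":
            findings.append("%s is '*': any host may serve this signed JAR" % name)
        elif expected_host and value and not any(expected_host in tok for tok in value.split()):
            findings.append("%s does not include %s" % (name, expected_host))
    return findings


def audit_jar(jar_bytes, expected_host=None):
    """Read META-INF/MANIFEST.MF from JAR bytes and audit its main section."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        try:
            text = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
        except KeyError:
            return ["no META-INF/MANIFEST.MF in JAR"]
    return audit_manifest(parse_manifest(text), expected_host)


def make_sample_jar(attrs):
    """Constructed sample JAR: just a manifest plus a dummy logo file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", build_manifest(attrs))
        zf.writestr("my_institution.gif", b"GIF89a")
    return buf.getvalue()


# The post's step-2 manifest (Permissions only).
STEP2_JAR = make_sample_jar({"Permissions": "all-permissions"})
# The post's updated manifest, with wildcard codebases.
WILDCARD_JAR = make_sample_jar({
    "Permissions": "all-permissions",
    "Codebase": "*",
    "Application-Name": "OracleForms",
    "Application-Library-Allowable-Codebase": "*",
})
# A tightened variant pinned to the host that serves the JAR
# (hypothetical host name, taken from the post's trace lines).
PINNED_JAR = make_sample_jar({
    "Permissions": "all-permissions",
    "Codebase": "my.school.edu",
    "Application-Name": "OracleForms",
    "Application-Library-Allowable-Codebase": "my.school.edu",
})

if __name__ == "__main__":
    for label, jar in (("step 2", STEP2_JAR), ("wildcard", WILDCARD_JAR), ("pinned", PINNED_JAR)):
        print(label, audit_jar(jar, "my.school.edu") or ["ok"])
```

Run it as-is to see the three verdicts, or call audit_jar() on the bytes of a real signed JAR with the host you expect to serve it; the host match is a simple substring test over the space-separated Codebase values, which is enough to catch a wildcard or a typo but is not a full implementation of the plug-in's codebase matching rules.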

References:


http://download.oracle.com/javase/1.3/docs/tooldocs/win32/keytool.html
http://download-llnw.oracle.com/javase/6/docs/technotes/tools/windows/jarsigner.html
http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/manifest.html#permissions
http://docs.oracle.com/javase/tutorial/deployment/jar/modman.html
http://docs.oracle.com/javase/tutorial/deployment/jar/secman.html