{"id":5985,"date":"2024-08-22T12:39:45","date_gmt":"2024-08-22T10:39:45","guid":{"rendered":"https:\/\/promatis.com\/at\/automating-code-signing-with-latest-e-business-suite-signing-improvements-part-4\/"},"modified":"2024-08-28T12:55:42","modified_gmt":"2024-08-28T10:55:42","slug":"automating-code-signing-with-latest-e-business-suite-signing-improvements-part-4","status":"publish","type":"post","link":"https:\/\/promatis.com\/at\/automating-code-signing-with-latest-e-business-suite-signing-improvements-part-4\/","title":{"rendered":"Automating Code Signing with latest E-Business Suite Signing Improvements - Part 4"},"content":{"rendered":"
_builder_version=\"4.25.1\" _module_preset=\"default\" background_enable_color=\"off\" custom_padding=\"0px||0px||true|false\" hover_enabled=\"0\" inline_fonts=\"Times New Roman\" global_colors_info=\"{%22gcid-32812186-bc94-4de4-814c-2bf202477fd5%22:%91%22header_text_color%22,%22header_2_text_color%22,%22header_3_text_color%22%93,%22gcid-0becd5ff-19fc-4653-a221-c8c75771a987%22:%91%22background_color%22%93}\" theme_builder_area=\"et_body_layout\" sticky_enabled=\"0\" ul_item_indent=\"50px\" ol_item_indent=\"35px\"]<\/p>\n <\/p>\n Last week, Oracle released a major re-work of its article on Signing JAR Files for Oracle E-Business Suite Release 12 (Doc ID 1591073.1)<\/strong>. Taking into consideration that all major public Code Signing CAs now require Hardware Security Module (HSM) based storage<\/a> of the private key, this was long awaited. In previous parts of this blog series I've covered how we can work around the limitations of jarsigning in E-Business Suite, see part 1<\/a>, part 2<\/a> and part 3<\/a>.<\/p>\n In this 4th part we'll cover how this procedure can be improved by using these latest patches to E-Business Suite.<\/p>\n To take advantage of the new procedures you have to apply a couple of patches (see 1591073.1<\/strong> for more details):<\/p>\n Note: The Support note explicitly states that you have to apply 36492441 first, so it seems that this has to be done in 2 patching cycles.<\/p>\n Without any further changes, applying those patches still signs the jars in KEYSTORE mode (the same way as before). However, you can now write your own\/modified customjarsign.sh script that calls more advanced signing commands. 
In my case I've changed that file to have the main custom signing method as follows:<\/p>\n Now let us walk through this step by step:<\/p>\n As you have probably noticed there is some additional code though:<\/p>\n Since there is no real way to interact with the user through adjss \/ adadmin\/adop I've decided to have the following workarounds:<\/p>\n The support note describes an easy way to unit-test the script; keep in mind to do some testing both with the Certum tool started and not started. At the end you should have a result similar to:<\/p>\n Once unit testing is successful you have to copy the customjarsign.sh file to $APPL_TOP_NE\/ad\/admin\/customjarsign.sh.<\/p>\n Afterwards you can change the signing mode to CUSTOM:<\/p>\n Once that is done you can test in a more realistic way by calling:<\/p>\n That should produce a result as follows:<\/p>\n <\/p>\n Successful test using adjss<\/em><\/p>\n Remember to also do some negative testing (SignTool stopped and only started later on).<\/p>\n After all the tests were successful you can simply call adadmin (or apply a patch) which should call your customjarsign.sh script and sign modified .jar files \"on the fly\".<\/p>\n The new jar-sign-tooling released by Oracle makes Code Signing a lot more convenient again. Besides Certum, there is an even more convenient \"partial implementation\" already provided in the script from Oracle that uses the digicert signing which should work entirely without user interaction. If you can spare the additional $$ it is therefore probably easier to go for digicert instead of certum.<\/p>\n [\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":" Last week, Oracle released a major re-work of its article on Signing JAR Files for Oracle E-Business Suite Release 12 (Doc ID 1591073.1). 
Taking into consideration that all major public Code Signing CAs now require Hardware Security Module (HSM) based storage of the private key this was long awaited. In previous parts of this blog series I've covered how we can workaround the limitations of jarsigning in E-Business Suite. <\/p>\n In this 4th part we'll cover how this procedure can be improved by using these latest patches to E-Business Suite.<\/p>\n","protected":false},"author":2,"featured_media":1234,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[23],"tags":[501,115,122],"dipi_cpt_category":[],"class_list":["post-5985","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-techblog","tag-ebs","tag-oracle-e-business-suite","tag-oracle-ebs"],"_links":{"self":[{"href":"https:\/\/promatis.com\/at\/wp-json\/wp\/v2\/posts\/5985"}],"collection":[{"href":"https:\/\/promatis.com\/at\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/promatis.com\/at\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/promatis.com\/at\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/promatis.com\/at\/wp-json\/wp\/v2\/comments?post=5985"}],"version-history":[{"count":0,"href":"https:\/\/promatis.com\/at\/wp-json\/wp\/v2\/posts\/5985\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/promatis.com\/at\/wp-json\/wp\/v2\/media\/1234"}],"wp:attachment":[{"href":"https:\/\/promatis.com\/at\/wp-json\/wp\/v2\/media?parent=5985"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/promatis.com\/at\/wp-json\/wp\/v2\/categories?post=5985"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/promatis.com\/at\/wp-json\/wp\/v2\/tags?post=5985"},{"taxonomy":"dipi_cpt_category","embeddable":true,"href":"https:\/\/promatis.com\/at\/wp-json
\/wp\/v2\/dipi_cpt_category?post=5985"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
Executive Vice President<\/strong> \u2013\u00a0Head of Platforms\u00a0&\u00a0Development<\/p>\nInstallation of required patches<\/h2>\n
adop phase=prepare,apply,finalize,cutover,cleanup patches=36492441\nadop phase=prepare,apply,actualize_all,finalize,cutover,cleanup patches=36407980,36505379,36555711,36499096 finalize_mode=full mtrestart=no cleanup_mode=full<\/pre>\n
Implementation of a customjarsign.sh for Certum<\/h2>\n
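# Sign one JAR on the remote Certum/SimplySign host and copy the result back.
#
# Arguments:
#   $1  path of the JAR file to sign; it is replaced in place by the signed copy
# Returns:
#   0  the JAR was uploaded, signed remotely and downloaded again
#   1  the upload or download failed, the operator pressed 'q' during a retry,
#      or the stop file /home/oracle/NO_JAR_SIGNING exists
#
# NOTE(review): the remote working copy is a fixed, shared name under /tmp.
#   Two signing runs at the same time would overwrite each other's file, and
#   any other account on the signing host that can write that path could
#   change what gets signed. A per-run directory (e.g. created with mktemp -d
#   on the signing host) readable only by the certum user would close that gap.
# NOTE(review): -storepass is given on the command line, so the value is
#   stored in this script and visible in the process list of the signing host
#   while jarsigner runs. jarsigner also accepts -storepass:file and
#   -storepass:env, which keep it out of both.
# NOTE(review): nothing checks the downloaded JAR. Running
#   `jarsigner -verify` on it before reporting success would catch a
#   truncated or unsigned file; confirm jarsigner is available on this host.
signjar_custom () # $1 name of 1 JAR file
{
    local jar_path="$1"
    local signer="certum@172.31.2.199"
    local remote_jar="/tmp/signing-dummy.jar"
    local stop_file="/home/oracle/NO_JAR_SIGNING"
    local retry_count=0
    local key

    echo "INFO: Signing JAR '$jar_path' with certum..."

    # Remove signature files left by an earlier signing run. The original
    # passed ${jar} here, which this function never sets; every other
    # statement uses $1, so $1 is used here as well. zip's exit status is
    # ignored on purpose: a JAR without old signature files is not an error.
    zip -d "$jar_path" 'META-INF/*.SF' 'META-INF/*.RSA'

    # Stop if the upload fails. Otherwise the loop below would sign whatever
    # file a previous call left at $remote_jar, and that unrelated JAR would
    # then be copied back over $1.
    if ! scp "$jar_path" "$signer:$remote_jar"; then
        echo "upload of $jar_path to signing host failed" | tee -a ~/customsign.log
        return 1
    fi

    while true; do
        # jarsigner runs on the signing host against the PKCS#11 provider
        # configured in provider_simplysign.cfg; the last argument is the
        # alias of the signing key.
        ssh "$signer" "/home/certum/SS-9.1.11.0-dist/jre/bin/jarsigner -keystore NONE -tsa \"http://time.certum.pl\" -certchain /home/certum/mychain.pem -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /home/certum/provider_simplysign.cfg -storepass 12345 $remote_jar 4F4F410D0356A9110B16AC9C73BD6F59" | tee -a ~/customsign.log
        # PIPESTATUS[0] is the exit status of ssh (and so of jarsigner),
        # not of tee.
        if [ "${PIPESTATUS[0]}" -eq 0 ]; then
            break
        fi

        # Send the reminder mail only once, on the first failure.
        if [ "$retry_count" -eq 0 ]; then
            ssh "$signer" "echo \"Please start certum on Cloud Manager\" | mailx -s \"Please start and sign in to Certum for patching/signing!\" XX@promatis.de"
        fi

        retry_count=$((retry_count + 1))
        echo "$(date):in retry-loop for $jar_path , iteration $retry_count" >> ~/customsign.log
        echo "signing failed; will try again in 5 seconds. Press q to abort"

        # NOTE(review): when stdin is not a terminal, read may return at once
        # instead of waiting 5 seconds - confirm the loop does not busy-wait
        # when called from adop/adadmin.
        key=""
        read -t 5 -n 1 key
        if [ "$key" = 'q' ]; then
            echo "Loop aborted by user."
            return 1
        fi

        # Second way out of the loop for runs without a usable terminal:
        # creating the stop file ends the retries with an error.
        if [ -f "$stop_file" ]; then
            echo "/home/oracle/NO_JAR_SIGNING exists. Exit with error" | tee -a ~/customsign.log
            return 1
        fi
    done

    # Report success only if the signed JAR really arrived. The signature
    # files were stripped above, so a failed download leaves $1 unsigned.
    if ! scp "$signer:$remote_jar" "$jar_path"; then
        echo "download of signed $jar_path from signing host failed" | tee -a ~/customsign.log
        return 1
    fi

    echo "$(date)signing of $jar_path succesful" >> ~/customsign.log
    return 0
}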
\n
\n
\n
Unit Testing the script<\/h2>\n
successful test calling<\/em><\/p>\nUsing the new CUSTOM method<\/h2>\n
adjss -mode CUSTOM<\/pre>\n
adjss -sign<\/pre>\n
Re-Signing using adadmin<\/h2>\n
Summary<\/h2>\n