Friday, March 27, 2020

Renew Java Signing Key

The certificate used to sign JAR files expires after a few years (every two years, for example), so it has to be renewed periodically. After running a renewal, I understand the process better than when I wrote my post Keystore & Java Signing in 2016.

1. Find the current keystore password and key password embedded in the EBS R12.1 instance

SQL> set serveroutput on
SQL> declare
spass varchar2(30);
kpass varchar2(30);
begin
ad_jar.get_jripasswords(spass, kpass);
dbms_output.put_line(spass);
dbms_output.put_line(kpass);
end; 
/
puneet
myxuan

If you want to change them, use "$ adjkey -storepasswd" and "$ adjkey -keypasswd".

2. $APPL_TOP/admin/adkeystore.dat is a binary file; in my case it holds one key entry with a chain of three certificates. Use keytool to view its contents:

$ echo $TWO_TASK
EBSDEV
$ hostname
devserver1d

$ keytool -list -keystore adkeystore.dat
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
ebsdev_devserver1d, Apr 15, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1): A7:01:6E:76:D7:2D:F5: … ...

$ keytool -list -v -keystore adkeystore.dat    <= View details
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: ebsdev_devserver1d
Creation date: Apr 15, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=Company name, O=Company name, L=City, ST=State, C=US
Issuer: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Serial number: f7d45adf32f16e ….
Valid from: Thu Jan 03 19:00:00 EST 2019 until: Wed Jan 12 07:00:00 EST 2022
Certificate fingerprints:
         MD5:  17:68:2F:67:CC:F0: … …
         SHA1: A7:01:6E:76:D7:2D: … …
         Signature algorithm name: SHA256withRSA
         Version: 3
Extensions:
#1:
…  … …
Certificate[2]:
Owner: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Serial number: 409181b5fd5bb667 ......
Valid from: Tue Oct 22 08:00:00 EDT 2013 until: Sun Oct 22 08:00:00 EDT 2028
Certificate fingerprints:
         MD5:  B6:56:37:6C:3D:2A: … …
         SHA1: 92:C1:58:8E:85:AF: … …
         Signature algorithm name: SHA256withRSA
         Version: 3
Extensions:
#1:
…  … …
Certificate[3]:
Owner: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Serial number: ce7e0e517d8 … …
Valid from: Thu Nov 09 19:00:00 EST 2006 until: Sun Nov 09 19:00:00 EST 2031
Certificate fingerprints:
         MD5:  87:CE:0B:7B:2A: … …
         SHA1: 05:63:B8:63:0D: … …
         Signature algorithm name: SHA1withRSA
         Version: 3
Extensions:
#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]
#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 45 EB  9C A7 A7 21 9D  E.......1-Q...!.
0010: F3 6D C8 0F                                        .m..
]
]
#4: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 45 EB 8B A7 A7 21 9D  E.......1-Q...!.
0010: F3 6D C8 0F                                        .m..
]
]

3. Before the certificate's expiration date (01/12/2022 in the keystore above), you have to renew it. First, request a new keystore file from the Security team; it is issued for one EBS instance. Then run adadmin to regenerate the JAR files on that instance (as in Step 5).
I do not know what tool the Security team uses to create adkeystore.dat. If the passwords in the new adkeystore.dat do not match the EBS instance's passwords from Step 1, adadmin in Step 5 fails with the error "jarsigner: unable to recover key from keystore". Commands to change the keystore password and key password so they match:

$ keytool -storepasswd -keystore /path/to/temp/adkeystore.dat
Enter keystore password:            <= storePwd
New keystore password:              <= puneet
Re-enter new keystore password:     <= puneet

$ keytool -keypasswd -keystore /path/to/temp/adkeystore.dat -alias ebsdev_devserver1d
Enter keystore password:                             <= puneet
Enter key password for <ebsdev_devserver1d>          <= keyPWD
New key password for <ebsdev_devserver1d>:           <= myxuan
Re-enter new key password for <ebsdev_devserver1d>:  <= myxuan

4. Make adkeystore.dat work in other EBS instances.

The original adkeystore.dat is only for instance EBSDEV. If you have multiple instances, the commands below worked for me to make it work for the QA instance EBSQA (on a different server):

$ cp adkeystore.dat $APPL_TOP/admin
$ cd $APPL_TOP/admin

$ keytool -changealias -alias ebsdev_devserver1d -destalias EBSQA_qaserver1q -keystore adkeystore.dat
Enter keystore password:
Enter key password for <ebsdev_devserver1d>

$ keytool -list -keystore adkeystore.dat
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry
ebsqa_qaserver1q, Apr 20, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1): A7:01:6E:76:D7:2D:F5: … ...
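To catch the expiry from Step 3 and the alias mismatch from Step 4 before adadmin is run, here is an added Python check (my own example, not part of the original post or of EBS) that parses saved `keytool -list -v` output. It assumes the alias convention <TWO_TASK>_<hostname> seen in the listings above, a 90-day renewal lead time, and a constructed sample listing trimmed from the one in Step 2.

```python
import re
from datetime import datetime

WARN_DAYS = 90  # assumed renewal lead time; adjust to your change calendar

# Constructed sample, trimmed from the keytool -list -v listing in step 2 (fingerprints, root cert omitted).
SAMPLE_LISTING = """\
Alias name: ebsdev_devserver1d
Certificate[1]:
Owner: CN=Company name, O=Company name, L=City, ST=State, C=US
Issuer: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Valid from: Thu Jan 03 19:00:00 EST 2019 until: Wed Jan 12 07:00:00 EST 2022
Certificate[2]:
Owner: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Valid from: Tue Oct 22 08:00:00 EDT 2013 until: Sun Oct 22 08:00:00 EDT 2028
"""

def parse_keytool_date(s):
    # keytool prints 'Wed Jan 12 07:00:00 EST 2022'; drop the zone name (5th field), which
    # strptime cannot map portably. Hours and zone do not matter for a days-left check.
    p = s.split()
    return datetime.strptime(" ".join(p[:4] + p[5:]), "%a %b %d %H:%M:%S %Y")

def parse_keytool_listing(text):
    """Return (alias, [cert dicts in chain order]) from keytool -list -v output."""
    alias = re.search(r"^Alias name:\s*(\S+)", text, re.M).group(1)
    certs = []
    for block in re.split(r"^Certificate\[\d+\]:", text, flags=re.M)[1:]:
        field = lambda key: re.search(rf"^{key}:\s*(.+)$", block, re.M).group(1).strip()
        until = re.search(r"until:\s*(.+)$", block, re.M).group(1).strip()
        certs.append({"owner": field("Owner"), "issuer": field("Issuer"),
                      "not_after": parse_keytool_date(until)})
    return alias, certs

def expected_alias(two_task, hostname):
    """Alias convention seen in the post: <TWO_TASK>_<hostname>; JKS stores aliases lower-cased."""
    return f"{two_task}_{hostname}".lower()

def check_keystore(text, two_task, hostname, today_iso):
    """Return (days_left, problems) for the instance named by TWO_TASK and hostname (today as YYYY-MM-DD)."""
    alias, certs = parse_keytool_listing(text)
    # certs[0] is Certificate[1], the signer's own cert; the rest is the CA chain
    days_left = (certs[0]["not_after"] - datetime.strptime(today_iso, "%Y-%m-%d")).days
    problems = []
    if alias != expected_alias(two_task, hostname):
        problems.append(f"alias {alias} != {expected_alias(two_task, hostname)}: run keytool -changealias")
    if days_left < 0:
        problems.append(f"signing cert expired {-days_left} days ago")
    elif days_left < WARN_DAYS:
        problems.append(f"signing cert expires in {days_left} days: request a new adkeystore.dat")
    return days_left, problems
```

Run it against the saved listing of each instance's $APPL_TOP/admin/adkeystore.dat on a schedule so the request to the Security team goes out before the date in Step 3 arrives.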

5. Generate the JAR files with the adadmin utility, which signs them with the new certificate in adkeystore.dat

$ echo $TWO_TASK
EBSQA
$ adstpall.sh
$ adadmin
    ==> 1 Select Generate Applications Files
    ==> 4 Generate Product JAR Files    Yes.  (Do force the regeneration of all JAR files.)
(adadmin can also reload JAR files into the database, which is not required here:
    ==> 3 Compile/Reload Applications Database Entities menu
    ==> 3 Reload JAR Files to Database. It seems to upload some .jar files, but not all of them.)

NOTES: After the JDK was upgraded to JDK 7, adadmin warns about more files when generating JAR files. Depending on which EBS components are in use, it is usually safe to ignore them:
adearea();
Warning=> unable to locate $FND_TOP/java/3rdparty/stdalone/odi-sdk-invocation10g.zip file.
Warning=> unable to locate $FND_TOP/java/3rdparty/stdalone/ucmscript.zip file.
Warning=> unable to locate $FND_TOP/java/3rdparty/stdalone/oracle-ucm-ridc-12_1_2_0_0.zip file.
Warning=> unable to locate $FND_TOP/java/3rdparty/stdalone/gcm-server.zip file.
Warning=> unable to locate $FND_TOP/java/3rdparty/stdalone/json_simple-1-1.zip file.

6. Verify the JAR file's new timestamp and the new certificate expiration date

$ ls -al $AD_TOP/java/jar/adxlib.jar      <= pick any JAR file
$ jarsigner -verify -verbose -certs $AD_TOP/java/jar/adxlib.jar
 ... ... ...
sm      7732 Wed Jan 02 05:02:02 EST 2002 oracle/apps/ad/util/zip/ZipOutputStream.class
      X.509, CN=Company name, O=Company name, L=City, ST=State, C=US
      [certificate is valid from 1/3/19 7:00 PM to 1/12/22 7:00 AM]
      X.509, CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
      [certificate is valid from 10/22/13 8:00 AM to 10/22/28 8:00 AM]
      X.509, CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
      [certificate is valid from 11/9/06 7:00 PM to 11/9/31 7:00 PM]
... ... ...
  
- Signed by "CN=Company name, O=Company name, L=City, ST=State, C=US"
    Digest algorithm: SHA1
    Signature algorithm: SHA1withRSA, 2048-bit key
jar verified.

Warning:
This jar contains signatures that does not include a timestamp. Without a timestamp, users may not
be able to validate this jar after the signer certificate's expiration date (2019-06-05) or after
any future revocation date.
(Not sure why I am getting this warning.)
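As an added example for Step 6 (my own code, not from the original post or from Oracle), this Python check parses `jarsigner -verify -verbose -certs` output and confirms that a JAR now carries the renewed signer certificate rather than the old one. It assumes the English date format jarsigner printed above and uses a constructed sample built from that output.

```python
"""Post-regeneration check: confirm a JAR was re-signed with the renewed certificate."""
import re
from datetime import datetime

# Constructed sample modelled on the `jarsigner -verify -verbose -certs` output shown in step 6.
SAMPLE_VERIFY = """\
sm      7732 Wed Jan 02 05:02:02 EST 2002 oracle/apps/ad/util/zip/ZipOutputStream.class
      X.509, CN=Company name, O=Company name, L=City, ST=State, C=US
      [certificate is valid from 1/3/19 7:00 PM to 1/12/22 7:00 AM]
      X.509, CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
      [certificate is valid from 10/22/13 8:00 AM to 10/22/28 8:00 AM]

- Signed by "CN=Company name, O=Company name, L=City, ST=State, C=US"
    Digest algorithm: SHA1
    Signature algorithm: SHA1withRSA, 2048-bit key
jar verified.

Warning:
This jar contains signatures that does not include a timestamp. Without a timestamp, users may not
be able to validate this jar after the signer certificate's expiration date (2019-06-05) or after
any future revocation date.
"""

def parse_jarsigner_verify(text):
    """Pull the verdict, signer DN, signer cert end date and timestamp status out of jarsigner output."""
    signer = re.search(r'^- Signed by "(.+)"$', text, re.M)
    # The first "[certificate is valid from ... to ...]" line belongs to the signer's own X.509 entry.
    window = re.search(r"\[certificate is valid from (.+?) to (.+?)\]", text)
    return {
        "verified": "jar verified." in text,
        "signer": signer.group(1) if signer else None,
        "valid_to": datetime.strptime(window.group(2), "%m/%d/%y %I:%M %p") if window else None,
        # without a TSA timestamp the signature cannot be validated once the signer cert expires
        "timestamped": "does not include a timestamp" not in text,
    }

def resigned_with(text, expected_signer, expected_valid_to_iso):
    """True only if the JAR verifies and its signer cert is the renewed one (DN and end date match)."""
    r = parse_jarsigner_verify(text)
    want = datetime.strptime(expected_valid_to_iso, "%Y-%m-%d").date()
    return (r["verified"] and r["signer"] == expected_signer
            and r["valid_to"] is not None and r["valid_to"].date() == want)
```

Feed it the output for every JAR under the product tops after adadmin finishes; any JAR whose signer end date is still the old one was not regenerated.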

NOTE: keytool is part of the JDK
$ which keytool
$IAS_ORACLE_HOME/appsutil/jdk/jre/bin/keytool
