Wednesday, April 14, 2021

Enable Java Web Start with Oracle E-Business Suite R12.2

After R12.1.3 was upgraded to R12.2.10, I saw that JRE 1.6.0_27 is the version in the new R12.2.10 instance. It is a low version, which makes R12.2 GUI Forms work only with the IE browser. For R12.2 to work with the MS Edge and Google Chrome browsers, we have to upgrade JRE and enable Java Web Start (JWS).

1) First, per Doc ID 2188898.1 (Using Java Web Start with Oracle E-Business Suite), Section 4.2.2, confirmed that patch 26825525 (replaces 25441839 Merge Request On Top Of 10.1.2.3.2 PSU, Doc ID 2554599.1) was applied during the R12.2.10 upgrade.
$ opatch lsinventory | grep 26825525
     Patch  26825525 applied on xxxx, 2021

2) Confirmed that ALL 13 patches below were applied (Section 4.2.3). Some patches may show up twice in the output of the query below.
SQL> SELECT bug_number, creation_date, ad_patch.is_patch_applied('R12',-1, bug_number) status
FROM ad_bugs
where bug_number in (
'24498616', -- AD: Add Java Web Start support to Oracle E-Business Suite
'25449925', -- TXK: Add Java Web Start support to Oracle E-Business Suite
'25380324', -- Oracle E-Business Suite Java Applets launching with Java Web Start
'29058008', -- Oracle E-Business Suite Java Applets Launching with JWS rel 2
'29024389', -- WS: New Preference To Indicate Launch of New Forms Session
'28713780', -- 12.2.6+:Oracle Workflow Java Applets launching with Java Web Start
'23645622', -- GL: Add Java Web Start Support to AHM Java applet
'23586286', -- MSC: Add Java Web Start Support to PS/SNO 12.2.6
'26100397', -- R12.TXK.C (see Doc ID 393931.1 for deploying JRE)
'22806350',  -- R12.OWF.C (see Doc ID 1367293.1 for enabling TLS 1.2)
'21473055', -- R12.ICX.D (iProcurement, Doc ID 1937220.1 for TLS1.2)
'22522877', -- R12.IBY.C (iPayment)
'22326911'  -- R12.ECX.C (Oracle XML Gateway)
) order by bug_number;

3) Back up CONTEXT_FILE
$ cd <backup folder>
$ cp -p $CONTEXT_FILE ${CONTEXT_NAME}.xml_BK_JRE
Replace "browser" with "jws" for <s_forms_launch_method>:
$ vi $CONTEXT_FILE

Optionally, stop EBS services by adstpall.sh if they are running.

4) Follow Doc ID 393931.1 (Deploying JRE for Windows Clients; go to the long table in the Appendix E section) to download patch 30425890 - p30425890_180241_WINNT.zip (Oracle JRE 8 Update 241 for Windows 32-bit). I used JRE 1.8.0_241 because it is the version currently installed on all users' Windows PCs. If a higher version is deployed on the apps server, all users have to remove the lower version and re-install a matching version on their PCs. (Note: later, I used p32140627_180281_WINNT.zip after the users' PCs got a newer JRE.)

$ cd $COMMON_TOP/webapps/oacore/util/javaplugin
$ unzip p32140627_180281_WINNT.zip
Archive:  p32140627_180281_WINNT.zip
  inflating: jre-8u281-windows-i586.exe
  inflating: jre-8u281-windows-i586.tar.gz
  inflating: readme.txt

$ mv jre-8u281-windows-i586.exe j2se18281.exe
$ echo $FILE_EDITION
run

$ $FND_TOP/bin/txkSetPlugin.sh 18281
/u02/app/$TWO_TASK/fs1/EBSapps/appl/fnd/12.0.0/bin
  Starting interoperability upgrade script...
Sending logfile output to:
       $INST_TOP/logs/txkSetPlugin.log
etc … … 
AutoConfig completed successfully.
Done


$ sh $ADMIN_SCRIPTS_HOME/adautocfg.sh    (optional)

Go to the backup folder and confirm the configuration changes:
$ diff $CONTEXT_NAME.xml_BK_JRE $CONTEXT_FILE

<   <config_option type="techstack" oa_var="s_forms_launch_method">browser</config_option>
>   <config_option type="techstack" oa_var="s_forms_launch_method">jws</config_option>

<   <sun_plugin_ver oa_var="s_sun_plugin_ver">1.6.0_27</sun_plugin_ver>
>   <sun_plugin_ver oa_var="s_sun_plugin_ver">1.8.0_281</sun_plugin_ver>

<   <sun_clsid oa_var="s_sun_clsid">CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA</sun_clsid>
>   <sun_clsid oa_var="s_sun_clsid">CAFEEFAC-0018-0000-0281-ABCDEFFEDCBA</sun_clsid>
... ...

$ cat $FORMS_WEB_CONFIG_FILE|grep sun_plugin_version| cut -c 1-35
sun_plugin_version=1.8.0_281

The next step is to sign the JAR files. Otherwise, launching EBS Forms gives a popup with the exception: JAR resources in JNLP file are not signed by same certificate.

5) Jar signing

Follow Doc ID 1591073.1 (Enhanced Jar Signing for Oracle E-Business Suite)

a) Copy the two files adkeystore.dat and adsign.txt (from the old $APPL_TOP/admin of R12.1.3) to the folder $NE_BASE/EBSapps/appl/ad/admin, assuming JAR signing worked in the R12.1.3 instance. Verify basic info:

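SQL> set serveroutput on
SQL> declare
-- spass receives the keystore (store) password, kpass the key password
spass varchar2(30);
kpass varchar2(30);
begin
ad_jar.get_jripasswords(spass, kpass);
-- both values are printed in clear text: store password first, then key password
dbms_output.put_line(spass);
dbms_output.put_line(kpass);
end;
/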

$ keytool -list -keystore adkeystore.dat
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries
ebsdev_nodename, April 10, 2021, PrivateKeyEntry, ...
...  ...
If necessary, use the command below to create/renew the .dat file from the one for instance1 on node1 (it changes the key alias):
$ keytool -changealias -alias instance1Name_node1Name -destalias EBSDEV_nodeName -keystore adkeystore.dat

b) Make sure all apps services are stopped

c) $ adadmin
     => 1 (Generate Applications Files menu)
     => 4 (Generate product JAR files)
    Do you wish to force regeneration of all jar files? [No] ? Yes

Forcing generation of all product jar files.
Creating and signing every jar file can take about thirty minutes depending on the hardware being used.
You can watch the file $NE_BASE/EBSapps/log/adadmin/log/Gen_JAR.log to see the progress of jar file generation.
 Recording Adadmin action :ADADMIN_GEN_JARS
 Tokens:FORCE_JAR_GENERATION=Yes
  Signing product JAR files in  JAVA_TOP - $JAVA_TOP
   using entity $CONTEXT_NAME and certificate 1.
Successfully created javaVersionFile.
  Generating product JAR files in JAVA_TOP -
 $JAVA_TOP with command:
adjava -mx2048m -nojit oracle.apps.ad.jri.adjmx @$APPL_TOP/admin/$TWO_TASK/out/genjars.cmd

Successfully generated product JAR files in  JAVA_TOP -
 $JAVA_TOP.
  Copying Registry.dat from the Forms Java directory to $JAVA_TOP ...
Generating customall.jar ...
Not creating customall.jar as no custom java directories found under JAVA_TOP.
customall.jar generated successfully.
   ** Updating appsborg.zip ...
    Reading adjborg.txt...
adearea();
No files listed in $APPL_TOP/admin/adjborg.txt
Ignoring ...
adjborg.txt file seems to be empty.
    Done reading adjborg.txt.
As adjborg.txt file is empty, skipping the  generation of appsborg.zip
   ** Updating appsborg2.zip ...
    Reading adjborg2.txt...
adearea();
No files listed in $APPL_TOP/admin/adjborg2.txt
Ignoring ...
adjborg.txt file seems to be empty.
    Done reading adjborg2.txt.
As adjborg2.txt file is empty, skipping the  generation of appsborg2.zip
Review the messages above, then press [Return] to continue.

Notes from Doc ID 2065496.1:  In release 12.2 the files appsborg.zip and appsborg2.zip have been replaced with file ebsAppsborgManifest.jar. The new file ebsAppsborgManifest.jar should appear in the CLASSPATH. In summary for R12.2 the files appsborg.zip and appsborg2.zip are not used. The messages are expected and can be safely ignored.

$ echo $CLASSPATH | grep ebsAppsborgManifest
will give a long list
$ cd $FMW_HOME/Oracle_EBS-app1/shared-libs/ebs-appsborg/WEB-INF/lib
$ ls -al 
-rw-r--r-- 1 user group 806 Feb 23 16:32 ebsAppsborgManifest.jar

d) To verify the digital signature of the Jar file:
$ jarsigner -verify -verbose -certs $AD_TOP/java/jar/adxlib.jar
… … 
sm      6924 Fri Jan 14 03:00:00 EST 2011 oracle/apps/ad/util/zip/ZipOutputStream.class
      X.509, CN=Company_name Inc., O=Company_name Inc., L=City, ST=State, C=US
      [certificate is valid from
1/3/19 7:00 PM to 1/12/22 7:00 AM]
      X.509, CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
      [certificate is valid from 10/22/13 8:00 AM to 10/22/28 8:00 AM]
      X.509, CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
      [certificate is valid from 11/9/06 7:00 PM to 11/9/31 7:00 PM]

      X.509, CN=nodename, O=nodename, OU=apps, L=, ST=, C=US
      [certificate is valid from 2/12/21 12:02 PM to 2/2/61 12:02 PM]
      [CertPath not validated: Path does not chain with any of the trust anchors]

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope
jar verified.
Warning:
This jar contains signatures that does not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2022-01-12) or after any future revocation date.


If you see the message "This jar contains entries whose certificate chain is not validated.", the JAR has a signing problem.
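
The check in step d) can be repeated over every generated jar. The script below is an added example, not part of the original post or of Oracle's tooling: it classifies "jarsigner -verify" output using the messages quoted on this page and extracts the signer certificate expiry date. The function names and status words are assumptions, and the sample output is constructed.

```sh
# Added example (not from the original post). Status words are this example's own.
# classify_jarsigner: read `jarsigner -verify` output on stdin, print one status.
classify_jarsigner() (
  out=$(cat)
  has() { printf '%s\n' "$out" | grep -q "$1"; }
  if has 'jar is unsigned'; then echo UNSIGNED            # no signature at all
  elif ! has '^jar verified\.'; then echo FAILED           # digest/signature error
  elif has 'certificate chain is not validated'; then echo CHAIN_NOT_VALIDATED
  elif has 'include a timestamp'; then echo NO_TIMESTAMP   # valid only until cert expiry
  else echo OK
  fi
)

# signer_expiry: print the expiry date jarsigner reports in its timestamp warning.
signer_expiry() {
  sed -n 's/.*expiration date (\([0-9][0-9-]*\)).*/\1/p' | head -n 1
}

# scan_jars DIR: one line per jar: status, expiry (or -), path.
# Assumed use on an apps node: scan_jars "$JAVA_TOP"
scan_jars() {
  find "$1" -name '*.jar' | while IFS= read -r jar; do
    out=$(jarsigner -verify "$jar" 2>&1) || true
    status=$(printf '%s\n' "$out" | classify_jarsigner)
    exp=$(printf '%s\n' "$out" | signer_expiry)
    printf '%s\t%s\t%s\n' "$status" "${exp:--}" "$jar"
  done
}

# Constructed sample, built from the jarsigner messages shown in step d).
sample_no_tsa() {
  cat <<'EOF'
jar verified.
Warning:
This jar contains signatures that does not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2022-01-12) or after any future revocation date.
EOF
}

# Demo on the constructed sample.
printf '%s %s\n' "$(sample_no_tsa | classify_jarsigner)" "$(sample_no_tsa | signer_expiry)"
```

Jars reported as NO_TIMESTAMP stop validating on client PCs once the signer certificate expires, so the expiry column shows the date by which they must be re-signed.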

e) Start apps services by adstrtal.sh (or, start them later after TLS1.2 is enabled).
After the above steps, the R12.2.10 web page and Forms can be launched from MS Edge and Google Chrome. The file download may be slow, so do not click too quickly. If EBS Forms does not open on the first launch, you may go to the download directory in Windows Explorer and double-click the file frmservlet.jnlp to start the Java form.

6) Useful commands

- To view the keystore contents
$ keytool -list -v -keystore $NE_BASE/EBSapps/appl/ad/admin/adkeystore.dat
Enter keystore password:                     <== get it with the SQL above if forgotten.
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: <ebsdev_nodename>      <== all are lower case and $TWO_TASK is EBSDEV
Creation date: Apr 2, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:

etc ... … 

- To sign a single jar file fndgantt.jar:
$ jarsigner -keystore $NE_BASE/EBSapps/appl/ad/admin/adkeystore.dat $FND_TOP/java/jar/fndgantt.jar ebsdev_nodename
Enter Passphrase for keystore:
Enter key password for
<ebsdev_nodename>:
jar signed.
Warning:
No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2022-01-12) or after any future revocation date.


- Another way to verify a digital signature, by adding the option "-keystore":
$ jarsigner -verify -verbose -keystore $NE_BASE/EBSapps/appl/ad/admin/adkeystore.dat -certs $JAVA_TOP/oracle/apps/fnd/jar/fndaol.jar

- In custom Java development, use the line below to generate and sign the mycustom.jar file, assuming mycustom.zip has all .class files and .xml files (and the .xml files were imported into the database by java oracle.jrad.tools.xml.importer.XMLImporter):
$ adjava oracle.apps.ad.jri.adjmx -areas $JAVA_TOP/mycustom.zip -outputFile $JAVA_TOP/mycustom.jar -jar $CONTEXT_NAME 1 CUST jarsigner -storePass <KeyStore Password> -keyPass <Key Password>
