Oracle Forms and Java 7u51

Peter Lorenzen
24/10-2013

Java 7u51 is scheduled for release in January. It will have some consequences for your Forms installation that you need to address.

As far as I know there are no problems with using 7u51 on the server side, only on the client side.

Overview

Jar signing

7u51 requires you to sign all RIAs (Applets and Web Start applications).

Oracle already signs the standard jar files. The oldest 11g Forms I have access to is 11.1.1.6 and here they are already signed.

If you use your own jars you need to sign those with a real certificate; self-signed is not good enough anymore.

If you use third-party jars you probably also need to sign them.

You can check whether a jar is signed with jarsigner.

[oracle@wintermute java]$ jarsigner -verify jacob.jar
jar is unsigned. (signatures missing or not parsable)

Here is an example of how to sign a jar file.

You need a code signing certificate from a CA.

Here we have a my-cert.pfx file that contains a PKCS#12 keystore with a private key and a certificate. The certificate is “your” public key. There are also a couple of intermediate certificates for the trust chain from the certificate to the CA.

First we need to figure out what the keystore alias is for the private key.

[oracle@wintermute ~]$ keytool -list -v -keystore my-cert.pfx -storetype pkcs12 | grep "Alias name"
Enter keystore password:  ********
Alias name: le-d491f28f-ee7b-40e2-b1a7-2b7c3a71979a

Now we can sign the jar with the private key.

jarsigner -keystore my-cert.pfx -storetype PKCS12 -signedjar jacob-signed.jar jacob.jar le-d491f28f-ee7b-40e2-b1a7-2b7c3a71979a

Here we “signed” jacob.jar and generated a new signed version called jacob-signed.jar.

If you do not specify -signedjar the original jar file will be overwritten.

Now we can verify if the jar file is signed OK.

[oracle@wintermute ~]$ jarsigner -verify jacob-signed.jar
jar verified.

For more information, add -verbose.

jarsigner -verify -verbose jacob-signed.jar

I have changed and shortened the output for easier reading.

s  3564 Wed Oct 23 23:24:08 CEST 2013 META-INF/MANIFEST.MF
   3495 Wed Oct 23 23:24:08 CEST 2013 META-INF/LE-C498F.SF
   4287 Wed Oct 23 23:24:08 CEST 2013 META-INF/LE-C498F.RSA
      0 Sat Aug 03 06:30:28 CEST 2013 META-INF/
sm  108 Sat Aug 03 06:30:24 CEST 2013 META-INF/JacobVersion.properties
sm 6616 Sat Aug 03 06:30:26 CEST 2013 com/jacob/activeX/ActiveXComponent.class
sm 1555 Sat Aug 03 06:30:26 CEST 2013 com/jacob/com/ComException.class
      0 Sat Aug 03 06:30:26 CEST 2013 com/
      0 Sat Aug 03 06:30:26 CEST 2013 com/jacob/
      0 Sat Aug 03 06:30:26 CEST 2013 com/jacob/activeX/
      0 Sat Aug 03 06:30:26 CEST 2013 com/jacob/com/

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

jar verified.

For even more information, add -certs.

jarsigner -verify -verbose -certs jacob-signed.jar

Here is an example.

The only things that have changed in the jar file are the MANIFEST.MF file in the META-INF directory and two files that have been added to that directory: a signature file (.SF) and a signature block file (.RSA/.DSA/.EC).

If you unpack the jar file you can have a look at the manifest and the signature files.

jar xvf jacob-signed.jar

Permissions attribute in the Manifest

Java 7u25 introduced a Permissions attribute in the manifest file.

It can hold two values:

  • sandbox – Indicates that the jar runs in the security sandbox and does not require additional permissions.
  • all-permissions – Indicates that the jar requires access to the user’s system resources.

From 7u51 you are required to set this attribute.

Oracle has released a patch (16837591) that will fix this for the standard Forms jar files. The patch has just been superseded by patch 17448420, which includes everything from 16837591 plus a fix for a problem if you use Java 7u45.

Notice that the patches are currently only available for Forms 11.1.1.7 and 11.1.2.1.0. A backport to 11.1.1.6 has been requested but nothing has happened yet.

For your own or third-party jars you have to fix this yourself.

Check this MOS note:
“How to Add Manifest Entries into Custom Jar Files Such as jacob.jar or Jar Files Containing Icons (Doc ID 1583119.1)”
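
A way to audit your own or third-party jars for the two requirements described above (signature files in META-INF and a Permissions attribute in the main section of the manifest). This is an added example, not code from Oracle or the MOS note; the function names and the sample jar are constructed for illustration. It only checks that the files and the attribute are present; jarsigner -verify is still what validates the signature itself.

```python
import io
import zipfile

SIG_BLOCK_EXT = (".RSA", ".DSA", ".EC")
VALID_PERMISSIONS = {"sandbox", "all-permissions"}  # the two values named above

def main_attributes(manifest_text):
    """Parse the main section of MANIFEST.MF (it ends at the first blank line)."""
    attrs, last = {}, None
    for line in manifest_text.replace("\r\n", "\n").split("\n"):
        if not line:
            break  # per-entry sections follow; not needed for this check
        if line.startswith(" ") and last:
            attrs[last] += line[1:]  # continuation of a wrapped line
        elif ":" in line:
            key, value = line.split(":", 1)
            last = key.strip().lower()  # attribute names are case-insensitive
            attrs[last] = value.strip()
    return attrs

def audit_jar(jar):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    with zipfile.ZipFile(jar) as zf:
        # Only files directly in META-INF/ count as signature-related files.
        meta = {n.upper(): n for n in zf.namelist()
                if n.upper().startswith("META-INF/") and n.count("/") == 1}
        if not any(n.endswith(".SF") for n in meta):
            findings.append("no signature file (.SF)")
        if not any(n.endswith(SIG_BLOCK_EXT) for n in meta):
            findings.append("no signature block file (.RSA/.DSA/.EC)")
        if "META-INF/MANIFEST.MF" not in meta:
            return findings + ["no MANIFEST.MF"]
        raw = zf.read(meta["META-INF/MANIFEST.MF"]).decode("utf-8", "replace")
    perm = main_attributes(raw).get("permissions")
    if perm is None:
        findings.append("Permissions attribute missing")
    elif perm not in VALID_PERMISSIONS:
        findings.append("unexpected Permissions value: " + perm)
    return findings

def sample_jar(manifest, signed):
    """Constructed in-memory jar; its signature files are empty placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        if signed:
            zf.writestr("META-INF/SAMPLE.SF", "")
            zf.writestr("META-INF/SAMPLE.RSA", "")
    buf.seek(0)
    return buf
```

audit_jar also accepts a path, so audit_jar("jacob-signed.jar") can be run against every custom jar before clients are moved to 7u51.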

Forms 10g

Since Forms 10g has reached its end of life, Oracle will not provide any updates to mitigate the problems caused by 7u51. I assume that you can just sign and change the manifest files for the standard Forms jars yourself. Since Oracle no longer provides support for 10g Forms, at least you will not lose your support for tampering with Oracle's software 🙂

Might be time for an upgrade.

Additional information

{ 5 comments }

Alex January 15, 2014 at 21:14

So, Java Applets are not free anymore. Not even for self-study. Need to pay to get a “real” certificate.

Peter Lorenzen January 15, 2014 at 21:34

Oracle has added a workaround called Exception Site List. See https://blogs.oracle.com/java-platform-group/entry/upcoming_exception_site_list_in

Jeff Everett February 4, 2014 at 15:54

I just tested the Exception Site List and it did work as a workaround.

Peter Lorenzen February 4, 2014 at 15:58

Thanks for sharing.

Bern October 27, 2014 at 21:21

Hello!
The exception list workaround worked on Java 7, but now here is Java 8, and the exception list does not work anymore.

Can you tell me if I can sign the jars without buying a real certificate?
Thanks!
