jueves, 2 de febrero de 2017

Oracle currently plans to disable MD5 signed JARs

Oracle currently plans to disable MD5 signed JARs in the upcoming Critical Patch Update slated for April 18, 2017.  JAR files signed with MD5 algorithms will be treated as unsigned JARs.

MD5 JAR file signing screenshot

Does this affect EBS environments?
Yes. This applies to Java 6, 7, and 8 used in EBS 12.1 and 12.2.  Oracle E-Business Suite uses Java, notably for running Forms-based content via the Java Runtime Environment (JRE) browser plug-in.  Java-based content is delivered in JAR files.  Customers must sign E-Business Suite JAR files with a code signing certificate from a trusted Certificate Authority (CA). 
A code signing certificate from a Trusted CA is required to sign your Java content securely. It allows you to deliver signed code from your server (e.g. JAR files) to users desktops and verifying you as the publisher and trusted provider of that code and also verifies that the code has not been altered. A single code signing certificate allows you to verify any amount of code across multiple EBS environments. This is a different type of certificate to the commonly used SSL certificate which is used to authorize a server on a per environment basis. You cannot use an SSL certificate for the purpose of signing jar files. 
Instructions on how to sign EBS JARs are published here:
Where can I get more information?
Oracle's plans for changes to the security algorithms and associated policies/settings in the Oracle Java Runtime Environment (JRE) and Java SE Development Kit (JDK) are published here:
More information about Java security is available here:
Getting help
If you have questions about Java Security, please log a Service Request with Java Support.
If you need assistance with the steps for signing EBS JAR files, please log a Service Request against the "Oracle Applications Technology Stack (TXK)" > "Java."

Disclaimer
The preceding is intended to outline our general product direction.  It is intended for information purposes only, and may not be incorporated into any contract.   It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decision.  The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle

No hay comentarios:

Publicar un comentario

Te agradezco tus comentarios. Te esperamos de vuelta.