
How to Sign EBS Jar Files Using DigiCert’s HSM

As of June 1, 2023, reputable third-party Certificate Authorities began issuing new code signing certificates based on Hardware Security Modules (HSMs) or tokens. For Oracle E-Business Suite (EBS) users, this change requires a specific setup to continue signing jar files securely. Although Oracle provides guidelines via Doc ID 2806640.1, these do not cover the initial configuration of an HSM. This blog post will guide you through the process of setting up an HSM issued by DigiCert, providing detailed instructions to ensure a smooth setup.

1. Provisioning Options

Start by logging into your DigiCert CertCentral account and selecting “DigiCert KeyLocker (Cloud HSM)” as the provisioning method on the request form.

2. Creating a Token

Navigate to your Account homepage, click on “Profile,” then “Admin Profile,” and create an API token by clicking “Create” under the API Tokens section. Be sure to copy the token code, as it will be necessary during the setup of DigiCert on your system.

3. Create a Client Authentication Certificate

From the Manager Menu, select “KeyLocker,” then click on “Create” to generate your client authentication certificate. Provide the necessary details such as Nickname, desired validity date, and encryption options, then click “Generate.” Save the prompted password and download the certificate.

4. Setting up KeyLocker Client Tools

Choose the appropriate operating system (Windows or Linux) and download the required tools. For this guide, we’ll assume Linux is the operating system in use.

  1. Unzip KeyLocker Tools:
    tar -zxf Keylockertools-linux-x64.tar.gz
  2. Unzip JDK:
    tar -zxf jdk-8u202-linux-x64.tar.gz
  3. Unzip Certificate:
    unzip Certificate_pkcs12.zip
  4. Create an Environment File: Define necessary environment variables such as JAVA_HOME, SM_API_KEY, and others required for the setup. Source the environment file and verify the Java path and version to ensure they are correctly configured.
  5. Perform a Health Check: Use the smctl command to check the status and credentials, ensuring the setup is properly connected and ready for use.

5. Signing the Jar Files

Generate a list of jar files that need to be signed by running ADADMIN and selecting the appropriate options. If the list contains only one entry, combine it with a backup list to ensure all necessary jar files are included. Before signing, back up these jar files.

To remove the previously signed EBS signature:

zip -d "${jar}" 'META-INF/*.SF' 'META-INF/*.RSA'

6. Preparing the Jar Files for Signing

Use the jarsigner command with appropriate arguments to sign the jar files, specifying the path to the PKCS11 properties configuration file and the key to be used for signing.

7. Verifying the Signed Jar Files

Verify the newly signed jar files using the jarsigner -verify command to ensure they have been signed correctly and contain the proper signatures.

8. Moving the Signed Jar Files

After signing, move the signed jar files back to their original location and restart the necessary services.
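
Steps 5 through 8 can be chained so that an original jar is replaced only after its re-signed copy verifies. The script below is an added example, not part of the original post or of DigiCert's or Oracle's tooling; PKCS11_CFG, KEY_ALIAS, WORK_DIR and the list-file format are placeholders to adapt to your environment.

```sh
#!/bin/sh
# Added example (not from the post). Placeholders: PKCS11_CFG, KEY_ALIAS, WORK_DIR;
# the list file is assumed to hold one jar path per line.
PKCS11_CFG="${PKCS11_CFG:-/path/to/pkcs11properties.cfg}"
KEY_ALIAS="${KEY_ALIAS:-KEYPAIR_ALIAS_PLACEHOLDER}"
WORK_DIR="${WORK_DIR:-./jar_signing_work}"

# Remove the previous signature; zip exit status 12 means nothing matched.
strip_signature() {
    strip_rc=0
    zip -q -d "$1" 'META-INF/*.SF' 'META-INF/*.RSA' || strip_rc=$?
    [ "$strip_rc" -eq 0 ] || [ "$strip_rc" -eq 12 ]
}

# Sign in place; the private key stays in the HSM behind the PKCS11 provider.
sign_jar() {
    jarsigner -keystore NONE -storetype PKCS11 -storepass NONE \
        -providerClass sun.security.pkcs11.SunPKCS11 -providerArg "$PKCS11_CFG" \
        "$1" "$KEY_ALIAS"
}

# jarsigner -verify can exit 0 for an unsigned jar, so require "jar verified" too.
verify_jar() {
    verify_out=$(jarsigner -verify -strict "$1" 2>&1) || return 1
    printf '%s\n' "$verify_out" | grep -q 'jar verified'
}

# Back up, then strip, sign and verify a copy; replace the original only on success.
resign_jar() {
    src=$1
    name=$(printf '%s' "$src" | tr '/' '_')   # flatten the path to avoid name clashes
    mkdir -p "$WORK_DIR/backup" "$WORK_DIR/signed" || return 1
    cp -p "$src" "$WORK_DIR/backup/$name" || return 1
    cp -p "$src" "$WORK_DIR/signed/$name" || return 1
    strip_signature "$WORK_DIR/signed/$name" || return 1
    sign_jar "$WORK_DIR/signed/$name" || return 1
    verify_jar "$WORK_DIR/signed/$name" || return 1
    mv "$WORK_DIR/signed/$name" "$src"
}

# Process every jar in the list file; returns 1 if any jar failed.
resign_list() {
    failed=0
    while IFS= read -r jar_path; do
        [ -n "$jar_path" ] || continue
        resign_jar "$jar_path" </dev/null || { echo "FAILED: $jar_path" >&2; failed=1; }
    done < "$1"
    return "$failed"
}
```

After sourcing the environment file, call `resign_list /path/to/jar_list.txt`; any jar reported as FAILED keeps its original contents, and its untouched copy remains under the backup directory.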

Conclusion

Signing EBS jar files with DigiCert’s HSM involves several steps, but with the right guidance, it can be accomplished smoothly. If you find this process overwhelming, consider partnering with a specialized service provider like Apps Associates to assist you with all your EBS needs. By following these steps, you can ensure the security and integrity of your EBS applications while complying with industry standards and best practices.