IMPORTANT: To bypass any Java security warning message, it is strongly recommended to sign all custom jar files (all of the jar files beginning with “frm” are already signed by Oracle and should NOT be updated in any way) with trusted X.509 certificates. Having all jar files signed with trusted certificates will eliminate the Java security warnings as well as to keep your PC and server safe from any security vulnerabilities. The below article is for knowledge purposes only and should NOT be used in production environments or any PCs which have access to the Internet. PITSS will not be held responsible for malware that may enter your PC or server when applying the below JRE security settings; use at your own risk!
The main issue and largest question from customers is why do they get the following warning-prompt-box:
Firstly, this issue can be completely bypassed by importing the certificate that the customer’s jar files were signed with into the end-client’s JRE trusted certificates file (“trusted.certs”). No Java Warning Prompt will occur once the certificate is loaded into the JRE. Steps on how to do this are below. However doing this requires a customer’s system admin team to be involved, so they can modify every one of their end-client’s JRE’s. Thus, the second recommendation.
Secondly, there will be times when an end-client can’t have their JRE loaded with the proper settings without manual interaction. Thus actually clicking through the prompt. However, if the any jar files are not signed with a X.509 Certificate, JRE’s default action is to cancel running the jar file, thus interrupt Forms’ ability to run properly. Therefore, it is recommend to sign all jar files with an X.509 Certificate, so that if this warning does occur, the user can be assured, that the jar file has been signed with a certificate that is verified by a major Certificate Authority.
How to Configure JRE Security
- Retrieve Certificate File. If the customer is using X.509, the security or system admin will know where this is. Once you have the file continue on to step 3. If you deployed jar files with a self-signed certificate, continue onto step 2.
- (Conditional step) Complete this step only if you sign your jar files with a self-signed certificate.
- Login to your application server where Forms runs.
- Open a command-line tool
- Verify your JDK’s bin directory path is in your PATH environment variable.
- Navigate to where your keystore is. If you don’t know where the certificate is and you use sign_webutil.bat/sh, the location of the keystore will be in the sign_webutil script.
When looking in sign_webutil, retrieve your alias and keystore password as well. - Run the following command to export the certificate from the keystore:
keytool -export -alias KeystoreAliasName -file NewCertificateFileName.crt -keystore NameOfKeystore.jks - The command above will export your certificate to a certificate file.
- Login to a end-client-machine that you wish to configure. Locate your “trusted.certs” file of your JRE.
- For example, on Win 7, with username johndoe, the path would be C:\Users\johndoe\AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs
- On Windows XP, with username johndoe, the path would be C:\Documents and Settings\johndoe\Application Data\Sun\Java\Deployment\security (NOTE: If security does not exist, the cache directory can also be used)
- NOTE: The AppData/Application Data directory is hidden. You may need to type it in the taskbar on the top of Windows Explorer.
- Copy the certificate to the filesystem on the client-machine
- Open Command line on the client-machine
- Navigate to the directory where the certificate is loaded.
- Load Certificate into the JRE Trusted Certificates Store. See the following command example to load the certificate into your JRE’s trusted certificate store:
- Windows 7: keytool -importcert -file CertificateFileName.crt -keystore C:\Users\johndoe\AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs -storepass “” -noprompt -v
- Windows XP: keytool -import -file CertificateFileName.crt -keystore “C:\Documents and Settings\johndoe\Application Data\Sun\Java\Deployment\security\trusted.certs” -storepass “” -noprompt -v
- The command above should load in the certificate successfully.
- Test your changes.
