IMPORTANT: Downloading JDK and JRE 7 from My Oracle Support requires an account with My Oracle Support.

As of July 14, 2015, JDK 7 and JRE 7 are no longer available for public download. Although the latest version of Oracle Forms, version 11.1.2.2.0 (11gR2) is supported to use JRE 8, it is currently NOT supported to use JDK 8 for Oracle Forms and Reports 11gR2 as well as for other Fusion Middleware products such as ADF (11g and 12c) and OHS (11g and 12c). However, as public downloads for Java 7 are no longer available, there are only two options to download JDK 7.

One method (requires an Oracle account) is to use the Oracle Java Archive: http://www.oracle.com/technetwork/java/archive-139210.html

The second method involves downloading the JDK and JRE from My Oracle Support. The following steps will explain how you can download the latest JDK and JRE 7 from My Oracle Support:

  1. Log into https://support.oracle.com using your My Oracle Support account.
  2. Go to Patches & Updates
  3. Search for the following patches:
    1. JDK/JRE 7u79: 20418638
    2. JDK/JRE 7u80: 20418657
    3. Specify the OS platform of your server environment
  4. Select the Patch number on the left side of the table
  5. Click “Download”
  6. Click the name of the zip file to download it.

Once the JDK and JRE are downloaded, you should be able to find both the JDK and the JRE for the particular OS you selected.


Running WebLogic domains, especially when one server hosts multiple WebLogic domains (for ADF, Forms, OAM, etc.), requires a server with enough resources to handle all the processes required for WebLogic and all of the Oracle Fusion Middleware components. In Linux, it is not just the amount of available RAM that can prevent additional services, including WebLogic servers, from starting, but also the maximum number of user processes a specific OS user can have (ulimit -u). If the OS user, e.g. oracle, reaches the maximum user process limit when attempting to start a WebLogic server, WebLogic will fail to start with the following error:

“java.lang.OutOfMemoryError: unable to create new native thread”

Other errors may also (but not always) occur on the server, to the point where you are unable to run anything in the shell or start a new SSH terminal (unless you use the exec command), due to the following error:

“-bash: fork: retry: Resource temporarily unavailable”


To solve this problem, you will need to increase the maximum user process limit for the OS user who is starting WebLogic. To increase the limit, please follow these steps:

1. Check the current maximum user process limit by running ulimit -u

2. Log into the server as root

3. Go to /etc/security and make a backup of limits.conf

4. Open up limits.conf in VI

5. At the end of the file, add the following line:

<OS_USER> - nproc # (where # is a value higher than what you currently have set under ulimit -u)

Example: oracle - nproc 4096


6. Save and close the file.

7. Close all SSH windows and log back into the server.

8. Verify the change by running ulimit -u. The value should have increased. If not, please reboot the Linux server.

9. If you were trying to start any managed WebLogic servers at the time of the error, please restart any associated AdminServers and Node Managers.

After applying the steps above, you should be able to start up WebLogic normally.
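
On Linux the nproc limit counts threads as well as processes, which is why a JVM hits it while creating a native thread. The script below is an added example, not part of the original article: it validates the user's nproc entry in limits.conf-format text and reports the threads currently in use. The sample file contents are constructed, only user-specific lines are considered, and a procps-style ps is assumed.

```sh
#!/bin/sh
# Added example: check the nproc entry for one OS user.

# Print the soft nproc value (the one ulimit -u reports) configured for
# user $1 in limits file $2.
# Exit status: 0 valid entry found, 1 no soft entry, 2 malformed entry.
nproc_limit_for() {
    awk -v user="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        $1 == user && $3 == "nproc" {
            # <type> must be soft, hard or a plain ASCII hyphen (= both).
            # A typographic dash pasted from a web page lands here as bad.
            if ($2 != "soft" && $2 != "hard" && $2 != "-") { bad = 1; next }
            if ($4 !~ /^[0-9]+$/ && $4 != "unlimited")     { bad = 1; next }
            # Later user-specific lines override earlier ones.
            if ($2 != "hard") { value = $4; found = 1 }
        }
        END {
            if (found) print value
            if (bad) exit 2
            if (!found) exit 1
        }
    ' "$2"
}

# Count threads (LWPs) owned by user $1; each one counts against nproc.
threads_in_use() {
    ps -L -u "$1" -o lwp= 2>/dev/null | wc -l | tr -d ' '
}

# Print a one-line verdict for user $1 using limits file $2.
nproc_report() {
    limit=$(nproc_limit_for "$1" "$2") && rc=0 || rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "$1: malformed nproc line in $2"; return 2
    fi
    if [ "$rc" -eq 1 ]; then
        echo "$1: no soft nproc entry in $2"; return 1
    fi
    used=$(threads_in_use "$1")
    echo "$1: $used threads in use, configured soft limit $limit"
}

# Constructed sample standing in for /etc/security/limits.conf.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# <domain> <type> <item> <value>
*        soft   nproc  1024
oracle   -      nproc  4096
EOF
nproc_report oracle "$sample"
rm -f "$sample"
```

Run nproc_report against the real /etc/security/limits.conf after step 6 and before logging out, so a malformed line is caught while the root session is still open.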

By default, when Oracle WebLogic Server uses HTTPS for secure connections such as for Forms and Reports, SSL (Secure Sockets Layer) v3.0 and TLS (Transport Layer Security) v1.0 are configured. SSL is the original protocol used for secure connections via HTTPS, whereas TLS is the newer, more secure protocol. In recent months, a security vulnerability known as Poodle, “Padding Oracle On Downgraded Legacy Encryption”, was discovered. In summary, Poodle is a “man-in-the-middle” exploit which can allow hackers to view encrypted information. More information on Poodle can be found on Oracle’s website: http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html

The vulnerability exists in SSL v3.0, which is commonly used as the secure protocol for HTTPS connections to Oracle WebLogic Server. However, the TLS protocol does not contain this vulnerability. If WebLogic is configured for both (it is by default) and the end-user’s Web browser has SSL v3.0 and TLS v1.0 both enabled, there is a possibility that the WebLogic connection via HTTPS may be made using SSL v3.0 instead of TLS v1.0. A WebLogic connection is defined as any connection going to an application (JSP, Forms & Reports, ADF, Discoverer, etc.) which is deployed in Oracle WebLogic Server.

The best approach is to configure WebLogic to only use TLS v1.0. With this, all end-users will be forced to use TLS 1.0 on all HTTPS connections to the WebLogic server whether it is used for running deployed JSP applications, Oracle Forms and Reports applications, Oracle ADF applications, or other Oracle Fusion Middleware applications. The changes are quick and easy to deploy. Also, no new SSL/TLS certificates will need to be created. Implementing TLS v1.0 only for WebLogic can be done with these steps:

1. Log into the WebLogic Administration Console (Example: http://server.domain:7001/console)

2. Log in with the weblogic username and password

3. Go to Environment –> Servers


4. Select a WebLogic server where SSL has been set up. We’ll use WLS_FORMS as an example.


5. In the top-left corner, click “Lock & Edit”.


6. Make sure the Configuration tab is enabled. Select the “Server Start” sub-tab.


7. In the Arguments section, type in the following parameter:

-Dweblogic.security.SSL.protocolVersion=TLS1

NOTE: This will force the WebLogic server to use TLS instead of SSL.

When finished, click the “Save” button.


8. For any other WebLogic servers using SSL/TLS, repeat steps 4-7 (except for step 5 as you will be in “Lock & Edit” mode already).

9. In the top-left corner, click “Activate Changes” to apply all changes.


10. If any WebLogic servers which had the changes applied are currently running, they will need to be restarted using the Admin Console. If this includes the AdminServer, you will need to use WLST to start up the AdminServer as you will not be able to use the Admin Console if the AdminServer is down.
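
Step 8 has to be repeated by hand for every server, so one is easily missed. The script below is an added example, not part of the original article: it reads a domain's config/config.xml and lists each SSL-enabled server whose Server Start arguments lack the flag from step 7. The element names follow the usual config.xml layout and are an assumption here; the sample file is constructed.

```sh
#!/bin/sh
# Added example: list SSL-enabled servers whose Server Start arguments
# lack the protocol flag from step 7.

TLS_FLAG='-Dweblogic.security.SSL.protocolVersion=TLS1'

# Print the name of every <server> in config.xml file $1 that has SSL
# enabled but no TLS_FLAG inside <server-start><arguments>.
servers_missing_tls_flag() {
    awk -v flag="$TLS_FLAG" '
        index($0, "<server>") { in_server = 1; name = ""; ssl = 0; ok = 0 }
        # The first <name> after <server> is the server name; nested
        # elements such as <ssl> may repeat it.
        in_server && name == "" && match($0, /<name>[^<]*<\/name>/) {
            name = substr($0, RSTART + 6, RLENGTH - 13)
        }
        in_server && index($0, "<ssl>")                  { in_ssl = 1 }
        in_ssl && index($0, "<enabled>true</enabled>")   { ssl = 1 }
        index($0, "</ssl>")                              { in_ssl = 0 }
        in_server && index($0, "<arguments>")            { in_args = 1 }
        in_args && index($0, flag)                       { ok = 1 }
        index($0, "</arguments>")                        { in_args = 0 }
        index($0, "</server>") {
            if (in_server && ssl && !ok) print name
            in_server = 0
        }
    ' "$1"
}

# Constructed sample shaped like a domain config.xml (not a real domain).
write_sample_config() {
    cat > "$1" <<'EOF'
<domain>
  <server>
    <name>AdminServer</name>
    <ssl><name>AdminServer</name><enabled>true</enabled></ssl>
    <server-start><arguments>-Xmx512m</arguments></server-start>
  </server>
  <server>
    <name>WLS_FORMS</name>
    <ssl>
      <enabled>true</enabled>
      <listen-port>9002</listen-port>
    </ssl>
    <server-start>
      <arguments>-Xmx1g -Dweblogic.security.SSL.protocolVersion=TLS1</arguments>
    </server-start>
  </server>
  <server>
    <name>WLS_REPORTS</name>
    <listen-port>9003</listen-port>
  </server>
</domain>
EOF
}

cfg=$(mktemp)
write_sample_config "$cfg"
echo "SSL-enabled servers without $TLS_FLAG:"
servers_missing_tls_flag "$cfg"
rm -f "$cfg"
```

Server Start arguments are applied only when Node Manager starts the server, so a server launched from a start script needs the same flag passed on its own command line.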

Now that WebLogic is configured for TLS v1.0, all end users will need to make sure that TLS 1.0 is enabled in their Web browsers:

Internet Explorer:

NOTE: It is likely that TLS 1.0 is enabled in Internet Explorer, but it is recommended to check anyway.

Go to Tools –> Internet Options (or simply Internet Options from the menu in the top-right corner).

In the Advanced tab, scroll down to the Security section. Make sure “Use TLS 1.0” is enabled.

Mozilla Firefox and Google Chrome:

All current releases of Firefox and Chrome have at least TLS 1.0 already enabled.

After applying the steps above, you should be using TLS when running anything on the WebLogic server (JSP applications, ADF applications, Forms, etc.) using the HTTPS protocol.

Source: Oracle Support note 1936300.1

There is a potentially confusing configuration setting in JDeveloper, when selecting “Android SDK Location” under “Preferences > ADF Mobile > Platforms > Android”. JDeveloper suggests to select a path like “%Root_Path%/Android/android-sdk”. However, if you select the path as suggested (with the latest version of Android), you will be greeted with the following warning message in JDeveloper: “Unable to locate Android SDK in the specified location %some_path%. Do you want to use the specified Android SDK location anyway?”

This is because later versions of the Android SDK (ADT bundle) moved the SDK Home to the “Android/android-sdk/sdk” directory instead of “Android/android-sdk”, as shown below.

Selecting the proper SDK location lets you continue error free.

You might run into an ADF Mobile deployment error below:

Cannot run program “… platform-tools\aapt”

CreateProcess error=2, The system cannot find the file specified.

The cause of the error was that the “Android SDK Tools” was updated from Rev. 21.1 to Rev 22. 

 

The reason Rev. 22 causes the error is more on the side of JDeveloper. Rev. 22 moved aapt.exe to a different directory, and you cannot configure where JDeveloper looks for this executable.

To fix the issue, take your SDK version back to Rev. 21.1 by extracting the Rev. 21.1 zip. You will have to re-install the Android APIs, but it shouldn’t take long to get set up again. However, if you want to use Rev. 22, copy the contents of %SDK_Home%/build-tools/android-4.2.2 to %SDK_Home%/platform-tools.

Until Oracle changes how JDeveloper can find the binary, you can use this workaround!

 

Update (05/21/2013): Per Chris Muir, ADF Product Manager, this issue has been officially logged at Oracle as a bug 168376554. You can monitor the status of this bug in My Oracle Support (http://support.oracle.com) – as long as you have access to viewing Oracle Bugs.
Source: https://blogs.oracle.com/onesizedoesntfitall/entry/adf_mobile_deploying_to_android

 

The latest release of JDeveloper, 11.1.2.4, brought some new issues to address in the installation process. Below is a guide to making your JDeveloper 11.1.2.4 installation a breeze.

  1. Download and install JDK 1.6.0_39 or higher. I installed JDK 1.6.0_43.
    Java Download Location: http://www.oracle.com/technetwork/java/javasebusiness/downloads/java-archive-downloads-javase6-419409.html
    Note: Even if you download the JDeveloper installation kit with a bundled JDK, the bundled JDK will not work. This is because Oracle bundled an unsupported JDK version. Installing the wrong JDK will result in an error message when trying to start up JDeveloper.

  2. Download the JDeveloper 11.1.2.4 release that applies to your system. If you do not know which type to get, the “Generic” installer will always work.
    Download location: http://www.oracle.com/technetwork/developer-tools/jdev/downloads/index.html
    Note: Mac OS X users must download the “Generic” Installer.

  3. Start up the JDeveloper 11.1.2.4 Installer
    For those who downloaded the Windows JDeveloper installation kit, simply double-click the “jdevstudio11124install.exe” installer.
    For “generic” jar folks: either double-click the jar, or run the command “%JAVA_JDK_HOME%/bin/java -jar name_of_jar_file.jar” in your command-line utility.
    Note: %JAVA_JDK_HOME% should be replaced with the actual file system installation path of your JDK 6.

  4. Choose your Middleware Home Directory. Make sure the directory you choose is clean/empty. For instance, I have multiple JDevelopers installed, so I have a separate middleware home for each JDeveloper install to keep each environment clean.

  5. At the “Choose Install Type” screen, select “Custom“.

  6. At the “Products and Components” screen, leave all options checked unless you have a preference otherwise.

  7. The following steps are very important, please follow carefully!
  8. At the “JDK Selection” screen, uncheck the SUN JDK 1.6.0_24. (It’s not supported to run JDeveloper 11.1.2.4!)

  9. In the “JDK Selection” screen, click “Browse” to locate the JAVA_HOME of your JDK 1.6.0_39+. Click “Select” on the JDK Home.

  10. After selecting your JDK Home, your JDK should show up under “Local JDK”, as shown below. You can now proceed to the next screen!
  11. Confirm your “Product Installation Directories”, then click through the rest of the installer and you have a vanilla installation!


Important For ADF Mobile Developers:

  1. Use the JDeveloper “Help > Check for Updates” utility to download the ADF Mobile Bundle – it’s quick and easy to do.
  2. If you are developing native OS apps for Android devices, you need to go into your Android SDK Manager and download the “Google Cloud Messaging for Android Library”, as shown below.

    If you do not download this SDK component, you’ll be greeted with deployment errors in JDeveloper:
    Failed to locate the Google Cloud Messaging for Android Library file named “gcm.jar”. (oracle.adfmf.framework.dt.deploy.android.deployers.ValidatePreferencesDeployer)

 

 

If you have any questions, please contact PITSS.

 

If you are new to JDeveloper and ADF, then it is recommended to read the book “Quick Start Guide to Oracle Fusion Development: Oracle JDeveloper and Oracle ADF” http://www.amazon.com/Quick-Start-Oracle-Fusion-Development/dp/0071744282. It covers all of the basic areas of JDeveloper and ADF, including the topics discussed below.

While you can define a lot of application logic via JDeveloper/ADF declarative components, most logic that you need to add needs to be coded in Java. This is where AM, VO, and EO implementation classes and managed/backing beans come into play.

Every application has business logic and user interface logic. Web development in general has settled on a standard way of developing this logic, which separates application objects into four basic layers: Data Services, followed by Model, View, Controller (MVC).

  • Data Services: Database, Web Services, XML Data, etc…
  • Model: Place for queries, C.R.U.D. operations, and any additional business logic
  • View: user interface objects
  • Controller: Determines how user interface objects interact with one another.


Especially in the object-oriented world that programming has become, separating your application logic and objects and making them reusable is key to a well-structured and maintainable application. The MVC application architecture allows you to accomplish that goal.

Before we talk about what and how you would use java implementation classes of each Model layer object (AM, EO, VO), you need to understand the use and significance behind each object.

Entity Objects (EO) are the source code representation of a database table. This is ultimately the layer that executes the insert, update, and delete commands against the database, however, an entity view object will need to present the EO.

View Objects (VO) are read-only database queries or updatable view objects that represent an EO. All VOs are what are ultimately exposed as data controls in your Application Module – so that you can generate tables, forms, and other data-bound objects in your JSF pages.

Application Modules (AM) are what allow the ADF application to expose VOs and any other custom Java business logic to a JSF page. For example, say you have an employees database table for which you have set up an EO and VO. You can add the VO to your AM as a data control, so that you can generate an Employee insert or update form on your JSF pages. Basically, Application Modules are the glue that allows your JSF pages to view the data of a view object.

You can generate implementation classes on all three of these objects (EO, VO, and AM). When it comes to implementation classes, AM and VO implementation classes are used the most often. Keep in mind these are very basic examples; you can do so much more with these classes:

  • EO: Unless you need to change how records are literally inserted, updated, or deleted, there is almost no need to use these. Once you start getting familiar with how the EO, VO, and AMs work, you’ll understand.


  • VO:
    • ViewObjectImplementation Class: This gives you a comprehensive ability to change how your ViewObject is defined, how it queries an entity object or database, and how it functions in general.
      For example, say you want to set a bind variable that is used in your View Object Query. ViewObjectImplementation classes give you the methods to set those bind variables.
    • ViewObjectRowImplementation Class: This gives you the ability to change how the data of your view object attributes are set and retrieved.
      For example, say you have a Project Task table where you have a Start Date, End Date, and Task Duration column. You want Task Duration to be  (Start Date – End Date). RowImplementation Classes allow you to calculate (Start Date – End Date) and set the Task Duration Column.

  • AM:
    • Application Module [Implementation] Class:  This gives you comprehensive access to all of the data controls (View Objects) that you added to your AM. In addition, if you need to add any custom business logic, this is the recommended place to “initiate” that logic.
      For example, you can write a custom procedure to move data around or do advanced calculations in your Application Module Implementation class and expose them as a Data Control, so that you can use the data control on your JSF pages.
    • There are additional classes like “Client Interface” and “Client Class”; however, all you need to know about these is that they allow you to expose custom methods written in your Application Module Implementation class as a data control.



This article was written to quickly address, on the high level, many questions surrounding the use of implementation classes. More in-depth and comprehensive examples will be written in the PITSS knowledge base in the days to come.

Oracle ADF 11.1.2.2.0 Requirements

1.     Software Requirements

1.1.    Java JDK 1.6.0_29

1.1.1. Go to http://java.sun.com/products/archive/j2se/6u29/index.html

1.1.2. Click “Java SE 6:”

1.1.3. Click “Java SE Development Kit 6u29”

1.1.4. Please download and install the JDK that applies to your OS.


1.2.    WebLogic 10.3.5

1.2.1. Can be downloaded from: http://www.oracle.com/technetwork/middleware/ias/downloads/wls-main-097127.html

1.2.2. After accepting the license agreement, scroll down to Oracle WebLogic Server 10.3.5. Do NOT install 12c. You will see a plus box next to “Oracle Weblogic Server 10.3.5”. Click the plus box next to “See all files” and more options will be available.


1.2.3. The “Oracle WebLogic Server 11gR1 (10.3.5) + Coherence Package Installer” is the recommended installer of choice.

1.2.4. Please download the file that corresponds to your system OS.  For 64-bit Windows or 64-bit Linux Installations, the “Generic” Installer will need to be downloaded.

NOTE: The Generic location where the bubble states “64-bit Windows” is also used for 64-bit Linux.

 


1.3.    Oracle Application Development Framework (ADF) 11.1.1.6.0

1.3.1. Can be downloaded from:

http://www.oracle.com/technetwork/developer-tools/adf/downloads/index.html

1.3.2. After accepting the license agreement, please download the setup file in the “Application Development Runtime” section.

 


1.4.    Oracle ADF 11.1.2.2.0 Patch Set 1

The following steps will help guide you through Oracle’s Support website to find the Oracle ADF 11.1.2.2.0 Patch set. This is the only Oracle Website location where the patch set can be downloaded.

 

1.4.1. Go to support.oracle.com

1.4.2. Log in with your Oracle OTN login that has your organization’s “oracle support identifier” that lets you download “Patches & Updates”

1.4.3. Click on “Patches & Updates”


1.4.4. In the Patch Search window, type in 13656274 for the patch number. Click Search.


1.4.5. In the Patch Search Results, only one patch should appear. Click on the patch number.


1.4.6. After clicking the patch number, click the Download button.


1.4.7. Click on the zip file to download the file. You should be able to download the patch successfully.


1.5.    Oracle ADF 11.1.2.2.0 Patch Set 2

The following steps will help guide you through Oracle’s Support website to find the Oracle ADF 11.1.2.2.0 Patch set. This is the only Oracle Website location where the patch set can be downloaded.

 

1.5.1. Go to support.oracle.com

1.5.2. Log in with your Oracle OTN login that has your organization’s “oracle support identifier” that lets you download “Patches & Updates”

1.5.3. Click on “Patches & Updates”


1.5.4. In the Patch Search window, type in 13656372 for the patch number. Click Search.


1.5.5. In the Patch Search Results, only one patch should appear. Click on the patch number.


1.5.6. After clicking the patch number, click the Download button.


1.5.7. Click on the zip file to download the file. You should be able to download the patch successfully.


If you have any questions on the above, please contact PITSS.

Java Key Store Configuration and SSL Support of WebLogic 11g.

A Walkthrough Guide For Jar File Administration Tasks: Java Key Store creation and Jar Configuration to enable SSL functionality of WebLogic 11g.

 

Table of Contents

1       Introduction.

2       Step-by-Step Documentation.

2.1         Check your PATH Environment Settings.

2.2         Create Identity Keystore.

2.3         Create CSR.

2.4         Send the CSR to Your Certificate Authority.

2.5         Optional: Extract Certificates From Bundled Certificate File.

2.6         Create Full Certificate Chain.

2.7         Conditional: Create Trusted Certificate Chain.

2.8         Import Certificates into Identity Keystore.

2.9         Optional: Trust Keystore Configuration for SSL Implementation.

3       Jar Signing.

3.1         Sign your jar file(s).

3.2         Verify your signed jar files.

4       Working with Jar Files.

4.1         High level Jar Creation/Updating and Signing Processes.

4.2         Create a Jar file.

4.3         Update a Jar File.

5       How to Setup SSL on Oracle WebLogic Server 11g.

5.1         Pre-checks.

5.2         Logon to the Admin Server’s Admin Console.

5.3         Open a server’s configuration panel.

5.4         Enable the SSL Listening Port.

5.5         Install Identity and Trust Keystore(s).

5.6         Configure SSL.

5.7         Activate Changes and Reboot Server(s).

6       How to Setup SSL on Oracle HTTP Server 11g.

6.1         Pre-checks.

6.2         Convert JKS to Oracle Wallet.

6.3         Configure OHS to use new Wallet.

7       Conditional: Install Certificate Authority Certificates on Browser.

1         Introduction

The following documentation provides step-by-step instructions on how to create a Java Key store, Certificate Signing Request (CSR), Import SSL certificates into your key store, sign jar files with the respective certificates, and setup SSL on WebLogic and Oracle HTTP Server (OHS). The following steps account for PKCS#7 encoded certificates and certificates sent via text format.

Note: If your certificate authority sends you another type of certificate, such as PKCS#12 certificates, the key store configuration process will be different.

Each step will show you an example of the various commands and a detailed explanation of the required/recommended arguments for each command. The example commands listed below should not be run as-is in your server environment(s); use them as examples and tailor them so that they apply to your server environment.

2         Step-by-Step Documentation

2.1       Check your PATH Environment Settings

Before the JDK keystore and jar signing utilities can be used, the JDK’s bin path must be included in your PATH variable and be listed before any other JDKs. The JDK that is used to run your WebLogic servers should be used for this process.

2.2       Create Identity Keystore

An identity keystore must be created. Please refer to the example command below along with descriptions of the respective arguments.**

Please see the following example command:

keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore example.jks -validity 1095 -dname "CN=*.example.com,OU=System Admin, O=PITSS, L=Troy, ST=Michigan, C=us"

Arguments:

·         -genkey: Required. This tells keytool to create a keystore with a private key.

·         -alias: Required. This creates a name for the identity keystore that is created within your java keystore.

·         -keysize: Optional, but recommended. This specifies the key size for the encryption algorithm. Default size is 1024; it is recommended to use a key size of at least 2048.
Note: The encryption key size must be a multiple of 64.

·         -keyalg:  Optional, but recommended. This specifies the encryption algorithm type. The default is DSA; it is recommended to use RSA.

·         -keystore: Required. This tells keytool what filename to create the keystore under.

·         -validity: Optional, but recommended. This specifies the validity period, in days, of the default self-signed certificate that is generated when your keystore is first created. Default is 90 days. It is recommended to use a validity period which reflects your trusted certificates produced by your Certificate Authority (CA).

·         -dname: Optional but recommended. This specifies what you would like for your values to be for CN (Common Name), OU (Organizational Unit), O (Organization), L (Location: City), ST (State), C (Country).

o   If the -dname argument is not provided with the values mentioned above, you will be prompted by the keytool program to enter them.

o   For CN, depending on your certificate authority and how your end-users will access your application(s), you can use one of the following values listed below. Please use the option that suits your server architecture and certificate authority.

§  Domain name without asterisk (my.example.com)

§  Domain name with an asterisk (*.example.com)

§  IP Address

After entering the command above in the command line interface, you will be prompted to enter a password for your keystore, to confirm the keystore password, and to specify a password for the alias you are creating if you want one. It’s recommended to keep the alias password and keystore password the same.

Once the keystore creation process is done successfully, the keystore file will be created with the “jks” file extension, within the current working directory of your command line interface. For instance, if you run the example command above in “/opt/oracle”, your keystore’s full file path will be “/opt/oracle/example.jks”.

** For more information on “keytool” usage please refer to Oracle’s official keytool documentation: http://download.oracle.com/javase/1.4.2/docs/tooldocs/windows/keytool.html

2.3       Create CSR

Please see the following command for creating a CSR. Refer to the argument usage below for how to tailor the command to your requirements.

Run the following command:

keytool -certreq -alias server -keystore example.jks -file example.csr

Arguments:

·         -certreq: Required. This argument tells keytool to create a CSR.

·         -alias: Required. Must be set to the alias name specified during the keystore creation step above. For the current example, this will be “server”.

·         -keystore: Required. This argument tells keytool which keystore file path to use.

·         -file: Optional but recommended. keytool will write the CSR to the specified file path. In the example above, keytool will store the CSR in “example.csr”.

2.4       Send the CSR to Your Certificate Authority

Once your CSR is generated, you must send the CSR to your Certificate Authority to generate your SSL certificate. If you do not have a Certificate Authority, or if you have any questions on Certificate Authorities, please contact PITSS.

2.5       Optional: Extract Certificates From Bundled Certificate File

Some certificate authorities may send your certificates in a bundled certificate file like PKCS#7 or your certificate authority may send you your certificates in plain text.

IMPORTANT: If you received your certificates in plain text, please skip this step. If you received your certificates in a single base encoded file, like PKCS#7 (.p7b), then this step must be followed.

·         On a Windows system, save the certificate file onto your local file system.

·         Open a Windows Explorer window; navigate to the folder containing your base encoded certificate file.

·         Open the p7b file. This will launch Windows Certificate Manager (certmgr).

·         From the Certificates Navigator on the left hand side, please navigate down into the “Certificates” folder.

·         When the “Certificates” folder is selected you should see two or three certificates listed in the Certificate viewer. Depending on your CA, you will have your public key certificate and your Root CA Certificate, and likely an Intermediate CA Certificate. Some certificate authorities will call these certificates “primary” and “secondary” certificates respectively.

·         Right-click each certificate, then click “Export” from the “All Tasks” menu.

·         Please select the “Base-64 encoded X.509” certificate option when prompted for an export file type.

·         Specify the target file name for the certificate file. The following are example filenames for each certificate type.

o   Public key: pub_cert.cer

o   Root CA: root_cert.cer

o   Intermediate CA: inter_cert.cer

2.6       Create Full Certificate Chain

When your certificate authority sends you your certificates, the number of certificates you receive will vary depending on how your certificate authority distributes certificates. However all authorities will give you at least your SSL/X.509 certificate and a root CA certificate.

Some authorities may give you “intermediary” CA certificates, which should be included in your certificate chain. Please refer to the following list on what order certificates must be chained in. Once your chain is completed, you can import that chain into your java keystore.

1.       SSL Certificate

2.       Intermediary CA Certificate(s) (If applicable)

3.       Root CA Certificate

To create a certificate chain, simply concatenate each proper certificate in the respective order above into a blank ASCII text file.

For an example certificate chain, please see the following example. Note the examples below are not actual certificates and are meant for example purposes only.

Certificate: cert.cer

-----BEGIN CERTIFICATE-----
ThisIsMyCert+IGpMQswCQYDVQQGEwJVUzERMA8GA1UECBMITWljaGlnYW4xDTAL
ThisIsMyCert+BhMCVVMxFTATBgNVBAoTDFRoYXd0ZSwgSW5jLjEoMCYGA1UECFE
ThisIsMyCert+cxWGdseaDY4RaH+2wCZgTQgmZ1xV0S19cFj1AMyPLD7zT8EfKki
-----END CERTIFICATE-----

Root CA Certificate: root_ca.cer

-----BEGIN CERTIFICATE-----
ThisIsMyRootCertificate+BAoUEGZvcm1zZXhwZXJ0cy5jb20xEDAOBgNVBAsU
ThisIsMyRootCertificate+AsUJ0ZvciBUZXN0IFB1cnBvc2VzIE9ubHkuICBOb
ThisIsMyRootCertificate+nPjreI9bnhSfh0pkp1Wf4r8Jte3yDB1auvXtyEuz
-----END CERTIFICATE-----

Full Certificate Chain: chain.cer

-----BEGIN CERTIFICATE-----
ThisIsMyCert+IGpMQswCQYDVQQGEwJVUzERMA8GA1UECBMITWljaGlnYW4xDTAL
ThisIsMyCert+BhMCVVMxFTATBgNVBAoTDFRoYXd0ZSwgSW5jLjEoMCYGA1UECFE
ThisIsMyCert+cxWGdseaDY4RaH+2wCZgTQgmZ1xV0S19cFj1AMyPLD7zT8EfKki
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ThisIsMyRootCertificate+BAoUEGZvcm1zZXhwZXJ0cy5jb20xEDAOBgNVBAsU
ThisIsMyRootCertificate+AsUJ0ZvciBUZXN0IFB1cnBvc2VzIE9ubHkuICBOb
ThisIsMyRootCertificate+nPjreI9bnhSfh0pkp1Wf4r8Jte3yDB1auvXtyEuz
-----END CERTIFICATE-----

2.7       Conditional: Create Trusted Certificate Chain

If you plan on setting up your keystore for SSL support on WebLogic and you received multiple CA certificates, this step must be followed. Otherwise, if you only received a Root CA Certificate and your actual certificate, or if you only wish to sign jar files with your keystore, this step can be skipped.

As described in step 2.6, some certificate authorities will give you multiple CA certificates. For example, some authorities will provide an Intermediate CA Certificate with a Root CA Certificate. In that case, you will need to create a trusted certificate chain for use when you create a trust keystore, by chaining the certificates in the following order:

1.       Intermediary CA Certificate

2.       Root CA Certificate

Please see the following example below to create a trusted certificate chain.

Intermediary CA Certificate: inter_ca.cer

-----BEGIN CERTIFICATE-----
IntermediateCertificate+BAoUEGZvcm1zZXhwZXJ0cy5jb20xEDAOBgNVBAsU
IntermediateCertificate+AsUJ0ZvciBUZXN0IFB1cnBvc2VzIE9ubHkuICBOb
IntermediateCertificate+nPjreI9bnhSfh0pkp1Wf4r8Jte3yDB1auvXtyEuz
-----END CERTIFICATE-----

Root CA Certificate: root_ca.cer

—–BEGIN CERTIFICATE—–
ThisIsMyRootCertificate+BAoUEGZvcm1zZXhwZXJ0cy5jb20xEDAOBgNVBAsU
ThisIsMyRootCertificate+AsUJ0ZvciBUZXN0IFB1cnBvc2VzIE9ubHkuICBOb
ThisIsMyRootCertificate+nPjreI9bnhSfh0pkp1Wf4r8Jte3yDB1auvXtyEuz
—–END CERTIFICATE—–

Trusted Certificate Chain: trust_chain.cer

—–BEGIN CERTIFICATE—–
IntermediateCertificate+BAoUEGZvcm1zZXhwZXJ0cy5jb20xEDAOBgNVBAsU
IntermediateCertificate+AsUJ0ZvciBUZXN0IFB1cnBvc2VzIE9ubHkuICBOb
IntermediateCertificate+nPjreI9bnhSfh0pkp1Wf4r8Jte3yDB1auvXtyEuz
—–END CERTIFICATE—–

—–BEGIN CERTIFICATE—–
ThisIsMyRootCertificate+BAoUEGZvcm1zZXhwZXJ0cy5jb20xEDAOBgNVBAsU
ThisIsMyRootCertificate+AsUJ0ZvciBUZXN0IFB1cnBvc2VzIE9ubHkuICBOb
ThisIsMyRootCertificate+nPjreI9bnhSfh0pkp1Wf4r8Jte3yDB1auvXtyEuz
—–END CERTIFICATE—–

2.8       Import Certificates into Identity Keystore

Once you have created your certificate chain, you can import the full certificate chain into your identity keystore from your command line interface.

Run the following command to configure your Identity Keystore:

keytool -import -alias server -file chain.cer -keystore example.jks

Arguments:

·         -import: Required. Tells keytool to import a certificate into the keystore

·         -alias: Required. The value must be the alias name used during the keystore and CSR creation processes.

·         -file: Required. Tells keytool which certificate file to import into the keystore. In the example above, chain.cer is created in step 2.6.

·         -keystore: Required. Tells keytool which keystore to import the certificate into.

2.9       Optional: Trust Keystore Configuration for SSL Implementation

If you need to configure your keystores to support SSL for WebLogic Servers, follow this step to configure your keystores. If you do not need to configure your keystores for SSL support, you may skip this step.

To provide full SSL support, a trust keystore must be created. You can add the trusted keystore onto your existing keystore file or create a new keystore file for your trusted keystores (Oracle Recommended Approach).

Run the following command to create and configure a new trusted keystore:

keytool -alias trust -trustcacerts -import -file root_ca.cer -keystore example_trust.jks

OR – Run the following command to add a trusted keystore into an existing keystore:

keytool -alias truststore -trustcacerts -import -file root_ca.cer -keystore example.jks

Keytool Arguments:

·         -alias: Required. Specify a new alias for your trusted keystore.

·         -trustcacerts: Required. Tells keytool to import a trusted certificate or trusted certificate chain.

·         -import: Required. Tells keytool that you are importing a trusted certificate or trusted certificate chain.

·         -file: Required. Tells keytool the filename of the trusted certificate or trusted certificate chain to import.

·         -keystore: Required. Specify either a new keystore filename (to separate your trusted keystore from identity keystore) or an existing keystore filename to import your trusted keystore into.

3         Jar Signing

3.1       Sign your jar file(s)

Now that your identity keystore has been created, you can sign your jar file(s) with the trusted certificates.

Common jar files to sign are jacob.jar (used by Oracle’s webutil functionality), icon jar files (used by your forms applications), and any other custom built jar files containing images or java code.

Please see the following example to sign a jar file:

jarsigner -keystore example.jks jacob.jar server

Arguments:

·         -keystore: Required. Specify the identity keystore which has your full certificate chain imported. After the keystore, put a space, then the jar file to sign, then the alias name of your identity keystore. Do not use the “-alias” argument for the alias.

Note: all jar files beginning with “frm” in the “%ORACLE_HOME%/forms/java” directory which have the same modified timestamp are jar files developed and signed by Oracle. These are critical runtime jar files that should not be modified or otherwise signed with new certificates, as Oracle will not support an Oracle Forms installation whose runtime jar files have been modified. These jar files are set to expire 2 years after the release date of your installed Oracle Forms release. When the certificates of these jar files expire, it is recommended to patch your Forms release to the most current release.

 

3.2       Verify your signed jar files

After your jar files have been signed, it is recommended to verify that the jar files have been signed with the proper certificates. You can do so by referring to the examples below.

Quick Check Command:

jarsigner -verify -certs file_name.jar

This command gives one line of output indicating whether your jar has been signed, with the two possible results below. However, it does not tell you whether the jar is signed with expired or authorized certificates.

·         “jar verified” Jar is signed with a proper certificate

·         “jar is unsigned. (signatures missing or not parsable)” Jar is not signed with a proper certificate

Verbose Check Command:

jarsigner -verify -certs -verbose file_name.jar > results.log

This command will give you an in-depth analysis of each respective file that has been signed or unsigned and put the results into a results.log file. It will display detailed information on each certificate that is used to sign each individual file within the jar file that is being checked.

4         Working with Jar Files

In Oracle Forms, applications may use jar files containing image files. After these jar files are created, they must be signed with an X.509 certificate before they are deployed to a testing or production server; this process is described above. This section provides a quick reference for how to work with jar files and sign them for production use.

4.1       High level Jar Creation/Updating and Signing Processes

There are common situations where you will have to create or update jar files and then re-sign them. This section covers the high-level process for two of them: creating a new jar file and signing it, and updating an existing jar file with new images and signing it again.

New Jar File and Signing the Jar File:

1.       Use the create new jar file command, inserting your required files into the jar. Please refer to step 4.2.

2.       Sign the jar file. Refer to the jar sign command in step 3.1.

3.       Deploy the jar file to your forms environment(s)

Append new files onto an existing and signed Jar File:

1.       Use the update jar file command, inserting new required files into the jar. Please refer to step 4.3.

2.       Sign the jar file

3.       Deploy the jar file to your forms environment(s)

4.2       Create a Jar file

Refer to the example commands below:

jar cf jar_file.jar input-file(s)

For example, say you have two images (image1.jpg and image2.jpg) that need to be in an app_img.jar file. You would need to run the following command:

jar cf app_img.jar image1.jpg image2.jpg

4.3       Update a Jar File

Refer to the example commands below:

jar uf jar_file.jar input-file(s)

For example, say you need to add one image (image3.jpg) to an existing jar file. You would need to run the following command:

jar uf app_img.jar image3.jpg
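
As an added illustration of why an updated jar must be signed again (this script is not part of the original guide), the Python below compares each entry of a jar with the SHA-256-Digest recorded for it in META-INF/MANIFEST.MF, flagging entries appended after signing as unsigned and changed entries as modified. It assumes SHA-256 digests and checks digests only (jarsigner -verify still performs the signature and certificate checks); the app_img.jar it builds in memory, including the placeholder SERVER.SF, is constructed sample data.

```python
import base64, hashlib, io, zipfile

def sha256_b64(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def parse_manifest(text):
    """Map entry name -> attributes for the per-entry sections of MANIFEST.MF."""
    text = text.replace("\r\n", "\n").replace("\n ", "")    # join 72-byte continuation lines
    entries = {}
    for section in text.split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in section.splitlines() if ": " in line)
        if "Name" in attrs:
            entries[attrs.pop("Name")] = attrs
    return entries

def audit_jar(jar_bytes):
    """Classify each payload entry as 'ok', 'modified' or 'unsigned' (digest check only)."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        has_sf = any(n.upper().startswith("META-INF/") and n.upper().endswith(".SF") for n in names)
        try:
            manifest = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode())
        except KeyError:                                    # jar has no manifest at all
            manifest = {}
        for name in names:
            if name.upper().startswith("META-INF/") or name.endswith("/"):
                continue                                    # metadata and directories carry no digest
            expected = manifest.get(name, {}).get("SHA-256-Digest")
            if not has_sf or expected is None:
                report[name] = "unsigned"
            else:
                report[name] = "ok" if sha256_b64(jar.read(name)) == expected else "modified"
    return report

def build_sample_jar(tamper=False):
    """Constructed sample: app_img.jar signed with two images, then image3.jpg appended."""
    files = {"image1.jpg": b"first image", "image2.jpg": b"second image"}
    manifest = "Manifest-Version: 1.0\r\n\r\n" + "".join(
        f"Name: {n}\r\nSHA-256-Digest: {sha256_b64(d)}\r\n\r\n" for n, d in files.items())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("META-INF/SERVER.SF", "Signature-Version: 1.0\r\n")   # placeholder signature file
        for n, d in files.items():
            jar.writestr(n, d + b"!" if tamper and n == "image2.jpg" else d)
        jar.writestr("image3.jpg", b"third image")          # added after signing, as `jar uf` would
    return buf.getvalue()
```

To audit a jar on disk, pass its bytes to audit_jar, for example audit_jar(open("app_img.jar", "rb").read()).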

5         How to Setup SSL on Oracle WebLogic Server 11g

The following steps will guide you through the SSL setup process on the WebLogic Servers. If your application’s point of entry is via WebLogic Servers and not the Web Tier (OHS) and your requirement is to set up SSL, this section will help you fulfill that requirement.

However if your point of entry for your applications is the Web Tier, then it is recommended to refer to Section 6.

5.1       Pre-checks

Please check that you have the following pre-requisites before proceeding:

·         AdminServer is running

·         Your Identity and Trusted Keystores have been created and configured with X.509 certificates

·         Identify whether your end-user’s internet browsers will accept secure connections from your Certificate Authority. This is most common with internal certificate authorities. If you find that your browsers do not support or accept secure connections from your certificate authority, you will have to import your certificate authority’s Root and Intermediate certificate(s).

5.2       Logon to the Admin Server’s Admin Console

Logon to the Admin Console that is located on your domain’s AdminServer.

Once logged in, click on “Servers”, located under the “Environment” link in the left-hand navigation.

5.3       Open a server’s configuration panel.

Open the server that you are setting up SSL on by clicking on the link with the server’s name.

5.4       Enable the SSL Listening Port

Click the “Lock & Edit” button to enable server changes

Complete the following changes listed below:

·         Optional: Clear out the “Listen Address” property. Clearing out the Listen Address property enables your server to listen on multiple destination host names instead of one.

·         Required: Enable the “SSL Listen Port Enabled” checkbox.

·         Required: Specify an SSL port for your WebLogic Server in the “SSL Listen Port” field.

After your changes are completed, click the  button.

5.5       Install Identity and Trust Keystore(s)

Click on the “Keystores” tab, located under the “Configuration” tab set.

Specify Custom Identity and Custom Trust Settings

·         Click the “Change” button in the “Keystores” field.

·         Select “Custom Identity and Custom Trust” and Save your changes.

Fill out the following Identity Keystore fields:

·         Custom Identity Keystore: Absolute file path of your identity keystore.

·         Custom Identity Keystore Type: Type of keystore. In this case: JKS.

·         Custom Identity Keystore Passphrase: Passphrase specified during the identity keystore creation process.

Fill out the following Trust Keystore fields:

·         Custom Trust Keystore: Absolute file path of your trust keystore.

·         Custom Trust Keystore Type: Type of keystore. In this case: JKS.

·         Custom Trust Keystore Passphrase: Passphrase specified during your trust keystore creation.

Save your changes once the identity and trust keystore fields are completed with the proper changes.

 

5.6       Configure SSL

Please select the “SSL” tab under the “Configuration” tab of the server you are configuring for SSL.

Please fill out the following fields. See below for an example. Save your changes once they are completed.

·         Private Key Alias: the alias name of your Identity Keystore.

·         Private Key Passphrase: the password of your Identity Keystore alias

5.7       Activate Changes and Reboot Server(s)

Once your changes have been completed for the SSL server setup, please “Activate” changes. Once changes are activated, please reboot the server(s) you have set up with SSL.

To reboot WebLogic Servers, please follow these steps:

·         Select “Servers”, under “Environment”.

·         Select the “Control” tab in the server summary page.

·         Please click “Shutdown” and then “Force Shutdown Now”. Click the  icon, to have the server status list automatically updated. Please wait until the server shutdown process is complete.

·         Select the server(s) that have been shutdown, click “Start”. Click the  icon, to have the server status list automatically updated. Please wait until the server(s) say “RUNNING” in the “State” column.

6         How to Setup SSL on Oracle HTTP Server 11g

6.1       Pre-checks

Please check that you have the following pre-requisites before proceeding:

·         AdminServer is running

·         Your Identity and Trusted Keystores have been created and configured with X.509 certificates

·         Identify whether your end-user’s internet browsers will accept secure connections from your Certificate Authority. This is most common with internal certificate authorities. If you find that your browsers do not support or accept secure connections from your certificate authority, you will have to import your certificate authority’s Root and Intermediate certificate(s).

6.2       Convert JKS to Oracle Wallet

·         Open a Command Line Interface

·         Set JAVA_HOME environment variable to your JDK’s JAVA_HOME.

For example, if your jdk is installed in “/opt/oracle/jdk1.6.0_24” or “C:\java\jdk1.6.0_24” that will be your JAVA_HOME value respectively.

To set an environment variable, please use the following examples:

Windows: set JAVA_HOME=C:\java\jdk1.6.0_24

UNIX: export JAVA_HOME=/opt/oracle/jdk1.6.0_24

·         Set MW_HOME environment variable to your Middleware Home

·         Set ORACLE_INSTANCE environment variable to your Oracle Instance Home

·         Create Oracle Wallet – please use the command below as an example (Lines below are to be executed as one command):

%MW_HOME%/oracle_common/bin/orapki wallet create
-wallet %ORACLE_INSTANCE%/config/OHS/ohs1/keystores/%NAME_OF_WALLET%

·         Convert JKS Keystore to PKCS12 – Please use the command below as an example to convert your JKS to Oracle Wallet (Lines below are to be executed as one command):

%MW_HOME%/oracle_common/bin/orapki wallet jks_to_pkcs12
-wallet %ORACLE_INSTANCE%/config/OHS/ohs1/keystores/%NAME_OF_WALLET%
-keystore C:\path\to\id.jks

6.3       Configure OHS to use new Wallet

Now that your new Oracle Wallet has been created and configured, OHS must be configured to read from the new wallet.

·         Open %ORACLE_INSTANCE%/config/OHS/ohs1/ssl.conf

·         Locate the “SSLWallet” parameter

Change from:
${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/default

Change to:

${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/%wallet_name%  

·         Save ssl.conf changes

·         Reboot OHS

Navigate to “%ORACLE_INSTANCE%/bin”

Run “opmnctl restartproc process-type=OHS”

7         Conditional: Install Certificate Authority Certificates on Browser

Depending on the CA certificates sent by your CA, you may have to install them onto your browser. This may be because the Certificate Authority is not a recognized Certificate Authority by your browser or the CA Certificates sent by your CA may not be used for production/public use. To install CA Certificates into your browser, please refer to your Certificate Authority or System Administration Group for installing CA Certificates into an internet browser.