Self-signing has been a way to sign jar files for use with Oracle Forms without going through a trusted vendor. Oracle provides the sign_webutil.bat (or sign_webutil.sh) script for self-signing a jar file. Because self-signed certificates do not contain a trusted publisher name, a Java security warning with the publisher "UNKNOWN" may appear every time a Forms application starts up. This is because the self-signed certificate was not issued by a trusted vendor (VeriSign, Comodo, GoDaddy, etc.) and is not in the "Signer CA" list in the Java Control Panel on the user's PC. This has been noticed more in recent months: starting with Java 7 Update 40, users are unable to "always remember this option" when choosing to run an application with an UNKNOWN publisher, and with JRE 7u51 or higher they may even get an Application Blocked error.
The best solution is to sign your jar files with a trusted code-signing certificate from a trusted vendor. However, you also have the option of adding the self-signed certificate to the list of Signer CA certificates in the Java Control Panel. This puts the self-signed certificate on the trusted list and lets you run the application without the warning appearing (a Java notification will still appear, but with a publisher name that would be considered more trustworthy than "UNKNOWN").
To configure this, you will need to update the sign_webutil script (used for self-signing jar files) on the platform running the Forms and Reports environment. After this, you will need to export a CSR certificate from the keystore which the script uses. The following steps will accomplish this:
1. Locate your sign_webutil.bat or sign_webutil.sh script. If you are using one provided by PITSS, it should be located in either %ORACLE_HOME%\forms\webutil\win32 or %ORACLE_HOME%\forms\webutil\win64; in that case you may skip step 3, as the password will be "webutilpasswd". If the script does not exist there, you can find it in %ORACLE_INSTANCE%\bin. Please make a backup of this file.
2. Open the file in a text editor.
3. Modify the following variables:
a. SET KEYSTORE_PASSWORD= Create a keystore password of your choice (CAUTION: The password will NOT be encrypted)
b. SET JAR_KEY_PASSWORD= Create a private key password of your choice (CAUTION: The password will NOT be encrypted)
4. Locate the line "SET DN_CN=Product Management". This is the self-signed certificate information. If you want to use your own information, you may update the following four lines (below is an example). If you are fine with using the values Oracle has provided, you may skip to step 5.
a. SET DN_CN=Forms Self-Signed Certificate (Common Name or name of the certificate)
b. SET DN_OU=Oracle Forms (Organization Unit)
c. SET DN_O=PITSS America LLC (Organization)
d. SET DN_C=US (Country code such as US for United States, CA for Canada, etc.)
5. Save and close the file
6. Re-sign your jar file(s) with the sign_webutil script:
Windows: %PATH_TO_SCRIPT%\sign_webutil.bat %PATH_TO_JAR_FILE%\jarfile.jar
Unix: $PATH_TO_SCRIPT/sign_webutil.sh $PATH_TO_JAR_FILE/jarfile.jar
7. Deploy the signed jar file in %ORACLE_HOME%\forms\java
8. Restart WLS_FORMS if it is running
9. Go to the location of your keystore file that is specified in the sign_webutil script inside Command Prompt or your SSH terminal.
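10. Ensuring that the JDK is in the PATH environment variable, run the following command to extract a CSR from the keystore (keytool -export writes the certificate stored under the given alias, so despite the .csr extension used here the file is the certificate itself, not a certificate signing request):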
keytool -export -keystore .keystore -alias webutil2 -file name_of_cert.csr
11. Please keep the CSR file handy. This file will need to be sent to any end user who plans to use the application.
12. On the end user's PC, open the Java Control Panel from Control Panel. This can be done by clicking on Control Panel from the Start button. Once there, expand the Control Panel and select "All Control Panel Items". Double-click on Java.
13. Go to the Security tab and click "Manage Certificates…".
14. Specify "Signer CA" as the Certificate type. Click "Import" to import the CSR.
15. Once it is imported, it will be in your list of trusted certificates for that PC.
After applying the steps above, you should see a more trustworthy Java notification similar to the one below instead of a security warning which will allow you to remember the option to run the application (even when using the latest JRE):
NOTE 1: Steps 1-10 only need to be done once on the PC/server where Forms is installed. Steps 11-15 will need to be done for every user who plans to access the application.
NOTE 2: Make sure your jar files also contain the permissions, codebase, and Application-Name manifest attributes or the jar files may be blocked starting with Java 7 Update 51. For more information, please review https://pitss.com/us/2013/10/24/how-to-modify-custom-jar-files-with-permissions-and-codebase-attributes/.
NOTE 3: The Oracle jar files (they start with "frm") are signed with Oracle's trusted certificates. Do not attempt to modify or replace them, as doing so will cause the Forms environment to not run correctly, if at all.
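A pre-deployment check for the conditions in step 6 and NOTE 2, as an added example that is not part of the original article or of Oracle's scripts: it reports whether a jar carries signature entries and which of the three manifest attributes are missing from the main section. The sample manifests, the WEBUTIL2 entry names and the host forms.example.test are constructed for illustration.

```python
import io
import re
import zipfile

# Manifest attributes the page's NOTE 2 says must be present.
REQUIRED_ATTRS = ("Permissions", "Codebase", "Application-Name")
SIG_FILE = re.compile(r"^META-INF/[^/]+\.SF$", re.I)
SIG_BLOCK = re.compile(r"^META-INF/[^/]+\.(RSA|DSA|EC)$", re.I)


def main_attributes(manifest_text):
    """Parse the main section of MANIFEST.MF into {lowercased name: value}."""
    # Long lines are wrapped; a continuation line starts with a single space.
    unfolded = re.sub(r"\r?\n ", "", manifest_text)
    main = re.split(r"\r?\n\r?\n", unfolded, maxsplit=1)[0]
    attrs = {}
    for line in main.splitlines():
        name, sep, value = line.partition(": ")
        if sep:
            attrs[name.strip().lower()] = value.strip()
    return attrs


def audit_jar(jar):
    """Report whether signature entries exist and which attributes are missing."""
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
        has_manifest = "META-INF/MANIFEST.MF" in names
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8") if has_manifest else ""
    attrs = main_attributes(text)
    signed = any(SIG_FILE.match(n) for n in names) and any(SIG_BLOCK.match(n) for n in names)
    missing = [a for a in REQUIRED_ATTRS if a.lower() not in attrs]
    return {"signed": signed, "missing": missing}


def build_sample_jar(manifest, signed):
    """Constructed in-memory jar; signature entries are empty placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        if signed:
            zf.writestr("META-INF/WEBUTIL2.SF", "")
            zf.writestr("META-INF/WEBUTIL2.RSA", "")
    buf.seek(0)
    return buf


GOOD = ("Manifest-Version: 1.0\r\nPermissions: all-permissions\r\n"
        "Codebase: forms.example.test\r\nApplication-Name: Sample Forms App\r\n\r\n")
BAD = "Manifest-Version: 1.0\r\nCreated-By: constructed sample\r\n\r\n"

if __name__ == "__main__":
    print(audit_jar(build_sample_jar(GOOD, signed=True)))
    print(audit_jar(build_sample_jar(BAD, signed=False)))
```

The check only confirms that signature entries are present; `jarsigner -verify` on the real jar is what validates the signature itself.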
Source: Oracle Support note 1596871.1