Beginning April 18, 2017, Oracle now considers any jar files signed with MD5 to be unsigned due to the security vulnerabilities with MD5 signatures. Starting with Java Runtime Environment (JRE) 1.8.0_131 (Java 8 Update 131), when it is used for running Oracle Forms (all versions), any jar files signed with MD5 will be blocked:
More information from Oracle on this may be found at https://blogs.oracle.com/java-platform-group/oracle-jre-will-no-longer-trust-md5-signed-code-by-default.
For any of your custom jar files, they will need to be re-signed without MD5 (MD5withRSA). It is recommended to use SHA-256 (or SHA-2).
As for the jar files which come installed with Oracle Forms (frmall.jar, frmwebutil.jar, etc.), if you are using Forms 12c (188.8.131.52.0 or higher), you will have no problem running the application because the jar files are not signed with MD5. However, if you are running Oracle Forms 11gR2 or older (including 184.108.40.206.0), you will get this warning upon launching your application which will result in the application not launching at all. To fix this problem, you will have the following options to choose from:
- Upgrade to Oracle Forms 12c
- Apply Patch 19933795 to your Oracle Forms environment (see steps below to apply the patch).
- NOTE: This patch is only available for Oracle Forms versions 220.127.116.11.0 and 18.104.22.168.0. If you are using a version older than these, you will need to upgrade to either these versions or to 12c.
- Run a JRE older than 8u131 (not recommended due to increased security risks)
- Add your Forms site to the Exception Site List in each end user’s Java Control Panel (not recommended due to the fact that this will need to be done for every user’s PC)
If you decide to apply Patch 19933795 to your Forms environment after downloading it from My Oracle Support, you will need to run these steps:
- Shut down everything in your Oracle Forms environment (all WebLogic servers, Node Manager, and anything running within OPMNCTL).
- Extract the zip file containing the patch.
- Go into the extracted folder and then inside the 19933795 folder.
- Open up Command Prompt as an administrator and change the directory to the 19933795 folder.
- Set ORACLE_HOME to your Forms Oracle Home. Example: set ORACLE_HOME=C:\Oracle\Middleware\Oracle_FRHome1
- Append the PATH to include the OPatch folder inside %MW_HOME%\oracle_common. Example: set PATH=%PATH%;C:\Oracle\Middleware\oracle_common\OPatch
- Run opatch version to make sure that OPatch is working.
- Run opatch apply to apply the patch. Making sure that the Middleware home is the correct home for your Forms environment, type in y when it asks if the local system is ready for patching.
- When the patch is applied successfully, start up everything in the WebLogic environment.
After running the steps above, Oracle Forms should run normally.
NOTE: If you are using PITSS.CON for Forms 12c, although none of the PITSS.CON jar files will be blocked (they are not signed with MD5), the bundled frmwebutil.jar will still be using the MD5-signed jar file. Please contact PITSS Support at email@example.com, and PITSS can provide you an updated jar file which is not signed with MD5 as a part of your maintenance agreement.