Oracle Forum - The Knowledge Center for Oracle Professionals - Looking Beyond the Possibilities

Full Version: SHA-2 Signed Certificates with EBS
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Recent news published through Steven Chan blog By Elke Phelps (Oracle Development) on Jan 22, 2015Secure Hash Algorithms (SHA) are used for a variety of cryptographic purposes including signing of public key infrastructure (PKI) certificates (e.g., code signing cerificates and Secure Socket Layer (SSL) or Transport Layer Security (TLS) server certificates). Currently, the SHA family of functions include SHA-0, SHA-1, SHA-2 and SHA-3. This article and reference notes focus on the use of the SHA256 hash function of SHA-2 with Oracle E-Business Suite.Why is SHA-2 important to you?Industry standards for encryption algorithms are constantly under review. Many certificate authorities are recommending or mandating SHA-2 as the minumum signature algorithm for issuing certificates. The time frame for moving to SHA-2 varies depending upon the certificate authority that is used. The requirement for SHA-2 also impacts intermediate certificates which must also be SHA2 in order to chain back to the end-entity SHA-2 certificate issued. Root certificates are not impacted.When does Oracle E-Business Suite use certificates?1. HTTPS clients (outbound connections)
HTTPS client connections that originate from Oracle E-Business Suite. For HTTPS clients, you may need to apply product patches to use SHA-2 certificates. Currently, the following products have identified additional requirements to support SHA-2 for HTTPS clients:
  • XML Gateway
    Follow the instructions in the patch README and apply the following patch: 19909850
  • iProcurement
    Follow the instructions for iProcurement in My Oracle Support Note 1937220.1.
In addition to products that initiate outbound connections from java code on the application tier, the Oracle Database may also act as an HTTP client when the UTL_HTTP package is utilized. Some Oracle E-Business Suite products leverage UTL_HTTP for outbound HTTPS connections. You may also use UTL_HTTP for external integrations and customizations.For the Oracle Database to utilize a PKI (including SHA-2 signed) certificate, SSL/TLS for outgoing connections database connections must be configured.  Our testing in Oracle E-Business Suite development has confirmed that UTL_HTTP is SHA-2 compliant as of Oracle Database 11.1.0.7 (we have not tested with earlier database versions).The steps for enabling and testing SSL/TLS configuration for the Oracle Database are documented in the following: 2. Server Side
In addition to client side (outbound connections), the Oracle E-Business Suite application tier utilizes PKI certificates for code signing by AD Jar Signing and for the (inbound) SSL/TLS termination point using the Oracle HTTP Server.AD JAR Signing
During patching, Oracle E-Business Suite uses certificates to sign JARs that will be delivered to the browser. As of Java 1.5, Java and its utilities keytool and jarsigner supports SHA-2 certificates. SHA-2 certificates are certified for JAR signing for all versions of Oracle E-Business Suite (11i, 12.0, 12.1 and 12.2) and Java 1.5 and higher.

Oracle HTTP Server (inbound connections)
SHA-2 certificates are also used by the Oracle HTTP server that is delivered with the Oracle E-Business Suite Applications Technology. The requirements for SHA-2 for the Oracle HTTP Server vary per Oracle E-Business Suite version as follows:
  • Oracle E-Business Suite Release 12.2
    SHA-2 certificates are certified with the Oracle HTTP Server delivered with Oracle E-Business Suite 12.2. The wallet management tools that are shipped with EBS 12.2 generate Certificate Signing Requests (CSRs) signed using MD5. The following note has been updated with the steps necessary to create CSRs signed with other algorithms including SHA-2:
  • Oracle E-Business Suite Releases 12.0 and 12.1
    We are currently working on the certification of SHA-2 certificates with the Oracle HTTP Server for Oracle E-Business Suite Release 12.0 and 12.1. As an option while we are working on this certification, you may use an alternate technology (ie, a load balancer, reverse proxy, etc) that supports SHA-2 as the SSL/TLS termination point. Another alternative is to request that your certificate authority issue a SHA-1 certificate.
  • Oracle E-Business Suite Release 11i
    SHA-2 certificates are certified with Oracle E-Business Suite Release 11i when using mod_ssl.so OpenSSL library version 0.98za or later.  To get the minimum mod_ssl.sl library required for EBS 11i and SHA-2, you must apply the July 2014 CPU. Note: We always recommend that you apply the most current CPU available to your environment. You may refer to the following note for additional details:
Related Articles References