SHA-2 Signed Certificates with EBS
01-25-2015, 06:14 PM,
Recent news published through Steven Chan blog
By Elke Phelps (Oracle Development) on Jan 22, 2015

Secure Hash Algorithms (SHA) are used for a variety of cryptographic purposes including signing of public key infrastructure (PKI) certificates (e.g., code signing certificates and Secure Socket Layer (SSL) or Transport Layer Security (TLS) server certificates). Currently, the SHA family of functions includes SHA-0, SHA-1, SHA-2 and SHA-3. This article and reference notes focus on the use of the SHA256 hash function of SHA-2 with Oracle E-Business Suite.

Why is SHA-2 important to you?
Industry standards for encryption algorithms are constantly under review. Many certificate authorities are recommending or mandating SHA-2 as the minimum signature algorithm for issuing certificates. The time frame for moving to SHA-2 varies depending upon the certificate authority that is used. The requirement for SHA-2 also impacts intermediate certificates which must also be SHA2 in order to chain back to the end-entity SHA-2 certificate issued. Root certificates are not impacted.

When does Oracle E-Business Suite use certificates?
1. HTTPS clients (outbound connections)
HTTPS client connections that originate from Oracle E-Business Suite. For HTTPS clients, you may need to apply product patches to use SHA-2 certificates. Currently, the following products have identified additional requirements to support SHA-2 for HTTPS clients:
  • XML Gateway
    Follow the instructions in the patch README and apply the following patch: 19909850
  • iProcurement
    Follow the instructions for iProcurement in My Oracle Support Note 1937220.1.
In addition to products that initiate outbound connections from Java code on the application tier, the Oracle Database may also act as an HTTP client when the UTL_HTTP package is utilized. Some Oracle E-Business Suite products leverage UTL_HTTP for outbound HTTPS connections. You may also use UTL_HTTP for external integrations and customizations.

For the Oracle Database to utilize a PKI (including SHA-2 signed) certificate, SSL/TLS for outgoing database connections must be configured. Our testing in Oracle E-Business Suite development has confirmed that UTL_HTTP is SHA-2 compliant as of Oracle Database 11.1.0.7 (we have not tested with earlier database versions).

The steps for enabling and testing SSL/TLS configuration for the Oracle Database are documented in the following:

2. Server Side
In addition to client side (outbound connections), the Oracle E-Business Suite application tier utilizes PKI certificates for code signing by AD Jar Signing and for the (inbound) SSL/TLS termination point using the Oracle HTTP Server.

AD JAR Signing
During patching, Oracle E-Business Suite uses certificates to sign JARs that will be delivered to the browser. As of Java 1.5, Java and its utilities keytool and jarsigner support SHA-2 certificates. SHA-2 certificates are certified for JAR signing for all versions of Oracle E-Business Suite (11i, 12.0, 12.1 and 12.2) and Java 1.5 and higher.

Oracle HTTP Server (inbound connections)
SHA-2 certificates are also used by the Oracle HTTP server that is delivered with the Oracle E-Business Suite Applications Technology. The requirements for SHA-2 for the Oracle HTTP Server vary per Oracle E-Business Suite version as follows:
  • Oracle E-Business Suite Release 12.2
    SHA-2 certificates are certified with the Oracle HTTP Server delivered with Oracle E-Business Suite 12.2. The wallet management tools that are shipped with EBS 12.2 generate Certificate Signing Requests (CSRs) signed using MD5. The following note has been updated with the steps necessary to create CSRs signed with other algorithms including SHA-2:
  • Oracle E-Business Suite Releases 12.0 and 12.1
    We are currently working on the certification of SHA-2 certificates with the Oracle HTTP Server for Oracle E-Business Suite Release 12.0 and 12.1. As an option while we are working on this certification, you may use an alternate technology (i.e., a load balancer, reverse proxy, etc.) that supports SHA-2 as the SSL/TLS termination point. Another alternative is to request that your certificate authority issue a SHA-1 certificate.
  • Oracle E-Business Suite Release 11i
    SHA-2 certificates are certified with Oracle E-Business Suite Release 11i when using mod_ssl.so OpenSSL library version 0.98za or later.  To get the minimum mod_ssl.sl library required for EBS 11i and SHA-2, you must apply the July 2014 CPU. Note: We always recommend that you apply the most current CPU available to your environment. You may refer to the following note for additional details:
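
The chain rule described in the post (end-entity and intermediate certificates must be SHA-2 signed, roots are not impacted) and the MD5-signed CSR case can both be checked by reading the signature algorithm out of the DER encoding. The following is an added example, not part of the original post or of Oracle's tooling; `sample()` builds constructed skeletons rather than real certificates, and only the RSA signature OIDs listed in `SIG_ALGS` are recognized.

```python
# Added example: read the declared signature algorithm from DER data.
SIG_ALGS = {  # OID -> (name, is SHA-2)
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", False),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", True),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", True),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", True),
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    subs, val = [], 0
    for b in body:  # base-128 sub-identifiers, high bit means more bytes follow
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            subs.append(val)
            val = 0
    first = min(subs[0] // 40, 2)
    return ".".join(map(str, [first, subs[0] - 40 * first] + subs[1:]))

def signature_alg(der):
    """(name, is_sha2) for the outer signatureAlgorithm of a DER cert or PKCS#10 CSR."""
    _, start, _ = read_tlv(der, 0)             # outer SEQUENCE
    _, _, body_end = read_tlv(der, start)      # tbsCertificate / requestInfo, skipped
    _, alg_start, _ = read_tlv(der, body_end)  # AlgorithmIdentifier SEQUENCE
    tag, a, b = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    oid = decode_oid(der[a:b])
    return SIG_ALGS.get(oid, (oid, False))     # unknown OIDs are reported as not SHA-2

def check_chain(chain):
    """chain: DER blobs, end-entity first, root last; the root is exempt per the post."""
    return [(i, name) for i, der in enumerate(chain[:-1])
            for name, ok in [signature_alg(der)] if not ok]

def sample(last):
    """Constructed skeleton, not a real certificate: zeroed body + AlgorithmIdentifier."""
    alg = b"\x30\x0d\x06\x09" + bytes.fromhex("2a864886f70d0101") + bytes([last]) + b"\x05\x00"
    body = b"\x30\x82\x01\x2c" + bytes(300) + alg + b"\x03\x02\x00\x00"
    return b"\x30\x82" + len(body).to_bytes(2, "big") + body
```

For real PEM certificates, convert each one with the standard library's `ssl.PEM_cert_to_DER_cert()` before passing it in. The check reads the declared algorithm only and does not verify any signature.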