5 Replies Latest reply: Dec 23, 2013 9:16 AM by Christian Erlinger RSS

    About self-signed (sign_webutil.bat) certificates, CA for ISV

    myluism

      Hi all.

       

      Currently using 11g rel2.

       

      I'm getting deeply concerned about issues related to self signed certificates and the way Oracle Forms Java Client will behave in future java updates.

       

      Since every application will probably have their own jar files: for example jars for deployment of icon files, or probably some provided by third parties, such as calendar bean, google map bean, etc. one must provide the best deployment scenario for your owned developed applications.

       

      Another issue that arises, is the java auto update feature, meaning that is hard to control which java version a given client actually has or might be running.

       

      Coming from Oracle Forms background, this jar signing issues really become a pain in the ... So, I'd like to ask for some guidance for experts from this community.

       

      1) Possibly the best situation will be to have all jar files signed from a CA. If this is the case, a couple of questions:

          1.1) If you are an ISV, who should by the CA software?. From the way i see it, is the ISV who provides the solution, and as part of this solution, apart from the Forms Application, would be to deliver trusted jar files.

         1.2) What happens if jar files come from different CAs?. For examples, Oracle provided files are already signed. What happens with your own jars files?. Will this be an issue? I've heard all files specified on the archive must share the same certificate. Is this true?

        1.3) Apart from VeriSign, where can i find other cheaper CAs?

       

      2) Although this might not be the best solution, can one lock or force forms client to use a lower JRE?. One that does not have many security enforcement?.

       

      Help will be greatly appreciated.....!!!!

        • 1. Re: About self-signed (sign_webutil.bat) certificates, CA for ISV
          CraigB

          I'll offer my thoughts on your questions...

          1) Possibly the best situation will be to have all jar files signed from a CA. If this is the case, a couple of questions:

              1.1) If you are an ISV, who should by the CA software?. From the way i see it, is the ISV who provides the solution, and as part of this solution, apart from the Forms Application, would be to deliver trusted jar files.

             1.2) What happens if jar files come from different CAs?. For examples, Oracle provided files are already signed. What happens with your own jars files?. Will this be an issue? I've heard all files specified on the archive must share the same certificate. Is this true?

            1.3) Apart from VeriSign, where can i find other cheaper CAs?

           

          1.1 - As an Independent Software Vendor (ISV) I would expect the cost of the CA to be included in the price of the software.  You want to make the customer's experience as easy and trouble-free as possible.

          1.2 - No, this is not an issue.  Our Forms application (even though it is an internally used application and is not publicly licensed) uses .jar files that we have created and signed with our own trusted certificate.  Oracle doesn't care if the jar files are not signed by the same certificate...only that they are signed by a trusted certificate.

          1.3 - Well, I just did a simple GOOGLE search and found this web site, which reviews serveral certificate issuers.  SSL Certificate Reviews.

           

          Hope this helps.

           

          Craig...

          • 2. Re: About self-signed (sign_webutil.bat) certificates, CA for ISV
            myluism

            Thanks Craigh for the information provided. Valuable indeed....!

             

            A little about 1.1: maybe i didn't make it clear enough:

             

            As an ISV, i should buy or acquire a certificate through a CA, sign all my jars (beans, pjcs) and delivered them to my customers, so they don't have to buy anything or is it mandatory to have the customer buy the CA software?.is this is so, i would have to include the CA software as part of the solution.

             

            What do you think?. Are both proposal viable or not?

             

            Regards, Luis

            • 3. Re: About self-signed (sign_webutil.bat) certificates, CA for ISV
              Christian Erlinger
              A little about 1.1: maybe i didn't make it clear enough:

               

              As an ISV, i should buy or acquire a certificate through a CA, sign all my jars (beans, pjcs) and delivered them to my customers, so they don't have to buy anything or is it mandatory to have the customer buy the CA software?.is this is so, i would have to include the CA software as part of the solution.

              As a customer I'd expect from a ISV that they sign their .jar files properly. After all on the client you trust *their* software, and not software from yourself.

               

              cheers

              • 4. Re: About self-signed (sign_webutil.bat) certificates, CA for ISV
                CraigB

                myluism wrote:

                 

                ...As an ISV, i should buy or acquire a certificate through a CA, sign all my jars (beans, pjcs) and delivered them to my customers, so they don't have to buy anything or is it mandatory to have the customer buy the CA software?.is this is so, i would have to include the CA software as part of the solution.

                 

                What do you think?. Are both proposal viable or not?

                You don't have to include the CA Certificate with your application, you simply need to sign your .jar files using the CA Certificate.

                 

                Craig...

                • 5. Re: About self-signed (sign_webutil.bat) certificates, CA for ISV
                  Christian Erlinger
                  You don't have to include the CA Certificate with your application

                  Just to add: I'd even extend that to "You *must not* include the CA Certificate with your application."

                  After all you use this certificate so your customer can verify where the software he is using came from; if anybody could sign any software with your private key this would most certainly lead blocking code signed with your key by default plus a huge image loss for your company.

                   

                  Long story short: don't give away your private keys, and also see to it that nobody abuses it to sign software *not* originating from you.

                   

                  cheers