fsal client deployment considerations with https url

juliojgs
juliojgs Member Posts: 615 Silver Badge

Hi, we are migrating a forms 11g app to 12c.

Old app is running on iexplorer, and we want to get rid of the browser and go to fsal.

Also, old app is on http, but new has to run over https, with an "authentic" certificate.

Could you point me what would we need to deploy the app for the end users?

Provided they all have installed java, finally they would end up with frmsal.jar file and a desktop shortcut that we would have to distribute somehow.

Any recommendation to distribute and allocate these files?

Anything else? What about the weblogic server machine certificate?

thanks.

Answers

  • Michael Ferrante-Oracle
    Michael Ferrante-Oracle Senior Principal Product Manager USMember Posts: 7,493 Employee

    Your (public) certificate chain needs to be imported into the user's keystore. Specifically the one being used by the java installation that will run FSAL.

    https://www.oracle.com/docs/tech/fsal-usage-12214.pdf


    Michael Ferrante

    Senior Principal Product Manager

    Oracle

    Twitter: @OracleFormsPM

  • juliojgs
    juliojgs Member Posts: 615 Silver Badge

    I understand you mean the keystore of java configuration, not the windows keystore which may contain a bunch of well known certification entities.

    I hope this certificate adding is something that can be achieved through policies in the clients windows machines, without intervention in every single one of them. Or maybe with some kind of wizard to install our application, as we also need to deploy the frmsal.jar ... Can you recommend a method to deploy our fsal app in the client machines?

  • Matej D.
    Matej D. Member Posts: 1,041 Gold Trophy

    For deployment fsal and java check @Frank Hoffmann post here:


    An additional step would be to add the certificate to the java cacerts file.

    For that, you can use Keystore explorer from https://keystore-explorer.org/

    And, the last step is to put exe file somewhere in htdocs on ohs and point a user to a specific HTML page to download it.


    Regards

  • Michael Ferrante-Oracle
    Michael Ferrante-Oracle Senior Principal Product Manager USMember Posts: 7,493 Employee
    Answer ✓

    @juliojgs

    For versions 12.2.1.4 and older, the Java keystore needs to be manually updated on each user machine. Of course, this could be done with a script or similar. The point is that an automated process is not provided. In future versions there is a plan to expose functionality similar to the JRE whereby users would be prompted to allow the cert to be automatically imported before allowing the app to run. If they accept, the detected cert would be imported and the app would continue. On subsequent runs, the user would no longer be prompted unless a new/different cert was detected.

    For more information about using FSAL and enabling SSL, refer to the doc I mentioned previously.


    Michael Ferrante

    Senior Principal Product Manager

    Oracle

    Twitter: @OracleFormsPM

  • Frank Hoffmann
    Frank Hoffmann Member Posts: 825 Gold Badge
    edited Nov 26, 2022 5:52AM

    You can make life much easier if you Codesign your own Jar files with a Codesigning certificate of a CA that is trusted by Java - check the CA store in Java for this. I am using Comodo for this.

    With FSAL the JAR files will be accepted silently.

    Then you can simply deploy an archive with JRE, FSAL.jar + starting bat/exe as MSI with silent batch, and Java accepts all receiving JAR files (Oracle and yours). We deploy it like this in one project to 7.200 Clients in 36 networks.

    How else do you want to control all installations and easily replace/control the JRE or FSAL version in an environment like this when needed?

    Frank

  • juliojgs
    juliojgs Member Posts: 615 Silver Badge

    Thanks, first I'm trying to make it work with basic tools.

    I can run http to 9001. But I want https, so I try this url:

    java -jar frmsal.jar -url "https://testserver.corp.com:7002/forms/frmservlet?config=my_standaloneapp" -t 30000

    and I was getting this error:

    sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

    I tried adding the root and intermediate to windows client machine java certs, using java configuration gui, but no success.

    Then I searched for cacerts in my windows machine, and used keytool to do the same in this cacert.

    First "C:\Program Files (x86)\Java\jre1.8.0_341\lib\security\cacerts"

    (no luck)

    Then here: "C:\Program Files\Java\jre1.8.0_341\lib\security\cacerts"

    Now I don't get the certification error, but I get this other error:

    FRM-92497: El servidor ha devuelto el código de respuesta HTTP 404--Not Found
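The import described in this thread, scripted so it can be pushed to many clients: an added example, not code from any poster or from Oracle. It covers every JRE truststore under both Program Files trees, since the post above shows that only one of the two `cacerts` files was the one actually in use. The certificate file paths and the `fsal-` alias prefix are assumptions; `changeit` is the JRE's default store password.

```powershell
# Added example: import an internal CA chain into each JRE truststore on a Windows client.
# Run elevated: the cacerts files live under Program Files.
param(
    # Hypothetical paths to the root and intermediate CA certificates.
    [string[]]$CaFiles   = @('C:\deploy\corp-root.cer', 'C:\deploy\corp-intermediate.cer'),
    [string]  $StorePass = 'changeit'   # JRE default truststore password
)

# 32-bit and 64-bit Java installs can coexist, so search both trees.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } |
         ForEach-Object { Join-Path $_ 'Java' } | Where-Object { Test-Path $_ }
if (-not $roots) { throw 'No Java directory found under Program Files.' }

$stores = Get-ChildItem -Path $roots -Recurse -Filter cacerts -File -ErrorAction SilentlyContinue |
          Where-Object { $_.DirectoryName -like '*\lib\security' }

foreach ($store in $stores) {
    # Use the keytool that ships with the same Java home as this truststore.
    $javaHome = $store.Directory.Parent.Parent.FullName
    $keytool  = Join-Path $javaHome 'bin\keytool.exe'
    if (-not (Test-Path $keytool)) {
        Write-Warning "No keytool found for $($store.FullName); skipped."
        continue
    }

    foreach ($ca in $CaFiles) {
        # Log subject and thumbprint so the change can be audited against the CA's published values.
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ca
        $alias = 'fsal-' + [IO.Path]::GetFileNameWithoutExtension($ca).ToLower()

        # Idempotence: keytool -list exits non-zero when the alias is absent.
        $null = & $keytool -list -alias $alias -keystore $store.FullName -storepass $StorePass 2>&1
        if ($LASTEXITCODE -eq 0) {
            Write-Output "[skip] $alias already present in $($store.FullName)"
            continue
        }

        & $keytool -importcert -noprompt -trustcacerts -alias $alias -file $ca `
                   -keystore $store.FullName -storepass $StorePass
        if ($LASTEXITCODE -ne 0) { throw "Import of $ca into $($store.FullName) failed." }
        Write-Output "[ok] $alias ($($cert.Subject), $($cert.Thumbprint)) -> $($store.FullName)"
    }
}
```

Import only the CA certificates (root and intermediate), not the server certificate, and run the script again whenever a new JRE directory appears on the client.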

  • Michael Ferrante-Oracle
    Michael Ferrante-Oracle Senior Principal Product Manager USMember Posts: 7,493 Employee

    A few comments:

    1. You must use your own certificate. Do not attempt to use the "demo" certificate that comes with the installation. This will only work when running directly on the server, but regardless should not be used.

    2. The error you are seeing does not seem to be related to a certificate issue. Translated for everyone else's benefit:

    FRM-92497: Server returned HTTP response code 404--Not Found

    3. To rule out the possibility of using the wrong keystore, explicitly set it. Also, there is no need to include the "-t" switch. Try this, but be sure to change the path I included to the one you believe contains the cacerts file you updated.

    java -Djavax.net.ssl.trustStore="C:/Program Files (x86)/Java/jre1.8.0_341/lib/security/cacerts" -jar frmsal.jar -url "https://testserver.corp.com:7002/forms/frmservlet?config=standaloneapp"
    



    Michael Ferrante

    Senior Principal Product Manager

    Oracle

    Twitter: @OracleFormsPM

  • juliojgs
    juliojgs Member Posts: 615 Silver Badge

    Thanks for your help.

    I'm not using demo certs, the client company supplied a cert signed by them (root, intermediate, and server). It is not a well known CA signed, but the cert they use for their intranet.

    Once I added it to my local pc java cacerts, it reaches forms, but got that FRM error.

    Finally it got fixed. I just had to change the WLS_FORMS ssl port. I was using 7002, but I changed it to 9002 and now it works.

    Just curious: Maybe there is some kind of conflict for using the console port (7002) for WLS_FORMS https?

  • Michael Ferrante-Oracle
    Michael Ferrante-Oracle Senior Principal Product Manager USMember Posts: 7,493 Employee

    You choose the ports at domain creation time. So if there is/was a conflict it could have been avoided at the time Config Wizard was run (or after in the console).

    Glad to hear you got things working.

    Hopefully in the coming versions, the new FSAL improvements will make using SSL easier 😉


    Michael Ferrante

    Senior Principal Product Manager

    Oracle

    Twitter: @OracleFormsPM