Importing self-signed certificates in Sun JPI
5 September 2005 at 09:57 CEST | In Forms, Oracle, SUN JPI/JVM, Signing and certificates

As you might know from other blog entries, we’re running Oracle Forms using Sun’s JRE/JPI and not JInitiator. We’re using commercial certificates for some of our webservers, but we’re also using some self-signed certificates for our development/test server and for code signing. Up until now all users were presented with a warning about these “invalid” certificates by Sun’s JPI.
I tried before to import our self-issued certificates in Sun’s keystore, but I never managed to get it working. It was always asking for the keystore password, and I couldn’t find anywhere what the default password for such a keystore would be. Luckily I found it today on the internet and the default password is "changeit". That’s probably some good advice.
I’ve blogged before about importing certificates in JInitiator. You could read there that we are using Oracle Certificate Authority to create our own certificates. The advantage to that is that all self-issued certificates are “children” of our self-issued root certificate. This gives me the advantage that I only have to import this root certificate in a browser/JVM and not all certificates that were created from this root certificate.
You could export the certificate from OCA, or you can just get it from Internet Explorer. Just visit an HTTPS site that uses the certificate and double-click on the yellow lock in the status bar. Go to the Certification Path tab and double-click the root certificate to open it. Now go to the Details tab. If you do not have a self-issued root certificate you can just start off at the Details tab of your initial certificate. Click on Copy to File and save the certificate in base64 encoding.
Now open a command box and change your working directory to the lib\security subdirectory of your Sun JPI. Then execute the keytool command to import your certificate:
C:\>cd "\Program Files\Java\j2re1.4.2_09\lib\security"
C:\Program Files\Java\j2re1.4.2_09\lib\security>..\..\bin\keytool -import -file "c:\temp\self.cer" -keystore cacerts -storepass changeit -alias myRootCA
Owner: O=Eurotransplant International Foundation, C=NL
Issuer: O=Eurotransplant International Foundation, C=NL
Serial number: 1
Valid from: Mon Feb 21 08:59:26 CET 2005
until: Thu Feb 19 08:59:26 CET 2015
Certificate fingerprints:
MD5: **:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**
SHA1: **:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**
Trust this certificate? [no]: yes
Certificate was added to keystore
Now, when you try to start your Oracle Forms application the applet will no longer complain about untrusted certificates for SSL communication. It will still ask the user to accept the Java applet as it is trying to run outside its sandbox. You cannot get rid of this message, as it is by design that Java will ask the user for permission for an applet to run outside its sandbox.
The applet as shipped by Oracle is signed by “Developer/Oracle” and uses a self-issued certificate. If you want to get rid of this, you’ll have to re-sign the JAR file yourself with your own certificate. For more information see another blog entry.
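A root certificate imported into cacerts becomes a trust anchor for everything issued under it, so the fingerprints keytool prints before "Trust this certificate?" should be compared with a value obtained from the CA administrator through a separate channel. The following is an added example, not part of the original post: a Python sketch that checks the exported base64 file against such a fingerprint and only then calls keytool with -noprompt. The helper names, the sample data and the expected-fingerprint argument are assumptions; the keystore, alias and password defaults are the ones used above.

```python
import base64
import hashlib
import re
import subprocess
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """Decode the single base64 certificate that 'Copy to File' writes."""
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError("expected exactly one certificate, found %d" % len(blocks))
    return base64.b64decode("".join(blocks[0].split()), validate=True)

def fingerprint(der, algo="sha1"):
    """Colon-separated upper-case hex, the layout keytool prints (sha256 also works)."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def matches(der, expected, algo="sha1"):
    """Compare with a fingerprint obtained out-of-band; separators and case are ignored."""
    want = re.sub(r"[^0-9A-Fa-f]", "", expected).upper()
    return fingerprint(der, algo).replace(":", "") == want

def import_root(cert_path, expected, keystore="cacerts", alias="myRootCA",
                storepass="changeit", keytool="keytool"):
    """Import only after the fingerprint check; run from the JRE's lib/security directory."""
    with open(cert_path) as fh:
        der = pem_to_der(fh.read())
    if not matches(der, expected):
        raise SystemExit("fingerprint mismatch, refusing to import " + cert_path)
    subprocess.run([keytool, "-import", "-noprompt", "-file", cert_path,
                    "-keystore", keystore, "-storepass", storepass,
                    "-alias", alias], check=True)

# Constructed sample: the base64 body is filler bytes, not a real certificate.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(b"constructed-DER-placeholder" * 4).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    if len(sys.argv) == 3:      # usage: script.py self.cer <expected SHA1 fingerprint>
        import_root(sys.argv[1], sys.argv[2])
    else:
        print(fingerprint(pem_to_der(SAMPLE_PEM)))
```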
7 Comments
Any ideas where this SSL certificate store lives on non Windows installations–such as using jre on Linux? We require SSL on one of our forms servers and for the life of me, I can’t get this to run on Linux clients.
Comment by John Tracy — 18 January 2006 #
On Linux the cacerts file is also in the lib/security subdirectory of your JRE. Be sure to check which JRE is used by your browser. It is likely you have multiple JREs installed on the machine.
Comment by Wilfred — 18 January 2006 #
We are attempting to implement Oracle Forms 10g with SSL Client Side Authentication, i.e., setting the OHS/apache directive SSLVerifyClient REQUIRED then accessing the Forms Applet. Everything works with the directive set at optional. However, the Applet crashes after 5 minutes when we set the directive to REQUIRED. We altered the OHS SSL cache to 10 minutes, but nothing changes. Any thoughts as to why or how to fix?
Comment by Paul — 4 May 2006 #
Hi Paul,
I think I got the exact same question from someone else in another comment. I’ll send both of you an email so you can see if you can help each other.
Comment by Wilfred — 4 May 2006 #
Hi,
I am trying to enable ssl on ohs webserver. I have created the wallet file using owm tool. When I start the web server, the web server home page (using https URL) does not come up. I am getting “page cannot be displayed” message. Please see the curl output below
unixuser@ # /export/home/unixuser/PSR_TESTING/oracle/companionCDHome_2/opmn/bin (2128) %>!curl
curl -v -i "https://sdcdevsuse02:4458"
* About to connect() to sdcdevsuse02 port 4458
* Connected to sdcdevsuse02 (64.181.165.142) port 4458
* error setting certificate verify locations:
CAfile: /usr/share/curl/curl-ca-bundle.crt
CApath: none
* Closing connection #0
curl: (60) error setting certificate verify locations:
CAfile: /usr/share/curl/curl-ca-bundle.crt
CApath: none
Please let me know if I am missing anything
-Thanks
Sudarsan
Comment by Sudarsan — 31 July 2006 #
Thanks for the tip on the default password for the keystore
Comment by Peter Lorenzen — 27 February 2007 #
Thanks for the SSL certificate tips. I’m just struggling with this right now on my own site.
Comment by cheap ssl certificates — 25 June 2009 #