01-25-2015, 06:14 PM
Recent news published through Steven Chan blog By Elke Phelps (Oracle Development) on Jan 22, 2015Secure Hash Algorithms (SHA) are used for a variety of cryptographic purposes including signing of public key infrastructure (PKI) certificates (e.g., code signing cerificates and Secure Socket Layer (SSL) or Transport Layer Security (TLS) server certificates). Currently, the SHA family of functions include SHA-0, SHA-1, SHA-2 and SHA-3. This article and reference notes focus on the use of the SHA256 hash function of SHA-2 with Oracle E-Business Suite.Why is SHA-2 important to you?Industry standards for encryption algorithms are constantly under review. Many certificate authorities are recommending or mandating SHA-2 as the minumum signature algorithm for issuing certificates. The time frame for moving to SHA-2 varies depending upon the certificate authority that is used. The requirement for SHA-2 also impacts intermediate certificates which must also be SHA2 in order to chain back to the end-entity SHA-2 certificate issued. Root certificates are not impacted.When does Oracle E-Business Suite use certificates?1. HTTPS clients (outbound connections)
HTTPS client connections that originate from Oracle E-Business Suite. For HTTPS clients, you may need to apply product patches to use SHA-2 certificates. Currently, the following products have identified additional requirements to support SHA-2 for HTTPS clients:
In addition to client side (outbound connections), the Oracle E-Business Suite application tier utilizes PKI certificates for code signing by AD Jar Signing and for the (inbound) SSL/TLS termination point using the Oracle HTTP Server.AD JAR Signing
During patching, Oracle E-Business Suite uses certificates to sign JARs that will be delivered to the browser. As of Java 1.5, Java and its utilities keytool and jarsigner supports SHA-2 certificates. SHA-2 certificates are certified for JAR signing for all versions of Oracle E-Business Suite (11i, 12.0, 12.1 and 12.2) and Java 1.5 and higher.
Oracle HTTP Server (inbound connections)
SHA-2 certificates are also used by the Oracle HTTP server that is delivered with the Oracle E-Business Suite Applications Technology. The requirements for SHA-2 for the Oracle HTTP Server vary per Oracle E-Business Suite version as follows:
HTTPS client connections that originate from Oracle E-Business Suite. For HTTPS clients, you may need to apply product patches to use SHA-2 certificates. Currently, the following products have identified additional requirements to support SHA-2 for HTTPS clients:
- XML Gateway
Follow the instructions in the patch README and apply the following patch: 19909850
- iProcurement
Follow the instructions for iProcurement in My Oracle Support Note 1937220.1.
- Oracle E-Business Suite Release 12.2: See Section 4 in Enabling SSL in Oracle E-Business Suite Release 12.2 (Note 1367293.1)
- Oracle E-Business Suite Release 12.1: See Section 4 in Enabling SSL in Oracle E-Business Suite Release 12, Section 4 (Note 376700.1)
- Oracle E-Business Suite Release 11i: See Chapter 5 - Option 5.3 in A Guide to Understanding and Implementing SSL for Oracle Applications(Note 123718.1)
In addition to client side (outbound connections), the Oracle E-Business Suite application tier utilizes PKI certificates for code signing by AD Jar Signing and for the (inbound) SSL/TLS termination point using the Oracle HTTP Server.AD JAR Signing
During patching, Oracle E-Business Suite uses certificates to sign JARs that will be delivered to the browser. As of Java 1.5, Java and its utilities keytool and jarsigner supports SHA-2 certificates. SHA-2 certificates are certified for JAR signing for all versions of Oracle E-Business Suite (11i, 12.0, 12.1 and 12.2) and Java 1.5 and higher.
Oracle HTTP Server (inbound connections)
SHA-2 certificates are also used by the Oracle HTTP server that is delivered with the Oracle E-Business Suite Applications Technology. The requirements for SHA-2 for the Oracle HTTP Server vary per Oracle E-Business Suite version as follows:
- Oracle E-Business Suite Release 12.2
SHA-2 certificates are certified with the Oracle HTTP Server delivered with Oracle E-Business Suite 12.2. The wallet management tools that are shipped with EBS 12.2 generate Certificate Signing Requests (CSRs) signed using MD5. The following note has been updated with the steps necessary to create CSRs signed with other algorithms including SHA-2:- Enabling SSL in Oracle E-Business Suite Release 12.2 (Note 1367293.1)
- Enabling SSL in Oracle E-Business Suite Release 12.2 (Note 1367293.1)
- Oracle E-Business Suite Releases 12.0 and 12.1
We are currently working on the certification of SHA-2 certificates with the Oracle HTTP Server for Oracle E-Business Suite Release 12.0 and 12.1. As an option while we are working on this certification, you may use an alternate technology (ie, a load balancer, reverse proxy, etc) that supports SHA-2 as the SSL/TLS termination point. Another alternative is to request that your certificate authority issue a SHA-1 certificate. - Oracle E-Business Suite Release 11i
SHA-2 certificates are certified with Oracle E-Business Suite Release 11i when using mod_ssl.so OpenSSL library version 0.98za or later. To get the minimum mod_ssl.sl library required for EBS 11i and SHA-2, you must apply the July 2014 CPU. Note: We always recommend that you apply the most current CPU available to your environment. You may refer to the following note for additional details:
- Secure Configuration Guide for Oracle E-Business Suite Release 12 (Note 403537.1)
- Enabling SSL in Oracle E-Business Suite Release 12.2 (Note 1367293.1)
- Enabling SSL in Oracle E-Business Suite Release 12 (Note 376700.1)
- Secure Configuration Guide for Oracle E-Business Suite Release 11i (Note 189367.1)
- 11i: A Guide to Understanding and Implementing SSL for Oracle Applications (Note 123718.1)