Saturday, April 5, 2014

EBS and Java 7 Security-- missing permissions manifest attribute in main jar, block unsigned

I recently faced an incident.
It was an EBS 12.2 instance, and the clients were configured to use Java 7 update 51. As is known, EBS uses server-side Java in the interfaces coming from oacore. Forms interfaces in EBS, on the other hand, are provided through client-side Java. The incident was encountered using client-side Java, in other words in Forms sessions.
The problem was that when the user tried to open a new form (for example: System Administrator > Concurrent Manager > Administer) while another form was already open in the same client, the following error was produced:

connectMode=HTTP, native.
Forms Applet version is : 10.1.2.3
Missing Permissions manifest attribute in main jar: http://erman:8000/OA_JAVA/oracle/apps/fnd/jar/fndaol.jar
java.lang.InterruptedException
at java.lang.Object.wait(Native Method)
at oracle.forms.engine.Heartbeat.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
-- DialogThread.showDialog(): Interrupted Exception.
Exception in thread "thread applet-oracle.forms.engine.Main-2" java.lang.NullPointerException
at java.awt.EventQueue.isDispatchThread(Unknown Source)
at com.sun.deploy.uitoolkit.impl.awt.AWTAppletAdapter.runOnEDT(Unknown Source)
at com.sun.deploy.uitoolkit.impl.awt.AWTAppletAdapter.doClearAppletArea(Unknown Source)
at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Missing Permissions manifest attribute in main jar: http://erpdemo.takasdom.takasbank.com.tr:8000/OA_JAVA/oracle/apps/fnd/jar/fndforms.jar
proxyHost=null
proxyPort=0
connectMode=HTTP, native.
oracle.forms.net.ConnectionException: Connection from new browser window not supported 
at oracle.forms.net.HTTPNStream.getInfoFromServlet(Unknown Source)
at oracle.forms.net.HTTPNStream.<init>(Unknown Source)
at oracle.forms.net.HTTPConnection.connect(Unknown Source)
at oracle.forms.engine.FormsDispatcher.initConnection(Unknown Source)
at oracle.forms.engine.FormsDispatcher.init(Unknown Source)
at oracle.forms.engine.Runform.initConnection(Unknown Source)
at oracle.forms.engine.Runform.startRunform(Unknown Source)
at oracle.forms.engine.Main.createRunform(Unknown Source)
at oracle.forms.engine.Main.start(Unknown Source)
at com.sun.deploy.uitoolkit.impl.awt.AWTAppletAdapter.start(Unknown Source)
at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)

The following message made me suspicious, and I focused on it:

"Missing Permissions manifest attribute in main jar.."

Actually, Java was trying to say, "you didn't give permission for this main jar."
It also got my attention that, while opening the forms, a Java security warning was appearing.
The following message was displayed in the warning box: "Running unsigned applications like this will be blocked in a future release because it is potentially unsafe and a security risk."

On the other hand, I could continue using Forms by clicking the OK button on that message box. By clicking OK, I actually gave permission for that unsigned Java code to run on my client machine.

The important thing here was that this message box didn't appear when I tried to open a new form (for example: System Administrator > Concurrent Manager > Administer) while another form was already open in my client, and this caused those missing permissions errors: "Missing Permissions manifest attribute in main jar.."

Note that when you install EBS, you get unsigned Java code, or let's say: the JAR files that are downloaded to the desktop client from Oracle E-Business Suite have been signed using a self-signed certificate with a 1024-bit key size. Using a self-signed certificate is no longer deemed secure under the latest Java security standards. So the warning message produced by Java is expected, and we can press the OK button to continue working in Forms.

The problem is that we cannot say "OK for always" or "Remember my answer" any more, because Java 7u40 and above introduced a higher level of security.
Unfortunately, this creates a problem when opening a new form if there is an already opened form on our client, because Java doesn't want us to grant permissions to unsigned code again (as far as I can see). This creates the permission problem.

To work around this, you can use Java version 7u39 or lower on your client machine. (I didn't test 7u39, but according to the document it should help.)

To fix this, that is, if you want to continue using 7u51 for instance, you need to sign the EBS jar files. For signing the jar files, I suggest you take a look at the following MOS document:
Enhanced Jar Signing for Oracle E-Business Suite (Doc ID 1591073.1)

Lastly, I share the information below to support my findings.
The information provided below is from Oracle Support and the Java documentation.


| Signing Certificate | JRE Security Setting | JRE 7u21 and 7u25 | JRE 7u40 and 7u45 | JRE 7u51 |
|---|---|---|---|---|
| Self-Signed Certificate | Very High | Forms won't launch | Forms won't launch | Forms won't launch |
| Self-Signed Certificate | High (Default Setting) | Forms launch normally | Forms won't launch (1) | Forms won't launch |
| Self-Signed Certificate | Medium | Forms launch normally | Forms launch with warning (2) | Forms launch with warning (2) |
| Code signing certificate from a Trusted CA (3) | Very High | Forms launch normally | Forms launch normally | Forms launch normally |
| Code signing certificate from a Trusted CA (3) | High (Default Setting) | Forms launch normally | Forms launch normally | Forms launch normally |

1 JRE 7u40 and JRE 7u45 are now both past their expiration date, forms will no longer launch on a High security setting when using a self-signed certificate.
2 The security Warning: Running unsigned applications like this will be blocked in a future release because it is potentially unsafe and a security risk will pop when jars using a self-signed certificate are detected. The user can click through this message to launch the Java content. Unlike earlier JRE releases there is no longer the option to remember this decision for future logins. When running JRE 7u40 and later this message will therefore appear every time you start a new session, it can no longer be suppressed unless your jars are signed with a Trusted CA.
3 Unless previously installed into the Java certificate store you will still be asked to trust the publisher when launching an EBS environment for the first time from the desktop. See Step 6.3. Running an Environment for the First Time for further details.


Java documentation
Changes to Security Slider:
The following changes to Security Slider were included in this release(7u51):

Block Self-Signed and Unsigned applets on High Security Setting
Require Permissions Attribute for High Security Setting
Warn users of missing Permissions Attributes for Medium Security Setting
For more information, see Java Control Panel documentation.
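
An added example, not part of the original post or of Oracle's tooling: it reads a JAR's main manifest section for the Permissions attribute, looks for signature files under META-INF, and applies the 7u51 slider rules quoted above. The sample JARs and all function names are constructed for illustration; signature files are only detected (not verified), and a self-signed certificate is not distinguished from a CA-issued one.

```python
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"

def inspect_jar(jar_bytes):
    """Report the main-section Permissions value and whether signature files exist."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        text = jar.read(MANIFEST).decode("utf-8") if MANIFEST in names else ""
    attrs, last = {}, None
    for line in text.splitlines():
        if line == "":
            break                        # a blank line ends the main section
        if line.startswith(" ") and last:
            attrs[last] += line[1:]      # continuation of a wrapped value
        elif ":" in line:
            name, value = line.split(":", 1)
            last = name.strip().lower()  # attribute names are case-insensitive
            attrs[last] = value.strip()
    # Presence check only: validating the signature itself is jarsigner's job.
    meta = [n.upper() for n in names if n.upper().startswith("META-INF/")]
    has_sf = any(n.endswith(".SF") for n in meta)
    has_block = any(n.endswith((".RSA", ".DSA", ".EC")) for n in meta)
    return {"permissions": attrs.get("permissions"), "signature_files": has_sf and has_block}

def blocked_at_high(report):
    # 7u51, High: unsigned applets are blocked and the Permissions attribute is required.
    return not report["signature_files"] or report["permissions"] is None

def warns_at_medium(report):
    # 7u51, Medium: the user is warned when the Permissions attribute is missing.
    return report["permissions"] is None

def build_jar(manifest, extra=()):
    # Helper that builds a constructed sample JAR in memory.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(MANIFEST, manifest)
        for name in extra:
            jar.writestr(name, b"")      # empty placeholders, not real signatures
    return buf.getvalue()

# Constructed samples: one without Permissions or signature files, one with both.
UNSIGNED = build_jar("Manifest-Version: 1.0\r\nMain-Class: demo.Main\r\n\r\n")
SIGNED = build_jar("Manifest-Version: 1.0\r\nPermissions: all-per\r\n missions\r\n\r\n"
                   "Name: demo/Main.class\r\n", ("META-INF/DEMO.SF", "META-INF/DEMO.RSA"))

if __name__ == "__main__":
    for label, jar in (("unsigned", UNSIGNED), ("signed", SIGNED)):
        print(label, inspect_jar(jar), "blocked at High:", blocked_at_high(inspect_jar(jar)))
```
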

3 comments :

  1. how to remove below warning
    "Running unsigned applications like this will be blocked in a future release because it is potentially unsafe and a security risk"

  2. I didn't try it, but I did a search and it seems the warning cannot be disabled. As a workaround, you can downgrade your Java version to a less secure version or you can sign the jar files.

  3. Use Java 7 update 39. I think in Java 7 update 39, you can click "Do not show this again for the app". That checkbox should be there in java7_u39.
