Monday, June 29, 2020

Deploy root certificate on Oracle EBS 12.2

Oracle Fusion Middleware provides two types of keystores for keys and certificates:

JKS Keystore and Truststore
Oracle Wallet

JKS Keystore and Truststore
A JKS keystore is the default JDK implementation of Java keystores provided by Sun Microsystems. In 11g all Java components and Java EE applications use the JKS-based keystore and truststore.
You use a JKS-based keystore for the following:
Oracle Virtual Directory
Applications deployed on Oracle WebLogic Server, including:
Oracle SOA Suite
Oracle WebCenter
In Oracle Fusion Middleware, you can use GUI or command-line tools to create, import, export, and delete a Java keystore and the certificates contained in the keystore

Oracle Wallet
An Oracle wallet is a container that stores your credentials, such as certificates, trusted certificates, certificate requests, and private keys. You can store Oracle wallets on the file system or in LDAP directories such as Oracle Internet Directory. Oracle wallets can be auto-login or password-protected wallets.
You use an Oracle Wallet for the following components:
Oracle HTTP Server
Oracle Web Cache
Oracle Internet Directory
In Oracle Fusion Middleware, you can use GUI or command-line tools to create, import, export and delete a wallet and the certificates contained in the wallet.

Commands to verify the certificate,

#cd $OA_JRE_TOP/lib/security
#pwd
/t01/erptest/fs2/EBSapps/comn/util/jdk32/jre/lib/security
# keytool -list -keystore $OA_JRE_TOP/lib/security/cacerts

# cd $APPL_TOP_NE/ad/admin
#pwd
/t01/erptest/fs_ne/EBSapps/appl/ad/admin
# keytool -list -v -keystore adkeystore.dat

Below are the steps to migrate the java certificate into Oracle E-Business Suite 12.2.x version.


<JRI_DATA_LOC> = $<fs_ne>/EBSapps/appl/ad/admin


Generate a new keypair (private key and public key)

PATH:/t01/testerp/fs_ne/EBSapps/ad/admin

[applerp@ed-olaplin1 admin]$ adjkey -initialize -keysize 2048 -alias SAMICORP

 Copyright (c) 2002, 2012 Oracle Corporation

                        Redwood Shores, California, USA

                             AD Java Key Generation

                              s   Version 12.2.0

NOTE: You may not use this utility for custom development

      unless you have written permission from Oracle Corporation.

Reading product information from file...

Reading language and territory information from file...

Reading language information from applUS.txt ...

Enter the APPS username: apps

Enter the APPS password:

Successfully created javaVersionFile.

adjkey will now create a signing entity for you.

Enter the COMMON NAME [ ] : SAMICORP

Enter the ORGANIZATION NAME [SAMICORP] : SAMICORP

Enter the ORGANIZATION UNIT [ ] : IT

Enter the LOCALITY (or City) [ ] : London

Enter the STATE (or Province or County) [ ] : London

Enter the COUNTRY (two-letter ISO abbreviation) [ ] : UK

Enter keystore password:  Re-enter new password: Enter key password for <SAMICORP>

        (RETURN if same as keystore password):  Re-enter new password:

/t01/erptr11225/fs2/EBSapps/comn/util/jdk32/jre/bin/java -Djava.security.egd=file:/dev/urandom sun.security.tools.KeyTool -genkey -alias                                                                                                     SAMICORP -keyalg RSA -keysize  2048 -keystore /t01/erptr11225/fs_ne/EBSapps/appl/ad/admin/adkeystore.dat -validity 14600 -dname " CN=SAMICORP, O=                                                                                                    SAMICORP, OU=IT, L=London, S=London, C=AE"

The above Java program completed successfully.

Your digital signature has been created successfully and

imported into the keystore database. This signature

will now be used to sign Applications JAR files whenever

they are patched.

  IMPORTANT: If you have multiple web servers, you must copy

  files to each of the remaining web servers on your site.

  See the documentation reference for more information.

adjkey is complete.

Additional Information

If required, you can view the contents of adkeystore.dat by running the following command:

$ keytool -list -v -keystore adkeystore.dat

Create a Certificate Signing Request

Create a "Certificate Signing Request" (named adkeystore.csr in this example) to send to your CA provider for signing. This will be created using the same alias name from previous step

Command to Create a Certificate Signing Request

$ keytool -sigalg SHA256withRSA -certreq -keystore /t01/testerp/fs_ne/EBSapps/appl/ad/admin/adkeystore.dat -file /t01/testerp/fs_ne/EBSapps/appl/ad/admin/adkeystore.csr –alias erpprd_erplxprdap1

Enter keystore password:      ----à puneet

Enter key password for <SAMICORP>   --à myxuan

Now Submit your Certificate Signing Request


Submit your certificate signing request 'adkeystore.csr' to your official certificate authority, for example, Verisign, Thawte etc. or to your own in-house certificate authority as applicable. 


Now Import the Root Certificate to the Java Keystore Certificate Store 'cacerts' (if required)

/t01/testerp/fs1/EBSapps/comn/util/jdk32/jre/lib/security

[user@ed-olapplin security]$ keytool -import -alias Root -file Root.cer -trustcacerts -v -keystore cacerts

Trust this certificate? [no]:  yes

Certificate was added to keystore

[Storing cacerts]



Keystore Password: defaultpwdchangeit


Import the Code Signing Certificate into the Keystore

/t01/testerp/fs_ne/EBSapps/appl/ad/admin

[appluat@erplxprdap1 admin]$ keytool -import -file SAMICORPEBS.cer -trustcacerts -alias erpprd_erplxprdap1 -keystore adkeystore.dat

Enter keystore password:  à defaultpuneet

Enter key password for <SAMICORP> à myxuan

Certificate reply was installed in keystore


Regenerate the Jar File

Shutdown the application services.

Source your APPS env file and shutdown your application tier services.


Source your APPS env File

On the Application tier as the file system owner source your APPS env file.

Shutdown the Application Tier

Shut down the application tier services:

$ adstpall.sh <apps_user>/<apps_pwd>

 Regenerate the jar files through adadmin

Regenerate all JAR Files using the force option through adadmin:

Run ADADMIN, and select the following from the AD Administration Main Menu:

Choose Generate Applications Files menu
From this menu choose Generate product JAR files


Enter yes when prompted with: Do you wish to force regeneration of all jar files? [No] ? yes

Once your jar files have been successfully generated, restart the application tier.

Restart the Application Tier

Restart the application tier services:

$ adstrtal.sh <apps_user>/<apps_pwd>

Remove the cache from browser and old jar files from the control tab -> java- > click on General -> Click on View -> Select all files -> And delete -> Apply and Ok.



Open the java forms 1st time you will get the blow page. Click on the Do not show and Run.

Java Forms opened.