http://lesstif.com/pages/viewpage.action?pageId=6979614
Creating the ROOT CA certificate
--------------------------------
1. Generate the RSA key pair (public and private key) that the CA will use
$ openssl genrsa -aes256 -out /etc/pki/tls/private/dosco-rootca.key 2048
Generating RSA private key, 2048 bit long modulus
..........................+++
..................................................................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for /etc/pki/tls/private/dosco-rootca.key: welcome1
Verifying - Enter pass phrase for /etc/pki/tls/private/dosco-rootca.key: welcome1
2. Set permissions on the private key
$ chmod 600 /etc/pki/tls/private/dosco-rootca.key
3. Save the following as rootca_openssl.conf for generating the CSR (Certificate Signing Request)
$ vi rootca_openssl.conf
[ req ]
default_bits = 2048
# sha1 is what this post used; SHA-1 signatures are deprecated and sha256 is the current default
default_md = sha1
default_keyfile = dosco-rootca.key
distinguished_name = req_distinguished_name
extensions = v3_ca
req_extensions = v3_ca
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier = hash
##authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = keyCertSign, cRLSign
nsCertType = sslCA, emailCA, objCA
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = KR
countryName_min = 2
countryName_max = 2
# Company Name
organizationName = Organization Name (eg, Company)
organizationName_default = Dosco Inc.
# Org
#organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default = Condor Project
# SSL domain
commonName = Common Name (eg, your name or server's hostname)
commonName_default = Dosco's Self Signed CA
commonName_max = 64
$ openssl req -new -key /etc/pki/tls/private/dosco-rootca.key -out /etc/pki/tls/certs/dosco-rootca.csr -config rootca_openssl.conf
Enter pass phrase for /etc/pki/tls/private/dosco-rootca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KR]:KR
Organization Name (eg, Company) [Dosco Inc.]:Dosco
Common Name (eg, your name or server's hostname) [Dosco's Self Signed CA]:Dosco's Self Signed CA
4. Generate a 20-year self-signed certificate
$ openssl x509 -req -days 7300 -extensions v3_ca -set_serial 1 -in /etc/pki/tls/certs/dosco-rootca.csr \
-signkey /etc/pki/tls/private/dosco-rootca.key -out /etc/pki/tls/certs/dosco-rootca.crt -extfile rootca_openssl.conf
Signature ok
subject=/C=KR/O=Dosco/CN=Dosco's Self Signed CA
Getting Private key
Enter pass phrase for /etc/pki/tls/private/dosco-rootca.key:
5. Print the certificate details to check that it was generated correctly
$ openssl x509 -text -in /etc/pki/tls/certs/dosco-rootca.crt
===================================================================================================================================================
Enhanced Jar Signing for Oracle E-Business Suite (Doc ID 1591073.1)
Generate Keypair and Certificate Signing Request
------------------------------------------------
$ export JRI_DATA_LOC=$APPL_TOP/admin
$ cd $JRI_DATA_LOC
$ adjkey -initialize -keysize 2048 -alias Dosco
=> javaVersionfile, adsign.txt, adkeystore.dat
$ adjkey -certreq -file $JRI_DATA_LOC/adkeystore.csr
=> adkeystore.csr
Issuing the certificate
-----------------------
$ cp /u02/DEV/apps/apps_st/appl/admin/adkeystore.csr /etc/pki/tls/certs
$ openssl x509 -req -days 1825 -extensions v3_user -in /etc/pki/tls/certs/adkeystore.csr \
-CA /etc/pki/tls/certs/dosco-rootca.crt -CAcreateserial \
-CAkey /etc/pki/tls/private/dosco-rootca.key \
-out /etc/pki/tls/certs/dosco.crt
Signature ok
subject=/C=KR/ST=Busan/L=Busan/O=Dosco/OU=Dosco/CN=Dosco
Getting CA Private Key
Enter pass phrase for /etc/pki/tls/private/dosco-rootca.key: welcome1
$ openssl x509 -text -in /etc/pki/tls/certs/dosco.crt
Note that -extensions v3_user has no effect in the signing command above because no -extfile is passed (and rootca_openssl.conf has no v3_user section), so OpenSSL adds no extensions at all and the issued certificate comes out as version 1, which is what the keytool output below reports.
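The same root-CA-plus-leaf flow as an added, self-contained example (not code from the original post), written so it runs without prompts and actually applies the leaf extensions by passing -extfile, then verifies the chain with openssl verify. It assumes openssl is in PATH; the names, subjects and the ext.cnf sections are made up for the demo, and the leaf CSR stands in for the adkeystore.csr that adjkey produces.

```shell
#!/bin/sh
# Added example: throwaway root CA, a code-signing leaf signed by it, and checks.
# Everything is written to a fresh temp dir whose path the function prints.
set -eu

make_ca_and_sign() {
    work=$(mktemp -d)
    # One config file: a minimal [ req ] so -subj works non-interactively,
    # plus the extension sections used at signing time via -extfile.
    cat > "$work/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier = hash
keyUsage = critical, keyCertSign, cRLSign
[ v3_user ]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
keyUsage = critical, digitalSignature
extendedKeyUsage = codeSigning
EOF
    # Root CA: key, CSR, self-signed cert (20 years, serial 1, as in the post).
    openssl genrsa -out "$work/ca.key" 2048 2>/dev/null
    openssl req -new -key "$work/ca.key" -config "$work/ext.cnf" \
        -subj "/C=KR/O=Example Inc./CN=Example Root CA" -out "$work/ca.csr"
    openssl x509 -req -days 7300 -set_serial 1 -extensions v3_ca \
        -extfile "$work/ext.cnf" -in "$work/ca.csr" -signkey "$work/ca.key" \
        -out "$work/ca.crt" 2>/dev/null
    # Leaf: key + CSR (stand-in for adjkey's adkeystore.csr), signed by the CA.
    # Unlike the post, -extfile is given, so v3_user is really applied.
    openssl genrsa -out "$work/leaf.key" 2048 2>/dev/null
    openssl req -new -key "$work/leaf.key" -config "$work/ext.cnf" \
        -subj "/C=KR/O=Example Inc./CN=jar-signer" -out "$work/leaf.csr"
    openssl x509 -req -days 1825 -extensions v3_user -extfile "$work/ext.cnf" \
        -in "$work/leaf.csr" -CA "$work/ca.crt" -CAkey "$work/ca.key" \
        -CAcreateserial -out "$work/leaf.crt" 2>/dev/null
    # Checks: the chain validates, the leaf is X.509 v3, and it is not a CA.
    openssl verify -CAfile "$work/ca.crt" "$work/leaf.crt" >/dev/null
    openssl x509 -in "$work/leaf.crt" -noout -text | grep -q 'Version: 3'
    openssl x509 -in "$work/leaf.crt" -noout -text | grep -q 'CA:FALSE'
    echo "$work"
}
```

Running make_ca_and_sign prints the directory holding ca.crt and leaf.crt; any failed step or check aborts the script because of set -e.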
Import your Certificate(s)
--------------------------
$ export SEC_PROP_LOC=$OA_JRE_TOP/lib/security
$ cd $SEC_PROP_LOC
$ cp /etc/pki/tls/certs/dosco.crt $SEC_PROP_LOC
$ keytool -import -alias Dosco -file dosco.crt -trustcacerts -v -keystore cacerts
Enter keystore password: changeit
Owner: CN=Dosco, OU=Dosco, O=Dosco, L=Busan, ST=Busan, C=KR
Issuer: CN=Dosco's Self Signed CA, O=Dosco, C=KR
Serial number: a1a76cdea5290051
Valid from: Fri Jul 18 11:49:25 KST 2014 until: Wed Jul 17 11:49:25 KST 2019
Certificate fingerprints:
MD5: BF:C6:86:D8:67:FA:A9:34:AB:D4:2C:71:9D:65:C7:3E
SHA1: 7C:E1:32:5D:FE:D0:7B:CC:6E:8D:2F:72:2A:7A:92:04:53:51:8B:FB
Signature algorithm name: SHA1withRSA
Version: 1
Trust this certificate? [no]: y
Certificate was added to keystore
[Storing cacerts]
$ keytool -storepasswd -keystore cacerts
Enter keystore password: changeit
New keystore password: welcome1
Re-enter new keystore password: welcome1
$ cp dosco.crt $JRI_DATA_LOC/adkeystore.crt
$ cd $JRI_DATA_LOC
$ adjkey -import -file adkeystore.crt -trustcacerts