Aug 06 2010

Signing JAR files

Published by admin at 8:18 PM

JAR signing is essentially a protection mechanism used to prevent the technique we call code injection.
If you want a program you have written to stay under your control, and not to use any JAR file that you did not sign yourself, you can use this technique.
In large systems this is very important: to get into your program, attackers can modify your JAR files, and with them the behaviour of your program.
That is something you never want in a large system. To prevent such tampering you sign your JARs, and because your program knows which signature to expect, it can open and use them without problems.
But when someone else modifies your JAR and tries to get in that way, the modified JAR no longer carries a valid signature, so your program will not read it. This is how you block the injection.
You can find detailed information on this subject in the article below.
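The program-side check described above, as an added example that is not code from this post or from Oracle: it opens a JAR with verification enabled, reads every entry so that the JDK checks the entry's digest against the signature file, and then compares the signer's certificate fingerprint against a pinned value. The class name, the TRUSTED_CERT_SHA256 constant and its all-zero placeholder value are assumptions; the code assumes Java 7 or later.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public final class JarSignatureCheck {

    // Hypothetical placeholder: the SHA-256 fingerprint of your own signing certificate.
    // Take the real value from `keytool -list -v -keystore c:\keystore -alias signing_cert`
    // and paste it here without the colons.
    static final String TRUSTED_CERT_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    /**
     * Returns true only if every non-META-INF entry is signed by the pinned certificate
     * and its content still matches the digest recorded at signing time.
     */
    public static boolean isSignedByTrustedCert(String jarPath) throws IOException {
        // verify=true: JarFile checks each entry's digest against the .SF file as the entry is read
        try (JarFile jar = new JarFile(jarPath, true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) {
                    continue; // the manifest and the signature files are not themselves signed entries
                }
                // Signer information is only populated once the entry has been read to the end.
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) {
                        // a SecurityException here means the entry was changed after signing
                    }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    return false; // unsigned entry, e.g. a class added to the JAR after signing
                }
                boolean trusted = false;
                for (CodeSigner s : signers) {
                    // the first certificate of the signer's path is the leaf (signing) certificate
                    Certificate leaf = s.getSignerCertPath().getCertificates().get(0);
                    if (fingerprint(leaf).equals(TRUSTED_CERT_SHA256)) {
                        trusted = true;
                    }
                }
                if (!trusted) {
                    return false; // signed, but by somebody else's certificate
                }
            }
            return true;
        } catch (SecurityException e) {
            return false; // digest mismatch or malformed signature block
        }
    }

    /** Lower-case hex SHA-256 of the DER-encoded certificate, the value keytool prints as the fingerprint. */
    static String fingerprint(Certificate cert) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException | CertificateEncodingException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: java JarSignatureCheck <file.jar>");
            System.exit(2);
        }
        boolean ok = isSignedByTrustedCert(args[0]);
        System.out.println(args[0] + (ok ? ": signed by the trusted certificate" : ": REJECTED"));
        System.exit(ok ? 0 : 1);
    }
}
```

Note that pinning the certificate fingerprint is what turns "this JAR is signed" into "this JAR is signed by us": a JAR that somebody else re-signed with their own key passes the JDK's digest check but fails the fingerprint comparison, and a JAR whose signature files were simply removed fails because getCodeSigners() returns null for every entry.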

If the JAR file you want to sign is already signed, open the JAR, go into the META-INF directory and delete the .SF and .RSA files. Then, inside the MANIFEST.MF file, delete the sections containing the SHA1-Digest: lines. After these steps your JAR is unsigned again, and you can sign it yourself.
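The same clean-up done programmatically, as an added example that is not part of the original post: it copies a JAR while dropping the signature files in META-INF and clearing the per-entry sections of MANIFEST.MF, which is where the SHA1-Digest: lines live; the main section of the manifest is kept. It goes slightly beyond the text by also dropping .DSA and .EC signature blocks, which jarsigner writes for non-RSA keys. The class name JarUnsign and the command-line usage are assumptions; the code assumes Java 7 or later.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Enumeration;
import java.util.Locale;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.Manifest;
import java.util.zip.ZipEntry;
import java.util.zip.ZipOutputStream;

public final class JarUnsign {

    /** True for META-INF/*.SF and the signature blocks (.RSA, .DSA, .EC) that belong to them. */
    static boolean isSignatureFile(String name) {
        if (!name.startsWith("META-INF/")) {
            return false;
        }
        if (name.indexOf('/', "META-INF/".length()) != -1) {
            return false; // signature files live directly in META-INF, not in sub-directories
        }
        String upper = name.toUpperCase(Locale.ROOT);
        return upper.endsWith(".SF") || upper.endsWith(".RSA")
                || upper.endsWith(".DSA") || upper.endsWith(".EC");
    }

    /** Writes a copy of {@code in} to {@code out} with all signature data removed. */
    public static void unsign(Path in, Path out) throws IOException {
        // verify=false: the signature is being discarded, so a JAR whose digests no
        // longer match must not abort the copy
        try (JarFile jar = new JarFile(in.toFile(), false);
             ZipOutputStream zos = new ZipOutputStream(Files.newOutputStream(out))) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                String name = e.getName();
                if (isSignatureFile(name)) {
                    continue; // step 1 of the text: drop the .SF and .RSA files
                }
                zos.putNextEntry(new ZipEntry(name));
                if (name.equalsIgnoreCase(JarFile.MANIFEST_NAME)) {
                    // Step 2 of the text: the per-entry sections are the
                    // "Name: ... / SHA1-Digest: ..." blocks; clearing them keeps the main
                    // section (Manifest-Version, Main-Class, ...) intact.
                    Manifest mf;
                    try (InputStream is = jar.getInputStream(e)) {
                        mf = new Manifest(is);
                    }
                    mf.getEntries().clear();
                    mf.write(zos);
                } else if (!e.isDirectory()) {
                    try (InputStream is = jar.getInputStream(e)) {
                        copy(is, zos);
                    }
                }
                zos.closeEntry();
            }
        }
    }

    private static void copy(InputStream is, OutputStream os) throws IOException {
        byte[] buf = new byte[8192];
        int n;
        while ((n = is.read(buf)) != -1) {
            os.write(buf, 0, n);
        }
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 2) {
            System.err.println("usage: java JarUnsign <signed.jar> <unsigned.jar>");
            System.exit(2);
        }
        unsign(Paths.get(args[0]), Paths.get(args[1]));
        System.out.println("wrote unsigned copy to " + args[1]);
    }
}
```

The output JAR can then be passed to jarsigner with your own key. Deleting the whole META-INF directory, as the batch steps below do, achieves the same thing but also throws away the manifest, which matters if the JAR relies on a Main-Class or Class-Path attribute.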


The default JAR file that comes with Oracle Forms is signed by a certificate issued to “Developer” by “Oracle”. This doesn’t sound very trustworthy to most users. Besides that, the dialog of Sun’s JPI/JRE mentions that the security certificate was issued by a company that is not trusted.
(Screenshot: the warning dialog about an untrusted company)

You can choose to re-sign the JAR file yourself and have your own company name in this warning. You can even get Sun JPI to trust the company that signed it.

When you’re going to re-sign the JAR file you can either buy a commercial certificate from any of the well known vendors like Verisign or Thawte, or you can decide to issue your own certificate. This is not as secure, but might do the trick for you. If you issue your own certificate, you’re best off using Oracle Certificate Authority, which is part of Oracle Application Server. That way, you can make all your self-issued certificates use one and the same root certificate. You just have to import this one root certificate in your browser and JVM and all your self-issued certificates will be trusted. Read another blog entry for more information.

Signing the JAR file with your own certificate is documented in an Oracle whitepaper. The section about “Problems With Multiple Signing Identities” explains how to re-sign the f90all.jar yourself. I just used the JDK that comes with Oracle Developer Suite. Be sure to use RSA as the key algorithm, as the default won’t work. Basically the steps using Oracle Certificate Authority are as follows:

rem Create key (and keystore)
%ORACLE_HOME%\jdk\bin\keytool -genkey -keyalg RSA ^
  -dname "cn=YourName,o=YourCompany,c=NL" -alias signing_cert ^
  -keypass ******** -keystore c:\keystore -storepass ******** ^
  -validity 2922

rem Create certification request (get it approved by the CA)
%ORACLE_HOME%\jdk\bin\keytool -certreq ^
  -file c:\signing_cert.req -alias signing_cert ^
  -keypass ******** -keystore c:\keystore -storepass ********

rem Import the root certificate of your OCA
%ORACLE_HOME%\jdk\bin\keytool -import -alias root_cert ^
  -file c:\root.cer -keystore c:\keystore -storepass ********

rem Import the approved certificate into the keystore
%ORACLE_HOME%\jdk\bin\keytool -import -alias signing_cert ^
  -file c:\signing_cert.cert -keypass ******** ^
  -keystore c:\keystore -storepass ********

rem Extract the Forms 90420 JAR file
md c:\temp\f90all
cd c:\temp\f90all
%ORACLE_HOME%\jdk\bin\jar -xvf %ORACLE_HOME%\forms90\java\f90all.jar

rem Delete the meta information (old manifest and signature files) from the extracted JAR
rd c:\temp\f90all\META-INF /s/q

rem Repackage the JAR
cd c:\temp\f90all
%ORACLE_HOME%\jdk\bin\jar -cvf c:\temp\f90all_repackaged.jar *.*

rem Sign the new JAR
%ORACLE_HOME%\jdk\bin\jarsigner -keystore c:\keystore ^
  -storepass ******** -keypass ******** ^
  c:\temp\f90all_repackaged.jar signing_cert

If you do not want to use Oracle Certificate Authority you can simply skip the steps that create a certification request and import the two certificates from OCA. You can also choose to buy a real signing certificate, in which case you do not use OCA to process your certification request but a trusted company like Verisign or Thawte.

Now that you have your self-signed JAR file, just place it in the forms90/java directory on your application server and refer to it in the archive and/or archive_jini parameters of your formsweb.cfg.

Sun JPI will still raise a dialog box asking the user to allow the Forms applet to run outside of its sandbox. You cannot get rid of this dialog, as it is by design of Java that the user always has to allow an applet to run outside of its sandbox. But now at least it shows your own name and not “Oracle” and “Developer”.

If you’ve not bought a “real” certificate from a commercial party, the dialog will warn the user that the security certificate was issued by a company that is not trusted. You can get rid of this one by importing your own certificate (or root certificate from OCA) in the keystore of your JVM. You can read all about that in a separate blog entry. In the end your warning will look like this:
(Screenshot: the warning dialog with a trusted company)

Source: http://www.oratransplant.nl/2005/09/05/re-signing-forms-jar-file/

Comments

Response by pc games, United States, on 10/19/2010 6:21:12 PM

blog.kooncar.com/.../...894e0b882e0b8b2e0b894.aspx

Response by bmx fahrrad, United States, on 10/19/2010 10:51:00 PM

Hello, this is a really fascinating web blog and I've loved reading several of the articles and posts contained upon the site, sustain the great work and hope to read a lot more exciting articles in the time to come.