Unable to launch PO ID and ESR | Unsigned application problem with MD5withRSA

May 10, 2017 at 05:35 PM

I'm trying to launch a 7.31 SP07 dual stack PI system's ESR and Integration Builder with a 1.8.0_131 JRE client.

As per the note 2073368 - Compatibility matrix: recommended Java version for Integration Builder tools of SAP Process Integration, this shouldn't be a problem. Still, while trying to start the Swing clients this way, I get the following error message:

"Unsigned application requesting unrestricted access to system. The following resource is signed with a weak signature algorithm MD5withRSA and is treated as unsigned"

I'm aware that MD5withRSA is treated as unsigned from JRE 1.8.0_131 onwards. I'm also aware of the (ugly) workaround of modifying the parameter jdk.jar.disabledAlgorithms in the java.security file of the JRE. Still, is there a more secure workaround, or a permanent solution?

[FYI: Clearing the server-side cache with the help of the well-known ESR and ID logon issue troubleshooting page does not help, either.]

Thanks a lot for your help!

Regards,

Peter


2 Answers

Evgeniy Kolmakov May 11, 2017 at 12:24 PM

Hi Peter!

You could try to add your PI resources to the Exception Site List in the Java security settings and to turn off keeping temporary internet files in the general settings. As for me, I use Java version 8 update 77 with no issues.

Regards, Evgeniy.


Hi Evgeniy,

Thanks for the answer. In my case, selecting another Java version is not an option, because of company restrictions. The problem I'm facing with the MD5withRSA signature algorithm has only existed since the latest Java release:

https://www.java.com/en/download/help/jcp_security.xml#md5

Regards,

Peter

Hi Peter!

Did you try the steps with security settings and temporary files?

Regards, Evgeniy.

Hi Evgeniy,

Yes I did, and I get the same error.

Regards,

Peter

Bence Somlyo
May 30, 2017 at 12:26 PM

Dear Péter,

This change was made on Oracle's side:

http://www.oracle.com/technetwork/java/javase/8u131-relnotes-3565278.html

Changes:

security-libs/java.security MD5 added to jdk.jar.disabledAlgorithms Security property

This JDK release introduces a new restriction on how MD5 signed JAR files are verified. If the signed JAR file uses MD5, signature verification operations will ignore the signature and treat the JAR as if it were unsigned. This can potentially occur in the following types of applications that use signed JAR files:

- Applets or Web Start Applications
- Standalone or Server Applications that are run with a SecurityManager enabled and are configured with a policy file that grants permissions based on the code signer(s) of the JAR file.

The list of disabled algorithms is controlled via the security property, jdk.jar.disabledAlgorithms, in the java.security file. This property contains a list of disabled algorithms and key sizes for cryptographically signed JAR files.

To check if a weak algorithm or key was used to sign a JAR file, one can use the jarsigner binary that ships with this JDK. Running "jarsigner -verify" on a JAR file signed with a weak algorithm or key will print more information about the disabled algorithm or key.

[...]

To address the issue, the JAR file will need to be re-signed with a stronger algorithm or key size. Alternatively, the restrictions can be reverted by removing the applicable weak algorithms or key sizes from the jdk.jar.disabledAlgorithms security property; however, this option is not recommended. Before re-signing affected JARs, the existing signature(s) should be removed from the JAR file.

I recommend reverting to the previous Java version and contacting Oracle support.

Best regards,

Bence
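
Added example, not part of the thread and not SAP or Oracle code: a Python sketch for inventorying which JARs carry MD5-based signatures before they are re-signed, as the quoted release notes advise. It is a byte-level heuristic (a hit in the signature block can come from the signer info or from an embedded certificate), so `jarsigner -verify` remains the authoritative check; the function names and the sample JAR contents are constructed for illustration.

```python
import io
import re
import zipfile

# DER encodings (tag 0x06, length, value) of the MD5-based algorithm OIDs.
MD5_OIDS = {
    "md5WithRSAEncryption 1.2.840.113549.1.1.4": bytes.fromhex("06092a864886f70d010104"),
    "md5 1.2.840.113549.2.5": bytes.fromhex("06082a864886f70d0205"),
}
SIG_BLOCK = re.compile(r"^META-INF/[^/]+\.(RSA|DSA|EC)$", re.I)
SIG_FILE = re.compile(r"^META-INF/[^/]+\.SF$", re.I)
MD5_HEADER = re.compile(rb"^MD5-Digest(-Manifest(-Main-Attributes)?)?:", re.M | re.I)


def audit_jar(jar):
    """Return (signed, findings) for a JAR given as a path or file object."""
    signed, findings = False, []
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if SIG_BLOCK.match(name):
                signed = True
                blob = zf.read(name)
                # Heuristic: look for the encoded OID anywhere in the PKCS#7 block.
                findings += [f"{name}: OID {label}"
                             for label, oid in MD5_OIDS.items() if oid in blob]
            elif SIG_FILE.match(name) and MD5_HEADER.search(zf.read(name)):
                findings.append(f"{name}: MD5 digest headers")
    return signed, findings


def constructed_jar(sf_text, block):
    """Build an in-memory sample JAR (constructed data, not a real signature)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        zf.writestr("META-INF/SIGNER.SF", sf_text)
        zf.writestr("META-INF/SIGNER.RSA", block)
    buf.seek(0)
    return buf


# Constructed AlgorithmIdentifier fragments standing in for a full PKCS#7 block.
WEAK_BLOCK = bytes.fromhex("300d06092a864886f70d0101040500")    # md5WithRSAEncryption
STRONG_BLOCK = bytes.fromhex("300d06092a864886f70d01010b0500")  # sha256WithRSAEncryption

if __name__ == "__main__":
    weak = constructed_jar("Signature-Version: 1.0\r\nMD5-Digest-Manifest: AAAA\r\n", WEAK_BLOCK)
    print(audit_jar(weak))
```

`audit_jar` also accepts a filesystem path, so it can be pointed at JARs saved from the Web Start cache.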
