
Unable to launch PO ID and ESR | Unsigned application problem with MD5withRSA

I'm trying to launch a 7.31 SP07 dual stack PI system's ESR and Integration Builder with a 1.8.0_131 JRE client.

As per the note 2073368 - Compatibility matrix: recommended Java version for Integration Builder tools of SAP Process Integration, this shouldn't be a problem. Still, while trying to start the Swing clients this way, I get the following error message:

"Unsigned application requesting unrestricted access to system. The following resource is signed with a weak signature algorithm MD5withRSA and is treated as unsigned"

I'm aware that MD5withRSA is treated as unsigned from JRE 1.8.0_131 onwards. I'm also aware of the (ugly) workaround of modifying the parameter jdk.jar.disabledAlgorithms in the java.security file of the JRE. Still, is there a more secure workaround, or a permanent solution?

[FYI: Clearing the server side cache with the help of the well-known ESR and ID logon issue troubleshooting page does not help, either.]

Thanks a lot for your help!

Regards,

Peter


2 Answers

  • May 11, 2017 at 12:24 PM

    Hi Peter!

    You could try adding your PI resources to the Exception Site List in the Java security settings and turning off the keeping of temporary internet files in the general settings. As for me, I use Java version 8 update 77 with no issues.

    Regards, Evgeniy.


  • May 30, 2017 at 12:26 PM

    Dear Péter,

    This change was made on Oracle's side:

    http://www.oracle.com/technetwork/java/javase/8u131-relnotes-3565278.html

    Changes:

    security-libs/java.security MD5 added to jdk.jar.disabledAlgorithms Security property

    This JDK release introduces a new restriction on how MD5 signed JAR files are verified. If the signed JAR file uses MD5, signature verification operations will ignore the signature and treat the JAR as if it were unsigned. This can potentially occur in the following types of applications that use signed JAR files:

    - Applets or Web Start Applications
    - Standalone or Server Applications that are run with a SecurityManager enabled and are configured with a policy file that grants permissions based on the code signer(s) of the JAR file.

    The list of disabled algorithms is controlled via the security property, jdk.jar.disabledAlgorithms, in the java.security file. This property contains a list of disabled algorithms and key sizes for cryptographically signed JAR files.

    To check if a weak algorithm or key was used to sign a JAR file, one can use the jarsigner binary that ships with this JDK. Running "jarsigner -verify" on a JAR file signed with a weak algorithm or key will print more information about the disabled algorithm or key.

    [...]

    To address the issue, the JAR file will need to be re-signed with a stronger algorithm or key size. Alternatively, the restrictions can be reverted by removing the applicable weak algorithms or key sizes from the jdk.jar.disabledAlgorithms security property; however, this option is not recommended. Before re-signing affected JARs, the existing signature(s) should be removed from the JAR file.

    I recommend reverting to the previous Java version and contacting Oracle support.

    Best regards,

    Bence

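
To complement the `jarsigner -verify` check quoted in the answer above, here is an offline triage sketch added to this page (not code from the thread, SAP or Oracle): it reads the `digestAlgorithms` field of each PKCS#7 signature block under `META-INF/` and returns the blocks that list MD5. The function names and the sample JAR are constructed for illustration; the parser assumes definite-length DER and does not inspect `.SF` digest headers or key sizes, so `jarsigner -verify` remains the authoritative check.

```python
import io, zipfile

DIGEST_OIDS = {  # DER-encoded OID values of digest algorithms in PKCS#7 SignedData
    bytes.fromhex("2a864886f70d0205"): "MD5",        # 1.2.840.113549.2.5
    bytes.fromhex("2b0e03021a"): "SHA-1",            # 1.3.14.3.2.26
    bytes.fromhex("608648016503040201"): "SHA-256",  # 2.16.840.1.101.3.4.2.1
}

def read_tlv(buf, pos):  # -> (value_start, value_end) of the DER element at pos
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def signed_data_digests(block):
    """Digest algorithms listed in SignedData.digestAlgorithms of a PKCS#7 blob."""
    pos, _ = read_tlv(block, 0)        # ContentInfo SEQUENCE: step in
    _, pos = read_tlv(block, pos)      # contentType OID (signedData): skip
    pos, _ = read_tlv(block, pos)      # [0] EXPLICIT wrapper: step in
    pos, _ = read_tlv(block, pos)      # SignedData SEQUENCE: step in
    _, pos = read_tlv(block, pos)      # version INTEGER: skip
    pos, end = read_tlv(block, pos)    # digestAlgorithms SET OF AlgorithmIdentifier
    names = []
    while pos < end:
        alg_start, pos = read_tlv(block, pos)            # one AlgorithmIdentifier
        oid = block[slice(*read_tlv(block, alg_start))]  # its leading OID value
        names.append(DIGEST_OIDS.get(oid, oid.hex()))
    return names

def md5_signed_entries(jar_bytes):
    """Names of META-INF signature block files whose SignedData lists MD5."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        blocks = [n for n in jar.namelist() if n.upper().startswith("META-INF/")
                  and n.upper().endswith((".RSA", ".DSA", ".EC"))]
        return [n for n in blocks if "MD5" in signed_data_digests(jar.read(n))]

def tlv(tag, body):  # DER encoder for the constructed sample (short lengths only)
    return bytes([tag, len(body)]) + body

def constructed_jar(digest_oid):
    """Constructed sample JAR: its .RSA entry holds only a SignedData header."""
    alg = tlv(0x30, tlv(0x06, digest_oid) + b"\x05\x00")  # AlgorithmIdentifier
    signed = tlv(0x30, b"\x02\x01\x01" + tlv(0x31, alg))  # version 1 + digest SET
    body = tlv(0x06, bytes.fromhex("2a864886f70d010702")) + tlv(0xA0, signed)
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as jar:
        jar.writestr("META-INF/SAMPLE.RSA", tlv(0x30, body))
    return out.getvalue()
```

To use it on real files, pass the bytes of each JAR downloaded from the PI server to `md5_signed_entries`; any non-empty result marks a JAR that needs re-signing on the server side.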