Important Notice for customers using Oracle Demantra version 12.2.

3 and earlier

Java April Critical Patch Update

Oracle is planning to release a Critical Patch Update for Java on April 18, 2017. This update will require
that all JAR (Java Archive) files be signed using the SHA-256 algorithm. JAR files signed with the MD5
algorithm will be blocked. This change will result in the Demantra application being blocked for most
customers running Demantra versions 12.2.3 and earlier.
Note that if the Java settings on the client are configured for automatic updates, then the Java April
Critical Patch Update will be applied automatically. If this occurs without taking the actions listed below,
then users will not be able to access Demantra versions 12.2.3 and earlier.
For more information on the Java change related to MD5 algorithms refer to: java.com/cryptoroadmap
which includes instructions on disabling MD5 signed jars in case you want to test the impact of this
change using the current version of Java prior to the release of the April Critical Patch Update.
Customers running Demantra versions 12.2.4 and later
Demantra versions 12.2.4 and later use the SHA-256 algorithm and will not be affected by this Java
update. Customers running Demantra 12.2.4 or later can ignore this note.
Customers running Demantra versions 12.2.3 and earlier
Customers running Demantra versions 12.2.3 or earlier who intend to apply the Java update, must
replace the existing JAR files in their Demantra instance with new JAR files that have been signed using
the SHA-256 algorithm. Failure to do this will result in users not being able to access the Demantra
application.
Customers running Demantra versions 12.2.3 or earlier must first determine if they are running a
standard release version or if they have applied custom patches. To determine your current Demantra
version and build, sign-on to Demantra Collaborator Workbench and select Help and then About.
This will display a pop-up window showing the version number and build.
If you are running one of the standard release versions and builds listed below, then you should apply
Patch Request 20859792 / Bug 25103402 - RE-SIGNED JAR FILES WITH SHA-256 FOR DEMANTRA 12.2.3
AND BELOW. This patch can be applied at any point in time. However, in order to avoid users not being
able to access the Demantra application, it should be applied before applying the Java April Critical Patch
Update. In order to apply this patch you must be running a version and build that exactly matches one
of the following:
12.2.3 build 6
12.2.2 build 11
12.2.1 build 15
7.3.1 build 5207
If you are running one of the standard release versions and builds listed above, then you should file a
Support Request with Oracle Support and request the current password for Patch Request 20859792 /
Bug 25103402 - RE-SIGNED JAR FILES WITH SHA-256 FOR DEMANTRA 12.2.3 AND BELOW. The patch
cannot be downloaded without the password. Passwords are only valid for seven days. In the Support
Request you should provide your Demantra Version details history. You can obtain this by running the
following query against your Demantra database schema: select * from version_details_history order by
upgrade_date desc;
If you are not running one of the standard release versions and builds listed above then you have custom
patches applied and you should not apply Patch Request 20859792 / Bug 25103402 - RE-SIGNED JAR
FILES WITH SHA-256 FOR DEMANTRA 12.2.3 AND BELOW. Applying this patch will overwrite any custom
patches that have previously been applied. In this case you must file a Support Request with Oracle
Support and request a set of signed JAR files that include your custom patches. You will be requested to
provide your current JAR files and you will receive a new set of signed JAR files that match the existing
ones. In the Support Request, you should provide the following:
1. Your Demantra Version details history. You can obtain this by running the following query
against your Demantra database schema: select * from version_details_history order by
upgrade_date desc;
2. The following JAR files from the Windows environment where your existing Demantra is
installed:
a. The following 6 JAR files in the folder %Demantra_Installation
%\Collaborator\demantra\portal (replace %Demantra_Installation% with the Demantra
installation folder):
collaborator.jar
editPluginApplet.jar
logout.kar
offlineHelp.jar
TaskListApplet.jar
UserListApplet.jar
b. The file log4j.jar from the folder %Demantra_Installation
%\Collaborator\demantra\common
c. The file XMLEditor.jarGo from the folder %Demantra_Installation
%\Collaborator\demantra\workflow
Support will then send you back the eight JAR files with the same names but re-signed with SHA-256.
You will need to replace the original JAR files with the new JAR files. Be sure to put them in the same
location as the original files and to overwrite the existing files. If Demantra is deployed on Linux then you
will need to re-create the WAR file and deploy it on your application server (e.g. Weblogic). When done,
you must restart the application server.
Implications
Customers running Demantra versions 12.2.3 or earlier that apply the Java April Critical Patch Update
without replacing the existing JAR files in their Demantra instance with new JAR files that have been
signed using the SHA-256 algorithm will likely get a Security Warning after applying the Java April Critical
Patch Update. The Security Warning will state that an unsigned application is requesting permission to
run. Although the Security Warning gives the impression that if you choose Run the application will
run, this is not the case. If you choose Run you will still encounter errors with the Java applet.
Temporary Workarounds
Note that the options listed below are only intended as temporary workarounds. The long-term solution
is to either take the appropriate action outlined above to obtain new JAR files that have been signed
using the SHA-256 algorithm or to upgrade to version 12.2.4 or later of Demantra.
Option 1: Do not apply the Java April Critical Patch Update. In order to do this you must ensure that all
clients are not configured for automatic Java updates.
Option 2: If the Java April Critical Patch Update has already been applied, then you can revert to a prior
version of Java. To do this you must first uninstall the current version of Java and then install an older
version. This will need to be done on every client. In order to prevent the Java April Critical Patch
Update from being reapplied, you must ensure that all clients are not configured for automatic Java
updates.
Option 3: Manually allow the MD5 algorithm by doing the following on each client machine:
1. Go to the JRE folder being used by the browser. For example, the default location on Windows
should be C:\Program Files (x86)\Java\jre1.X.0_XXX (1.X.0_XXX is the version number of the JRE)
2. Go to the lib\security folder under this JRE folder, open the file java.security
3. In the file java.security, look for the key jdk.jar.disabledAlgorithms, whose values should contain
MD5.
4. Remove MD5 from the values, save the change.
5. Clear the client side Java cache.
6. Reopen the Demantra web page (e.g. Collaborator Workbench or Workflow). The Java applets
should now be working.

Summary
Customers running Demantra versions 12.2.3 and earlier must take action to obtain new JAR files that
have been signed using the SHA-256 algorithm in order to prevent users from not being able to access
the Demantra application after the April Critical Patch Update for Java is applied.