IBM Support

Viewing the Java security certificate in a Jar file

Question & Answer


Question

How to view the Java security certificate in a Jar file?

Answer

The following instructions describe how to view the Java security certificate in a specified Jar file. You can use this information to determine when the Java security certificate for the Jar file expires.

When the Java security certificate expires, you will need to re-sign the Jar file to use a newer Java security certificate. Normally this is done by upgrading to a newer product release that re-signs all of the associated Jar files in the product with a newer Java security certificate. (See the technote link listed under "Related information" for a list of product versions that use the latest Java security certificates.)

The recommended method to verify the Java security certificate in a Jar file is to use the jarsigner utility. This utility is part of the JDK; it is not part of the JRE.

Use the following syntax to return the list of security certificates in a jar file (assuming it is signed):

jarsigner -verify -verbose -certs <jarfilename>.jar

Where <jarfilename> is one of the identified signed Jar files in a given product.

The above syntax outputs the certificates associated with every class in the jar file. Because every class is signed with the same certificate, look at the last one in the list to find the expiration date.

a. Make sure that the JDK is installed. (The jarsigner tool is NOT present in the JRE.)
b. Go to <java_home>\bin
c. Run jarsigner -verify -verbose -certs <jarfilename>.jar
d. Check the certificate's "valid from" date under the “CN=International Business Machines Corporation” section.

Example:

C:\Java\jdk1.6.0_11\bin\jarsigner -verify -verbose -certs "C:\Program Files (x86)\FileNet\AE\Workplace\download\javaapi.jar"

...
sm 5513 Tue Mar 11 21:21:02 PDT 2014 com/filenet/wcm/api/util/ServerEnvironment.class

[entry was signed on 3/11/14 9:21 PM]
X.509, CN=International Business Machines Corporation, OU=Industry Solutions, OU=Digital ID Class 3 - Java Object Signing, O=International Business Machines Corporation, L=Armonk, ST=New York, C=US
[certificate is valid from 4/11/13 5:00 PM to 6/10/16 4:59 PM]
X.509, CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
[certificate is valid from 2/7/10 4:00 PM to 2/7/20 3:59 PM]
[KeyUsage extension does not support code signing]
X.509, CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
[certificate is valid from 11/7/06 4:00 PM to 11/7/21 3:59 PM]
[KeyUsage extension does not support code signing]
X.509, OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
[certificate is valid from 1/28/96 4:00 PM to 8/2/28 4:59 PM]

s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
i = at least one certificate was found in identity scope

jar verified.

Run the jarsigner utility on each of the identified signed Jar files in a given product. A list of files for ECM products that use Java security certificates can be obtained from IBM Support.
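The following Python script is an added example, not part of the IBM technote or any IBM tooling. It parses the text printed by jarsigner -verify -verbose -certs and reports whether the signer certificate has expired or is close to expiring. The function names, the 90-day warning window and the US date format are assumptions made for this example.

```python
import re
from datetime import datetime

# Abridged from the technote's sample output (signer certificate and issuing CA only).
SAMPLE = """\
sm 5513 Tue Mar 11 21:21:02 PDT 2014 com/filenet/wcm/api/util/ServerEnvironment.class
[entry was signed on 3/11/14 9:21 PM]
X.509, CN=International Business Machines Corporation, OU=Industry Solutions, C=US
[certificate is valid from 4/11/13 5:00 PM to 6/10/16 4:59 PM]
X.509, CN=VeriSign Class 3 Code Signing 2010 CA, O="VeriSign, Inc.", C=US
[certificate is valid from 2/7/10 4:00 PM to 2/7/20 3:59 PM]
[KeyUsage extension does not support code signing]
jar verified.
"""

VALID_RE = re.compile(r"\[certificate is valid from (.+?) to (.+?)\]")
# Assumption: dates use the US short format seen in the sample output;
# jarsigner formats them per the JVM locale, so adjust DATE_FMT elsewhere.
DATE_FMT = "%m/%d/%y %I:%M %p"
SIGNER_CN = "CN=International Business Machines Corporation"

def parse_cert_validity(output):
    """Map each X.509 subject line to its (valid_from, valid_to) datetimes."""
    certs, subject = {}, None
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("X.509, "):
            subject = line[len("X.509, "):]
        elif subject and (m := VALID_RE.search(line)):
            certs[subject] = tuple(datetime.strptime(d, DATE_FMT) for d in m.groups())
            subject = None  # later bracketed notes belong to no new subject
    return certs

def signer_expiry(output, cn=SIGNER_CN):
    """Return the expiry of the first certificate whose subject starts with cn."""
    for subject, (_, valid_to) in parse_cert_validity(output).items():
        if subject.startswith(cn + ","):
            return valid_to
    return None

def check_jar(output, now, warn_days=90):
    """Classify jarsigner output as unverified, expired, expiring or ok."""
    expiry = signer_expiry(output)
    if "jar verified." not in output or expiry is None:
        return "unverified"
    if now > expiry:
        return "expired"
    return "expiring" if (expiry - now).days <= warn_days else "ok"
```

To use it on real files, capture the jarsigner output for each signed Jar file and pass the text to check_jar together with the current date.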


Document Information

More support for:
FileNet P8 Platform

Software version:
5.2.1, 5.2, 5.1, 5.0, 4.5.1

Operating system(s):
Windows, AIX, HP-UX, Linux, Solaris

Document number:
526319

Modified date:
17 June 2018

UID

swg21696425