Issue

With the April 2017 update of Oracle Java Runtime Environment (JRE) and Java SE Development Kit (JDK), JAR files signed using MD5 are no longer considered signed. Affected MD5-signed JAR files are not trusted and do not run by default.

This updated behavior may cause issues in a few AEM Forms and LiveCycle components, such as Assembler, Reader Extensions, Signatures, certain OSGI services, among others.

Solution

It is recommended that you do not apply the following Java updates immediately.

  • Java 8 Update 131
  • Java 7 Update 141
  • Java 6 Update 151

Adobe is working to release updated versions of the affected modules. You can update Java after installing the appropriate patch for your application.

Workaround

If you have already applied the April 2017 Java update, some modules or components may not work as expected, because the JRE does not trust MD5-signed JAR files by default.

You can update the security settings to remove MD5-signed files from the untrusted list. You can reinstate this setting after applying the latest patches to your AEM Forms or LiveCycle installations.

  1. Shut down your application server.

  2. Open the java.security file located in the %JAVA_HOME%\jre\lib\security directory.

  3. Update the jdk.jar.disabledAlgorithms settings to remove MD5.

    jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024
  4. Restart your application server.

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Twitter™ and Facebook posts are not covered under the terms of Creative Commons.

Legal Notices   |   Online Privacy Policy