Creating a message that is both signed and encrypted by citidirect smimetool

Jephe Wu -

Objective: use the Citibank smimetool to create a message that is both signed and encrypted, for secure email transfer
Environment: Windows 2003 Server SP2 with J2RE 1.4.2_12 installed, as well as Cygwin


1. download the smimetool and the Automated File and Report Delivery (AFRD) Utility Guide at

2. smimetool configuration
Unzip smimetool to c:\smimetool, install j2re1.4.2_12 to c:\program files\java\, and copy c:\program files\java\j2re1.4.2_12\bin\java.exe to c:\win2k03\system32\ so that you don't have to set up the PATH environment variable for c:\program files\java\j2re1.4.2_12.

If you configure the path through the system environment variables instead, use echo %PATH% to verify the PATH variable.

You can use md5sum to compare the two java.exe copies to make sure they are the same binary.

3. get certificates from a trusted CA (e.g. Verisign)
You need to obtain a certificate in PKCS#12 format (.pfx) before you can use your private key and/or other people's public keys (.cer) for secure email communication.

A .pfx file is in PKCS#12 format and contains the CA public certificates (including the intermediate CA certificates), the user certificate and the private key. According to Wikipedia, PKCS#12 defines a file format commonly used to store private keys with accompanying public key certificates, protected with a password-based symmetric key. PFX is a predecessor of PKCS#12.

This container format can hold multiple embedded objects, such as multiple certificates. It is usually protected/encrypted with a password. It is usable as a format for the Java keystore, and usable by Tomcat but not by Apache.

4. generate encrypt.ini, decrypt.ini and the key file

After getting the public certificate from the trusted CA, you can use Genini.bat to generate the above files from your pfx file. If only one recipient is needed, type in 'genini passwordofpfxcert' to generate the above 3 files, then modify the input, output, log etc. parts of those files, leaving the password and hash parts alone.

Note on the example encrypt.ini (required by genini.bat): if you encounter an error like 'cannot find the profile', check whether you are writing paths with c:\ instead of c:/.

5. FAQ
a. Does smimetool use the cacerts file under c:\program files\java\j2re1.4.2_12\lib\security?
No. You can test this by renaming the file and then running signandencrypt.bat.

b. smimetool's signandencrypt.bat gives an error message like 'not valid pkcs#12 file, no CA certificate for this user'.

Check the pfx file size; it should be around 5k. Also import the pfx into the IE certificate store to check whether the CA and intermediate certificates are missing.

Another good check is to export the pfx file to the standard PEM format (a base64 encoded file) and see whether all of the root CA and intermediate CA public certificates, the user's certificate and the private key are inside.
Use one of the following commands to convert the pfx file to standard PEM format (both produce the same PEM content; -nodes writes the private key unencrypted, so delete the output file once you have finished checking it):
openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes

You can also do this with an online converter (see the references), but the private key will then remain on their server, so it is an insecure way.

Then you can view the file certificate.cer or certificate.pem to make sure it contains the CA public certificates, the CA intermediate certificate, and the user's private key and public certificate.

The sequence in the .pem file is: user RSA private key -> user public certificate (take note of the CN and email parts of this second certificate block) -> CA root certificate -> CA intermediate certificate.

After that, you can save the second block (the user's public certificate) to a separate file, then use the following command to view it:

openssl x509 -noout -text -in publickey

c. How to check that a pfx/p12 and a cer are a pair?

Import the pfx/p12 into the IE 'Personal' certificate store, check the RSA public key part of the user's certificate, and compare its thumbprint value with that of the certificate in the cer file.

When importing the pfx/p12 file into IE, choose the option to make the key exportable later in case you lose the original file; the import also verifies the password. You can import all certificates, including the CA's and the user's, into the 'Personal' section, then view the contents of the CA and user certificates, and you can also export the CA and intermediate certificates afterwards.

d. Why sign first and then encrypt the message?

You can sign the message first and then encrypt the signed message, or encrypt the message first and then sign the encrypted message; the two are different. In the first case, you have to decrypt the message before you can validate the signature, because the signature is encrypted along with the message content; until the message is decrypted you cannot even tell whether it is signed. In the second case, anyone is able to validate the signature without decrypting anything.

Both ways have their pros and cons; however, the first method (sign then encrypt) is strongly preferred.

e. How to export/back up your digital ID in case of loss

It is always recommended to create a proper backup file of your Digital ID. Should you suffer loss or corruption of the Digital ID, a computer crash, or move to a new computer, you can import the backup file to restore the ID in most cases.

Note: Microsoft still uses .pfx as the file suffix while Firefox uses .p12; the two are basically interchangeable.

Microsoft Internet Explorer 5.x and Higher
  1. Click Tools > Internet Options > Content > Certificates
  2. From the list, under Personal tab, select the corresponding certificate to export
  3. Click Export
  4. A wizard appears, click Next
  5. Select Yes, Export the private key > Next
    Note: if the option to export the private key is grayed out, please see SO5831
  6. Select Include all certificates in the certificates path if possible
  7. Click Next
  8. Enter a password
  9. Click Next
  10. Enter a file name and a location to save the exported file (e.g. mydigitalid.pfx)
  11. Click Finish

Mozilla Firefox 2.0 and 3.0
1.  From the menu bar, click on Tools > Options
2.  Click on Advanced> Encryption
3.  Click View Certificates
4.  Highlight your certificate by clicking on it
5.  Click  Backup
6.  Select the location you wish to save the certificate to
7.  Enter your master password for the Software Security Device
8.  Enter a password to protect your certificate and private key
9.  Click OK
10. A message confirms that the backup procedure was successful
11. Click OK

f. How to verify the certificate when Verisign installed the digital ID for you automatically

Microsoft Internet Explorer

  1. From the menu bar, click Tools > Internet Options > Content tab > Certificates

  2. Under the Personal tab, a certificate issued to your name should appear

Mozilla Firefox:
  1. Open a Mozilla Firefox window.
  2. From the menu bar, click Tools > Options > Advanced > View Certificates
  3. Under the Your Certificates tab, a certificate issued to your name should appear

g. How to export the public key part so that you can send it to other people for encryption

IE: After the digital ID has been installed by Verisign or imported from another pfx/p12 file, you can export the certificate: choose 'do not export the private key', then save it in the first format offered (.der).

Firefox: After the digital ID has been installed by Verisign, view the certificate, go to the Details tab, click on your name and then Export, and choose the DER format (many other formats are offered too).

h. Associate a Digital ID With Your E-mail Account

Microsoft Outlook Express:
  1. Select Accounts from the Tools menu, then the Mail tab.
  2. Select your Mail account, click the Properties button, select the Security tab.
  3. Check the box "Use a digital ID when sending secure messages from", then click the Digital ID button.
  4. Select the certificate you want to use to digitally sign your e-mail.
Outlook 98 and 2000:
  1. In the Tools menu select Options, then the Security tab
  2. Click "Add digital signature to outgoing messages", click the "Change Settings" button
  3. On the next screen click the "Choose..." button. Select the Digital ID you want to use for signing e-mail in Outlook.

    6. References:
    a. convert certificates between all kinds of formats:

    b. 60-day trial digital ID at
    Just give your email address and name and you will receive it. Then, in Firefox, you can use the 'Backup' button to export it in PKCS#12 format (.pfx). After importing into IE, export it as .der (public key) without exporting the private key.

    c. digital ID support and FAQ page at


    How to online/offline backup and restore DB2 database

     Jephe Wu  -

    Environment: Linux server and IBM db2 database, backup database on one server, then restore it to another server
    Objective: backup and restore db2 database in both online and offline mode

    Part I - online backup and restore

    1. online backup script by cronjob
    [db2inst1@db1 ~]$ more /db2log/db2inst1/scripts/
    export PATH=/sbin:/usr/sbin:/bin:/usr/bin
    . /db2/db2inst1/sqllib/db2profile
    db2 "BACKUP DATABASE DB1 ONLINE TO \"/db2log/db2inst1/DB1/backups\" WITH 2 BUFFERS BUFFER 1024 PARALLELISM 1 INCLUDE LOGS WITHOUT PROMPTING" > /tmp/db2monthlybackup.log
    sync;sync;sync;sleep 10
    echo "running ls -lart /db2log/db2inst1/DB1/backups/*.001" >> /tmp/db2monthlybackup.log
    ls -lart /db2log/db2inst1/DB1/backups/*.001 >> /tmp/db2monthlybackup.log
    mutt -s "Monthly db2 online backup with logs for DB1 database" < /tmp/db2monthlybackup.log

    2. restore the online full database backup (with logs) onto another server
    assuming we are going to restore from db1 to db1dr 

    a. restore to /db2/db2inst1 directory
    db2 "restore database db1 from /data to /db2/db2inst1 into db1dr with 2 buffers buffer 1024 parallelism 1 without prompting"

    b. restore the log files from the backup image itself into the specified logtarget folder
    nice -n 19 db2 "restore db DB1 logs from /db2/db2inst1/backup into DB1DR logtarget /db2/db2inst1/db/DB1/logs"
    c. restore to the end of the logs under /db2/db2inst1/db/DB1/logs and complete
    db2 "rollforward database db1dr to end of logs and complete overflow log path (\"/data/db2log/DB1/logs\")"

    d. restore to the end of the logs under /db2/db2inst1/db/DB1/logs but don't complete
    db2 "rollforward database db1dr to end of logs overflow log path (\"/data/db2log/DB1/logs\")"

    note: if the number of log files is big, you can use the following command to check how many files are still waiting to be processed:

    watch "ls -lut | grep -v 'May 29'| wc -l"

    where May 29 is today's date.

    e. if you need to restore to a specific point in time
    you need to copy all the necessary log files to /data/db2log/DB1/logs, then run the following command:
    db2 "rollforward database db1dr to 2008-09-25- using local time and complete overflow log path (\"/data/db2log/DB1/logs\")"

    f. query database last transaction log date and pending status
    db2 "rollforward database db1dr query status"

    g. other commands such as 
    db2 rollforward database dbname complete 

    h. backup db2 configuration information
    db2 get dbm cfg
    db2 get db cfg for db1

    Part II - offline backup and restore

    1. backup (stop the db2 server first)
    db2 backup database db1 to .
    note: this takes an offline backup of database db1 into the current folder

    For an online backup, use 'db2 backup database db1 online to .' instead

    2. restore
    db2 "drop database db1"

    db2 "restore database db1 from /home/db2inst1/db1_offline_backup/"
    note: you need to put the backup file to /home/db2inst1/db1_offline_backup first

    Part III - configuration after restoration
    1. login as root to create the schema user, e.g. user1
    useradd user1;passwd user1

    2. assign permission to user1
    db2 connect to db1dr
    db2 "grant createtab,connect,implicit_schema on database to user user1"

    3. test connection for user1
    db2 connect to db1dr user user1

    How to use ILO and vsp to log in to an HP ProLiant Linux server

    Jephe Wu -

    Environment: production HP ProLiant server installed with CentOS. ILO2 is connected and enabled
    Objective: log in directly to the Linux console through vsp/ilo, so that you can change the server IP address without worries, etc.

    1. open the firewalls so that you can ssh to the ILO IP address from the office to the data center where the production server resides

    2. configure vsp port as com1 or com2 on hp proliant server bios screen (bios: system option)

    3. configure the Linux server to accept serial port logins (let's assume vsp uses com2, which is ttyS1)

    add this to /etc/inittab:
    sx:2345:respawn:/sbin/agetty 115200 ttyS1 vt100
    then run init q for it to take effect

    4. add  ttyS0 or ttyS1 into /etc/securetty to enable root direct login through serial port

    5. log in to ILO2 from PuTTY, then type vsp to get the Linux login console
    6. press the ESC key followed by ( to exit from the login console, back to the vsp command line

    a. HP Integrated Lights-Out 2 (iLO 2) - Unable to Use Virtual Serial Port (VSP) -

    Upgrading Openssl without touching the existing running Apache httpd

    Jephe Wu -

    Environment: Linux server, httpd 2.2.15, OpenSSL 1.0.0
    Objective: upgrade OpenSSL from 1.0.0 to 1.0.0a without touching the running Apache configuration

    First, back up the /usr/local/apache2 directory.

    1. compile new version of openssl 1.0.0a first
    mv /usr/local/ssl /usr/local/ssl.1.0.0
    cd ~jephe
    cd openssl1.0.0a
    ./config;make;make test;make install

    2. reconfigure apache with the new version of ssl

    cd ~jephe
    cd httpd-2.2.15

    [root@web1 httpd-2.2.15]# more config.nice
    #! /bin/sh
    # Created by configure

    "./configure" \
    "--prefix=/usr/local/apache2" \
    "--enable-mods-shared=most ssl rewrite deflate headers expires mime-magic unique-id" \
    "--with-ssl=/usr/local/ssl" \

    Now run the following command to generate the new ssl module:

    /home/jephe/httpd-2.2.15/srclib/apr/libtool --silent --mode=install cp /tmp
    then copy /tmp/ to replace the working one /usr/local/apache2/modules/ssl/ first)

    or directly install to /usr/local/apache2/modules/

    cd ~jephe/httpd-2.2.15/modules/ssl
    ../../build/ /home/jephe/httpd-2.2.15/srclib/apr/libtool /usr/local/apache2/modules/
    (backup first)

    3. restart apache and confirm the version

    /usr/local/apache2/bin/apachectl graceful
    less /usr/local/apache2/logs/error_log

    4. References

    How to install a db2 database server and apply patches

    Jephe Wu -

    Objective: install IBM db2 version 8 on CentOS 4.4 server and apply patches
    Environment: CentOS 4, IBM db2

     Total 5 parts

    Part I - GUI Installation method


    1. get the db2 installation file and the patch file
    2. extract these 2 tar files under the /root/db2install directory
    3. ssh -X serverip (from a Linux machine with X windows)
    4. run the command under /root/db2install
    5. in the 'prepare the db2 tools catalog' part, choose 'use a local database'
    in 'set up the administration contact list', you might want to disable notification
    in 'specify a contact for health monitor notification', choose 'defer this task until after installation is complete'
    6. apply patches
    run command './installfixpak -y' to apply patches
    7. set parameters
    $ db2set  (to display current settings)
    $ db2set DB2AUTOSTART=YES
    $ db2set DB2COMM=TCPIP
    $ db2 update database manager configuration using svcename 50000
    $ db2 update database manager configuration using diaglevel 4

    8. Install license
    login as root
    cd /opt/IBM/db2/V8.1/adm
    ./db2licm -a 331_WSUE_LNX26_32_NLV/db2/license/db2wsue.lic

    9. start up db2 database
    su - db2inst1 ; db2start

    Part II - CLI Installation method

    1. Install original DB2 package

    # cd /usr/local/src
    # cd db2srcfiles/
    # cd 331_WSUE_LNX26_32_NLV/
    # ./db2_install

    if you encounter an error regarding "" not found, download compat-libstdc++-8- and install it.

    # db2level

    2. Add groups and users and set passwords

    #groupadd -g 101 dasadm1
    #groupadd -g 102 db2grp1
    #groupadd -g 103 db2fgrp1
    # useradd -c "DB2 Admin" -d /db2/dasusr1 -g dasadm1 -m dasusr1
    # useradd -c "DB2 Instance User" -d /db2/db2inst1 -g db2grp1 -m db2inst1
    # useradd -c "DB2 Fenced User" -d /db2/db2fenc1 -g db2fgrp1 -m db2fenc1
    # passwd db2inst1
    # passwd db2fenc1
    # passwd dasusr1

    3. Post-install configuration
    # cd /opt/IBM/db2/V8.1/instance/
    # ./dascrt -u dasusr1 (create db2 administrator server)
    # cd ../adm
    # ./db2licm -a /usr/local/src/db2srcfiles/331_WSUE_LNX26_32_NLV/db2/license/db2wsue.lic
    # cd ..
    # cd instance/
    # ./db2icrt -a SERVER_ENCRYPT -u db2fenc1 db2inst1 (create instance)
    # su - db2inst1
    # mkdir -p /db2log/db2inst1/logs
    # chown db2inst1:db2grp1 -R /db2log/db2inst1/
    # cd /db2log
    # su - db2inst1
    $ db2set
    $ db2set DB2AUTOSTART=YES
    $ db2set DB2COMM=TCPIP
    $ db2 update database manager configuration using svcename 50000
    $ db2 update database manager configuration using diaglevel 4
    $ db2 terminate
    $ db2start

    4. create database
    xhost +
    export DISPLAY=:0
    su - db2inst1
    cd /db2/db2inst1/
    mkdir -p db/db1
    db2cc &

    5. post-configuration of creating database

         * add the following to /db2/db2inst1/.bashrc
    db2set DB2_SCATTERED_IO=ON
    db2set DB2COMM=tcpip
    db2set DB2_LGPAGE_BP=YES
    (dangerous: it can cause 'shared memory cannot be allocated'; refer to for how to enable it properly, as it requires some additional steps, not just setting the variable)

        * configure database logging (right click the database name, choose 'Configure database logging')
    change circular logging to archive logging, and choose 'manual archive log file handling'
    change the log path to /db2log/db2inst1/db1/logs

        * check logretain
    right click the database, choose configure parameters, and make sure LOGRETAIN is set to recovery (it should be by default)

        * configure a db2inst1 cronjob to archive the log every hour, as follows:

    0 * * * * /db2log/db2inst1/scripts/

    with the script containing:

    . /db2/db2inst1/sqllib/db2profile
    for DB in db1; do
        db2 archive log for db $DB
    done

        * right click the database in the control center, configure parameters

    change LOGSECOND to -1 and USEREXIT to yes to make the transaction log infinite

    Part III -   Uninstalling DB2 database

    Note: steps 1 and 2 might delete the whole /db2/db2inst1 directory, which might not be your intention. So be careful when doing them.

       1. Remove the DAS by issuing the /opt/IBM/db2/V8.1/instance/dasdrop command as root.
       2. Remove the instance by issuing the /opt/IBM/db2/V8.1/instance/db2idrop db2inst1 command.
       3. Run the db2_deinstall command as root.
       4. Remove the users that were created.
          userdel -r db2inst1
          userdel -r dasusr1
          userdel -r db2fenc1
          groupdel dasadm1
          groupdel db2grp1
          groupdel db2fgrp1
          rm -fr /var/db2
          rm -f /tmp/db2* (and other files related to DB2)
          vi /etc/inittab (remove the last line)

       5. (If you created different user names during installation, substitute as necessary.)
       6. Optionally, you can remove IBM's version of the Java 2 package that db2 installed.

    rpm -e IBMJava2-SDK

    Part IV - Installing db2 fix pack for live database

    su - root
    su - instancename

    . $HOME/sqllib/db2profile
    db2 force applications all
    db2 terminate
    db2licd -end (run at each physical node)
    su - dasusr1
    db2admin stop
    login as root
    cd /opt/IBM/db2/V8.1/bin
    ./db2fmcu -d
    su - dasusr1
    /db2/dasusr1/das/bin/db2fm -i dasusr1 -D
    su - db2inst1

    ./installFixPack -y

    login as root still
    /opt/IBM/db2/V8.1/instance/db2iupdt db2inst1
    /opt/IBM/db2/V8.1/instance/dasupdt dasusr1

    su - db2inst1

    Part V - Appendix

    a. some commands

    # list db directory
    # list node directory
    # catalog tcpip node db2 remote 59000
    # catalog database db1 as db1alias at node db2

    How to drop and create tablespace and users in Oracle

    Jephe Wu -

    Objective: fully drop the existing tablespace and user in Oracle 11g and create new ones
    Environment: Oracle 11g 64bit, RHEL 5


    #!/bin/sh
    # drop the tablespace and user named after the given schema, then recreate both
    if [ $# -ne 1 ]; then echo "usage: $0 schema_name"; exit 1; fi

    SCHEMA=`echo $1 | tr '[a-z]' '[A-Z]'`

    # create drop tablespace sql script
    cat > /tmp/droptablespace.sql << END
    drop tablespace $1 including contents and datafiles;
    exit;
    END

    # create script to kill all existing connections of the schema user
    cat > /tmp/killusersession.sql << END
    set head off feedback off pagesize 0 echo off term off linesize 32767 trimsp on tab off define off;
    spool /tmp/killusersessionfinal.sql;
    select 'alter system kill session '''||sid||','||serial#||''' immediate;' from v\$session where username='$SCHEMA';
    select 'exit;' from dual;
    spool off;
    exit;
    END

    # create drop user sql script
    cat > /tmp/dropuser.sql << END
    drop user $1 cascade;
    exit;
    END

    sqlplus / as sysdba @/tmp/droptablespace.sql
    sqlplus / as sysdba @/tmp/killusersession.sql
    sqlplus / as sysdba @/tmp/killusersessionfinal.sql
    sqlplus / as sysdba @/tmp/dropuser.sql

    # create tablespace and user creation sql script
    cat > /tmp/createtablespaceanduser.sql << END
    create tablespace $1 datafile '/u01/app/oracle/oradata/orcl/${1}.dbf' size 100m autoextend on next 10m;
    create user $1 identified by password default tablespace $1 temporary tablespace temp;
    exit;
    END

    sqlplus / as sysdba @/tmp/createtablespaceanduser.sql

    How to duplicate all codes from one Oracle schema to another

    Jephe Wu  -
    Objective: replicate all procedures, packages, functions, triggers from schema jephe to schema jephe2.
    Environment: Oracle 11g 64bit, RHEL 5, SQL developer,

    Method 1 - SQL Developer 1.5.5
    1. export existing objects
    go to the Tools menu, Database Export, choose the export file name export.sql and the connection

    in the DDL Options part, choose Terminator and Pretty Print, and tick 'Include Drop Statement'
    on the next screen, untick 'Toggle All', then select Package Spec, Package Body, Procedures, Functions, Triggers, Types and Sequences.

    in the 'GO' dialog box, type in '%%' and click GO to show all relevant objects.

    2. copy the above exported file to the database server
    also convert the file format from DOS to Unix

    dos2unix filename

    3. import the objects into the other schema
    If you are not sure both schemas have exactly the same code, you might vi the file, extract all the DROP commands first into drop.sql, then run this drop.sql against the destination schema

    sqlplus jephe2

    sqlplus jephe2
    set define off sqlblanklines on 

    4. compile schema
    sqlplus / as sysdba
    SQL> exec dbms_utility.compile_schema('JEPHE2');
    SQL> exit;

    Method 2 - impdp/expdp
    to be continued.

    How to proceed SSL certificate renewal yearly

    Jephe Wu -

    Updated on 26th May 2011

    Objective: How to check and send CSR file to CA for SSL certificate renewal and install the updated SSL certificate on web server.
    Environment: Apache SSL website, Linux server


    1. Prepare CSR file for SSL certificate renewal

    If there's no existing CSR file, you can generate like this:

    openssl req -new -key server.key -out server.csr

    then view content of CSR file like this:

    openssl req -noout -text -in server.csr

    2. make sure the existing/generated CSR file matches the private key file as well as the cert file, and that the CN is the correct domain name

    openssl req -noout -modulus -in server.csr | openssl md5
    openssl rsa -noout -modulus -in server.key | openssl md5

    openssl x509 -noout -modulus -in server.crt | openssl md5

    In addition, you can use 'stat server.key' or 'stat server.crt' to check the file access time against the Apache startup time (ps -efH) on Linux, so that you can be sure which server.key or server.crt file is the one in use.

    3. submit CSR file to CA for renewal

    4. verify the CRT file from CA
     openssl x509 -noout -modulus -in server.crt | openssl md5

    online check:

    5. Install it on the Linux Apache server and restart Apache
    use ps -efH to find the parent PID of Apache, then 'kill -USR1 parent_pid' to make it re-read the configuration so that Apache uses the new certificate file.

    Note: what if you also received a chain certificate? For example, a certificate issued by GeoTrust SSL CA, whose parent CA is GeoTrust Global CA. Some IE browsers don't have the GeoTrust SSL CA built in; Firefox 4.0 should have it.

    What you need to do is put the following into the Apache ssl configuration file:

    SSLCertificateChainFile /etc/httpd/conf/ssl.crt/intermediate_ca.crt
    then run 'kill -USR1 parentid' to re-read the configuration file.
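An added example in POSIX shell, not code from any of the posts on this page: it carries out step 2's modulus check, the PKCS#12 content check from the smimetool post's FAQ b, and the chain verification behind the SSLCertificateChainFile note, against a throwaway test PKI it builds itself. The subject names, file names and the password 'secret' are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from any of the posts above. Builds a throwaway PKI
# (root CA -> intermediate CA -> server cert, all constructed) and runs three
# openssl checks from the text: key/CSR/cert modulus match (step 2), what a
# PKCS#12 export holds (smimetool FAQ b), and why the intermediate must be
# served through SSLCertificateChainFile (the chain note above).
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_test_pki() {
    ( cd "$WORK"
      printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
      printf 'basicConstraints=CA:FALSE\n' > leaf.ext
      openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
          -days 2 -subj "/CN=Test Root CA" 2>/dev/null
      openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
          -subj "/CN=Test Intermediate CA" 2>/dev/null
      openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
          -extfile ca.ext -days 2 -out inter.crt 2>/dev/null
      # the same two commands the renewal procedure uses for the server
      openssl genrsa -out server.key 2048 2>/dev/null
      openssl req -new -key server.key -out server.csr -subj "/CN=www.example.test"
      openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
          -extfile leaf.ext -days 2 -out server.crt 2>/dev/null
      openssl genrsa -out other.key 2048 2>/dev/null   # unrelated key for the mismatch case
      cat inter.crt root.crt > chain.crt
      # PKCS#12 bundle as a CA would ship it: private key, user cert and CA chain
      openssl pkcs12 -export -inkey server.key -in server.crt -certfile chain.crt \
          -passout pass:secret -out server.pfx )
}

# Modulus digest of a key, CSR or certificate: the 'openssl ... -modulus | openssl md5'
# check from step 2.  Usage: mod_digest key|req|x509 FILE
mod_digest() {
    case "$1" in
        key)  openssl rsa  -noout -modulus -in "$2" ;;
        req)  openssl req  -noout -modulus -in "$2" ;;
        x509) openssl x509 -noout -modulus -in "$2" ;;
    esac | openssl md5 | awk '{print $NF}'
}

# True when key, CSR and certificate all carry the same RSA modulus.
same_pair() {
    k=$(mod_digest key "$1"); r=$(mod_digest req "$2"); c=$(mod_digest x509 "$3")
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Convert a PKCS#12 file to PEM with -nodes as the post does, report
# "<private keys> <certificates>", then delete the unencrypted dump again.
pfx_summary() {
    pem="$WORK/dump.pem"
    openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -out "$pem" 2>/dev/null
    keys=$(grep -c 'BEGIN.*PRIVATE KEY' "$pem" || true)
    certs=$(grep -c 'BEGIN CERTIFICATE' "$pem" || true)
    rm -f "$pem"
    echo "$keys $certs"
}

# Verify a server cert against the root; $3 is the intermediate file, or empty
# to model a server that omits SSLCertificateChainFile.
chain_ok() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

make_test_pki
same_pair "$WORK/server.key" "$WORK/server.csr" "$WORK/server.crt" && echo "server key/csr/crt: moduli match"
same_pair "$WORK/other.key" "$WORK/server.csr" "$WORK/server.crt" || echo "other.key vs server csr/crt: mismatch"
echo "server.pfx holds (keys certs): $(pfx_summary "$WORK/server.pfx" secret)"
chain_ok "$WORK/root.crt" "$WORK/server.crt" "$WORK/inter.crt" && echo "with intermediate: verify OK"
chain_ok "$WORK/root.crt" "$WORK/server.crt" "" || echo "without intermediate: verify fails (no local issuer)"
```

The last two lines are the point of the chain note: the server certificate only verifies against the root when the intermediate is supplied, which is exactly what a browser without the intermediate built in experiences when the server omits SSLCertificateChainFile.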

    6. verification after installing new cert
    a. command line
    on the server, use 'openssl s_client -showcerts -connect' to check whether the output shows the new cert

    b. browser check

    use IE or Firefox to access the website and check that the new certificate is in place (new expiry date)

    c. online tools check