Copy certificate chains from CHROME/HTTPS

On Windows, Chrome exports the certificate chain as a DER-encoded PKCS#7 file (p7b.der).
You can convert it to PEM format while keeping the p7b content:
openssl pkcs7 -inform der -in api.imagine.df.uatper.sbpe.p7b.der -out openssl.api.imagine.df.uatper.sbpe.p7b.pem

Or you can convert it into a PEM file containing the chain certificates (recommended):
openssl pkcs7 -in api.imagine.df.uatper.sbpe.p7b.der -inform DER -print_certs -outform PEM -out openssl.api.imagine.df.uatper.sbpe.certs_chain.raw.pem

Then edit the file above and delete everything outside the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers.
Rename the final file to openssl.api.imagine.df.uatper.sbpe.certs_chain.pem

Then split openssl.api.imagine.df.uatper.sbpe.certs_chain.pem into separate files, each holding a single certificate, from bottom to top.
Then convert each one into a DER file:
# -text is left out here: it would write the human-readable dump into the DER output file
openssl x509 -inform PEM -outform DER -in openssl.api.imagine.df.uatper.sbpe.certs_chain_2.pem -out openssl.api.imagine.df.uatper.sbpe.certs_chain_2.der   # root
openssl x509 -inform PEM -outform DER -in openssl.api.imagine.df.uatper.sbpe.certs_chain_1.pem -out openssl.api.imagine.df.uatper.sbpe.certs_chain_1.der   # intermediate
openssl x509 -inform PEM -outform DER -in openssl.api.imagine.df.uatper.sbpe.certs_chain_0.pem -out openssl.api.imagine.df.uatper.sbpe.certs_chain_0.der   # entity

keytool -import -alias api.imagine.df.uatper.sbpe.certs_chain_2 -keystore api.imagine.df.uatper.sbpe.certs_chain.jks -file openssl.api.imagine.df.uatper.sbpe.certs_chain_2.der
keytool -import -alias api.imagine.df.uatper.sbpe.certs_chain_1 -keystore api.imagine.df.uatper.sbpe.certs_chain.jks -file openssl.api.imagine.df.uatper.sbpe.certs_chain_1.der
keytool -import -alias api.imagine.df.uatper.sbpe.certs_chain_0 -keystore api.imagine.df.uatper.sbpe.certs_chain.jks -file openssl.api.imagine.df.uatper.sbpe.certs_chain_0.der
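
The manual steps above (deleting everything outside the certificate markers, then writing one file per certificate) can be scripted. This is an added example, not part of the original notes: `split_pem_chain` and `write_sample_bundle` are hypothetical names, the sample bundle is constructed with placeholder bodies, and it assumes the bundle lists the entity certificate first, so index 0 is the entity and the highest index is the root.

```shell
#!/bin/sh
# Added example, not part of the original notes.
# split_pem_chain BUNDLE PREFIX
#   Reads the output of "openssl pkcs7 -print_certs" and writes PREFIX_0.pem,
#   PREFIX_1.pem, ... in bundle order. Only the lines from the BEGIN marker to
#   the END marker are kept; subject=/issuer= lines and blanks are dropped.
#   Prints the number of certificates written. Returns non-zero when the
#   bundle is unreadable, holds no certificate, or has an unterminated block.
split_pem_chain() {
    bundle=$1
    prefix=$2
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 2; }
    awk -v prefix="$prefix" '
        BEGIN { n = 0; inside = 0; bad = 0 }
        { sub(/[ \t\r]+$/, "") }            # tolerate CRLF and trailing blanks
        /^-----BEGIN CERTIFICATE-----$/ {
            if (inside) { bad = 1; exit }   # previous block never ended
            inside = 1
            out = prefix "_" n ".pem"
        }
        inside { print > out }
        /^-----END CERTIFICATE-----$/ {
            if (inside) { close(out); inside = 0; n++ }
        }
        END {
            if (bad || inside || n == 0) exit 1
            print n
        }
    ' "$bundle"
}

# Constructed sample: same layout as -print_certs output, placeholder bodies
# (not real certificates), entity certificate first.
write_sample_bundle() {
    cat > "$1" <<'EOF'
subject=CN = api.example.test
issuer=CN = Constructed Intermediate CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtTEVBRg==
-----END CERTIFICATE-----

subject=CN = Constructed Intermediate CA
issuer=CN = Constructed Root CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtSU5URVJNRURJQVRF
-----END CERTIFICATE-----

subject=CN = Constructed Root CA
issuer=CN = Constructed Root CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtUk9PVA==
-----END CERTIFICATE-----
EOF
}

# Demo run in a throwaway directory.
demo_dir=$(mktemp -d)
write_sample_bundle "$demo_dir/certs_chain.raw.pem"
count=$(split_pem_chain "$demo_dir/certs_chain.raw.pem" "$demo_dir/certs_chain")
echo "certificates written: $count"
ls "$demo_dir"
rm -rf "$demo_dir"
```

Before importing, confirm which file is which with `openssl x509 -noout -subject -issuer -in <file>`, since the numbering only reflects the order in the bundle.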

Recording aac native from your sound card v.2.0

Ok, I’ve got this, I think it’s better in quality.

ffmpeg.exe -y -rtbufsize 100M -f dshow -i audio="Mezcla estereo (Realtek High De" -c:a aac -strict -2 -ar 44100 -ac 2 -b:a 192k "output.aac"

output.aac is written in an ADTS container.

If you name the output output.m4a instead, ffmpeg saves it in a different container.

Sample of tomcat’s context.xml for SSL connector

<?xml version="1.0" encoding="UTF-8"?>
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  See the License for the specific language governing permissions and
  limitations under the License.
<!-- Note:  A "Server" is not itself a "Container", so you may not
     define subcomponents such as "Valves" at this level.
     Documentation at /docs/config/server.html
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <!-- Security listener. Documentation at /docs/config/listeners.html
  <Listener className="" />
  <!--APR library loader. Documentation at /docs/apr.html -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

  <!-- Global JNDI resources
       Documentation at /docs/jndi-resources-howto.html
    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users
    <Resource name="UserDatabase" auth="Container"
              description="User database that can be updated and saved"
              pathname="conf/tomcat-users.xml" />

  <!-- A "Service" is a collection of one or more "Connectors" that share
       a single "Container" Note:  A "Service" is not itself a "Container",
       so you may not define subcomponents such as "Valves" at this level.
       Documentation at /docs/config/service.html
  <Service name="Catalina">

    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
        maxThreads="150" minSpareThreads="4"/>

    <!-- A "Connector" represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html
         Java AJP  Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
    <Connector port="8080" protocol="HTTP/1.1"
               redirectPort="8443" />
    <!-- A "Connector" using the shared thread pool-->
    <Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1"
               redirectPort="8443" />
    <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
         This connector uses the NIO implementation. The default
         SSLImplementation will depend on the presence of the APR/native
         library and the useOpenSSL attribute of the
         Either JSSE or OpenSSL style configuration may be used regardless of
         the SSLImplementation selected. JSSE style configuration is used below.
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
            <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                         type="RSA" />

        <SSLHostConfig truststoreFile=""
            <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                        type="RSA" />
           keystoreFile="${user.home}/.keystore" keystorePass="changeit"
    <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
         This connector uses the APR/native implementation which always uses
         OpenSSL for TLS.
         Either JSSE or OpenSSL style configuration may be used. OpenSSL style
         configuration is used below.
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
            <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                         type="RSA" />

        <SSLHostConfig truststoreFile="C:/Users/s6026865/projects/temp/imagine-api-1.0.0-sources-0.3/server-truststore.jks"
            <Certificate certificateKeystoreFile="C:/Users/s6026865/projects/temp/imagine-api-1.0.0-sources-0.3/server-keystore.jks"
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

    <!-- An Engine represents the entry point (within Catalina) that processes
         every request.  The Engine implementation for Tomcat stand alone
         analyzes the HTTP headers included with the request, and passes them
         on to the appropriate Host (virtual host).
         Documentation at /docs/config/engine.html -->

    <!-- You should set jvmRoute to support load-balancing via AJP ie :
    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
    <Engine name="Catalina" defaultHost="localhost">

      <!--For clustering, please take a look at documentation at:
          /docs/cluster-howto.html  (simple how to)
          /docs/config/cluster.html (reference documentation) -->
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>

      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
           via a brute-force attack -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">

        <!-- SingleSignOn valve, share authentication between web applications
             Documentation at: /docs/config/valve.html -->
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />

        <!-- Access log processes all example.
             Documentation at: /docs/config/valve.html
             Note: The pattern used is equivalent to using pattern="common" -->
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />


Create certificate chain

#create certificate chain init
#@see | bc=ca:true
keytool -genkey -keyalg RSA -keysize 2048 -alias rsa-2048-root-key-pair -keystore root-cert.jks -dname "CN=Root Certificate,O=MPLB ORG,C=PE" -validity 10000 -ext bc:c
keytool -exportcert -alias rsa-2048-root-key-pair -keystore root-cert.jks -file rsa-2048-root-crt.cer

#generate a key pair for the child CA, whose certificate will be signed by the Root CA above.
keytool -genkey -keyalg RSA -keysize 2048 -alias rsa-2048-ca-key-pair -keystore ca-cert.jks -dname "CN=CA Certificate,O=MPLB ORG,C=PE" -validity 10000 -ext bc:c
keytool -importcert -keystore ca-cert.jks -file rsa-2048-root-crt.cer -alias rsa-2048-root-crt -trustcacerts -noprompt

#a certificate request for the "CN=CA Certificate" certificate needs to be created.
keytool -certreq -keystore ca-cert.jks -alias rsa-2048-ca-key-pair -file ca-cert-request.csr

#creating the certificate with the certificate request generated above.
keytool -gencert -keystore root-cert.jks -alias rsa-2048-root-key-pair -infile ca-cert-request.csr -outfile ca-signed-certificate.cer -ext bc=0 -ext "san=dns:rsa-2048-ca-key-pair"

#This certificate can be imported to some other keystore or truststore so that it can be used to verify server identity in the future.
#keytool -importcert -keystore ca-cert.jks -file ca-signed-certificate.cer

#Or it can be installed into the original keystore to become the leaf certificate of the certificate chain for alias leaf.
keytool -importcert -keystore ca-cert.jks -file ca-signed-certificate.cer -alias rsa-2048-ca-key-pair
keytool -exportcert -keystore ca-cert.jks -file rsa-2048-ca-crt.cer -alias rsa-2048-ca-key-pair

#generate private keys for server
keytool -genkey -keyalg RSA -keysize 2048 -alias rsa-2048-server-key-pair -keystore server-keystore.jks -dname "CN=Server Certificate,O=MPLB ORG,C=PE" -validity 10000
keytool -certreq -keystore server-keystore.jks -alias rsa-2048-server-key-pair -file server-cert-request.csr
keytool -gencert -keystore ca-cert.jks -alias rsa-2048-ca-key-pair -infile server-cert-request.csr -outfile server-signed-certificate.cer -ext ku:c=dig,keyEncipherment -ext "san=dns:TCDIGITAL35ZZZ,ip:" -ext eku=serverAuth,clientAuth
keytool -importcert -keystore server-keystore.jks -file rsa-2048-root-crt.cer -alias rsa-2048-root-crt
keytool -importcert -keystore server-keystore.jks -file rsa-2048-ca-crt.cer -alias rsa-2048-ca-crt
keytool -importcert -keystore server-keystore.jks -file server-signed-certificate.cer -alias rsa-2048-server-key-pair
keytool -exportcert -keystore server-keystore.jks -file server-exported-certificate.cer -alias rsa-2048-server-key-pair

# import server cert chain into server-truststore.jks
keytool -importcert -keystore server-truststore.jks -trustcacerts -noprompt -alias rsa-2048-root-crt -file rsa-2048-root-crt.cer
keytool -importcert -keystore server-truststore.jks -alias rsa-2048-ca-crt -file rsa-2048-ca-crt.cer
keytool -importcert -keystore server-truststore.jks -alias rsa-2048-server-crt -file server-exported-certificate.cer

#generate private keys for client
#for java ssl native, you have to specify the same password for keystorePassword and keyPassword. For the system property ''
keytool -genkey -keyalg RSA -keysize 2048 -alias rsa-2048-client-key-pair -keystore client-keystore.jks -dname "CN=Client Certificate,O=MPLB ORG,C=PE" -validity 10000
keytool -certreq -keystore client-keystore.jks -alias rsa-2048-client-key-pair -file client-cert-request.csr
keytool -gencert -keystore ca-cert.jks -alias rsa-2048-ca-key-pair -infile client-cert-request.csr -outfile client-signed-certificate.cer -ext ku:c=dig,keyEncipherment -ext "san=uri:http://client.instance" -ext eku=serverAuth,clientAuth
keytool -importcert -keystore client-keystore.jks -file rsa-2048-root-crt.cer -alias rsa-2048-root-crt
keytool -importcert -keystore client-keystore.jks -file rsa-2048-ca-crt.cer -alias rsa-2048-ca-crt
keytool -importcert -keystore client-keystore.jks -file client-signed-certificate.cer -alias rsa-2048-client-key-pair
keytool -exportcert -keystore client-keystore.jks -file client-exported-certificate.cer -alias rsa-2048-client-key-pair

# import client cert chain into client-truststore.jks
keytool -importcert -keystore client-truststore.jks -trustcacerts -noprompt -alias rsa-2048-root-crt -file rsa-2048-root-crt.cer
keytool -importcert -keystore client-truststore.jks -alias rsa-2048-ca-crt -file rsa-2048-ca-crt.cer
keytool -importcert -keystore client-truststore.jks -alias rsa-2048-client-crt -file client-exported-certificate.cer

#interchange certificates
keytool -importcert -keystore server-truststore.jks -alias rsa-2048-client-crt -file client-exported-certificate.cer -noprompt
keytool -importcert -keystore client-truststore.jks -alias rsa-2048-server-crt -file server-exported-certificate.cer -noprompt

#create certificate chain end

Notes on openssl and keytool

Generate a plain PEM file including the private and public key
openssl genrsa -out rsa-2048bit-key-pair.pem 2048

Generate a JKS file including the private key, public key and self-signed certificate
keytool -genkey -keyalg RSA -keysize 2048 -alias rsa-2048 -keystore keystore.jks

Generate an encrypted PEM file with a passphrase from scratch - it's equivalent to creating the "root key"
openssl genrsa -aes128 -passout pass:myP4ss -out rsa-2048bit-key-pair-encrypted.pem 2048

Generate an encrypted pem file with passphrase from plain pem file
openssl rsa -in rsa-2048bit-key-pair.pem -aes128 -passout pass:myP4ss -out rsa-2048bit-key-pair-encrypted.pem

Remove the passphrase and the encryption:
openssl rsa -in rsa-2048bit-key-pair-encrypted.pem -out rsa-2048bit-key-pair-nonencrypted.pem

Extract the public key:
openssl rsa -in rsa-2048bit-key-pair.pem -pubout -out rsa-2048bit-public-key.pem

What's inside the public key file
openssl rsa -noout -text -inform PEM -in rsa-2048bit-public-key.pem -pubin

What's inside the private key file
openssl rsa -noout -text -in rsa-2048bit-key-pair.pem

Creating an empty JKS keystore
keytool -genkey -keyalg RSA -keysize 2048 -alias alias-example -keystore keystore.jks
keytool -delete -alias alias-example -keystore keystore.jks

Creating an empty keystore jceks
keytool -genseckey -keyalg AES -keysize 256 -alias alias-example -storetype jceks -keystore keystore.jck
keytool -delete -alias alias-example -storetype jceks -keystore keystore.jck

Convert pem file into DER format
openssl pkcs8 -topk8 -nocrypt -in rsa-2048bit-key-pair.pem -inform PEM -out rsa-2048bit-key-pair.der -outform DER

Convert PEM formatted public key to DER
openssl rsa -pubin -inform PEM -in rsa-2048bit-public-key.pem -outform DER -out rsa-2048bit-public-key.der

Generate a Self-Signed Certificate from an Existing Private Key
openssl req -key rsa-2048bit-key-pair.pem -new -x509 -days 365 -out self-signed-certificate.crt

Generate the CSR
openssl req -new -sha256 -key rsa-2048bit-key-pair.pem -out certificate-signing-request.csr

Generate the PKCS 12 file using your private key and its self-signed CA certificate
openssl pkcs12 -export -in self-signed-certificate.crt -inkey rsa-2048bit-key-pair.pem -certfile self-signed-certificate.crt -out rsa-2048bit-key-pair.p12

Import pkcs12 into JKS
keytool -importkeystore -srckeystore rsa-2048bit-key-pair.p12 -srcstoretype pkcs12 -srcalias 1 -destalias rsa-2048 -destkeypass k3y -destkeystore keystore.jks -deststoretype JKS

List Keys in JKS
keytool -list -v -keystore keystore.jks

Rename Alias
keytool -changealias -alias domain -destalias newdomain -keystore keystore.jks

List pkcs12
keytool -v -list -storetype pkcs12 -keystore rsa-2048bit-key-pair.p12

List jceks
keytool -v -list -storetype jceks -keystore keystore.jck

Export public key from keystore to pem
keytool -exportcert -rfc -alias rsa-2048 -keystore keystore.jks -file rsa-2048-crt.pem
openssl x509 -in rsa-2048-crt.pem -pubkey -noout > rsa-2048-public-key.pem

Symmetric encryption with AES 256
openssl enc -aes-256-cbc -k secret -P -md sha256

Generation of key, iv for symmetric encryption with AES 128
openssl enc -aes-128-cbc -k secret -P -md sha1

Shortcut for Docker on Windows

Create a shortcut in Windows like this:
Target: C:\Windows\System32\cmd.exe /k "D:\mplescano\programs\DockerToolbox\mplescano.cmd"

The content of mplescano.cmd is:
set proxy=http://pxsis.sunat.peru:8080
set HTTP_PROXY=%proxy%
set HTTPS_PROXY=%proxy%
set PATH=%PATH%;D:\mplescano\programs\DockerToolbox
docker-machine.exe start mplescano
for /f %%j in ('docker-machine.exe ip mplescano') do set DOCKER_HOST=%%j
@FOR /f "tokens=*" %%i IN ('docker-machine.exe env mplescano') DO @%%i
"C:\Program Files (x86)\Git\bin\bash.exe" --login -i



Spring AOP Transactional

<!-- For @annotation to work, a newer AspectJ version (1.7.2) had to be added to the lib folder of the ws-ear and the package overridden in weblogic-application.xml -->
<!-- tx:annotation-driven was commented out in favor of a pointcut, to have finer control over which packages use maestros.transactionManager and to avoid colliding with other transactionManager beans -->
<!-- <aop:config>
 <aop:pointcut id="maestro.transactional" expression="execution(* pe.gob.sunat.iqbf2.registro.maestros.service.impl.*.*(..)) &amp;&amp; @annotation(org.springframework.transaction.annotation.Transactional)"/> 
<aop:advisor pointcut-ref="maestro.transactional" advice-ref="maestro.txadvice"/> 
 <bean name="maestro.txadvice" class="org.springframework.transaction.interceptor.TransactionInterceptor"> 
<property name="transactionManagerBeanName" value="transactionManager" /> 
<property name="transactionAttributeSource">
        <bean class="org.springframework.transaction.annotation.AnnotationTransactionAttributeSource"/>
        </property> </bean> -->
 <!-- ======================== -->
        <!-- Creates a JTA transaction manager with id transactionManager -->
    <!-- This ensures the transaction is independent of the datasource and can span multiple datasources -->
    <!-- The datasources must be obtained from JNDI -->
    <!-- <tx:jta-transaction-manager/> -->


<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"/>

<bean name="org.springframework.transaction.annotation.AnnotationTransactionAttributeSource#0"
<constructor-arg index="0">
<bean class="com.example.MyTransactionAnnotationParser" />
</bean> <bean name="org.springframework.transaction.interceptor.TransactionInterceptor#0"
<property name="transactionManagerBeanName" value="transactionManager" />
<property name="transactionAttributeSource" ref="org.springframework.transaction.annotation.AnnotationTransactionAttributeSource#0" />

<bean id="org.springframework.transaction.config.internalTransactionAdvisor"
<property name="transactionAttributeSource" ref="org.springframework.transaction.annotation.AnnotationTransactionAttributeSource#0" />
<property name="adviceBeanName" value="org.springframework.transaction.interceptor.TransactionInterceptor#0"/>
</bean>

Apache James 3.0-RC1 Installation and Configuration in Jdk 1.6

Download from

Unzip to /oracle/james-server-app-3.0.0-RC1/

Then copy the template files in the conf/ folder to their final configuration file names:
cp indexer-template.xml indexer.xml
cp quota-template.xml quota.xml
cp events-template.xml events.xml
cp managesieveserver-template.xml managesieveserver.xml

Look into the configuration of this repo. it could help:

  • This command can help you find details of a compiled class:
    javap -verbose -classpath /oracle/james-server-app-3.0.0-RC1/lib/joda-time-2.9.4.jar org.joda.time.base.BaseDateTime

  • This command can help you find a class file in a folder of jar files:
    grep BaseDateTime.class ../lib/*.jar (only works in a directory containing jar files)
    find ../lib/ -type f -name '*.jar' -print0 | xargs -0 -I '{}' sh -c 'jar tf "$1" | grep Hello.class && echo "$1"' _ '{}'

  • This command can help you find the XML file that contains a given word:
    grep -R --include="*.xml" "admin" /oracle/james-server-app-3.0.0-RC1
    or this:
    grep -r -R --include="*.xml" -F "8280" /opt/wso2/ei

You have to remove the joda-time package from elasticsearch-2.2.1.jar inside the conf folder, because it is compiled for Java 7.

You have to remove the jar files lucene-analyzers-common-5.4.1.jar and lucene-backward-codecs-5.4.1.jar from the conf folder.

You have to execute the james server like this:
sudo /oracle/james-server-app-3.0.0-RC1/bin/james start

You can follow the status of the james server:
sudo /oracle/james-server-app-3.0.0-RC1/bin/james status

You can see the log file of the james server:
cat /oracle/james-server-app-3.0.0-RC1/log/james-server.log

You can add domain like this:
sudo /oracle/james-server-app-3.0.0-RC1/bin/ -h localhost adddomain

See more information in

Notes on Ransomware WannaCry

- Block ports 137/UDP and 138/UDP, and 139/TCP and 445/TCP.

#Catalog of patches

#How to disable the smbv1
Disable SMBv1 on the SMB client by running the commands below:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled

Enable SMBv1 on the SMB client by running the commands below:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
sc.exe config mrxsmb10 start= auto