I have a collection in documentdb in which I need to verify the contents using JMeter. I'm relatively new to JMeter and I was wondering how I can connect JMeter to AWS document db. I tried using the SSL manager to use the rds-combined-ca-bundle.pem but it does not work with pem files. How can I use this pem file in JMeter?
You need to convert the PEM file to .p12, using either the OpenSSL tool like:
openssl pkcs12 -export -nokeys -in certificate.pem -out certificate.p12
Alternatively you can use keytool and import the certificate into an existing .p12 Java keystore:
keytool -import -v -alias your-certificate-alias-here -file certificate.pem -keystore certificate.p12
Once done you can specify the path to the certificate and its password in JMeter's system.properties file like
javax.net.ssl.keyStore=certificate.p12
javax.net.ssl.keyStorePassword=changeit
and after JMeter restart it will send encrypted requests to the backend.
More information: How to Set Your JMeter Load Test to Use Client Side Certificates
Use this script to import the .pem certificate for Amazon DocumentDB to the keystore:
#!/bin/bash
mydir=/tmp/certs
truststore="$mydir"/rds-truststore.jks
storepassword="truststorePassword" # at least 6 characters
mkdir -p "$mydir"; cd "$mydir" || exit
curl -sS "https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem" > "$mydir"/rds-combined-ca-bundle.pem
awk 'split_after == 1 {n++;split_after=0} /-----END CERTIFICATE-----/ {split_after=1}{print > "rds-ca-" n ".pem"}' < "$mydir"/rds-combined-ca-bundle.pem
for CERT in "$mydir"/rds-ca-*; do
alias=$(openssl x509 -noout -text -in "$CERT" | perl -ne 'next unless /Subject:/; s/.*(CN=|CN = )//; print')
echo "Importing $alias"
keytool -import -file "$CERT" -alias "$alias" -storepass "$storepassword" -keystore "$truststore" -noprompt
rm -f "$CERT"
done
rm -f "$mydir"/rds-combined-ca-bundle.pem
echo "Trust store content is: "
keytool -list -v -keystore "$truststore" -storepass "$storepassword" | grep Alias | cut -d " " -f3- | while read -r alias
do
expiry=$(keytool -list -v -keystore "$truststore" -storepass "$storepassword" -alias "$alias" | grep Valid | perl -ne 'if(/until: (.*?)\n/) { print "$1\n"; }')
echo " Certificate ""$alias"" expires in '$expiry'"
done
Then update system.properties as mentioned above with the location of the keystore and its password.
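As an added check, not part of either answer: this Python script splits a CA bundle the way the awk step does and prints each certificate's SHA-256 fingerprint in the colon-separated form that `keytool -list -v` shows, so every entry in the generated trust store can be matched back to the bundle it came from. The sample bundle is constructed (two dummy DER blobs, not real certificates); point the functions at the downloaded rds-combined-ca-bundle.pem for real use.

```python
import base64
import hashlib
import os
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def _pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour (used only to build the constructed sample)."""
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"

# Constructed sample standing in for rds-combined-ca-bundle.pem: two tiny DER SEQUENCEs,
# not real certificates, so the example runs offline.
SAMPLE_BUNDLE = _pem(b"\x30\x03\x02\x01\x01") + _pem(b"\x30\x03\x02\x01\x02")

def split_pem_bundle(text: str) -> list[str]:
    """Return each certificate as its own PEM string (what the awk one-liner writes to rds-ca-N.pem)."""
    return [_pem_body(b) for b in PEM_BLOCK.findall(text)]

def _pem_body(body: str) -> str:
    return "-----BEGIN CERTIFICATE-----\n" + body.strip() + "\n-----END CERTIFICATE-----\n"

def der_of(pem: str) -> bytes:
    """Decode one PEM block to DER and check it is a DER SEQUENCE (tag 0x30), as every X.509 cert is."""
    m = PEM_BLOCK.search(pem)
    if m is None:
        raise ValueError("not a PEM certificate block")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("decoded bytes are not a DER SEQUENCE")
    return der

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the uppercase, colon-separated form printed by `keytool -list -v`."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def bundle_fingerprints(text: str) -> list[str]:
    """Fingerprint every certificate in a bundle, in bundle order, for comparison with the trust store."""
    return [fingerprint(der_of(p)) for p in split_pem_bundle(text)]

def write_split(text: str, outdir: str, prefix: str = "rds-ca-") -> list[str]:
    """Write each certificate to <outdir>/<prefix><n>.pem, ready for `keytool -import -file`."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for n, pem in enumerate(split_pem_bundle(text)):
        path = os.path.join(outdir, f"{prefix}{n}.pem")
        with open(path, "w") as f:
            f.write(pem)
        paths.append(path)
    return paths
```

Run `bundle_fingerprints(open("rds-combined-ca-bundle.pem").read())` and compare the list against the SHA256 lines of `keytool -list -v -keystore rds-truststore.jks`; a fingerprint present in one but not the other means an import was skipped or the wrong file was imported.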
Related
I'm trying to import my existing ssl certificates in my wowza streaming server.
I'm following this document: Import certificate
I'm able to convert my certificates to JKS format, and I have changed the VHost.xml file as suggested at the URL, but when I restart the server and check the logs I find the error below:
Here is my VHost.xml conf file: (I have replaced the password with asterisks just for the screenshot)
Steps that I have followed:
sudo openssl pkcs12 -export -in /etc/ssl/private/nginx/certificate.crt -inkey /etc/ssl/private/nginx/private.key -name example.com -out example.com-PKCS-12.p12
sudo keytool -importkeystore -deststorepass ***** -destkeystore example.com.jks -srckeystore example.com-PKCS-12.p12 -srcstoretype PKCS12
sudo keytool -import -alias bundle -trustcacerts -file /etc/ssl/private/nginx/ca_bundle.crt -keystore /usr/local/WowzaStreamingEngine-4.7.6/conf/example.com.jks
After that I opened port 443 in VHost.xml and changed the keystore and password.
Please help me to run Wowza Streaming Engine over HTTPS.
Thanks in advance
I have been struggling with setting up our env on SSL. We get keystore files from our CAs.
It is a fairly automated process. However, we mostly struggle on the client side.
Currently, I run the following command to check certs from the server:
openssl s_client -connect <server>:<port>
Once it prints the certs, I list the keystores and verify DN, issuer and subject manually:
keytool -list -v -keystore keystore.jks
I would like to know if there is a command or any other way to feed the keystore.jks to openssl command and verify certs.
You can try the following command:
openssl s_client -verify 100 -showcerts -connect $HOST:$PORT -CAfile <(keytool -list -rfc -keystore truststore.jks -storepass changeit)
-keystore is the path of keystore.
-storepass is the password for the keystore
This will load your keystore as the input to -CAfile.
The command works the same as openssl s_client -connect $HOST:$PORT -CAfile <path-to-ca.pem>
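The process substitution in the answer above is bash-only; as an added example that is not part of the answer, the Python below does the same job portably: it dumps the JKS with `keytool -list -rfc`, writes only the PEM blocks to a temporary -CAfile, runs `openssl s_client` against it and parses the "Verify return code" line. The keystore listing embedded here is constructed (placeholder PEM bodies, not real certificates) so the extraction and parsing steps run offline; `verify_server` needs keytool and openssl on PATH.

```python
import os
import re
import subprocess
import tempfile

# Constructed sample of `keytool -list -rfc` output: two trusted entries with placeholder
# PEM bodies, enough to exercise the extraction step without a real keystore.
SAMPLE_LISTING = """Keystore type: JKS
Keystore provider: SUN

Alias name: ca-root
Entry type: trustedCertEntry

-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----

Alias name: ca-intermediate
Entry type: trustedCertEntry

-----BEGIN CERTIFICATE-----
MAMCAQI=
-----END CERTIFICATE-----
"""

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
VERIFY_LINE = re.compile(r"Verify return code: (\d+) \((.*?)\)")

def pem_blocks(listing: str) -> list[str]:
    """Keep only the PEM certificates from a `keytool -list -rfc` dump; the alias/entry headers would confuse OpenSSL."""
    return PEM_BLOCK.findall(listing)

def parse_verify(s_client_output: str):
    """Return (code, reason) from OpenSSL's 'Verify return code' line, or None if no handshake summary was printed."""
    m = VERIFY_LINE.search(s_client_output)
    return (int(m.group(1)), m.group(2)) if m else None

def verify_server(host: str, port: int, keystore: str, storepass: str):
    """Validate the server's chain against the trust store in keystore; code 0 means it chains to a store entry."""
    listing = subprocess.run(["keytool", "-list", "-rfc", "-keystore", keystore, "-storepass", storepass],
                             check=True, capture_output=True, text=True).stdout
    fd, cafile = tempfile.mkstemp(suffix=".pem")  # temp file replaces bash's <(...)
    try:
        with os.fdopen(fd, "w") as f:
            f.write("\n".join(pem_blocks(listing)) + "\n")
        proc = subprocess.run(["openssl", "s_client", "-verify", "100", "-showcerts",
                               "-connect", f"{host}:{port}", "-CAfile", cafile],
                              input="", capture_output=True, text=True)  # empty stdin ends the session
        return parse_verify(proc.stdout)
    finally:
        os.unlink(cafile)  # do not leave the exported trust anchors lying around
```

As in the one-liner, the -storepass value is visible in the process list for the lifetime of the keytool call.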
I was hoping I could get some info on how to resolve this issue. I am new to Jenkins and trying to set up a Jenkins server.
After I enable SSL, I am unable to login to Jenkins. Chrome throws the error ERR_SSL_VERSION_OR_CIPHER_MISMATCH.
Jenkins Version: jenkins-2.77-1.1
Steps followed:
1. Created a self-signed SSL cert.
2. Created a Java keystore and imported the cert:
/bin/keytool \
-keystore .keystore/cacerts \
-import -alias jenkins -file ./ssl/cert.pem
3. Updated /etc/sysconfig/jenkins:
JENKINS_HTTPS_PORT="8443"
JENKINS_HTTPS_KEYSTORE="/var/lib/jenkins/.keystore/cacerts"
JENKINS_HTTPS_KEYSTORE_PASSWORD="changeit"
JENKINS_HTTPS_LISTEN_ADDRESS=""
4. Restarted Jenkins.
Any help or pointers would be appreciated.
regards,
OK, I was able to resolve this by creating a PKCS12 cert and adding that to the Java keystore.
The following thread has the steps:
How to import an existing x509 certificate and private key in Java keystore to use in SSL?
Created the PKCS12 cert as below:
openssl pkcs12 \
-export -inkey ssl/key.pem \
-in ssl/cert.pem \
-out ssl/cert.p12 \
-password pass:test
Imported this cert into my Java keystore:
/bin/keytool -importkeystore \
-deststorepass changeit \
-destkeypass changeit \
-destkeystore .keystore/cacerts \
-srckeystore ssl/cert.p12 \
-srcstoretype PKCS12 \
-srcstorepass test
I have scanned SO and found there are no detailed instructions on how to install a letsencrypt.org SSL certificate on glassfish; specifically, in this tutorial I will be using glassfish 4.1.2 build 1. After a lot of trial and error, I was able to put together the following guide. So I hope that it is fine to ask and answer my own question.
In this tutorial I shall be using an Ubuntu 16.04 LTS Server with shell access from my Ubuntu 16.04 LTS desktop.
Visit certbot and follow the instructions below to set up your system.
Install
On Ubuntu systems, the Certbot team maintains a PPA. Once you add it to your
list of repositories all you'll need to do is apt-get the following packages.
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot
Get Started
Since your server architecture doesn't yet support automatic installation
you'll have to use the certonly command to obtain your certificate.
$ sudo certbot certonly
terminal will output
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
1: Place files in webroot directory (webroot)
2: Spin up a temporary webserver (standalone)
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
We select the 1st option: key in 1 and press enter.
terminal will output
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel):yoursite.com www.yoursite.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for yoursite.com
http-01 challenge for www.yoursite.com
terminal will output
Select the webroot for yoursite.com:
1: Enter a new webroot
Press 1 [enter] to confirm the selection (press 'c' to cancel): 1
Input the webroot for yoursite.com: (Enter 'c' to cancel):/home/yourUsername/glassfish4/glassfish/domains/domain1/docroot
Select the webroot for www.yoursite.com:
1: Enter a new webroot
2: /home/yoursite/glassfish4/glassfish/domains/domain1/docroot
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
terminal will output
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/yoursite.com/fullchain.pem. Your cert will
expire on 2017-08-21. To obtain a new or tweaked version of this
certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
Automating renewal
The Certbot packages on your system come with a cron job that will renew your certificates automatically before they expire. Since Let's Encrypt certificates last for 90 days, it's highly advisable to take advantage of this feature. You can test automatic renewal for your certificates by running this command:
certbot renew --dry-run
The following script can automate importing the certificate into glassfish.
For further reading:
https://community.letsencrypt.org/t/importing-letsencrypt-into-java-and-glassfish/9711
Now we import the certificates.
Make the following script and save it as yourscriptname.sh to automate the process then run it with the command
$ sh yourscriptname.sh
#!/bin/sh
DOMAIN=yoursite.com
#note that changeit is the default keystore password
KEYSTOREPW=changeit
GFDOMAIN=/home/yourUsername/glassfish4/glassfish/domains/domain1
LIVE=/etc/letsencrypt/live/$DOMAIN
mkdir -p etc
cd etc || exit 1
sudo openssl pkcs12 -export -in $LIVE/cert.pem -inkey $LIVE/privkey.pem -out cert_and_key.p12 -name myalias -CAfile $LIVE/chain.pem -caname root -password pass:$KEYSTOREPW
sudo keytool -importkeystore -destkeystore keystore.jks -srckeystore cert_and_key.p12 -srcstoretype PKCS12 -alias myalias -srcstorepass $KEYSTOREPW -deststorepass $KEYSTOREPW -destkeypass $KEYSTOREPW
sudo keytool -import -noprompt -trustcacerts -alias root -file $LIVE/chain.pem -keystore keystore.jks -storepass $KEYSTOREPW
sudo openssl pkcs12 -export -in $LIVE/fullchain.pem -inkey $LIVE/privkey.pem -out pkcs.p12 -name glassfish-instance -password pass:$KEYSTOREPW
sudo keytool -importkeystore -destkeystore keystore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -alias glassfish-instance -srcstorepass $KEYSTOREPW -deststorepass $KEYSTOREPW -destkeypass $KEYSTOREPW
sudo openssl pkcs12 -export -in $LIVE/fullchain.pem -inkey $LIVE/privkey.pem -out pkcs.p12 -name s1as -password pass:$KEYSTOREPW
sudo keytool -importkeystore -destkeystore keystore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -alias s1as -srcstorepass $KEYSTOREPW -deststorepass $KEYSTOREPW -destkeypass $KEYSTOREPW
sudo keytool -list -keystore keystore.jks -storepass $KEYSTOREPW
sudo cp -f keystore.jks $GFDOMAIN/config/
sudo service glassfish stop
sudo service glassfish start
cd ..
sudo rm -rf etc
If you need to change the keystore password:
Use keytool command. If it doesn't work you might have to cd to the path where it's located in your glassfish-install-dir/glassfish/domains/domain1/config directory and run the command in that directory.
keytool -storepasswd -keystore /path/to/keystore
Enter keystore password: changeit
New keystore password: new-password
Re-enter new keystore password: new-password
After successfully importing the certs and restarting glassfish server, SSL worked with the installed web application but unfortunately I was not able to log into the glassfish admin console from the browser, though the asadmin tool still worked.
Solving being unable to log in to the admin console after the above changes
We need to add a wget command to our script to download the most recent CA file revision (by date of appearance) from the recent trusted CA revisions from Mozilla.
Add the following to the yourscriptname.sh script, just above the command sudo service glassfish stop, to fix the problem.
# --no-check-certificate disables TLS verification of this download, so the fetched trust store itself arrives unauthenticated; omit the flag if wget's own CA store can validate curl.haxx.se
wget https://curl.haxx.se/ca/cacert-2017-01-18.pem --no-check-certificate -O cacert.pem
PEM_FILE=cacert.pem
KEYSTORE=cacerts.jks
CERTS=$(grep 'END CERTIFICATE' $PEM_FILE| wc -l)
for N in $(seq 0 $(($CERTS -1))); do
ALIAS="${PEM_FILE%.*}-$N"
cat $PEM_FILE | awk "n==$N { print }; /END CERTIFICATE/ { n++ }" |
keytool -noprompt -import -trustcacerts \
-alias $ALIAS -keystore $KEYSTORE -storepass $KEYSTOREPW
done
sudo keytool -list -keystore keystore.jks -storepass $KEYSTOREPW
sudo keytool -list -keystore cacerts.jks -storepass $KEYSTOREPW
if [ ! -f $GFDOMAIN/config/keystore-orig.jks ]; then
echo "Backing up original files..."
sudo cp -f $GFDOMAIN/config/keystore.jks $GFDOMAIN/config/keystore-orig.jks
sudo cp -f $GFDOMAIN/config/cacerts.jks $GFDOMAIN/config/cacerts-orig.jks
fi
echo "Updating certificates..."
sudo cp -f keystore.jks $GFDOMAIN/config/keystore.jks
sudo cp -f cacerts.jks $GFDOMAIN/config/cacerts.jks
echo stop and restart glassfish domain to complete
I hope this helps someone, cheers all!
I have created a Perl script to assist in the installation of Let's Encrypt certificates in Glassfish and Payara. I have successfully used it to not only install a certificate for multiple domains in about five minutes, but to automatically renew - via a cron job - those certificates when they were about to expire.
What I've done is broken the process of obtaining a Let's Encrypt certificate into the following steps, not all of which will be necessary:
1. Customize the script to the particular local installation
1a. List of domains for which a certificate is to be created
1b. Glassfish/Payara setup (where they're located in your filesystem)
1c. Password for Glassfish/Payara
2. Change Glassfish/Payara to listen on ports 80 and 443
3. Generate the Let's Encrypt certification keys
4. Ensure that the keystore password matches that of the server
5. Create a keystore
6. Import the created keystore into the Glassfish/Payara keystore
7. Apply the new certificate to the https listener
8. Update the domain SSL information
9. Set (if necessary) the server admin password.
10. Set up the https domain
Additionally, the script can be invoked periodically (typically via 'cron') to check to see if any domains need to be renewed and if so, renew them automatically.
See: https://github.com/hbrednek/letsencrypt_glassfish for the script.
I'm following the SSL basic access authentication doc:
Step 3: Combine the key and certificate files into a PKCS12 format
file, the format used by the Java keystore. If the certificate you
received is not in the .pem format, see the Jetty SSL configuration
docs to learn how to convert it.
Read key password from env variable MARATHON_KEY_PASSWORD
Set PKCS password to env variable MARATHON_PKCS_PASSWORD
$ openssl pkcs12 -inkey marathon.key \
-passin "env:MARATHON_KEY_PASSWORD" \
-name marathon \
-in trusted.pem \
-password "env:MARATHON_PKCS_PASSWORD" \
-chain -CAfile "trustedCA.crt" \
-export -out marathon.pkcs12
I have marathon.key from step 1
I have trusted.pem from step 2
But I don't have trustedCA.crt
Is this a cert from my server?
I created a cert on my server and used it, but I get an error:
Error self signed certificate getting chain.
If you don't have a signed chain (self-signed doesn't count) there is no point in using this option. Use the code below to generate a self-signed cert and use it with Marathon.
I generate self-signed certs as follows, without a chain.
mkdir -p /etc/marathon/ssl
cd /etc/marathon/ssl
export MARATHON_SSL_KEYSTORE_PASSWORD=jks_pass
keytool -keystore marathon.jks -storepass $MARATHON_SSL_KEYSTORE_PASSWORD -alias marathon -genkey -keyalg RSA
cat << EOF > /etc/default/marathon
MARATHON_SSL_KEYSTORE_PATH=/etc/marathon/ssl/marathon.jks
MARATHON_SSL_KEYSTORE_PASSWORD=$MARATHON_SSL_KEYSTORE_PASSWORD
EOF
Related to marathon#4783