JMeter JMS samplers not attaching Client SSL certificate (self signed certificate) - ssl

I am running a JMS point-to-point sampler for TIBCO EMS queue testing. I have added all the TIBCO EMS jars to the JMeter lib folder and configured the queue details, context factory and user credentials in the JMS sampler.
When hitting the TIBCO EMS with a tcp request for the queue, it works. But when hitting it with the SSL URL, it fails to connect.
I tried the following ways to attach the self-signed certificate given by the TIBCO team:
Added the .pem file (only the begin and end certificate section) to the Java JDK cacerts file and opened JMeter from the command line with -Djavax.net.ssl.keystore=cacerts and the password. The SSL request failed to connect to the TIBCO EMS server.
Extracted the certificate from the server through openssl -connect commands, copied the begin and end certificate sections to a .cer file and used keytool to add them to a truststore. Started JMeter with this truststore. The JMS sampler still failed.
I understand the SSL certificate is not getting attached to the JMS sampler when we run it. Can someone help with the steps to successfully attach the SSL certificate to the JMS request?

Looking into Configuring EMS over SSL on Application Servers, I think you need to provide the following Java system properties:
com.tibco.tibjms.naming.security_protocol=ssl
jsse.providerClass=com.ibm.jsse2.IBMJSSEProvider2
com.tibco.tibjms.ssl.expected_hostname=xxxx
com.tibco.tibjms.ssl.enable_verify_host_name=false
com.tibco.tibjms.ssl.enable_verify_host=false
com.tibco.tibjms.ssl.trusted=/path/to/your/certificate.pem
The properties can either be put into system.properties file (lives in "bin" folder of your JMeter installation) or passed via -D command-line arguments like:
jmeter -Dcom.tibco.tibjms.naming.security_protocol=ssl -Djsse.providerClass=com.ibm.jsse2.IBMJSSEProvider2 ....
References:
Java Secure Socket Extension (JSSE) Reference Guide
TibjmsContext
TibjmsSSL
Apache JMeter Properties Customization Guide
Overriding Properties Via The Command Line
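
The two `enable_verify_*` properties set to `false` in the answer above switch off the client's checks of the EMS server certificate and its host name, so a configuration copied from it connects without authenticating the server. The following check for such settings is an added example, not part of the original answer; the function names and the sample file content are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): flag TIBCO EMS client settings
# that switch off server-certificate checks in JMeter configuration.

# Print each disabled check found in file $1, whether it is written as a
# properties line ("key = false") or as a -Dkey=false command-line argument.
find_disabled_verification() {
  sed -e '/^[[:space:]]*[#!]/d' -e 's/[[:space:]]*=[[:space:]]*/=/g' "$1" |
    tr -s ' \t"' '\n\n\n' |        # one token per line, double quotes dropped
    sed -e 's/^-D//' |             # treat -Dkey=value like key=value
    grep -Eix 'com\.tibco\.tibjms\.ssl\.enable_verify_host(_name)?=false' || true
}

# Constructed sample: a system.properties file in the style of the answer.
write_sample() {
  cat > "$1" <<'EOF'
com.tibco.tibjms.naming.security_protocol=ssl
com.tibco.tibjms.ssl.expected_hostname=ems.example.test
com.tibco.tibjms.ssl.enable_verify_host_name = false
com.tibco.tibjms.ssl.enable_verify_host=false
# com.tibco.tibjms.ssl.enable_verify_host=false   (commented out, ignored)
com.tibco.tibjms.ssl.trusted=/path/to/your/certificate.pem
EOF
}

# Demo: run as "bash check_verify.sh demo".
if [ "${1:-}" = "demo" ]; then
  f=$(mktemp) && write_sample "$f"
  echo "Settings that disable server verification:"
  find_disabled_verification "$f"
  rm -f "$f"
fi
```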

Related

Tomcat is not picking up the keystore

I am setting up a Tomcat server which communicates with an external system through SOAP web services (I am using the external system's stubs and the Apache Axis2 library for that).
The external system is secured with SSL client/server authentication. The system provides me a keystore file in .pfx format which contains two certificates.
Things I have tried:
I have extracted those two certificates and added them to my keystore. I added the entry below to my tomcat/bin/catalina.bat file:
set JAVA_OPTS = %JAVA_OPTS% -Djavax.net.ssl.trustStore=/pathtomykeystore/cacerts -Djavax.net.ssl.keyStore=/pathtomykeystore/cacerts -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.trustStorePassword=changeit
With the above configuration my request fails with No X.509 client certificate HTTP header found in request.
I have enabled SSL logs and found that serverHelloDone is printed, and after that it says
"No suitable client certificate could be found - continuing without client authentication"
The same thing I have tried from the SOAPUI tool, where I directly configure the .pfx file as keystore, and it is working fine there.
The difference between the Tomcat and SOAPUI logs is:
SOAPUI can successfully complete client authentication where Tomcat cannot.
Also, the lines below are missing from the Tomcat SSL logs:
keystore is:
keystoreType is: jks
keystore provider is
Update1:
I removed the keystore configuration from SOAPUI->project view-> WS Security Configuration -> keystore (this is the working configuration) and added the above-mentioned JAVA_OPTS entries to the soapui.bat file, and now SOAPUI is also giving the same error.
Can anyone help with how SOAPUI picks and sends the certificates from the keystore configured in project view->keystore?

SSL : Testing Server Side certificates using Jmeter

I am working on setting up SSL to secure my endpoints. I got a test certificate created from my org.
I have received a .pfx file.
I converted it into .pem -----> .der -------> .jks format.
We have basic infrastructure to put this .jks file in a folder called ssl and it gets picked up just by using a config file.
Next I set up JMeter to test this. Steps followed:
1. Set up a test recorder --> set up an HTTP GET request that takes no parameters.
2. Changed protocol to https ---> given port no ---> set up host and path. This is correct as I have tested it with http and it returns fine.
Now when I try to test it I get a Certificate_Unknown error.
I have tried searching the internet and StackFlow articles about testing SSL. I also stumbled upon an article which says I need to add the certificate to my java_home cacerts. I have not been able to successfully test it. Any pointers to what I might be doing wrong, or whether I could test it in some other way, would be very helpful.
I am comparatively new to SSL concepts and just learnt about formats, SSL etc.
Thanks in advance. :)

You don't need to convert the .pfx file into .jks, as .pfx files are basically PKCS 12 certificates and JMeter supports them out of the box.
I fail to see where you "tell" JMeter to use the certificate. If your "basic infrastructure to put this .jks file in a folder called ssl and it gets picked up just by using a config file" stanza is related to JMeter, you should address this question to the "infrastructure" providers. Otherwise you need to explicitly configure JMeter to use the certificate. Just add the next lines to the system.properties file:
javax.net.ssl.keyStoreType=pkcs12
javax.net.ssl.keyStore=/path/to/certificate.pfx
javax.net.ssl.keyStorePassword=your certificate password
JMeter restart will be required to pick the properties up.
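
What separates a store usable as `javax.net.ssl.keyStore` from one that only works as a trust store is its entry type: client authentication needs a `PrivateKeyEntry`, while importing extracted certificates produces only `trustedCertEntry` items. The script below is an added example, not part of the answer above; it assumes a JDK `keytool` on the PATH, and the file names, alias and password are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original posts). File names, the alias and the
# password "changeit" are constructed for the demo; requires a JDK's keytool.

# Build one store of each kind in directory $1.
make_demo_stores() {
  local d="$1" pw=changeit
  # identity.p12: private key + certificate, like a .pfx issued for client auth.
  keytool -genkeypair -alias client -keyalg RSA -keysize 2048 -validity 1 \
    -dname "CN=demo-client" -keystore "$d/identity.p12" -storetype PKCS12 \
    -storepass "$pw" -keypass "$pw" >/dev/null 2>&1 || return 1
  # Export the certificate alone (no key), as a browser or openssl would save it.
  keytool -exportcert -rfc -alias client -keystore "$d/identity.p12" \
    -storetype PKCS12 -storepass "$pw" -file "$d/client.pem" >/dev/null 2>&1 || return 1
  # certs-only.jks: that certificate imported into a store, with no key behind it.
  keytool -importcert -noprompt -alias client -file "$d/client.pem" \
    -keystore "$d/certs-only.jks" -storetype JKS -storepass "$pw" >/dev/null 2>&1
}

# Count entries of kind $4 (PrivateKeyEntry or trustedCertEntry) in store $1.
entry_count() {
  keytool -J-Duser.language=en -list -keystore "$1" -storetype "$2" \
    -storepass "$3" 2>/dev/null | grep -c "$4" || true
}

# Print which javax.net.ssl.* role the store can fill.
store_role() {
  if [ "$(entry_count "$1" "$2" "$3" PrivateKeyEntry)" -gt 0 ]; then
    echo keyStore           # can present a client certificate
  elif [ "$(entry_count "$1" "$2" "$3" trustedCertEntry)" -gt 0 ]; then
    echo trustStore-only    # can verify a peer, cannot authenticate as a client
  else
    echo unreadable-or-empty
  fi
}

# Demo: run as "bash store_role.sh demo".
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d) && make_demo_stores "$d" || exit 1
  echo "identity.p12:   $(store_role "$d/identity.p12" PKCS12 changeit)"
  echo "certs-only.jks: $(store_role "$d/certs-only.jks" JKS changeit)"
  rm -rf "$d"
fi
```

A store that reports `trustStore-only` and is passed as `javax.net.ssl.keyStore` leaves the JVM with no client certificate to offer during the handshake.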

Setting Up "Outbound SSL" in JBoss and/or underlying JRE

Looking to port Outbound SSL configuration from Websphere to JBoss. In my case, JBoss is the client. It wants to pass a client cert to a remote machine as part of a 2-way SSL communication.
In Websphere, you explicitly specify...
keystore / keystore password (where are the certs?)
certificate alias (which client cert to apply?)
matching outbound URL pattern (when do I apply the client cert?)
You may have many of these configurations. Between these 3 pieces of info, the container can selectively choose when/which client certificate to include when making outbound SSL calls.
What is the JBoss way of doing the same thing as I described above ?
Can this be done by simply configuring your JRE ?
Are there parts of this that cannot be done in JBoss and/or java?
Thanks,
Wade.

Mule MMC Alert - Url Health check not working for HTTPS

I'm creating an alert using URL Health check for HTTPS in Mule MMC. When I configure an HTTP URL it works fine. But for HTTPS, how can I achieve the health check (https://apps:8089/check)? Since it is a secured connection and there is no option for a keystore path, where can I place my certificate? Obviously the alert is showing me 'SSL handshake error' (because nowhere can I configure the certificate).
How can I configure an HTTPS URL in MMC (the MMC document in Mule also covers HTTP, not HTTPS)? Hopefully there is some way.
Let me know whether it is possible or not and, if possible, how to achieve it. Help will be really appreciated.

I assume you are running MMC using a container such as Tomcat, GlassFish or JBoss. All these containers use a JRE/JDK (depending on what you have configured). If you are trying to invoke an HTTPS URL from MMC, the relevant certificate (for the HTTPS URL) must be imported into the JDK/JRE trust store so that when the HTTPS URL within MMC is invoked in the JVM (that is running MMC in Tomcat/GlassFish/JBoss), the relevant certificate can be recognized.
Download the certificate from the browser (by clicking on the green bar in the browser).
Use this command to import the certificate:
keytool -import -file "Path to your certificate file" -keystore "C:\Program Files\Java\jre7\lib\security\cacerts"
Once done, restart your container and try again.

JMeter and optional SSL client certificate

I'm setting up a test plan using JMeter 2.8 involving SSL client certificates. The test plan roughly consists of two https calls to server1 and server2.
The tricky part is that the call to server1 should not use SSL client authentication (although the server is requesting one) while the call to server2 must use SSL client authentication.
Currently, as soon as I give a keystore to JMeter, all https calls send the SSL certificate, which causes the call to server1 to fail.
I have currently tried two approaches:
I removed the -Djava.net.ssl.keyStore=xxx from the JMeter command line and used a BeanShell or BSH pre-processor to set it just before the call to server2, but it does not work and the call to server2 fails as if no keystore had been specified.
I tried to use the Keystore management configurator to specify a nonexistent key before making the call to server1, but when I put the start and end indices after the last certificate in the store, JMeter still sends the first certificate in the store.

What you can do is the following:
Add the following JVM properties to JMeter:
-Djavax.net.ssl.keyStore=<path to folder containing keystore>/keystore.jks
-Djavax.net.ssl.keyStorePassword=password if any
Use Keystore Configuration
set in user.properties:
https.use.cached.ssl.context=false
Use HC4Impl for the sampler that must send client certificate
Use JavaImpl for the one that must not send it (it is a kind of trick, I must say I don't understand why you must not send client certificate if server requests it)