SSL cert works in SOAPUI but not in Jmeter2.13 - ssl

I am testing client-server over secured connection.
I loaded keystore cert into SOAPUI and was able to connect to my server's component. However, when I configure the same keystore cert in JMeter v2.13, I am getting this error:
Response code: Non HTTP response code: javax.net.ssl.SSLHandshakeException
Response message: Non HTTP response message: >java.security.cert.CertificateException: Certificates does not conform to >algorithm constraints
I've referred to many suggestion found and have
configured the path to my keystore and password in Jmeter's system.properties and added the 'Keystore Configuration'
Can anyone shed light on this?

After searching for answer I found that the answer here. Potentially there's few installation in my local machine.
My issue was because I have java.security at the following directories:
C:\Program Files (x86)\Java\jre1.8.0_73\lib\security
C:\Program Files\Java\jdk1.8.0_101
C:\Program Files\Java\jre1.8.0_101\lib\security
So, I've editted the value in java.security of C:\Program Files\Java\jre1.8.0_101\lib\security and I was able to send SOAP over https.
Having solved the problem, I do hope someone is able to explain to me why my client looks for settings in JRE but not JDK.

Related

Matomo 4.7.1 core:archive ssl certificate problem

I have Matomo 4.7.1 installed on RHEL8 and am getting an error message when running the core archive.
/opt/matomo/matomo-4.7.1/plugins/GeoIp2/GeoIP2AutoUpdater.php(175): GeoIP2AutoUpdater: failed to download 'https://download.db-ip.com/free/dbip-city-lite-2022-03.mmdb.gz' to '/opt/matomo/matomo-4.7.1/tmp/latest/DBIP-City.mmdb.gz.download': curl_exec: SSL certificate problem: unable to get local issuer certificate. Hostname requested was: download.db-ip.com [Query: , CLI mode: 1]
Our company uses a self signed cert and it is installed on this server and Apache and PHP both work as expected. I can use command line curl to download the file given in the error message with no problems, but running the core archive always shows the error. I also added the option to accept invalid ssl certificates and that didn't help.
php /opt/matomo/matomo/console core:archive --url=https://myserver.com/matomo/ --accept-invalid-ssl-certificate
I also updated the php.ini file with the path to the pem file and that didn't work.
curl.cainfo = "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
Is there anything else I am missing or can check?
Turns out there is config item for Matomo where you can set it to use your custom pem file instead of the one included with Matomo.
https://forum.matomo.org/t/certificate-issues-during-update/30238/8https://matomo.org/faq/troubleshooting/faq_34226/
To solve this issue, you are able to provide your own cacert file that trusts your proxies certificate. To use your own file, follow these steps:
1. Upload your cacert.pem file in a folder on your server such as /path/to/your/cacert.pem
2. Add custom_cacert_pem = "/path/to/your/cacert.pem" to the [General] section of your config file config/config.ini.php.
3. Make sure the certification is readable by your webserver.

Jenkins doesn't connect to Internet (SSL trouble)

Error message: SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I been trying to configure the proxy correctly but some http servers respond with success, meanwhile all the https doesn't.
I installed all the necessary plugins manually for run a sample pipeline but the error in console output is just a nested page 404 by jenkins.
It's important to know that my OS have the cli internet connection blocked for security terms.
This is the last followable trouble that I have, but I'm a little bit confusing with the SSL cert, I tried to resolve it by this post but is not clear to me which SSL cert I have to download and if this could cause troubles with my PC restrictions.
One solution to resolve this issue is change the update url at management plugins > advanced setting > url update from this
https://updates.jenkins.io/update-center.json
to this
http://updates.jenkins.io/update-center.json
this solutions is not definitive and i won't recommend it.
Actually i solve this problem loading the plugins.jenkins.io cert to the javas's keystore using
.\keytool.exe -import -alias {alias} -keystore %JAVA%\lib\security\cacerts -file \path\to\your\cert
(Be sure than you are not overwritting anything and the password for -import param by default is changeit)

Tomcat is not picking up the keystore

I am setting up the tomcat server which communicate with external system through SOAP web services(I am using the external system stubs and apache Axis2 library for that).
The external system is secured with ssl client/server authentication. The system provides me keystore file in .pfx format which contains two certificates.
Things I have tried:
I have extract those two certificates and added in my keystore. I added below entry in my tomcat/bin/catalina.bat file
set JAVA_OPTS = %JAVA_OPTS% -Djavax.net.ssl.trustStore=/pathtomykeystore/cacerts -Djavax.net.ssl.keyStore=/pathtomykeystore/cacerts -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.trustStorePassword=changeit
With above configuration my request fails with No X.509 client certificate HTTP header found in request.
I have enable ssl logs then I found that serverHelloDone is printed and after that it says
"No suitable client certificate could be found - continuing without
client authentication"
The same thing I have tried from SOAPUI Tool where I directly configure .pfx file as keystore and it is working fine there
The diff between Tomcat and SOPAUI logs is
SOAPUI can successfully competing Client authentication where tomcat is not.
also below lines are missing from tomcat ssl logs
keystore is:
keystoreType is: jks
keystore provider is
Update1:
I remove the keystore configuration from SOAPUI->project view-> WS Security Configuration -> keystore (This is working configuration) and added above mentioned JAVA_OPTS entries in soapui.bat file and now SOAPUI also giving a same error.
Anyone helps arround how soap ui pick and send the certificates from keystore configured in project view->keystore

SSL : Testing Server Side certificates using Jmeter

I am working on setting up ssl to secure my end points. I got a test certificate created from my org
I have recieved a .pfx file
I converted it into .pem -----> .der -------> .jks format
We have basic infrastructure to put this .jks file in a folder called ssl and it gets picked up just by using a confg file.
Next I set up Jmeter to test this. Steps Followed
set up a test recorder --> set up an http get request that takes no parameters
2.changed protocol to https ---> given port no ---> set up host and path. This is correct as I have tested it with http and it returns fine.
Now when I try to test it I get an error Certificate_Unknown error.
I have tried searching the internet and StackFlow articles about testing SSL. I also stumbled upon an article which says I need to add the certificate to my java_home cacerts. I havenot been able to successfully test it. Any pointers to what I might be doing wrong or if I could test it in some other way would be very helpful.
I am comparatively new to SSL concepts and just learnt about formats, ssl etc.
Thanks in advance. :)
You don't need to convert .pfx file into .jks as .pfx files are basically PKCS 12 certificates and JMeter supports them out of the box
I fail to see where you "tell" JMeter to use the certificate. If your " basic infrastructure to put this .jks file in a folder called ssl and it gets picked up just by using a confg file" stanza is related to JMeter - you should address this question to the "infrastructure" providers. Otherwise you need to explicitly configure JMeter to use the certificate. Just add the next lines to system.properties file:
javax.net.ssl.keyStoreType=pkcs12
javax.net.ssl.keyStore=/path/to/certificate.pfx
javax.net.ssl.keyStorePassword=your certificate password
JMeter restart will be required to pick the properties up.

soapui WSDL error when adding

I keep getting this error when adding this. Any ideas. I worked on other WSDL links and they are fine except this.
org.apache.xmlbeans.XmlException: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
The WSDL is on https, so you need to add the domain certificate to your cacerts on JRE which comes with SOAPUI installation (also could be probably that wsdl is published also on http so you can try to change the url for wsdl to http, first try this if not try steps below).
You have to download the server certificate (you can connect with the browser to the url of wsdl and save the certificate as an archive).
Then you can import this cert to your cacerts with keytool:
keytool -import -alias somealias -file serverCertificate.cer -keystore SOAPUI_HOME/jre/lib/security/cacerts
(default password for cacerts is "changeit").
With this steps you can use the WSDL and avoid the "PKIX path building failed" exception.
Hope this helps,
The Problem with the SOAP UI is it's using it's won JRE to execute programs...
To resolve the above exception follow the below steps.
Export the certificate from the key store or browser (which contain the public key)
Go to the SOAPUI installed directory and locate following directory \SmartBear\soapUI-4.0.1\jre\lib\security
Import the certificate in to cacerts trust store (Which is the default trust store)
Restart the SOAP UI and load the WSDL...
This appears to be a bug in SoapUI (at least as of 4.6.4). I just ran into the same issue and after making sure I had all of the CA certificates imported everywhere I found this post that mentions the same problem.
I installed the nightly build as mentioned in the post and I was able to get past the SSL handshake issue.
There is a sly detail here:
The SOAPui calls wsimport command with an OS system call to wsimport program. It does not load internal class com.sun.tools.internal.ws.WsImportto do the WSDL import.
If you are running SOAPui with the default JRE that comes with it but you also have a different JDK installed, then when using SOAPui tools to generate code, the wsimport command used is the one the OS knows better from the PATH and not the com.sun.tools.internal.ws.WsImport that comes with SOAPui.
In this case the called wsimport will not references the embedded cacerts in SOAPUI_HOME\jre\lib\security .
Instead it utilizes the default cacerts of the JDK the wsimport belongs.
SOAPui uses wsimport from a JDK as this picture shows
In that case the steps you have to follow are:
Download and save the serverĀ“s certificate to a file, say srv-certificate.txt
Import this certificate to the cacerts of the JDK used by the SOAPui tools:
C:\>keytool -import -alias somealias -file cmq-certificates.txt -keystore C:\software\jdk1.8.0.65\jre\lib\security\cacerts
where jdk1.8.0.65 is the JDK used by the SOAPui tools.
Hope it helps!
I've had the same problem (working with profesionnal computer behind a corporate proxy) :
It appeared that I just had to set proxy in SoapUI to None to solve it (neither manual - cntlm, in my case - nor automatic - windows settings, corporate proxy - did work :-/) !...