Need help setting up Jmeter to use multiple Certs.
Need Jmeter HTTPS requests to use different client certificates that I have in a JKS keystore, currently 2 client certs/keys are in it.
Currently I have few HTTPS request in first thread group which should be made using CERT1 and Second thread group has few more HTTPS request which should be made using CERT2.
I am using KeyStore configuration to have have these different thread groups to use different CERTs by using alias or index.
Besides adding the Keystore Configuration to the thread group and setting different alias to select different Cert, Jmeter is not using different certs to make request. I see the same cert is being used.
I have set -Jhttps.use.cached.ssl.context=false -Jhttps.socket.protocols=TLSv1.2 -Djavax.net.ssl.keyStore=%KEYSTORE% -Djavax.net.ssl.keyStorePassword=%KEY_PASS%
and also I am using HTTPClient4 in my HTTPS requests.
Is there something that I am missing..any help would be appropriated..?
Read the documentation reference:
http://jmeter.apache.org/usermanual/component_reference.html#Keystore_Configuration
Pay attention to the yellow notes:
To make JMeter use more than one certificate you need to ensure that:
- https.use.cached.ssl.context=false is set in jmeter.properties or user.properties
- You use either HTTPClient 3.1 or 4 implementations for HTTP Request
Related
I have two nifi nodes I want to run behind an AWS Application Load Balancer. This type of load balancer decrypts the incoming request to parse it, then re-encrypts with it's own cert.
I'm having issues getting the Nifi to recognize the user making a request since the requests always come in with the LB cert instead of the original users cert. I'm wondering if Nifi already has a means of handling this, for instance is it possible to have my LB set a header to specify the DN of the user's cert and have nifi authenticate first the LB DN and, if that passes, the header?
I am aware that the other two types of load balancers provided by AWS would in theory work, so long as I updated the SAN of the nifi certs to include the LB DN. However, I have reasons I would prefer to stick to an ALB. Is their any viable manner to properly authenticate users behind an ALB?
The Proxy Configuration section of the Admin Guide should cover this:
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#proxy_configuration
Specifically the part about X-ProxiedEntitiesChain.
To serve https requests in Ktor, their documentation states you need to set some config properties (ktor.security.ssl) in application.conf, such that Ktor can find the ssl certificate. However, I want to retrieve the ssl certificate from another server (via an encrypted connection).
Can I setup my Ktor server in such a way that I retrieve this certificate and enable https on server startup?
If anyone is still wondering about this, the way to do this is to start your Ktor server as an embedded server and supply it with your own ApplicationEngineEnvironment (As a reference you can use the function io.ktor.server.engine.CommandLine.Kt).
In this ApplicationEngineEnvironment you can customize the way the SSL certificate is loaded.
I did create a ssl virtualhost in apache with a self-signed certificate.
In my opinion the configuration is correct however it is possible to access this url using "curl --insecure".
Searching at google, reading several tutorials and trying several configurations (diretives SSLVerifyClient|SSLVerifyDepth|AuthType|AuthBasicProvider|AuthUserFile|Require valid-user) I did not have any success in block this url using "curl --insecure"
I have been thinking in testing mod_security but I don't know if is the right way.
Could you give me some advice?
Thanks
Hudson
I suspect you may need to refine the understanding of sleep. You can't force clients to verify your SSL certificate. Besides, if you're using a self signed cert, it would never verify for anyone who didn't add the cert to their ca library.
You could block curl by rejecting requests based on their User Agent string. But that's just a header, and can be set by the client to anything ( such as a "valid" browser URL). If you really want to control clients, one way would be to use client certificates, which is the analog of the server certificate you set up, but on the client side. In that case, in addition to the client (ostensibly) verifying the server's cert, the server would verify the client's cert, providing a very strong and reliable mechanism to verify client access. Unfortunately, due the the difficulty of generating keys and cert signing requests, and signing certs for clients, client http certificates are not common. But they're very secure, and a good choice if you control both sides.
A middle ground would be to add an authentication layer into your app to control who can access it (you'd then refuse unauthenticated requests altogether)
In short, though, none of these things block curl. They block clients who cannot authenticate. I would recommend you not focus on the remote browser/client in use ( that's at the discretion of your http client). instead, focus on providing the security authentication you require. IMHO, trying to block client user-agents is a fool's errand. It's security by obscurity. Anyone can set any user-agent.
I have an application with a few war files all deployed on the same tomcat server. I need to force client authentication only for one war context, and only for a specific URL.
I've read a lot on the web and similar questions here, but the conclusions I've reached are not matching the solution I need:
define 2 connectors with different ports (one with clientAuth enabled and one without) and access the specific URL with the relevant port ==> this solution is not good since if a hacker tries to access this URL with the other port he can succeed
define transport-guarantee in web.xml (for example Enabling mutual SSL per service in Tomcat) ==> this is also not good since I don't want to define users in some realm, I just want the server to ask for the client certificate and verify it is trusted and valid.
Is there a way to use option 2 without defining users? Or maybe a third option?
Thanks in advance!
You can't do this in pure Tomcat. The best solution is to put an Apache HTTP in front of it, that terminates the SSL connection, and in which you can configure SSL to your heart's content right down to the level of an individual directory.
If you want to accept any certificate from trusted CAs, just put clientAuth="want" to Connector and write a filter to check, if a certificate was sent. Assign that filter to desired web app only. In the filter, get the certificate using:
request.getAttribute("javax.servlet.request.X509Certificate");
and check it's CA.
But remember, that any certificate from that CA will allow access. If this is a public CA, anyone can buy one and access your app. You should always check the DN, in Tomcat you do this by defining a user, or manually in a filter.
I am working on a website that exposes an xml gateway that clients can submit an xml request to and get an xml response in return. The website/company has been purchased by a larger organization and has been migrated into their infrastructure. The existing production site is using an ssl certificate by a particular certificate authority but the larger organization uses certificates issued by a different certificate authority. We have tried run a test with one of their clients and they are getting an SSL handshake error. The original developer says that the only way to get it to work is to restore the original SSL certificate and not to use the new ones. I am looking for some guidance or direction to diagnose this issue, so any help would be appreciated.
What the developer says, from the description is sensible to me, but the problem is theirs.
To verify that this is exactly what is happening you can do a wireshark capture and then decode the flow as SSL. If the problem is that the client do not trust the certificate send by the server and reject the connection you will see it in the handshake in the wireshark.
If you use a java client you could run it with -Djavax.net.debug=ssl to see the ssl messages from within java.
If this is indeed the problem then you must configure the client's truststore to have the certificate send by the server (which is the original one).
If this configuration is possible of course... This depends on the application
UPDATE:
Well if you migrated to a new CA, i.e. you deploy a new certificate in your interface, then sorry to say, it is "your" -meaning the server side- error.
IMHO, if it is possible, you should redeploy the old certificate for a prespecified period, communicating to all the stakeholders that you plan to migrate to a new certificate signed by a new CA, so that the clients don't break
Then it is their responsibility, within that period, to "fix" their client apps to be able to accept the new certificate. This can be as simple as configuration i.e. importing the certificate to a truststore, to as "complicated" as to change code and rebuild the client app (e.g. if the new issued certificate does not have extensions that the code is verifying or the CN has changed etc).
If it is not possible to redeploy the old certificate then, you just have to communicate the change to all stakeholders and then, they should "fix" it accordingly (as mentioned above)