Im trying to use client ssl certificate in JMeter to authenticate on website. The problem is that when i try to import it in SSL Manager, im not getting any message for password, anything. In configuration i've written:
user.classpath=/home/m/Downloads/jre-1.7.0_09/usr/java/jre1.7.0_09/lib/
ssl.provider=com.sun.net.ssl.internal.ssl.Provider
I've added user.classpath because jsse.jar stands there, but i think its not necessary. What am i doing wrong?
To test Client Certificates, use this:
Keystore Configuration
Steps are:
Create your certificates either with Java keytool utility or through your PKI
If created by PKI, import your keys in Java Key Store by converting them to a format acceptable by JKS
Then reference the keystore file through the 2 JVM properties :
-Djavax.net.ssl.keyStore=path_to_keystore
-Djavax.net.ssl.keyStorePassword=password_of_keystore
You use either HTTPClient 3.1 or 4 implementations for HTTP Request
To make JMeter use more than one certificate you need to ensure that:
https.use.cached.ssl.context=false
is set in jmeter.properties or user.properties
Related
I am currently struggeling with the following tasks. I don't want to include my TLS certificates in my templates because
I don't want to check in credentials in code management while still checking in the templates
I am using multiple Applications with the same Certificate and I don't want to update repos just because I might distribute another certificate
Now my approach is this. I am using Jenkins for my build pipelines. I have a Repo that is used just for certificate management. It will run when updated and distribute the certificate and private key to Openshift Secrets on various clusters.
When running the Template of an application I am retrieving the Information from the secret and setting the values in the route. And here's where things get tricky. I can only use single line values because
Openshift templates will not accept multiline parameters with oc process
Secrets will not store multiline values
So the solution seemed to be easy. Just store the Certificate with \n and set it in the Route like this. However Openshift will not accept single line certificates resulting in the error
spec.tls.key: Invalid value: "redacted key data": tls: found a certificate rather than a key in the PEM for the private key
Now the solution could be to insert the Certificate as multiple lines directly in the template file before processing and applying it to the cluster but that seems a little bit hacky to me. So my Question is
How can you centrally manage TLS Certificates for your applications and set them correclty in the Templates you're applying?
Secrets can be multiple lines. You can create a secret using a certificate file, and mount that secret as a file into your containers. See here for how to create secrets from files:
https://kubernetes.io/docs/concepts/configuration/secret/
Use the openshift command line tool instead of kubectl.
For certificates, there is something called cert-manager:
https://docs.cert-manager.io/en/latest/
This will generate certs as needed. You might want to take a look.
In order to centrally manage TLS Certificates for the applications, you can create a general secret and use it via volume mounting.
I have created a new certificate using Let's Encrypt, also, I was able to generate my keystore. Now I'm loading my Play application like this:
activator run -Dspring.profiles.active="dev" -Dhttp.port=disabled -Dhttps.port=9443 -Djavax.net.ssl.keyStore=/home/webapp/play/conf/keystore.jks -Djavax.net.ssl.keyStorePassword="password"
However, Play seems not to read my keystore and keeps generating a new one.
[warn] play - Using generated key with self signed certificate for HTTPS. This should not be used in production.
How can I make Play to read my keystore ?
You don't mention which version of Play you're on, so I'll assume you have Play 2.4.6.
Configuring SSL is documented in https://www.playframework.com/documentation/2.4.x/ConfiguringHttps
The warning you're seeing comes from the DefaultSSLEngineProvider -- the source code is in:
https://github.com/playframework/playframework/blob/2.4.x/framework/src/play-server/src/main/scala/play/core/server/ssl/DefaultSSLEngineProvider.scala#L57
So you can see looking at the documentation, you need to set play.server.https.keyStore.path and so on to configure SSL.
I have a free domain,sayexample.ml, and I hosted my files at byethost.com. I am trying to implement free ssl on my site. I have logged into cacert website. Added and verified my domain. And now I am stuck. I dont know how to set up an ssl certificate from this stage.
A step by step explanation will be quite a lot helpful.
Generate a private key and save it in your file system safely.
Generate a CSR with it.
You can use openSSL for 1 and 2.
Refer : http://www.rackspace.com/knowledge_center/article/generate-a-csr-with-openssl
Get the signed server certificate from cacert.org by copying the contents of your CSR to Server certificates -> New. Save it in your file system.
You need to point your Appserver/Webserver to the location where your private key and signed server certificate is stored. Read documentation.
If it is a Apache webserver you can refer: https://techstrum.wordpress.com/2014/11/25/how-to-enable-ssl-for-ohs-oracle-http-sever/
First, you need the CSR (your public key with some information).
To generate it you have to use the tool that your server provide would be easier (such as Apache Tomcat :: using keytool, Linux :: using openssl)
Then, sending your CSR file to the certificate vendor to verify and insert Root certificate.
They will send you back certificate file.
So, you need to use this certificate file for import into your secret key which you get it from the key-pair generate process on the first step.
Finally, setup your key into your server and config some property in web server config file.
These are the concept, for the technical you need to know what platform you used and find the way to use their provided tool.
I have a .NET application built with Mono, that I've bundled into a native (Linux) executable using mkbundle. This is so that end users don't need to mess around and install Mono themselves.
The application uses ServiceStack, which under the hood uses HttpListener. I need the web services to be exposed over an SSL-enabled HTTP endpoint.
Normally, you would run something like httpcfg -add -port 1234 -p12 MyCert.pfx -pwd "MyPass" during configuration (all this really does is copy the certificate to a specific path), and HttpListener would automatically bind the certificate to the port.
So HttpListener loads certificates from a particular path at runtime.
Is that path hard-coded? Or is there some way I can tell it to use a certificate from another location, since the end user will not have Mono installed?
Yes the path that HttpListener expects to find certificates at is predefined, and cannot be specified by the user, programatically or through a config file. The Mono EndPointListener class will look for the path:
~/.config/.mono/httplistener/
HttpListener code:
string dirname = Environment.GetFolderPath (Environment.SpecialFolder.ApplicationData);
string path = Path.Combine (dirname, ".mono");
path = Path.Combine (path, "httplistener");
As you have noted this is the same path the httpcfg copies certificates to.
Even though you are using mkbundle, this is still where HttpListener will expect to read the certificate from, regardless of the fact that the Mono runtime is installed.
In your application startup, you should:
Check for the existence of the directories, and create as required
Write your certificate and key to that path from an embedded resource in your application. PouPou's answer here shows the method used by HttpCfg.exe.
Therefore eliminating the requirement to run httpcfg, you will effectively be building that functionality straight into your application.
Does Mono perform any validation of the certificates it loads from there for HttpListener? i.e., will it expect to find the issuer's certificate in the certificate store?
I don't know for sure if Mono checks for a valid corresponding issuers certificate in the certificate store at the point of creating the listener, or upon each connection request. However you can add a CA cert to the certificate store yourself, or import all the standard Mozroot certificates.
The full source code for Mozroots is here. This shows how to import the CA certs.
Is the path to the certificate store also hard-coded?
The certificate store should be managed through the X509StoreManager provider.
I’m trying to consume a secured web service hosted on WSO2 AS, so I created a new certificate in the existing wso2carbon.jks file of the server and add it to the client JVM cacerts but I’m getting this error:
java.security.cert.CertificateException: No subject alternative names present
Nevertheless if I create a brand new wso2carbon.jks and overwrite the old one in the server after add the new certificate to the client JVM cacerts I can consume the secured service but other things in AS stop working like datasources, I tried adding the new certificate to the client-truststore.jks in the server, but datasource still don’t work. I’m working with AS 5.0.0
Thanks in advance.
When you add your own certificate, you need to modify the WSO2 configuration files to point to your certificate. Basically, you need to modify repository/conf/carbon.xml, and repository/conf/tomcat/catalina-server.xml. In case of ESB, you need to modify repository/conf/axis2/axis2.xml as well. The changes needed are described in this blog.
The error that you faced with data sources is because of the change of certificates. The reason is that, WSO2 encrypts the datasource passwords using the current keystore certificate at the time of datasource creation. To fix the error, you will need to remove your datasources, and re-add them. No need to re-create your data-services though.
Have you changed the host name(in the carbon.xml) of the AS?
1st Case:
In default wso2carbon.jks have its CN as localhost so you need to change the keystore if you are working with different host name or else you need to invoke hosted web service using localhost.
2nd Case:
If you changed(created and replaced) the wso2carbon.jks of the AS with a appropriate CN, you need to extract its public certificate and import it into cacerts, and client-truststore.jks of all other carbon servers which contact with AS.
HTH,
DarRay
Your client is trying to check the domain name or IP of the server against the domain name or IP in the certificate to ensure that it is reaching the right server. You need to create a new certificate to use that has a subject alternative name equal to the domain name or IP of the server, whichever the client is using to connect.