Posted to user@jmeter.apache.org by Gurinder Marok <ma...@hotmail.com> on 2001/12/10 20:20:47 UTC

SSL Question

Hi All,
JMeter: 1.7beta on win2000
I have a couple of questions about https support. I've installed JSSE.
JMeter confirms it on startup with the following message:
<<
C:\jakarta-jmeter\bin>CALL ..\lcp ..\lib\ant-1.3-optional.jar
SSL Provider is: SunJSSE version 1.02
>>
Upon issuing a https request jmeter opens a popup asking for keystore 
password.
<<
Sampling url: https://symphony.torolab.ibm.com:443/
KeyStore Type: JKS
>>
I don't know if I got the password correct. (I leave it blank and press enter)
I think it's OK because JMeter seems to have read into the cacerts file because
it knows the name of a machine that the cacert was created on
"jackfong.torolab.ibm.com".
<<
JmeterKeyStore type: class org.apache.jmeter.util.keystore.DefaultKeyStore
class org.apache.jmeter.util.keystore.DefaultKeyStore
KeyStore Type: JKS
TrustStore Location: C:WebsphereWAServerjdkjrelibsecuritycacerts
TrustStore type: class org.apache.jmeter.util.keystore.DefaultKeyStore
JsseSSLManager installed
Is server trusted ???
java.io.IOException: HTTPS hostname wrong: should be
, but cert says
>>
At this moment you are probably asking me why I just don't create a new local cacert.
1) One reason is that our product ships with this cert as a default and when developers use the product the browsers just bring up a warning stating hostname issue. From the browser we get around by acknowledging the issue.
So there is no issue from a development perspective.
2) I'm a little cloudy on certificate signing subject matter.
So to my questions:
Does JMeter support a mode to get around the hostname issue in the cert? If not, is the implementation fairly localized such that I can update the code in the area of the exception to get around it?
Or do I have to create a new cert file for my machine?
I've configured the web generator control to send the request out on port 443.
Sampling url: https://symphony.torolab.ibm.com:443/
Is server trusted ???
java.io.IOException: HTTPS hostname wrong: should be
, but cert says
at java.io.IOException.<init>(IOException.java:49)
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.connect([DashoPro-V1.2-120198])
at org.apache.jmeter.protocol.http.sampler.HTTPSampler.sample(HTTPSampler.java:437)
at org.apache.jmeter.protocol.http.sampler.HTTPSampler.sample(HTTPSampler.java:164)
at org.apache.jmeter.threads.JMeterThread.run(JMeterThread.java(Compiled Code))
at java.lang.Thread.run(Thread.java:481)
Thanks for giving me your time.
Regards,
Gurinder Marok
Email: gmarok@ca.ibm.com

--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: SSL Question

Posted by Todd Grayson <tg...@navidec.com>.
Gurinder...

We dropped back to 1.6.1 as the 1.7 is still in beta.  With regards to
SSL...

Assuming you're using JDK1.3.1x, looks like there might be more than one
issue here...

At first glance from the exception, it looks like your name that the
trusted certificate contains is not the same one that jmeter is
connecting to... but then your discussion for being prompted for a
password makes me believe this is an obfuscated error based upon the
myriad of ways of bringing certificates in with keytool.

The jsse documentation included with the jsse1.0.2 has a good overview
of the JVM security policy, and how to work with multiple keystores.  To
make things simple, I configure things with the default keystore that
contains the public CA's that are trusted by the JVM by default.

You should be familiar with the configuration of the java.security &
java.policy file for your JVM of the /<java-home>/jre/lib/security/
folder

When you install a certificate for a specific server, and establish
trust for that server, the name that you connect to the server with has
to be the same as the common name field of the certificate... but I
think your problem might be because you have a CA chain, rather than a
specific server certificate for import. (I could be wrong though...)
What is the context of your use of the certificate?  Is this the
certificate that was issued to the server? Are you presenting a
certificate from your virtual user to the https server for
authentication? Or are you trying to install a trusted private
Certificate Authority into your trusted CA's for your JVM?

The keytool documentation doesn't give a good example of how to install
trust for a CA... it's good reference though
( http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html ). You
need to invoke:

keytool -import -file pathtofilename.cer* -trustcacerts -keystore
cacerts -storepass changeit

Note that the pathtofilename.cer* is the file containing your trusted
CA's information.  I had to install the CA chain from my private iPlanet
CMS certificate authority in IE and then export it to a .cer before I
could get the keytool to take it... I think the Netscape CMS presents
things in a form keytool can't parse.

The default password for the cacerts keystore is  changeit

You might want to deploy jsse and your custom certs based upon the
discussions presented in the jsse documentation included with the
jsse1.0.2 (it's included in JDK 1.4 from what I gather... but once
again... beta)

Todd



Re: SSL Question

Posted by Berin Loritsch <bl...@apache.org>.
Gurinder Marok wrote:

> 
> Hi All,
> JMeter: 1.7beta on win2000
> I have a couple of questions about https support. I've installed JSSE.
> JMeter confirms it on startup with the following message:
> <<
> C:\jakarta-jmeter\bin>CALL ..\lcp ..\lib\ant-1.3-optional.jar
> SSL Provider is: SunJSSE version 1.02
> >>
> Upon issuing a https request jmeter opens a popup asking for keystore 
> password.
> <<
> Sampling url: https://symphony.torolab.ibm.com:443/
> KeyStore Type: JKS
> >>
> I don't know if I got the password correct. (I leave it blank and press 
> enter)


The password is for your local keystore--so JMeter can use your personal
certificate to authenticate in case it is required.


> At this moment you are probably asking me why I just don't create a new 
> local cacert.
> 1) One reason is that our product ships with this cert as a default and 
> when developers use the
> product the browsers just bring up a warning stating hostname issue. 
>  From the browser we get around by acknowledging the issue.
> So there is not issue from a development perspective.


For JMeter or JSSE to resolve against a host, it must have a valid reference
to the CACERT that the host validates against.  A browser is smart enough
to pop up a dialog and ask if you trust the CACERT if it is not already
installed.  Unfortunately, JSSE simply throws an exception, and does not
provide an easy conversational method of accepting the cert.


> 2) I'm a little cloudy on certificate signing subject matter.
> So to my questions:
> Does Jmeter support a mode to get around the hostname issue in the cert? 


This is a JSSE issue.  You must have the CACERT of the machine you are
authenticating against.  JMeter tries to use the most relaxed policies
it can--but there are limitations to what it can do.


> If not, is the implementation fairly localized such that
> I can update the code in the area of the exception to get around it.
> Or do I have to create a new cert file for my machine?
> I've configured the web generator control to send the request out on 
> port 443.
> Sampling url: https://symphony.torolab.ibm.com:443/
> Is server trusted ???
> java.io.IOException: HTTPS hostname wrong: should be
> , but cert says
> at java.io.IOException.<init>(IOException.java:49)
> at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
> at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
> at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
> at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.connect([DashoPro-V1.2-120198])
> at org.apache.jmeter.protocol.http.sampler.HTTPSampler.sample(HTTPSampler.java:437)
> at org.apache.jmeter.protocol.http.sampler.HTTPSampler.sample(HTTPSampler.java:164)
> at org.apache.jmeter.threads.JMeterThread.run(JMeterThread.java(Compiled Code))
> at java.lang.Thread.run(Thread.java:481)
> Thanks for giving me your time.
> Regards,
> Gurinder Marok
> Email: gmarok@ca.ibm.com


I wish I could help you more, but JSSE is your enemy here.  Server
certificates must match the name of the machine you are authenticating
against.  IOW, if your server is www.widget.com, then the server certificate
name must be www.widget.com.  There is no way around this that I know of.





-- 

"They that give up essential liberty to obtain a little temporary safety
  deserve neither liberty nor safety."
                 - Benjamin Franklin
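
The name check discussed in this thread, as an added example (not code from the posters, JMeter or JSSE): a simplified form of the rule that compares the requested host with the certificate's common name, run on the two hostnames from the original post. The class and method names are hypothetical, and the OU/O values and the wildcard names are constructed for illustration.

```java
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class HostnameCheck {

    // Pull the CN value out of a subject DN such as the "Owner:" line
    // printed by `keytool -printcert`. Returns null when there is no CN.
    static String commonName(String subjectDn) throws InvalidNameException {
        for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return rdn.getValue().toString();
            }
        }
        return null;
    }

    // Case-insensitive match of one certificate name against the requested
    // host. A "*" is honoured only as the entire leftmost label and covers
    // exactly one label.
    static boolean nameMatches(String host, String certName) {
        String h = host.toLowerCase(Locale.ROOT);
        String c = certName.toLowerCase(Locale.ROOT);
        if (!c.startsWith("*.")) {
            return h.equals(c);
        }
        int dot = h.indexOf('.');
        return dot > 0 && h.substring(dot).equals(c.substring(1));
    }

    static boolean anyMatch(String host, List<String> certNames) {
        return certNames.stream().anyMatch(n -> n != null && nameMatches(host, n));
    }

    public static void main(String[] args) throws InvalidNameException {
        String host = "symphony.torolab.ibm.com";   // host from the sampled URL
        // Constructed subject DN; only the CN value appears in the thread.
        String owner = "CN=jackfong.torolab.ibm.com, OU=Example, O=Example";
        String cn = commonName(owner);
        System.out.println(cn + " vs " + host + ": " + nameMatches(host, cn));
        // Constructed names showing what would and would not satisfy the check.
        System.out.println(anyMatch(host, List.of("symphony.torolab.ibm.com")));
        System.out.println(anyMatch(host, List.of("*.torolab.ibm.com")));
        System.out.println(anyMatch(host, List.of("*.ibm.com")));
    }
}
```

The first comparison fails for the same reason the sampler does: the certificate was issued for a different machine name than the one in the URL, so the fix is a certificate whose name covers the host being tested.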
