jmeter-user mailing list archives

From "Todd Grayson" <tgray...@navidec.com>
Subject Re: SSL Question
Date Mon, 10 Dec 2001 20:47:45 GMT
Gurinder...

We dropped back to 1.6.1 as the 1.7 is still in beta.  With regards to
SSL...

Assuming you're using JDK1.3.1x, it looks like there might be more than one
issue here...

At first glance from the exception, it looks like your name that the
trusted certificate contains is not the same one that jmeter is
connecting to... but then your discussion for being prompted for a
password makes me believe this is an obfuscated error based upon the
myriad of ways of bringing certificates in with keytool.

The jsse documentation included with the jsse1.0.2 has a good overview
of the JVM security policy, and how to work with multiple keystores.  To
make things simple, I configure things with the default keystore that
contains the public CA's that are trusted by the JVM by default.

You should be familiar with the configuration of the java.security &
java.policy files for your JVM in the /<java-home>/jre/lib/security/
folder.

When you install a certificate for a specific server, and establish
trust for that server, the name that you connect to the server with has
to be the same as the common name field of the certificate... but I
think your problem might be because you have a CA chain, rather than a
specific server certificate for import. (I could be wrong though...)
What is the context of your use of the certificate?  Is this the
certificate that was issued to the server? Are you presenting a
certificate from your virtual user to the https server for
authentication? Or are you trying to install a trusted private
Certificate Authority into your trusted CA's for your JVM?

The keytool documentation doesn't give a good example of how to install
trust for a CA... it's a good reference though
( http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html ). You
need to invoke:

    keytool -import -file pathtofilename.cer* -trustcacerts -keystore cacerts -storepass changeit

Note that the pathtofilename.cer* is the file containing your trusted
CA's information.  I had to install the CA chain from my private iPlanet
CMS certificate authority in IE and then export it to a .cer before I
could get the keytool to take it... I think the Netscape CMS presents
things in a form keytool can't parse.

The default password for the cacerts keystore is  changeit

You might want to deploy jsse and your custom certs based upon the
discussions presented in the jsse documentation included with the
jsse1.0.2 (it's included in JDK 1.4 from what I gather... but once
again... beta)

Todd

Gurinder Marok wrote:

> Hi All,
> JMeter: 1.7beta on win2000
> I have a couple of questions about https support. I've installed JSSE.
>
> JMeter confirms it on startup with the following message:
> <<
> C:\jakarta-jmeter\bin>CALL ..\lcp ..\lib\ant-1.3-optional.jar
> SSL Provider is: SunJSSE version 1.02
> >>
> Upon issuing a https request jmeter opens a popup asking for keystore
> password.
> <<
> Sampling url: https://symphony.torolab.ibm.com:443/
> KeyStore Type: JKS
> >>
> I don't know if I got the password correct. (I leave it blank and press
> enter)
> I think it's OK because JMeter seems to have read into the cacerts file
> because it knows the name of a machine that the cacert was created on
> "jackfong.torolab.ibm.com".
> <<
> JmeterKeyStore type: class
> org.apache.jmeter.util.keystore.DefaultKeyStore
> class org.apache.jmeter.util.keystore.DefaultKeyStore
> KeyStore Type: JKS
> TrustStore Location: C:WebsphereWAServerjdkjrelibsecuritycacerts
> TrustStore type: class org.apache.jmeter.util.keystore.DefaultKeyStore
>
> JsseSSLManager installed
> Is server trusted ???
> java.io.IOException: HTTPS hostname wrong: should be
> , but cert says
> >>
> At this moment you are probably asking me why I just don't create a new
> local cacert.
> 1) One reason is that our product ships with this cert as a default and
> when developers use the product the browsers just bring up a warning
> stating hostname issue. From the browser we get around by acknowledging
> the issue. So there is no issue from a development perspective.
> 2) I'm a little cloudy on certificate signing subject matter.
> So to my questions:
> Does JMeter support a mode to get around the hostname issue in the cert?
> If not, is the implementation fairly localized such that I can update the
> code in the area of the exception to get around it?
> Or do I have to create a new cert file for my machine?
> I've configured the web generator control to send the request out on port
> 443.
> Sampling url: https://symphony.torolab.ibm.com:443/
> Is server trusted ???
> java.io.IOException: HTTPS hostname wrong: should be
> , but cert says
> at java.io.IOException.(IOException.java:49)
> at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
> at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
> at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
> at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.connect([DashoPro-V1.2-120198])
> at org.apache.jmeter.protocol.http.sampler.HTTPSampler.sample(HTTPSampler.java:437)
> at org.apache.jmeter.protocol.http.sampler.HTTPSampler.sample(HTTPSampler.java:164)
> at org.apache.jmeter.threads.JMeterThread.run(JMeterThread.java(Compiled Code))
> at java.lang.Thread.run(Thread.java:481)
> Thanks for giving me your time.
> Regards,
> Gurinder Marok
> Email: gmarok@ca.ibm.com
>


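Added example, not part of the original message and not JMeter code: a small Java check to run after the keytool import described above, listing what the truststore actually holds so you can see whether each entry is a CA certificate or a server certificate and whether its common name equals the host being sampled. The class name TrustStoreCheck is hypothetical; the defaults assume the JVM's own cacerts file and the default password given in the message.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Added example (not JMeter code). Run: java TrustStoreCheck [host] [truststore] [storepass]
public class TrustStoreCheck {

    // Common name (CN) from the certificate's subject DN, or null if it has none.
    static String commonName(X509Certificate cert) throws Exception {
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return rdn.getValue().toString();
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Defaults: the host from the question, the JVM's own cacerts, and its default password.
        String host = args.length > 0 ? args[0] : "symphony.torolab.ibm.com";
        String path = args.length > 1 ? args[1]
                : System.getProperty("java.home") + "/lib/security/cacerts";
        char[] pass = (args.length > 2 ? args[2] : "changeit").toCharArray();

        KeyStore store = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, pass);
        }
        for (String alias : Collections.list(store.aliases())) {
            Certificate c = store.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            String cn = commonName(x);
            // getBasicConstraints() is -1 unless the certificate is marked as a CA.
            String kind = x.getBasicConstraints() != -1 ? "CA" : "not marked as CA";
            // Mirrors the CN comparison described in the message; current JSSE
            // releases check subjectAltName entries before falling back to the CN.
            String match = host.equalsIgnoreCase(cn) ? "CN matches host" : "CN differs from host";
            System.out.println(alias + " | CN=" + cn + " | " + kind + " | " + match);
        }
    }
}
```

An entry reported as "not marked as CA" whose CN differs from the host is the situation that produces "HTTPS hostname wrong" in the trace above.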