Updated
Information on this has been scarce on the net, and it was hard to find any good, consolidated documentation. I gathered some information and am consolidating it all here.
For brief background: a keystore contains private keys, and the certificates with their corresponding public keys. A truststore contains certificates from other parties that you expect to communicate with, or from Certificate Authorities that you trust to identify other parties. If you open any browser you can see the truststore of all valid CAs installed in the browser by default. If you have installed a .pfx certificate for authentication in the browser, you can see it in the browser's keystore.
Please follow the steps as needed for your requirement.
Phase 1: The server supports SSL (https). This is one-way SSL, the very common case where your server has a certificate. Gmail is an example of one-way SSL: when you hit Gmail it always opens in https://
Phase 2: Two-way SSL, where the server is configured for two-way SSL. It is the next step after one-way SSL. Here, when the server handshake happens, it asks for user authentication, and a certificate would be installed in your browser.
How to test Phase 1:
It is very simple. You need JMeter and Java's keytool.exe, which comes with all recent versions of Java under the java/jdk/bin directory.
Steps:
1.) Make sure you have Java 1.5 or above installed and the classpath configured
2.) Download JMeter (http://jmeter.apache.org/download_jmeter.cgi)
3.) Unzip JMeter
4.) Open a browser and hit the https (SSL) site that you want to test
5.) If the site is https, the first part of the URL will be shown in green
6.) Click on the green part
7.) A pop-up will open; select the More Information button
8.) Next select Security -> View Certificate -> Details
9.) Select the Root CA and export it. See picture below for your understanding. (You can save it in PEM or .der format)
10.) Now use Java's keytool.exe to convert the exported file to .jks:
keytool -importcert -alias mycert -file exportedFile.der -keystore Convertedtruststore.jks -storepass password
11.) Now copy this .jks file to some directory. I created a cert directory in JMeter and keep this file there.
12.) Now open the file system.properties from jmeter/bin and add this line at the end of the file:
javax.net.ssl.trustStore=C:/jakarta-jmeter-2.4/Convertedtruststore.jks
(Make sure every other javax.net.ssl.trustStore line is commented out except the one you enter)
13.) Start JMeter from jmeter/bin/jmeter.bat
14.) Create a thread with the server and login details
And you are ready to test SSL using JMeter.
How to test Phase 2:
You need Java keytool, JMeter and jetty.jar to test two-way SSL. Download jetty-6.1.22.zip from this location (http://dist.codehaus.org/jetty/jetty-6.1.22/jetty-6.1.22.zip) and unzip it. It contains a lot of other material that we will not use for SSL testing. Look for jetty-6.1.22\jetty-6.1.22\lib\jetty-6.1.22.jar. You need only this jar file from the whole download. Copy it to some location.
Steps:
1.) Follow the same steps mentioned in Phase 1 to convert the truststore to .jks.
2.) Copy your .pfx certificate (the cert for login authentication) to the location where you copied jetty-6.1.22.jar.
3.) Run the command below to convert the .pfx file to a .jks file:
java -classpath jetty-6.1.22.jar org.mortbay.jetty.security.PKCS12Import AdminCert.pfx AdminKeystore.jks
Input keystore passphrase: the password which you gave while installing the cert in the browser.
Output keystore passphrase: a new password if you want, or else the same old password that you used while installing the cert.
Example:
C:\jakarta-jmeter-2.4>java -classpath jetty-6.1.22.jar org.mortbay.jetty.security.PKCS12Import "ADMIN.pfx" "Admin_Keystore.jks"
Enter input keystore passphrase: password123
Enter output keystore passphrase: password
Alias 0: a30aa2839c8903cfab4c10a0bf63bb38_ed9f8b24-03cd-4908-9bed-3adc703c5d80
Adding key for alias a30aa2839c8903cfab4c10a0bf63bb38_ed9f8b24-03cd-4908-9bed-3adc703c5d80
4.) Copy these two .jks files into some directory in JMeter (mentioned in Phase 1)
5.) Now open the file system.properties from jmeter/bin and add these lines at the end of the file:
javax.net.ssl.trustStore=C:/jakarta-jmeter-2.4/Convertedtruststore.jks
javax.net.ssl.keyStore=C:/jakarta-jmeter-2.4/Admin_Keystore.jks
javax.net.ssl.keyStorePassword=password
(Make sure all other javax.net.ssl.trustStore, javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword lines are commented out except the ones you enter)
7.) Create a thread with the server and login details
And you are ready to test SSL using JMeter.
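A checker for the system.properties edits in Phase 1 step 12 and Phase 2 step 5, added here as an example (it is not part of the original post or of JMeter): it reports javax.net.ssl.* keys left active more than once, keys that are missing, and store files that do not start with the JKS magic bytes. The function names and the sample text are constructed for this example; the store paths are the ones used above.

```python
import re
from pathlib import Path

JKS_MAGIC = b"\xfe\xed\xfe\xed"  # every JKS file starts with these four bytes
SSL_LINE = re.compile(r"^\s*(javax\.net\.ssl\.\w+)\s*[=:]\s*(.*?)\s*$")

# Constructed sample: a stale trustStore line left active above the new one.
SAMPLE = """\
#javax.net.ssl.keyStore=C:/old/keystore.jks
javax.net.ssl.trustStore=C:/old/truststore.jks
javax.net.ssl.trustStore=C:/jakarta-jmeter-2.4/Convertedtruststore.jks
javax.net.ssl.keyStore=C:/jakarta-jmeter-2.4/Admin_Keystore.jks
"""

def active_ssl_props(text):
    """Map each uncommented javax.net.ssl.* key to the list of values set."""
    found = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", "!")):  # both start a comment line
            continue
        m = SSL_LINE.match(line)
        if m:
            found.setdefault(m.group(1), []).append(m.group(2))
    return found

def check(text, two_way=False, check_files=True):
    """Return a list of problems found in system.properties content."""
    props, problems = active_ssl_props(text), []
    for key, values in props.items():
        if len(values) > 1:  # java.util.Properties keeps only the last value
            problems.append(f"{key} is active {len(values)} times")
    needed = ["javax.net.ssl.trustStore"]
    if two_way:
        needed += ["javax.net.ssl.keyStore", "javax.net.ssl.keyStorePassword"]
    problems += [f"{key} is not set" for key in needed if key not in props]
    for key in ("javax.net.ssl.trustStore", "javax.net.ssl.keyStore"):
        if not check_files or key not in props or key + "Type" in props:
            continue  # an explicit ...StoreType means another format is intended
        path = Path(props[key][-1])
        if not path.is_file():
            problems.append(f"{key}: file not found")
        elif path.read_bytes()[:4] != JKS_MAGIC:
            problems.append(f"{key}: file is not in JKS format")
    return problems

if __name__ == "__main__":
    for problem in check(SAMPLE, two_way=True, check_files=False):
        print(problem)
```

Recent JDKs default to PKCS12 keystores, so a format finding is a prompt to confirm the store type rather than proof of a fault.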
Hope this will help you to test SSL using JMeter. Let me know if you have any questions.
Thanks,
Manoj Rajan
very good info
Hi Manoj,
I have existing JMeter scripts which were working fine before implementing https. After the SSL implementation I am not able to execute those scripts. I created a keystore by running
C:\Documents and Settings\Administrator.LYRIS-4164BBD31>keytool -genkey -alias lyris.net -keyalg RSA -Keystore test.jks -keysize 2048
The test jks file was created and I have updated the javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword properties, but I am still getting
javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name
at sun.security.ssl.ClientHandshaker.handshakeAlert(ClientHandshaker.java:1289)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1936)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1059)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1294)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1321)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1305)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:515)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
at org.apache.jmeter.protocol.http.sampler.HTTPJavaImpl.sample(HTTPJavaImpl.java:483)
at org.apache.jmeter.protocol.http.sampler.HTTPSamplerProxy.sample(HTTPSamplerProxy.java:62)
at org.apache.jmeter.protocol.http.sampler.HTTPSamplerBase.followRedirects(HTTPSamplerBase.java:1341)
at org.apache.jmeter.protocol.http.sampler.HTTPSamplerBase.resultProcessing(HTTPSamplerBase.java:1412)
at org.apache.jmeter.protocol.http.sampler.HTTPAbstractImpl.resultProcessing(HTTPAbstractImpl.java:244)
at org.apache.jmeter.protocol.http.sampler.HTTPJavaImpl.sample(HTTPJavaImpl.java:590)
at org.apache.jmeter.protocol.http.sampler.HTTPSamplerProxy.sample(HTTPSamplerProxy.java:62)
at org.apache.jmeter.protocol.http.sampler.HTTPSamplerBase.sample(HTTPSamplerBase.java:1018)
at org.apache.jmeter.protocol.http.sampler.HTTPSamplerBase.sample(HTTPSamplerBase.java:1004)
at org.apache.jmeter.threads.JMeterThread.process_sampler(JMeterThread.java:411)
at org.apache.jmeter.threads.JMeterThread.run(JMeterThread.java:297)
at java.lang.Thread.run(Thread.java:722)
Hi Sreepal,
It seems your rootca keystore is not added properly. Please try the same way as in the Phase 1 steps mentioned above.
Thanks,
Manoj Rajan
Manoj,
Thank you for this post. Could you please give more detail for Phase 1, Step 14? What JMeter element(s) do I use?
Thank you.
Manoj,
Can you elaborate on step 14 in Phase 1?
Manoj,
I'm trying to test a service with SSh, and I've tried your steps.
But this is the error that I have:
java.net.ConnectException: Connection timed out: connect
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.PlainSocketImpl.doConnect(Unknown Source)
at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
at java.net.PlainSocketImpl.connect(Unknown Source)
at java.net.SocksSocketImpl.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.connect(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.<init>(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl.createSocket(Unknown Source)
at org.apache.jmeter.util.HttpSSLProtocolSocketFactory.createSocket(HttpSSLProtocolSocketFactory.java:152)
at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
at org.apache.jmeter.protocol.http.sampler.SoapSampler.sample(SoapSampler.java:256)
at org.apache.jmeter.protocol.http.sampler.HTTPSamplerBase.sample(HTTPSamplerBase.java:965)
at org.apache.jmeter.protocol.http.sampler.HTTPSamplerBase.sample(HTTPSamplerBase.java:951)
at org.apache.jmeter.threads.JMeterThread.process_sampler(JMeterThread.java:348)
at org.apache.jmeter.threads.JMeterThread.run(JMeterThread.java:243)
at java.lang.Thread.run(Unknown Source)
Can you help me?
Thanks,
Fernando Lima
Hello Manoj,
I am getting a Hand Shake Alert error while load testing a website, though other SSL-enabled websites are working fine. I read your solution but I am unable to understand Step 2 of Phase 2:
"Copy your .pfx certificate (cert for login authentication) inside the location where you copied jetty-6.1.22.jar"
How to create .pfx certificate? I know this post is old but your help would be much appreciated.
Thanks
What if we have more than 1 cert and pwd?
Nice work, it helps, thanks.
Hi:
I have a certificate split across 3 files in PEM format (key, certificate, ca). How can I use them, or how can I import them in Java? Could you please give me a hand with this?
thanks
Hi,
The following error message is displayed when importing a certificate in the Firefox browser,
"This personal certificate can't be installed because you do not own the corresponding private key which was created when the certificate was requested"
How to resolve this.....
Thanks.