I am trying to send a SOAP request(signed) using HTTP Request Sampler along with SOAP Message Signer plugin. Request works fine with SOAPUI. It seems to fail through JMeter if i use same parameters(for SOAP Message Signer).
As a part of SOAP Request, Header needs to be signed. I am getting the below error while Signing. Could anyone please let me know the reason for failure?
n.c.b.j.m.AbstractWSSecurityPreProcessor: Building WSS header
o.a.w.d.m.WSSecSignature: Beginning signing... ERROR
n.c.b.j.m.AbstractWSSecurityPreProcessor:
org.apache.wss4j.common.ext.WSSecurityException: No certificates for
user "cert_alias" were found for signature
Did you add in jmeter keystore the certificate under alias cert_alias?
That's what message is saying:
No certificates for user "cert_alias" were found for signature
Keystore is located in jmeter/bin folder
You may want to try this plugin:
https://github.com/tilln/jmeter-wssecurity/blob/master/README.md
Finally i was able to send a successful request using the plugin.
I was using the Signed Header as a part of SOAP request.
Plugin Config:
Keystore File : Path to .jks file
Keystore Password : password
Cert Alias - cert_alias
Cert Password - cert password
After removing the Signed Header from the SOAP request, it worked. Thanks you.
If your SOAP endpoint expects the message to be encrypted with a client-side certificate you can configure JMeter to use it by adding the next lines to system.properties file:
javax.net.ssl.keyStoreType=pkcs12 or jks
javax.net.ssl.keyStore=/path/to/your/jsk keystore or .p12 certificate
javax.net.ssl.keyStorePassword=your certificate or keystore password
JMeter restart will be required to pick the properties up.
You can also pass them via -D command line argument like:
jmeter -Djavax.net.ssl.keyStoreType=pkcs12 -Djavax.net.ssl.keyStore=your-certificate.p12 -Djavax.net.ssl.keyStorePassword=secret
More information:
Customizing the Default Key and Trust Stores, Store Types, and Store Passwords
How to Set Your JMeter Load Test to Use Client Side Certificates
Related
I have a perfectly working Spring Security web application that uses SAML SSO. The client (IdP) changed their certs. I updated the cert and the CA certs to my keystore.jks. I am getting redirected properly to the IdP, I log in and get properly redirected back to my app. At that point I am getting theses in the logs:
Attempting to validate signature using key from supplied credential (validate) (SignatureValidator.java:54)
Creating XMLSignature object (buildSignature) (SignatureValidator.java:90)
Validating signature with signature algorithm URI: http://www.w3.org/2000/09/xmldsig#rsa-sha1 (validate) (SignatureValidator.java:64)
Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl' (validate) (SignatureValidator.java:65)
Signature validated with key from supplied credential (validate) (SignatureValidator.java:70)
SSL negotiation with xxxxxx using candidate credential was successful (verifySignature) (BaseSignatureTrustEngine.java:148)
Successfully verifiServer certificate verify failed: signer not foundidate) (BaseSignatureTrustEngine.java:101)
Attempting to establish trust of KeyInfo-derived credential (validateConnected to HTTPS on 34.196.133.252)
Failed to validate untrusted credential against trusted key (validate) (ExplicitKeyTrustEvaluator.java:95
org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key
So it looks like something is being validated, but I do not understand why it's failing. I double checked with keytool and all the CA's are there.
I'm using the JavaLite implementation and everything works fine when requesting HTTP services but when trying to get data from the HTTPS version of the service I get the HttpException "Failed URL".
Here's my code:
Get get = Http.get(url + "/eds/api/v1/certificados");
get.header("Authorization", "Basic " + Credentials);
get.header("APIKey", APIKey);
get.header("Accept", "application/json");
System.out.println(get.text());
Also tried with
String test = Http.get(url + "/eds/api/v1/certificados").header("Authorization", "Basic " + Credentials).header("APIKey", APIKey).header("Accept", "application/json").text();
Both of them behave the same way, if the URL is HTTP I can get the data, if the URL is HTTPS catch "Failed URL". I've tested the REST service with SOAPui and the HTTPS server works fine.
Any suggestion what I'm missing when trying to send a GET on HTTPS with headers?
I was going to suggest that the site's digital certificate was not signed by a Certificate Authority that is contained in the Java JRE certificate store.
Here is what you can do:
Use the browser and explore the certificate of the site, including a certificate chain, all the way to the root Certificate Authority
Explore what CA certs are installed locally.
The file for Java is:
$JAVA_HOME/jre/lib/security/cacerts
you need to run this command:
keytool -list -keystore cacerts
When prompted for password, just press Enter.
If you do not see a certificate of a CA that was used to sign a certificate of your site, than you will have this error.
How to fix:
Use a well known CA to get a certificate for your site and ensure it is already present in your Java cert database.
or:
Get the certificate from the site using a browser, and import it into your local Java database with command:
keytool -importcert ...
For more information on the keytool program:
keytool --help
Ok , this is a little off . I have a XMPP sever that supports XEP-00178 (SASL-External)(namely : openfire) and I am using Gajim client to test it. Now I created a .p12 file(using openssl) for the registered user on the server with the common name equal to the user name. The .p12 file is encrypted. But when I use the Gajim to add the user's corresponding encrypted .p12 file , it prompts for the pass phrase , which I supply correctly but it just fails with the error :
Unknown error while loading certificate from file /root/sslCA/alice.p12
I tried opening the same alice.p12 using OpenSSL and everything works just great. Would it be wise to remove the password from the .p12 file? or Is there something that I am doing wrong with regards to Gajim?
I'd like to automate the task of requesting client certificates from the CA attached to our Active Directory. Currently, I use certmgr and click "Request New Certificate" from the menu and do several other selections, including selecting an appropriate policy.
Surely, Powershell can help me with this, as I already use it to get rid of old certificates. Is there a module which can be used for this or does Powershell 3 cover this out-of-the-box?
I think certreq could be what you are looking for.
Certreq can be used to request certificates from a certification authority (CA), to retrieve a response to a previous request from a CA, to create a new request from an .inf file, to accept and install a response to a request, to construct a cross-certification or qualified subordination request from an existing CA certificate or request, and to sign a cross-certification or qualified subordination request.
Then there is another useful utility when dealing with certificates in windows - certutil
I want to run some tests against an internal (with an internally minted cert) web service using SoapUI. I am not sure I fully grasp the SSL handshake stuff. But I exported the cert for the endpoint to a .cer file, then fired up java keytool with this command:
keytool -import -alias ca -file myservice.cer -keystore cacerts –storepass changeit
Which I got from another SO question. Then I added this truststore file (cacerts) to the project properties in SoapUI. But when I try to add a WSDL to the project, I still get the same error as before:
Error loading [https://myservice?wsdl]: org.apache.xmlbeans.XmlException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Am I completely off base? Do I add all the certs in the chain to the truststore? I wasn't able to do that, it told me that the alias was already in use? Or should I just get a cert minted from an outside trusted authority?
The SOAP UI raise the exception because your certificate not properly installed in SOAP UI trust store.
To resolve the above exception follow the below steps.
Export the certificate from the key store or browser (which contain the public key)
Go to the SOAPUI installed directory and locate following directory \SmartBear\soapUI- 4.0.1\jre\lib\security
Import the certificate in to cacerts trust store (Which is the default trust store)
Restart the SOAP UI and load the WSDL...
To understand more about SSL ... follow the below link ...JSSE documentation