HTTPS/SSL and Kerberos

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

HTTPS/SSL and Kerberos

ahardy42
Hi,

I used JMeter 3 with Kerberos for some time but the servers I was testing
used just plain HTTP with no encryption and have just been upgraded to SSL.

My JMeter tests now refuse to run, giving me a Kerberos error (I think) in
the logging.

Here's the relevant part of the logging:

2018-11-19 15:30:23,095 INFO o.a.j.JMeter: Running test (1542641423095)
2018-11-19 15:30:23,195 INFO o.a.j.e.StandardJMeterEngine: Starting
ThreadGroup: 1 : POST data/loadList
2018-11-19 15:30:23,195 INFO o.a.j.e.StandardJMeterEngine: Starting 1
threads for group POST data/loadList.
2018-11-19 15:30:23,195 INFO o.a.j.e.StandardJMeterEngine: Thread will
continue on error
2018-11-19 15:30:23,196 INFO o.a.j.t.ThreadGroup: Starting thread group...
number=1 threads=1 ramp-up=0 perThread=0.0 delayedStart=false
2018-11-19 15:30:23,201 INFO o.a.j.t.ThreadGroup: Started thread group
number 1
2018-11-19 15:30:23,201 INFO o.a.j.e.StandardJMeterEngine: All thread groups
have been started
2018-11-19 15:30:23,206 INFO o.a.j.s.SampleResult: Note: Sample TimeStamps
are END times
2018-11-19 15:30:23,207 INFO o.a.j.s.SampleResult:
sampleresult.default.encoding is set to ISO-8859-1
2018-11-19 15:30:23,207 INFO o.a.j.s.SampleResult:
sampleresult.useNanoTime=true
2018-11-19 15:30:23,207 INFO o.a.j.s.SampleResult:
sampleresult.nanoThreadSleep=5000
2018-11-19 15:30:23,208 INFO o.a.j.t.JMeterThread: Thread started: POST
data/loadList 1-1
2018-11-19 15:30:23,521 INFO o.a.j.p.h.s.HTTPHCAbstractImpl: Local host =
ILCSWXD7F66H2-L
2018-11-19 15:30:23,530 INFO o.a.j.p.h.s.HTTPHC4Impl: HTTP request retry
count = 0
2018-11-19 15:30:23,651 WARN o.a.j.p.h.c.KerberosManager: Could not log in
user adam42
javax.security.auth.login.LoginException: No LoginModules configured for
JMeter
        at
javax.security.auth.login.LoginContext.init(LoginContext.java:264)
~[?:1.8.0_131]
        at
javax.security.auth.login.LoginContext.<init>(LoginContext.java:417)
~[?:1.8.0_131]
        at
org.apache.jmeter.protocol.http.control.KerberosManager.lambda$getSubjectForUser$0(KerberosManager.java:68)
~[ApacheJMeter_http.jar:5.0 r1840935]
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
[?:1.8.0_131]
        at
org.apache.jmeter.protocol.http.control.KerberosManager.getSubjectForUser(KerberosManager.java:83)
[ApacheJMeter_http.jar:5.0 r1840935]
        at
org.apache.jmeter.protocol.http.control.AuthManager.getSubjectForUrl(AuthManager.java:294)
[ApacheJMeter_http.jar:5.0 r1840935]
        at
org.apache.jmeter.protocol.http.sampler.HTTPHC4Impl.executeRequest(HTTPHC4Impl.java:820)
[ApacheJMeter_http.jar:5.0 r1840935]
        at
org.apache.jmeter.protocol.http.sampler.HTTPHC4Impl.sample(HTTPHC4Impl.java:570)
[ApacheJMeter_http.jar:5.0 r1840935]
        at
org.apache.jmeter.protocol.http.sampler.HTTPSamplerProxy.sample(HTTPSamplerProxy.java:67)
[ApacheJMeter_http.jar:5.0 r1840935]
        at
org.apache.jmeter.protocol.http.sampler.HTTPSamplerBase.sample(HTTPSamplerBase.java:1231)
[ApacheJMeter_http.jar:5.0 r1840935]
        at
org.apache.jmeter.protocol.http.sampler.HTTPSamplerBase.sample(HTTPSamplerBase.java:1220)
[ApacheJMeter_http.jar:5.0 r1840935]
        at
org.apache.jmeter.threads.JMeterThread.doSampling(JMeterThread.java:622)
[ApacheJMeter_core.jar:5.0 r1840935]
        at
org.apache.jmeter.threads.JMeterThread.executeSamplePackage(JMeterThread.java:546)
[ApacheJMeter_core.jar:5.0 r1840935]
        at
org.apache.jmeter.threads.JMeterThread.processSampler(JMeterThread.java:486)
[ApacheJMeter_core.jar:5.0 r1840935]
        at org.apache.jmeter.threads.JMeterThread.run(JMeterThread.java:253)
[ApacheJMeter_core.jar:5.0 r1840935]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_131]
2018-11-19 15:30:23,708 INFO
o.a.j.p.h.s.h.LazyLayeredConnectionSocketFactory: Setting up HTTPS TrustAll
Socket Factory
2018-11-19 15:30:23,714 INFO o.a.j.u.JsseSSLManager: Using default SSL
protocol: TLS
2018-11-19 15:30:23,715 INFO o.a.j.u.JsseSSLManager: SSL session context:
per-thread
2018-11-19 15:30:24,494 INFO o.a.j.u.SSLManager: JmeterKeyStore Location:
type JKS
2018-11-19 15:30:24,500 INFO o.a.j.u.SSLManager: KeyStore created OK
2018-11-19 15:30:24,501 WARN o.a.j.u.SSLManager: Keystore file not found,
loading empty keystore
2018-11-19 15:30:29,910 WARN o.a.h.i.a.HttpAuthenticator: NEGOTIATE
authentication error: No valid credentials provided (Mechanism level: No
valid credentials provided (Mechanism level: Failed to find any Kerberos
tgt))
2018-11-19 15:30:29,917 INFO o.a.j.t.JMeterThread: Thread is done: POST
data/loadList 1-1
2018-11-19 15:30:29,918 INFO o.a.j.t.JMeterThread: Thread finished: POST
data/loadList 1-1
2018-11-19 15:30:29,918 INFO o.a.j.e.StandardJMeterEngine: Notifying test
listeners of end of test

I didn't change my config files, unless unintentionally, but double-checking
them confirms they all look OK. (system.properties, krb5.conf, jaas.conf)

I configured system.properties like this:

file.encoding=UTF-8
javax.net.ssl.keyStore=c:/dev/.secure/v3.jks
javax.net.ssl.keyStorePassword=teaCUP876
sun.net.http.allowRestrictedHeaders=true
java.security.krb5.conf=C:/dev/workspace/jenna/jmeter/krb5.conf
java.security.auth.login.config=C:/dev/workspace/jenna/jmeter/jaas.conf
sun.security.krb5.debug=true

so I don't know why the logs show SSL warnings.

Just for the record, here is what my jmx file for the HTTP authorization
manager looks like:

      <ConfigTestElement guiclass="HttpDefaultsGui"
testclass="ConfigTestElement" testname="HTTP Request Defaults"
enabled="true">
        <elementProp name="HTTPsampler.Arguments" elementType="Arguments"
guiclass="HTTPArgumentsPanel" testclass="Arguments" testname="User Defined
Variables" enabled="true">
          <collectionProp name="Arguments.arguments"/>
        </elementProp>
        <stringProp
name="HTTPSampler.domain">test-url.bla-web.megacorp.com</stringProp>
        <stringProp name="HTTPSampler.port">443</stringProp>
        <stringProp name="HTTPSampler.connect_timeout"></stringProp>
        <stringProp name="HTTPSampler.response_timeout"></stringProp>
        <stringProp name="HTTPSampler.protocol">https</stringProp>
        <stringProp name="HTTPSampler.contentEncoding">UTF-8</stringProp>
        <stringProp name="HTTPSampler.path"></stringProp>
        <stringProp
name="HTTPSampler.implementation">HttpClient4</stringProp>
        <stringProp name="HTTPSampler.concurrentPool">6</stringProp>
      </ConfigTestElement>

      <AuthManager guiclass="AuthPanel" testclass="AuthManager"
testname="HTTP Authorization Manager" enabled="true">
        <collectionProp name="AuthManager.auth_list">
          <elementProp name="" elementType="Authorization">
            <stringProp name="Authorization.url"></stringProp>
            <stringProp name="Authorization.username">adam42</stringProp>
            <stringProp
name="Authorization.password">scooby-secret</stringProp>
            <stringProp
name="Authorization.domain">X2.MEGACORP.COM</stringProp>
            <stringProp
name="Authorization.realm">X2.MEGACORP.COM</stringProp>
            <stringProp name="Authorization.mechanism">KERBEROS</stringProp>
          </elementProp>
        </collectionProp>
      </AuthManager>

The HTTPS/SSL configuration on the server is all hunky-dory as far as I can
tell, and encryption has been working fine for weeks for all normal clients.

What do I need to check here?

Thanks
Adam




--
Sent from: http://www.jmeter-archive.org/JMeter-User-f512775.html

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: HTTPS/SSL and Kerberos

Felix Schumacher

Am 19.11.18 um 18:02 schrieb ahardy42:

> Hi,
>
> I used JMeter 3 with Kerberos for some time but the servers I was testing
> used just plain HTTP with no encryption and have just been upgraded to SSL.
>
> My JMeter tests now refuse to run, giving me a Kerberos error (I think) in
> the logging.
>
> Here's the relevant part of the logging:
>
> 2018-11-19 15:30:23,095 INFO o.a.j.JMeter: Running test (1542641423095)
> 2018-11-19 15:30:23,195 INFO o.a.j.e.StandardJMeterEngine: Starting
> ThreadGroup: 1 : POST data/loadList
> 2018-11-19 15:30:23,195 INFO o.a.j.e.StandardJMeterEngine: Starting 1
> threads for group POST data/loadList.
> 2018-11-19 15:30:23,195 INFO o.a.j.e.StandardJMeterEngine: Thread will
> continue on error
> 2018-11-19 15:30:23,196 INFO o.a.j.t.ThreadGroup: Starting thread group...
> number=1 threads=1 ramp-up=0 perThread=0.0 delayedStart=false
> 2018-11-19 15:30:23,201 INFO o.a.j.t.ThreadGroup: Started thread group
> number 1
> 2018-11-19 15:30:23,201 INFO o.a.j.e.StandardJMeterEngine: All thread groups
> have been started
> 2018-11-19 15:30:23,206 INFO o.a.j.s.SampleResult: Note: Sample TimeStamps
> are END times
> 2018-11-19 15:30:23,207 INFO o.a.j.s.SampleResult:
> sampleresult.default.encoding is set to ISO-8859-1
> 2018-11-19 15:30:23,207 INFO o.a.j.s.SampleResult:
> sampleresult.useNanoTime=true
> 2018-11-19 15:30:23,207 INFO o.a.j.s.SampleResult:
> sampleresult.nanoThreadSleep=5000
> 2018-11-19 15:30:23,208 INFO o.a.j.t.JMeterThread: Thread started: POST
> data/loadList 1-1
> 2018-11-19 15:30:23,521 INFO o.a.j.p.h.s.HTTPHCAbstractImpl: Local host =
> ILCSWXD7F66H2-L
> 2018-11-19 15:30:23,530 INFO o.a.j.p.h.s.HTTPHC4Impl: HTTP request retry
> count = 0
> 2018-11-19 15:30:23,651 WARN o.a.j.p.h.c.KerberosManager: Could not log in
> user adam42
> javax.security.auth.login.LoginException: No LoginModules configured for
> JMeter
>          at
> javax.security.auth.login.LoginContext.init(LoginContext.java:264)
> ~[?:1.8.0_131]
>          at
> javax.security.auth.login.LoginContext.<init>(LoginContext.java:417)
> ~[?:1.8.0_131]
>          at
> org.apache.jmeter.protocol.http.control.KerberosManager.lambda$getSubjectForUser$0(KerberosManager.java:68)
> ~[ApacheJMeter_http.jar:5.0 r1840935]
>          at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> [?:1.8.0_131]
>          at
> org.apache.jmeter.protocol.http.control.KerberosManager.getSubjectForUser(KerberosManager.java:83)
> [ApacheJMeter_http.jar:5.0 r1840935]
>          at
> org.apache.jmeter.protocol.http.control.AuthManager.getSubjectForUrl(AuthManager.java:294)
> [ApacheJMeter_http.jar:5.0 r1840935]
>          at
> org.apache.jmeter.protocol.http.sampler.HTTPHC4Impl.executeRequest(HTTPHC4Impl.java:820)
> [ApacheJMeter_http.jar:5.0 r1840935]
>          at
> org.apache.jmeter.protocol.http.sampler.HTTPHC4Impl.sample(HTTPHC4Impl.java:570)
> [ApacheJMeter_http.jar:5.0 r1840935]
>          at
> org.apache.jmeter.protocol.http.sampler.HTTPSamplerProxy.sample(HTTPSamplerProxy.java:67)
> [ApacheJMeter_http.jar:5.0 r1840935]
>          at
> org.apache.jmeter.protocol.http.sampler.HTTPSamplerBase.sample(HTTPSamplerBase.java:1231)
> [ApacheJMeter_http.jar:5.0 r1840935]
>          at
> org.apache.jmeter.protocol.http.sampler.HTTPSamplerBase.sample(HTTPSamplerBase.java:1220)
> [ApacheJMeter_http.jar:5.0 r1840935]
>          at
> org.apache.jmeter.threads.JMeterThread.doSampling(JMeterThread.java:622)
> [ApacheJMeter_core.jar:5.0 r1840935]
>          at
> org.apache.jmeter.threads.JMeterThread.executeSamplePackage(JMeterThread.java:546)
> [ApacheJMeter_core.jar:5.0 r1840935]
>          at
> org.apache.jmeter.threads.JMeterThread.processSampler(JMeterThread.java:486)
> [ApacheJMeter_core.jar:5.0 r1840935]
>          at org.apache.jmeter.threads.JMeterThread.run(JMeterThread.java:253)
> [ApacheJMeter_core.jar:5.0 r1840935]
>          at java.lang.Thread.run(Thread.java:748) [?:1.8.0_131]
> 2018-11-19 15:30:23,708 INFO
> o.a.j.p.h.s.h.LazyLayeredConnectionSocketFactory: Setting up HTTPS TrustAll
> Socket Factory
> 2018-11-19 15:30:23,714 INFO o.a.j.u.JsseSSLManager: Using default SSL
> protocol: TLS
> 2018-11-19 15:30:23,715 INFO o.a.j.u.JsseSSLManager: SSL session context:
> per-thread
> 2018-11-19 15:30:24,494 INFO o.a.j.u.SSLManager: JmeterKeyStore Location:
> type JKS
> 2018-11-19 15:30:24,500 INFO o.a.j.u.SSLManager: KeyStore created OK
> 2018-11-19 15:30:24,501 WARN o.a.j.u.SSLManager: Keystore file not found,
> loading empty keystore
> 2018-11-19 15:30:29,910 WARN o.a.h.i.a.HttpAuthenticator: NEGOTIATE
> authentication error: No valid credentials provided (Mechanism level: No
> valid credentials provided (Mechanism level: Failed to find any Kerberos
> tgt))
> 2018-11-19 15:30:29,917 INFO o.a.j.t.JMeterThread: Thread is done: POST
> data/loadList 1-1
> 2018-11-19 15:30:29,918 INFO o.a.j.t.JMeterThread: Thread finished: POST
> data/loadList 1-1
> 2018-11-19 15:30:29,918 INFO o.a.j.e.StandardJMeterEngine: Notifying test
> listeners of end of test
>
> I didn't change my config files, unless unintentionally, but double-checking
> them confirms they all look OK. (system.properties, krb5.conf, jaas.conf)
>
> I configured system.properties like this:
>
> file.encoding=UTF-8
> javax.net.ssl.keyStore=c:/dev/.secure/v3.jks
> javax.net.ssl.keyStorePassword=teaCUP876
> sun.net.http.allowRestrictedHeaders=true
> java.security.krb5.conf=C:/dev/workspace/jenna/jmeter/krb5.conf
> java.security.auth.login.config=C:/dev/workspace/jenna/jmeter/jaas.conf
> sun.security.krb5.debug=true

Where have you defined those properties? Are you sure they get used?

For me it looks like JMeter is not using the correct jaas.conf. Have you
had a look into that file? Any reason for not using the default
jaas.conf that comes with JMeter?

Regards,

 ¬†Felix

> so I don't know why the logs show SSL warnings.
>
> Just for the record, here is what my jmx file for the HTTP authorization
> manager looks like:
>
>        <ConfigTestElement guiclass="HttpDefaultsGui"
> testclass="ConfigTestElement" testname="HTTP Request Defaults"
> enabled="true">
>          <elementProp name="HTTPsampler.Arguments" elementType="Arguments"
> guiclass="HTTPArgumentsPanel" testclass="Arguments" testname="User Defined
> Variables" enabled="true">
>            <collectionProp name="Arguments.arguments"/>
>          </elementProp>
>          <stringProp
> name="HTTPSampler.domain">test-url.bla-web.megacorp.com</stringProp>
>          <stringProp name="HTTPSampler.port">443</stringProp>
>          <stringProp name="HTTPSampler.connect_timeout"></stringProp>
>          <stringProp name="HTTPSampler.response_timeout"></stringProp>
>          <stringProp name="HTTPSampler.protocol">https</stringProp>
>          <stringProp name="HTTPSampler.contentEncoding">UTF-8</stringProp>
>          <stringProp name="HTTPSampler.path"></stringProp>
>          <stringProp
> name="HTTPSampler.implementation">HttpClient4</stringProp>
>          <stringProp name="HTTPSampler.concurrentPool">6</stringProp>
>        </ConfigTestElement>
>
>        <AuthManager guiclass="AuthPanel" testclass="AuthManager"
> testname="HTTP Authorization Manager" enabled="true">
>          <collectionProp name="AuthManager.auth_list">
>            <elementProp name="" elementType="Authorization">
>              <stringProp name="Authorization.url"></stringProp>
>              <stringProp name="Authorization.username">adam42</stringProp>
>              <stringProp
> name="Authorization.password">scooby-secret</stringProp>
>              <stringProp
> name="Authorization.domain">X2.MEGACORP.COM</stringProp>
>              <stringProp
> name="Authorization.realm">X2.MEGACORP.COM</stringProp>
>              <stringProp name="Authorization.mechanism">KERBEROS</stringProp>
>            </elementProp>
>          </collectionProp>
>        </AuthManager>
>
> The HTTPS/SSL configuration on the server is all hunky-dory as far as I can
> tell, and encryption has been working fine for weeks for all normal clients.
>
> What do I need to check here?
>
> Thanks
> Adam
>
>
>
>
> --
> Sent from: http://www.jmeter-archive.org/JMeter-User-f512775.html
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: HTTPS/SSL and Kerberos

ahardy42
I defined the properties in a system.properties file which I keep in my code
repo and reference on the command line with the '-p' parameter.

The jaas.conf is exactly the same. I copied it across to my code base,
that's all.

I also suspected the jaas.conf file, but I'm not able to force it to make an
error which would show that it's using the jaas.conf specified.

I was also so fixated on the jmeter.log that I only just noticed this
warning on the command line:

$ tools/apache-jmeter-5.0/bin/jmeter.sh -n -p
workspace/jenna/jmeter/system.properties -t
workspace/jenna/jmeter/benchmark.jmx -j logs/jmeter.log -e -l
logs/jmeter-data.csv
Nov 19, 2018 6:47:10 PM java.util.prefs.WindowsPreferences <init>
WARNING: Could not open/create prefs root node Software\JavaSoft\Prefs at
root 0x80000002. Windows RegCreateKeyEx(...) returned error code 5.
Created the tree successfully using workspace/jenna/jmeter/benchmark.jmx
Starting the test @ Mon Nov 19 18:47:10 GMT 2018 (1542653230567)
Waiting for possible Shutdown/StopTestNow/Heapdump message on port 4445
Tidying up ...    @ Mon Nov 19 18:47:17 GMT 2018 (1542653237675)
... end of run

Is it critical?




--
Sent from: http://www.jmeter-archive.org/JMeter-User-f512775.html

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: HTTPS/SSL and Kerberos

ahardy42
So presumably then this error:

javax.security.auth.login.LoginException: No LoginModules configured for
JMeter
        at
javax.security.auth.login.LoginContext.init(LoginContext.java:264)
~[?:1.8.0_131]
        at
javax.security.auth.login.LoginContext.<init>(LoginContext.java:417)
~[?:1.8.0_131]
        at
org.apache.jmeter.protocol.http.control.KerberosManager.lambda$getSubjectForUser$0(KerberosManager.java:68)
~[ApacheJMeter_http.jar:5.0 r1840935]


means that JMeter can't find the jaas.conf?

I went back to basics and retried using system.properties with jaas config
set to "jaas.conf" with no directory and JMeter found the jaas.conf straight
away. I'll now work forwards again step by step and try to see where I went
wrong. If it wasn't for this hiccup, it would be much easier to keep those
jaas.conf and krb5.conf files with the other project files.






--
Sent from: http://www.jmeter-archive.org/JMeter-User-f512775.html

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: HTTPS/SSL and Kerberos

ahardy42
By playing around, I noticed that JMeter lets you specify a system props file
using the '-q' flag as well.

This works. I verified it by removing all kerberos related config from the
apache-jmeter-5.0/bin directory, and also by changing the LoginConfig name
in the jaas.conf file so it couldn't be found.

The tip about how to interpret the Kerberos error really helped. Hopefully
this info about the -q flag will help someone else in future.

Regards
Adam



--
Sent from: http://www.jmeter-archive.org/JMeter-User-f512775.html

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]