Wednesday, 8 July 2020

How to create multiple client certificates and use them in JMeter script

Client authentication/ mutual authentication / Two-way SSL are typically implemented when the client device is expected to authenticate to the server using certificate.

Below are the high level steps involved in the script development

1. Generate client certificate
2. Convert client certificate (pfx) to pem and then to p12
3. Create a KeyStore
4. Add all p12 certificates to JKS
5. Configure JMeter to use JKS
6. Develop JMeter script

Below are the detailed steps involved in the configuration

1. Generate client certificate
Understand how the client certificate is generated and implement the same using an appropriate tool/ language.


2. Convert client certificate (pfx) to pem and then to p12
p12 files can be converted using the below two commands
a) openssl pkcs12 -in filename.pfx -out filename.pem
b) openssl pkcs12 -export -in filename.pem -out filename.p12

A combination of "Shell script" and "Tcl/Tk Expect" together are used,shell script for conversion and Expect for entering the password during conversion.

The script should iterate through all the files and upon conversion the pfx file has to be moved to a done folder, to avoid duplicates.

3. Create a KeyStore
Create a keystore using this command
keytool -genkey -alias abc_keystore -destkeystore abc_keystore -deststoretype pkcs12

4. Import all p12 certificates to JKS
p12 files converted in step 2, can be added to JKS created in step 3, using the below command
keytool -importkeystore -srckeystore /path/filename.p12 -srcstoretype pkcs12 -destkeystore abc_keystore.jks -deststoretype JKS

The script should iterate through all the files and upon addition the p12 files are to be moved to a done folder, to avoid duplicate entries.A combination of "Shell script" and "Tcl/Tk Expect" together are used, shell script for adding files and Expect for entering the details, when adding.

Note: Providing an alias is important and it is recommended to provide a suitable alias. By seeing the alias name, user should be able to pull data that is required to be passed in HTTP request/ or some pre-processor.

Ex. If a client cert is used for mobile eCommerce app, then the User ID, etc. can be used as alias, so that the client cert can be easily mapped with data in database.

5. Configure JMeter to use JKS
Add/ update the below entries in system.properties of JMeter
javax.net.ssl.keyStoreType=pkcs12    
javax.net.ssl.keyStore=abc_keystore.jks
javax.net.ssl.keyStorePassword=mypassword

6. Develop JMeter script
Follow the steps mentioned here to develop the JMeter script   https://developer.ibm.com/mainframe/docs/how-to-test-your-apis/how-to-configure-jmeter-to-use-client-side-ssl/

No comments:

Post a Comment

How to create multiple client certificates and use them in JMeter script

Client authentication/ mutual authentication / Two-way SSL are typically implemented when the client device is expected to authenticate to ...