I would like to use JMeter to run some load testing against our OpenLDAP service authenticating using GSSAPI (i.e., Kerberos). How do I get JMeter to use a keytab with Kerberos credentials to do this? (Note: I tried following the directions here but they did not work for me: https://community.hortonworks.com/articles/141035/jmeter-kerberos-setup-for-hive-load-testing.html)
UPDATE
The command I use to start JMeter is
java.exe -XX:+HeapDumpOnOutOfMemoryError -Xms1g -Xmx1g
-XX:MaxMetaspaceSize=256m -XX:+UseG1GC -XX:MaxGCPauseMillis=100 -XX:G1ReservePercent=20 -Djava.security.egd=file:/dev/urandom
-Duser.language="en" -Duser.region="EN"
-Djava.security.debug=gssloginconfig,configfile,configparser,logincontext
-jar "D:\JMeter\bin\ApacheJMeter.jar"
-Dsun.security.krb5.debug=true
-Djava.security.krb5.conf="D:\JMeter\bin\krb5.conf"
-Djava.security.auth.login.config="D:\JMeter\bin\jaas.conf"
-Djavax.security.auth.useSubjectCredsOnly=false
The contents of D:\JMeter\bin\jaas.conf:
JMeter {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
useTicketCache=false
useKeyTab=true
keyTab="D:\JMeter\bin\ldap.keytab"
principal="service/testing-prod#example.com"
debug=true;
};
I have a single LDAP Request sampler. For that sampler I entered the LDAP server, port, and search base and filter. I run the test which "succeeds" but no information comes back.
I see no log messages in jmeter.log concerning the success or failure of authentication.
Unfortunately your didn't work statement tells nothing to us. With regards to the referenced guide - it is fine for HortonWorks Docs, however it might be not applicable for your application setup as Kerberos has many faces, to wit:
Your REALM will be different
Your SPN will be different (it may or may not be present)
Your keytab configuration will be different (again, Kerberos may or may not use keytabs for authentication)
Your KDC will be different
Your keytab generation algorithms may be different
So I would recommend the following:
Reach out to your network administrators / developers / devops / whoever can have the knowledge about your Kerberos setup and collect as much information as you can
Enable debug logging for JMeter HTTP Authorization Manager by adding the next line to log4j2.xml file:
<Logger name="org.apache.jmeter.protocol.http.control" level="debug" />
Enable debug logging for Java Kerberos implementation by adding the next line to system.properties file:
sun.security.krb5.debug=true
Restart JMeter to pick up the changes
Re-run your test and look for underlying error cause in jmeter.log file and in STDOUT
Fix the issue
Repeat step 5 until you're happy with the result
There are hundreds of different reasons, it might be the case your setup is 100% fine, however your login doesn't succeed because you have different time on KDC and your JMeter machine and it needs syncing.
Related
I am using jmeter 5.4.1, and facing issue while setting up the whole environment for that.
I have firewall in between master and slave machines.
I can request for some ports to open but before that I want to know how to configure them?
What update is needed in jmeter.properties and jmeter-server files to create a JMeter Remote Load Test.
In jmeter.properties nothing, don't touch this file, perform all the configuration either in user.properties or via -J command-line arguments.
Coming back to your question, I believe the official documentation is quite comprehensive, however just in case you cannot or unwilling to read:
In the master:
remote_hosts=ip,addresses,or,dns,hostnames,of,slaves,separated,by,comma
client.rmi.localport=xxxx
In the slave(s):
client.rmi.localport=xxxx
server.rmi.localport=yyyy
If you don't want secure communication between master and slaves - add the next line to both as well:
server.rmi.ssl.disable=true
So in the firewall you need to open these xxxx and yyyy ports
More information:
Apache JMeter Distributed Testing Step-by-step
Remote hosts and RMI configuration
JMeter Distributed Testing with Docker
exception Jmeter throws-
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
at com.ibm.jsse2.qc.a(qc.java:422)
at com.ibm.jsse2.qc.h(qc.java:714)
at com.ibm.jsse2.qc.a(qc.java:831)
at com.ibm.jsse2.qc.startHandshake(qc.java:828)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:553)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:412)
at org.apache.jmeter.protocol.http.sampler.LazySchemeSocketFactory.connectSocket(LazySchemeSocketFactory.java:97)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:179)
at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:328)
at org.apache.jmeter.protocol.http.sampler.MeasuringConnectionManager$MeasuredConnection.open(MeasuringConnectionManager.java:114)
Is there any specific Java version need to be used?
Jmeter version is - 3.1
Just add the next lines to system.properties file (located in the "bin" folder of your JMeter installation)
javax.net.ssl.keyStoreType=pkcs12
javax.net.ssl.keyStore=/path/to/your/certificate.p12
javax.net.ssl.keyStorePassword=your_certificate_password_here
Another option is providing the aforementioned properties via -D command-line argument like:
jmeter -Djavax.net.ssl.keyStoreType=pkcs12 -Djavax.net.ssl.keyStore=/path/to/your/certificate.p12 -Djavax.net.ssl.keyStorePassword=your_certificate_password_here
This is more convenient for unattended executions, i.e. using Continuous Integration servers
Restart JMeter to pick the properties up
Now JMeter will be using your client certificate for requests encryption
See How to Set Your JMeter Load Test to Use Client Side Certificates for more details.
Alternatively you can use SSL Manager, however personally I consider using system properties more convenient.
I'm working with Maven(3.3.9), JMeter (3.0) and the Jenkis Performance plugin.
When I run my JMeter test with Mvn on my Computer, everything works fine, but when I try to make a build #Jenkins, the JMeter tests always fail(100%).
Has anybody an idea what could be the cause for my problem?
My JMeter tests use an assertion, which checks for "viewExpired", because I'm using JSF, and a second assertion, which skips all the other tests as soon as the first test fails.
Here is my log (i changed it a bit, server-adress,etc.)
https://gist.github.com/anonymous/801ef819233468246eb9e42893366b56
Tom -
From your logs, it looks to me that your TLS connections are failing from the Jenkins machine to the target test server (test.at.com). If your Jenkins machine has an Xterm interface, can you install JMeter there and launch it in the GUI mode to validate? Your test plan should run without issues. The logs also indicate that it is using an empty key store. Do you have the test.at.com certificate added to the default java key store on your Jenkins machine? By default, JMeter uses the java key store present under /lib/security. You can override it with your own trust store by using the property
You can edit the JMeter system.properties to use a custom Keystore by editing the below lines
\# Keystore properties (client certificates)
\# Location
\#javax.net.ssl.keyStore=H:\\cert\\client_keystore.jks
\#
\#The password to your keystore
\#javax.net.ssl.keyStorePassword=changeit
\#
\#javax.net.ssl.keyStoreProvider
\#javax.net.ssl.keyStoreType [default = KeyStore.getDefaultType()]
I would also suggest enabling the SSL debug options if you want to know the actual root cause. You can turn it on in the system.properties
\#javax.net.debug=ssl
Having said all the above, please can you check if the connectivity is there between your Jenkins machine and the actual target host
**telnet test.at.com 443**
2017/01/23 15:50:17 DEBUG - org.apache.jmeter.protocol.http.sampler.JMeterClientConnectionOperator$JMeterDefaultClientConnection: Connection 0.0.0.0:33542<->62.116.177.251:443 closed
2017/01/23 15:50:17 DEBUG - org.apache.jmeter.protocol.http.sampler.HTTPHC4Impl$7: Closing the connection.
2017/01/23 15:50:17 DEBUG - org.apache.jmeter.protocol.http.sampler.JMeterClientConnectionOperator$JMeterDefaultClientConnection: Connection 0.0.0.0:33542<->62.116.177.251:443 closed
2017/01/23 15:50:17 DEBUG - org.apache.jmeter.protocol.http.sampler.JMeterClientConnectionOperator$JMeterDefaultClientConnection: Connection 0.0.0.0:33542<->62.116.177.251:443 shut down
2017/01/23 15:50:17 DEBUG - org.apache.jmeter.protocol.http.sampler.JMeterClientConnectionOperator$JMeterDefaultClientConnection: Connection 0.0.0.0:33542<->62.116.177.251:443 closed
I have implemented PerfMon Metrics Collector (listeners) in my JMeter scripts. These listeners have HOST and PORT fields. I have defined variables for these in Test Plan and using them in listeners.
I tested these scripts in non-distributed mode and it worked perfectly.
Now, I converted my scripts for distributed mode. Everything works fine except PerfMon listeners which throw following error message:
2016/02/29 09:06:35 ERROR - kg.apc.jmeter.perfmon.PerfMonCollector: Perfmon plugin error: java.net.ConnectException: connect: Address is invalid on local machine, or port is not valid on remote machine
This error seemed to be related to invalid value (may be these listeners do not handle special characters like {} $ in distributed mode!!). So, I removed variables for HOST/PORT and instead used hard coded values and it worked fine.
So apparently, these listeners do not work properly in distributed mode (IF used with variables).
Is there any workaround for this issue as I have plenty of PerfMon listeners in my setup and manually changing them all will be a tiresome job.
Go for JMeter Properties instead of JMeter Variables, like:
Substitute ${HOST} with ${__P(HOST,)}
Substitute ${PORT} with ${__P(PORT,)}
Pass HOST and PORT properties values on JMeter master side like:
jmeter -GHOST=target_hostname_or_IP -GPORT=target_port -s -n -t ....
You can have different values on different slaves, in that case specify properties in user.properties file (it's located under /bin folder of JMeter installation) like:
HOST=10.20.30.40
PORT=1234
Remember to restart JMeter after editing any configuration file.
References:
__P() function documentation
Full list of command-line options
Apache JMeter Properties Customization Guide
I installed springxd 1.0.1 release. I configured spring-xd to run in HTTPS mode by enabling the SSL properties as specified in https://github.com/spring-projects/spring-xd/wiki/Application-Configuration#enabling-https. I am able to start the xd admin and containers successfully after that. I set the httpSSL.properties as well. However, I am not able to get the xd shell properly. or admin UI to run. I know I have to specify these new ssl properties for them to use, but I am not sure where. The output when I run xd shell is:
1.0.1.RELEASE | Admin Server Target: http://localhost:9393
-------------------------------------------------------------------------------
Error: Unable to contact XD Admin Server at 'http://localhost:9393'.
Please execute 'admin config info' for more details.
-------------------------------------------------------------------------------
Welcome to the Spring XD shell. For assistance hit TAB or type "help".
server-unknown:>
When I try the admin-ui, I just get a 'Connection Interrupted' error.
EDIT: I tried basic authentication by enabling the properties in servers.yml. With this I am able to get the admin-ui to work, but shell still does not work. I am trying to find which configurations I need to set to make this work unsuccessfully. Any help is greatly appreciated.
Any pointers are greatly appreciated.
thanks much,
AG
Asha,
A few clarifications:
You do not need to change httpSSL.properties, that is necessary only for configuring HTTPS for the HTTP source.
Since you've enabled https, you must change the target URL accordingly, as follows:
xd:> admin config server https://localhost:9393
(please note that the protocol is https now)
If you also enable Basic security, you must add the configuration parameters to the configuration command, as in this example:
xd:> admin config server --uri https://localhost:9393 --username adminUserName --password adminPassword
(As described in the reference documentation)
Hope this helps,
Marius