[Gatling List] HTTPS client certificate configuration

[Jean-Baptiste Reich]

Hi,

I would like to configure Gatling in order to have an HTTPS client
certificate per user. I saw the keyStore and trustStore configuration
in gatling.conf but in my case I really need to specify it per user.
Is there a way to do that ? With a feeder for example ?

Thanks

[Stéphane Landelle]

You can't, the AsyncHttpClient engine is shared amongst users.

What's your use case exactly? I have the feeling that you're looking for some beyond web apps load testing... Networks? If so, people tend to implement their own protocol support and ship it Gatling orchestration engine.

2013/4/29 Jean-Baptiste Reich <jeanbapti...@gmail.com>

--
You received this message because you are subscribed to the Google Groups "Gatling User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to gatling+u...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

[Jean-Baptiste Reich]

My use case is to test an HTTP REST application in which each user have a unique SSL client certificate. This is important because users are authenticated with it and access their private data. I cannot test my application with only one client certificate because I will only be able to access one account which is not representative of my application usage.

If the only way to do that is to implement a custom protocol then I will try to

Thanks

2013/4/29 Stéphane Landelle <slan...@excilys.com>

[pbo...@gmail.com]

Hello,
I this case maybe you could use alternative tools like JMeter which allows https client certificate per user.

Regards

[pbo...@gmail.com]

For completeness:

- http://jmeter.apache.org/usermanual/component_reference.html#Keystore_Configuration
- http://stackoverflow.com/questions/14607897/jmeter-and-optional-ssl-client-certificate

- http://jmeter.512774.n5.nabble.com/Certificate-Based-Authentication-td5713372.html

Regards

[Nicolas Rémond]

How does this work then ?

You specify the Keystore, and from that, JMeter cycle thru all the certificates ?

What if you inject more users than the number of certificates your have ?

Regards

--

[Stéphane Landelle]

Let me talk about this with Jean-François (the AHC project leader) to see if we can find a proper solution for this.

Cheers,

Stéphane

2013/4/30 Nicolas Rémond <nicolas...@gmail.com>

[Stéphane Landelle]

@JB: I was able to have one AHC instance per user, while sharing the underlying thread pools.

Meaning that we could perfectly implement what you need.

I would just need some help on the SSL part:

https://github.com/excilys/gatling/blob/master/gatling-http/src/main/scala/io/gatling/http/ahc/GatlingHttpClient.scala#L63

Cheers,

Stéphane

2013/4/30 Stéphane Landelle <slan...@excilys.com>

[Jean-Baptiste Reich]

Hi,

The problem as I understand it is that the keystore is only defined once in gatling.conf. Then, the same instance is given to all AHC. The solution would be to provide a keystore for each AHC but I don't know how...

Jean-Baptiste

2013/4/30 Stéphane Landelle <slan...@excilys.com>

[Stéphane Landelle]

No no no, this part will be just fine. :)

I just need to get sure that passing one keystore per user is fine for you, or if you want one single keystore containing multiple key.

I have no problem with the first solution, but I don't know how to implement the second one.

2013/4/30 Jean-Baptiste Reich <jeanbapti...@gmail.com>

[Jean-Baptiste Reich]

OK,

One KeyStore per user is fine for me.

Thanks

2013/4/30 Stéphane Landelle <slan...@excilys.com>

[Stéphane Landelle]

Cool!

Can you wait a day or two so I implement this properly?

2013/4/30 Jean-Baptiste Reich <jeanbapti...@gmail.com>

[Jean-Baptiste Reich]

Yes !

Thank you for your reactivity

2013/4/30 Stéphane Landelle <slan...@excilys.com>

[Stéphane Landelle]

Stay tuned!

Beware that you'll have to walk on the wild side: 2.0.0-SNAPSHOT

2013/4/30 Jean-Baptiste Reich <jeanbapti...@gmail.com>

[pbo...@gmail.com]

I don't know if it's the proper place for that , maybe jmeter user mailing list or stackoverflow (with jmeter tag) is more appropriate but yes you need to have as many certs as users you inject, otherwise your test would not be realistic anyway and you might introduce non existent problems.

Regards

[Stéphane Landelle]

@JB I have great news: I was able to implement it.

Please use this bundle: https://docs.google.com/file/d/0B1zTVlhQrNiyN2dRcExteWVoUGM/edit

Here's the procedure: https://github.com/excilys/gatling/issues/1121

Beware that we're dropping our own JsonPath for Jayway's one, and the syntax is a bit different: http://goessner.net/articles/JsonPath

Please provide feedback.

Cheers,

Stéphane

2013/4/30 <pbo...@gmail.com>

I don't know if it's the proper place for that , maybe jmeter user mailing list or stackoverflow (with jmeter tag) is more appropriate but yes you need to have as many certs as users you inject, otherwise your test would not be realistic anyway and you might introduce non existent problems.

Regards

[Jean-Baptiste Reich]

Hi,,

Sorry it took time to test because my simulation was based on gatling 2.

 

With the new code I am not able to connect to my application with client certificate. I noticed with basic tests that only my trustStore was used in the test

Then, I looked at the code in git and I think I found a bug in gatling-http/src/main/scala/com/excilys/ebi/gatling/http/ahc/GatlingHttpClient.scala:

     val trustManagers = for {

        storeType <- session.getAttributeAsOption[String](CONF_HTTP_SSS_TRUST_STORE_TYPE)

        file <- session.getAttributeAsOption[String](CONF_HTTP_SSS_TRUST_STORE_FILE)

        password <- session.getAttributeAsOption[String](CONF_HTTP_SSS_TRUST_STORE_PASSWORD)

        algorithm = session.getAttributeAsOption[String](CONF_HTTP_SSS_TRUST_STORE_ALGORITHM)

      } yield newTrustManagers(storeType, file, password, algorithm)

      val keyManagers = for {

        storeType <- session.getAttributeAsOption[String](CONF_HTTP_SSS_TRUST_STORE_TYPE)

        file <- session.getAttributeAsOption[String](CONF_HTTP_SSS_TRUST_STORE_FILE)

        password <- session.getAttributeAsOption[String](CONF_HTTP_SSS_TRUST_STORE_PASSWORD)

        algorithm = session.getAttributeAsOption[String](CONF_HTTP_SSS_TRUST_STORE_ALGORITHM)

      } yield newKeyManagers(storeType, file, password, algorithm)

but I think it should be:

     val trustManagers = for {

        storeType <- session.getAttributeAsOption[String](CONF_HTTP_SSS_TRUST_STORE_TYPE)

        file <- session.getAttributeAsOption[String](CONF_HTTP_SSS_TRUST_STORE_FILE)

        password <- session.getAttributeAsOption[String](CONF_HTTP_SSS_TRUST_STORE_PASSWORD)

        algorithm = session.getAttributeAsOption[String](CONF_HTTP_SSS_TRUST_STORE_ALGORITHM)

      } yield newTrustManagers(storeType, file, password, algorithm)

      val keyManagers = for {

        storeType <- session.getAttributeAsOption[String](CONF_HTTP_SSS_KEY_STORE_TYPE)

        file <- session.getAttributeAsOption[String](CONF_HTTP_SSS_KEY_STORE_FILE)

        password <- session.getAttributeAsOption[String](CONF_HTTP_SSS_KEY_STORE_PASSWORD)

        algorithm = session.getAttributeAsOption[String](CONF_HTTP_SSS_KEY_STORE_ALGORITHM)

      } yield newKeyManagers(storeType, file, password, algorithm)

I don't know how to recompile everything and to test my patch. Can you tell me if you think this will fix my issue and provide me a new gatling environment ?

Thanks

2013/5/2 Stéphane Landelle <slan...@excilys.com>

[Stéphane Landelle]

Damn copy/paste.

Do you prefer a SNAPSHOT of 1.5 or 2.0?

2013/5/2 Jean-Baptiste Reich <jeanbapti...@gmail.com>

[Jean-Baptiste Reich]

2.0 if possible

Thanks

[Stéphane Landelle]

Here you are: https://docs.google.com/file/d/0B1zTVlhQrNiyUFhBZzBacGVNZnc/edit

2013/5/2 Jean-Baptiste Reich <jeanbapti...@gmail.com>

2.0 if possible

Thanks

[Jean-Baptiste Reich]

OK, now it works

Thank you for your help !

2013/5/2 Stéphane Landelle <slan...@excilys.com>

[Stéphane Landelle]

Fantastic! Honestly, that went smoother than I originally expected.

We'll ship this in both 1.5.0 and 2.0.0-M2.

Have fun,

Stéphane

2013/5/2 Jean-Baptiste Reich <jeanbapti...@gmail.com>

[Kan Wu]

My situation is a bit different from this case. I have many https requests in the script but only one needs certificate, and certificate is same for all users. 

so i should not change the gatling.conf, but rather change session's trustStore and keyStore parameter before i call that https request? and after that particular request, i have to reset keyStore and trustStore value so subsequent https will be alright?

i tried change gatling.conf but got sun.security.validator.ValidatorException: No trusted certificate found error. i believe thats because the keyStore and trustStore file is not working for all my https requests.

any ideas or better implementations?

thanks!

[Kan Wu]

I think i figured out how to do it. i imported the cert into jre trustStore, cacerts, and use that one as the trustStore. keyStore is ok to contain only one entry.

[alex.s...@ipt.ch]

Hi Stéphane,

Is it possible to implement the second solution as well?
I'm currently switching from JMeter to Gatling, but I'm currently stuck at the authentification part of the website which I'm testing. For that I need a keystore containing multiple keys (for 200 users).

In JMeter there's an option "Keystore Configuration" where I can declare the aliases in the keystore (working like a feeder).

Cheers,

Alex

[Stéphane Landelle]

This is not currently implemented.

I opened a feature request: https://github.com/gatling/gatling/issues/2293.

No ETA though.

For more options, visit https://groups.google.com/d/optout.